From d61fc3da96fb2cbc44f39f58ad6bbfe7001b6c81 Mon Sep 17 00:00:00 2001
From: Ben Sima
Date: Tue, 1 Feb 2022 22:23:13 -0500
Subject: lock when yubikey is removed

Took me forever but I figured out how to use udev rules to give xautolock permission to see the yubi when unlocking. Also triggers a systemd service that locks the screen when yubi is removed. I couldn't do this directly in a udev RUN becaues udev sucks at running programs as different users and with environment variables and such. This is still a bit buggy, I seem to consistently need to authenticate twice when unlocking, but I think that would be fixed if I get rid of the serviceConfig.User thing with some fancy scripting. And as a backup, added Super+Shift+L for manual locking.
---
 machines/helium.nix | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

(limited to 'machines/helium.nix')

diff --git a/machines/helium.nix b/machines/helium.nix
index 564dd28..b0bcf64 100644
--- a/machines/helium.nix
+++ b/machines/helium.nix
@@ -47,6 +47,7 @@ in {
 yubioath-desktop
 yubico-pam
 yubikey-manager
+ yubikey-personalization
 ];
 nixpkgs = {
@@ -107,10 +108,12 @@ in {
 xserver.desktopManager.xterm.enable = true;
 xserver.xautolock.enable = true;
+ xserver.xautolock.locker = "${pkgs.xlockmore}/bin/xlock";
+ xserver.xautolock.nowlocker = "${pkgs.xlockmore}/bin/xlock"; # xautolock -locknow
+ xserver.xautolock.time = 5; # minutes
 xserver.xautolock.enableNotifier = true;
- xserver.xautolock.notifier = "${pkgs.libnotify}/bin/notify-send 'locking in 10 seconds'";
- xserver.xautolock.nowlocker = "${pkgs.i3lock}/bin/i3lock --color=000000 --show-failed-attempts --ignore-empty-password";
- xserver.xautolock.locker = "${pkgs.i3lock}/bin/i3lock --color=000000 --show-failed-attempts --ignore-empty-password";
+ xserver.xautolock.notify = 30; # seconds
+ xserver.xautolock.notifier = ''${pkgs.libnotify}/bin/notify-send "Locking in 30 seconds"'';
 vnstat.enable = true;
@@ -118,6 +121,28 @@ in {
 fail2ban.enable = true;
 clamav.daemon.enable = true;
 clamav.updater.enable = true;
+
+ udev.extraRules = ''
+ # allows xlock to read the yubikey for challenge-response when unlocking.
+ # you need to do 'udevadm control --reload && udevadm trigger' after
+ # changing this. 'ykinfo -v' without sudo should work.
+ ACTION!="add|change", GOTO="yubico_end", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="ben", MODE="0600"
+ LABEL="yubico_end"
+
+ # when yubi is removed, activate yubilock
+ ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID", RUN+="${pkgs.systemd}/bin/systemctl start yubilock"
+ '';
+ };
+ systemd.services = {
+ "yubilock" = {
+ script = "xlock";
+ path = [ pkgs.xlockmore ];
+ wantedBy = ["dummy.device"]; # i have to provide a WantedBy
+ environment = { DISPLAY = ":0"; };
+ # i think i can get rid of user if I use this script:
+ # https://0day.work/locking-the-screen-when-removing-a-yubikey/
+ serviceConfig.User = "ben";
+ };
 };
 # Use the systemd-boot EFI boot loader.
-- cgit v1.2.3
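Review bot: The first rule in the new `udev.extraRules` puts `ACTION!="add|change", GOTO="yubico_end"` and the vendor/product match on a single line, so udev ANDs all of its match keys: `OWNER="ben", MODE="0600"` can only be applied on an event that is not add or change, while on the add event that actually creates the device node nothing matches and the node keeps its default permissions. Split it into two rules, `ACTION!="add|change", GOTO="yubico_end"` on its own line followed by `ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="ben", MODE="0600"`, so the early skip happens first and the ownership change applies to add/change events. In the remove rule, `ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID"` uses a single `=`, which udev reads as an assignment rather than a comparison, so the rule fires for any removed 1050:0407 device and overwrites ID_SERIAL instead of filtering on it; `ENV{ID_SERIAL}=="Yubico_Yubikey_4_OTP+U2F+CCID"` is presumably what was meant. The yubilock unit sets only DISPLAY and runs as `ben`, and how xlock gets authorized to the X server from a system unit is not visible here, so it is worth confirming that the lock really engages on removal rather than failing silently.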