fix 1p fingerprint, soteria for polkit, allow pw without fp
This commit is contained in:
parent
ceb3f3d3f7
commit
4445c8bc72
1 changed files with 56 additions and 16 deletions
|
|
@ -199,6 +199,17 @@
|
||||||
programs.hyprland.enable = true;
|
programs.hyprland.enable = true;
|
||||||
programs.hyprland.xwayland.enable = false;
|
programs.hyprland.xwayland.enable = false;
|
||||||
programs.hyprland.withUWSM = true;
|
programs.hyprland.withUWSM = true;
|
||||||
|
# 1Password system unlock uses polkit/PAM; keyring holds auxiliary secrets.
|
||||||
|
services.gnome.gnome-keyring.enable = true;
|
||||||
|
systemd.user.services.gnome-keyring = {
|
||||||
|
description = "GNOME Keyring daemon";
|
||||||
|
wantedBy = [ "default.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "simple";
|
||||||
|
ExecStart = "${pkgs.gnome-keyring}/bin/gnome-keyring-daemon --start --foreground --components=pkcs11,secrets,ssh";
|
||||||
|
Restart = "on-failure";
|
||||||
|
};
|
||||||
|
};
|
||||||
programs.hyprlock.enable = true;
|
programs.hyprlock.enable = true;
|
||||||
services.hypridle.enable = true;
|
services.hypridle.enable = true;
|
||||||
programs.waybar.enable = false;
|
programs.waybar.enable = false;
|
||||||
|
|
@ -258,6 +269,7 @@
|
||||||
"org.freedesktop.impl.portal.ScreenCast" = [ "hyprland" ];
|
"org.freedesktop.impl.portal.ScreenCast" = [ "hyprland" ];
|
||||||
"org.freedesktop.impl.portal.Screenshot" = [ "wlr" ];
|
"org.freedesktop.impl.portal.Screenshot" = [ "wlr" ];
|
||||||
"org.freedesktop.impl.portal.FileChooser" = [ "gtk" ];
|
"org.freedesktop.impl.portal.FileChooser" = [ "gtk" ];
|
||||||
|
"org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
@ -470,23 +482,39 @@
|
||||||
kanata
|
kanata
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
systemd.user.services = {
|
# Soteria has a working auth UI on Hyprland. Plain start-hyprland never
|
||||||
polkit-agent = {
|
# activates graphical-session.target and doesn't import XDG_SESSION_ID into
|
||||||
description = "PolKit Authentication Agent";
|
# systemd --user, so wrap the agent and start it when Wayland is up.
|
||||||
wantedBy = [ "graphical-session.target" ];
|
security.soteria.enable = true;
|
||||||
wants = [ "graphical-session.target" ];
|
systemd.user.services.polkit-soteria = {
|
||||||
partOf = [ "graphical-session.target" ];
|
wantedBy = lib.mkForce [ ];
|
||||||
after = [ "graphical-session.target" ];
|
wants = lib.mkForce [ ];
|
||||||
|
after = lib.mkForce [ ];
|
||||||
unitConfig.StartLimitIntervalSec = 0;
|
unitConfig.StartLimitIntervalSec = 0;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
ExecStart = lib.mkForce (
|
||||||
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
|
pkgs.writeShellScript "polkit-soteria-wrapper" ''
|
||||||
Environment = "GDK_BACKEND=wayland,x11";
|
if [ -z "''${XDG_SESSION_ID:-}" ]; then
|
||||||
Restart = "on-failure";
|
XDG_SESSION_ID=$(${pkgs.systemd}/bin/loginctl list-sessions --no-legend \
|
||||||
RestartSec = 5;
|
| ${pkgs.gawk}/bin/awk -v uid=$(id -u) '$2 == uid && $6 == "user" { print $1; exit }')
|
||||||
|
export XDG_SESSION_ID
|
||||||
|
fi
|
||||||
|
exec ${lib.getExe pkgs.soteria}
|
||||||
|
''
|
||||||
|
);
|
||||||
|
Restart = lib.mkForce "on-failure";
|
||||||
|
RestartSec = lib.mkForce 5;
|
||||||
TimeoutStopSec = 10;
|
TimeoutStopSec = 10;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
systemd.user.paths.polkit-soteria-wayland = {
|
||||||
|
description = "Start soteria polkit agent when Wayland is available";
|
||||||
|
wantedBy = [ "default.target" ];
|
||||||
|
pathConfig = {
|
||||||
|
PathExistsGlob = "/run/user/%U/wayland-*";
|
||||||
|
Unit = "polkit-soteria.service";
|
||||||
|
MakeDirectory = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable automatic login for the user.
|
# Enable automatic login for the user.
|
||||||
|
|
@ -647,6 +675,18 @@
|
||||||
systemd.services."user@".serviceConfig.Delegate = "cpu io memory pids cpuset";
|
systemd.services."user@".serviceConfig.Delegate = "cpu io memory pids cpuset";
|
||||||
|
|
||||||
services.fprintd.enable = true;
|
services.fprintd.enable = true;
|
||||||
|
# Password before fingerprint: correct password unlocks without FP;
|
||||||
|
# empty Enter still falls through to fprintd.
|
||||||
|
security.pam.services.polkit-1.fprintAuth = true;
|
||||||
|
security.pam.services.hyprlock.rules.auth.fprintd.order =
|
||||||
|
config.security.pam.services.hyprlock.rules.auth.unix.order + 1;
|
||||||
|
security.pam.services.hyprlock.rules.auth.unix.settings.nullok = lib.mkForce true;
|
||||||
|
security.pam.services.polkit-1.rules.auth.fprintd.order =
|
||||||
|
config.security.pam.services.polkit-1.rules.auth.unix.order + 1;
|
||||||
|
security.pam.services.polkit-1.rules.auth.unix.settings.nullok = lib.mkForce true;
|
||||||
|
security.pam.services.xlock.rules.auth.fprintd.order =
|
||||||
|
config.security.pam.services.xlock.rules.auth.unix.order + 1;
|
||||||
|
security.pam.services.xlock.rules.auth.unix.settings.nullok = lib.mkForce true;
|
||||||
#security.pam.services = {
|
#security.pam.services = {
|
||||||
# login.fprintAuth = true;
|
# login.fprintAuth = true;
|
||||||
# xscreensaver.fprintAuth = true;
|
# xscreensaver.fprintAuth = true;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue