idiosyn/nixos/module/security.nix

{ ... }: { lib, config, ... }: {
  boot.loader.systemd-boot.editor = false;

  security.acme.acceptTerms = true;
  security.pam.services.swaylock.fprintAuth = false;
  security.pam.services.login.fprintAuth = false;
  security.pam.services.sudo-rs = {
    fprintAuth = config.services.fprintd.enable;
    sshAgentAuth = config.security.pam.sshAgentAuth.enable;
  };

  security.sudo.enable = false;
  security.sudo-rs = {
    enable = true;
    execWheelOnly = true;
    wheelNeedsPassword = config.security.pam.services.sudo-rs.fprintAuth
      || config.security.pam.services.sudo-rs.sshAgentAuth;

    extraConfig = ''
      Defaults env_keep += SSH_AUTH_SOCK
    '';
  };

  services.logind.killUserProcesses = true;
}
Initial import 2024-08-18 13:47:18 +02:00			`{ ... }: { lib, config, ... }: {`
			`boot.loader.systemd-boot.editor = false;`

			`security.acme.acceptTerms = true;`
			`security.pam.services.swaylock.fprintAuth = false;`
			`security.pam.services.login.fprintAuth = false;`
			`security.pam.services.sudo-rs = {`
			`fprintAuth = config.services.fprintd.enable;`
			`sshAgentAuth = config.security.pam.sshAgentAuth.enable;`
			`};`

			`security.sudo.enable = false;`
			`security.sudo-rs = {`
			`enable = true;`
			`execWheelOnly = true;`
			`wheelNeedsPassword = config.security.pam.services.sudo-rs.fprintAuth`
			`\|\| config.security.pam.services.sudo-rs.sshAgentAuth;`
security: Enable SSH agent access with sudo 2024-08-27 19:00:24 +02:00
			`extraConfig = ''`
			`Defaults env_keep += SSH_AUTH_SOCK`
			`'';`
Initial import 2024-08-18 13:47:18 +02:00			`};`

			`services.logind.killUserProcesses = true;`
			`}`