NixOS/FxNet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
FxNet/modules/hm/yubilock.nix
derfenix 0316fb2b6c Use clever yubilock
2025-11-16 02:29:56 +03:00

168 lines
4.9 KiB
Nix
Raw Permalink Blame History

# Stealed from https://github.com/guttermonk/yubilock
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.yubilock;
# Script paths - users should copy scripts to their ~/.config/waybar/scripts/
yubilockScript = pkgs.writeShellScript "yubilock" ''
STATE_FILE="$HOME/.cache/yubilock-state"
LOG_FILE="$HOME/.cache/yubilock.log"
PID_FILE="$HOME/.cache/yubilock.pid"
# Function to check if a YubiKey is currently plugged in
check_yubikey() {
if ${pkgs.usbutils}/bin/lsusb | ${pkgs.gnugrep}/bin/grep -i "yubikey" > /dev/null; then
return 0 # device is present
else
return 1 # device is not present
fi
}
# Function to lock the screen
lock_screen() {
# Using loginctl for systemd-based systems
${pkgs.systemd}/bin/loginctl lock-session
echo "Screen locked at $(date)" >> "$LOG_FILE"
}
# Create state file if it doesn't exist
if [ ! -f "$STATE_FILE" ]; then
echo "off" > "$STATE_FILE"
fi
# Record PID for later termination
echo "$$" > "$PID_FILE"
# Main monitoring loop
echo "YubiKey monitoring started at $(date)" >> "$LOG_FILE"
while true; do
# Check if monitoring is still enabled
if [ "$(cat "$STATE_FILE")" != "on" ]; then
echo "YubiKey monitoring stopped at $(date)" >> "$LOG_FILE"
exit 0
fi
if check_yubikey; then
echo "YubiKey detected at $(date)" >> "$LOG_FILE"
# Wait until the YubiKey is removed
while check_yubikey && [ "$(cat "$STATE_FILE")" = "on" ]; do
sleep 1
done
# If we exited because service was disabled, exit gracefully
if [ "$(cat "$STATE_FILE")" != "on" ]; then
echo "YubiKey monitoring stopped at $(date)" >> "$LOG_FILE"
exit 0
fi
echo "YubiKey removed at $(date)" >> "$LOG_FILE"
lock_screen
else
echo "No YubiKey detected. Checking again in 10 seconds..." >> "$LOG_FILE"
# Check less frequently to reduce system load
sleep 10
fi
done
'';
yubilockRestoreScript = pkgs.writeShellScript "yubilock-restore" ''
STATE_FILE="$HOME/.cache/yubilock-state"
LOG_FILE="$HOME/.cache/yubilock-restore.log"
echo "[$(date)] Checking yubilock state on login" >> "$LOG_FILE"
# Create state file if it doesn't exist
if [ ! -f "$STATE_FILE" ]; then
echo "off" > "$STATE_FILE"
echo "[$(date)] No state file found, defaulting to off" >> "$LOG_FILE"
exit 0
fi
# Read the saved state
saved_state=$(cat "$STATE_FILE")
echo "[$(date)] Saved state: $saved_state" >> "$LOG_FILE"
# If it was enabled before, re-enable it
if [ "$saved_state" = "on" ]; then
if ! ${pkgs.systemd}/bin/systemctl --user is-active yubilock.service > /dev/null 2>&1; then
echo "[$(date)] Restoring yubilock service" >> "$LOG_FILE"
${pkgs.systemd}/bin/systemctl --user start yubilock.service
echo "[$(date)] Yubilock service restored" >> "$LOG_FILE"
else
echo "[$(date)] Yubilock service already running" >> "$LOG_FILE"
fi
fi
'';
in
{
options.services.yubilock = {
enable = mkEnableOption "YubiKey screen lock monitor";
autoRestore = mkOption {
type = types.bool;
default = true;
description = ''
Automatically restore yubilock state on login.
If enabled, the yubilock service will be restarted on login
if it was running when you last logged out.
'';
};
};
config = mkIf cfg.enable {
# Systemd user service for yubilock
systemd.user.services.yubilock = {
Unit = {
Description = "YubiKey lock screen monitor";
After = [ "graphical-session.target" ];
PartOf = [ "graphical-session.target" ];
};
Service = {
Type = "simple";
ExecStart = "${yubilockScript}";
Restart = "on-failure";
RestartSec = "5s";
# Ensure state persists
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p %h/.cache";
# Clean state on stop
ExecStopPost = "${pkgs.bash}/bin/bash -c 'echo off > %h/.cache/yubilock-state'";
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
};
# Systemd user service to restore yubilock state on login
systemd.user.services.yubilock-restore = mkIf cfg.autoRestore {
Unit = {
Description = "Restore YubiKey monitor state on login";
After = [ "graphical-session.target" ];
};
Service = {
Type = "oneshot";
ExecStart = "${yubilockRestoreScript}";
RemainAfterExit = false;
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
};
# Ensure required packages are available
home.packages = with pkgs; [
usbutils # for lsusb command
];
};
}
Reference in New Issue View Git Blame Copy Permalink