nix-files/hosts/common/programs/swaylock.nix

{ config, lib, pkgs, ... }:
let
  cfg = config.sane.programs.swaylock;
in
{
  sane.programs.swaylock = {
    packageUnwrapped = pkgs.swaylock.overrideAttrs (upstream: {
      nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
        pkgs.copyDesktopItems
      ];
      desktopItems = (upstream.desktopItems or []) ++ [
        (pkgs.makeDesktopItem {
          name = "swaylock";
          exec = "swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
          desktopName = "Sway session locker";
        })
      ];
    });

    sandbox.method = "bwrap";
    sandbox.extraPaths = [
      # N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
      # swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
      # which needs read access to /etc/shadow. that can be either via suid bit (default; incompatible with sandbox)
      # or by making /etc/shadow readable by the user (which is what i do -- check the activationScript)
      "/etc/shadow"
    ];
    sandbox.whitelistWayland = true;
  };

  security.pam.services = lib.mkIf cfg.enabled {
    swaylock = {};
  };
}
sway: launch gui apps via sane-open-desktop instead of inline this will allow for sandboxing, in the future 2024-03-01 04:02:32 +00:00			`{ config, lib, pkgs, ... }:`
sway: define without using nixos "programs.sway" motivation was to leverage 'sane.programs.sway.env' to statically configure SWAYSOCK. i think that's still the right way: we'll see 2024-02-15 14:22:40 +00:00			`let`
			`cfg = config.sane.programs.swaylock;`
			`in`
			`{`
			`sane.programs.swaylock = {`
sway: launch gui apps via sane-open-desktop instead of inline this will allow for sandboxing, in the future 2024-03-01 04:02:32 +00:00			`packageUnwrapped = pkgs.swaylock.overrideAttrs (upstream: {`
			`nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [`
			`pkgs.copyDesktopItems`
			`];`
			`desktopItems = (upstream.desktopItems or []) ++ [`
			`(pkgs.makeDesktopItem {`
			`name = "swaylock";`
			`exec = "swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";`
			`desktopName = "Sway session locker";`
			`})`
			`];`
			`});`

sway: define without using nixos "programs.sway" motivation was to leverage 'sane.programs.sway.env' to statically configure SWAYSOCK. i think that's still the right way: we'll see 2024-02-15 14:22:40 +00:00			`sandbox.method = "bwrap";`
			`sandbox.extraPaths = [`
			`# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.`
			# swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
			`# which needs read access to /etc/shadow. that can be either via suid bit (default; incompatible with sandbox)`
			`# or by making /etc/shadow readable by the user (which is what i do -- check the activationScript)`
			`"/etc/shadow"`
			`];`
			`sandbox.whitelistWayland = true;`
			`};`

			`security.pam.services = lib.mkIf cfg.enabled {`
			`swaylock = {};`
			`};`
			`}`