add: yubilock nix package

2026-05-29 15:44:32 -04:00
parent aa5251a603
commit a81f667f94
3 changed files with 60 additions and 4 deletions
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,6 +1,8 @@
-{ pkgs }: {
+{ pkgs }:
+{
  # sable-web = pkgs.callPackage ./common/sable.nix {};
  swaytreesave = pkgs.callPackage ./linux/swaytreesave.nix { };
  musicpresence = pkgs.callPackage ./linux/musicpresence.nix { };
  vintage-story = pkgs.callPackage ./linux/vintage-story.nix { };
+  yubilock = pkgs.callPackage ./linux/yubilock/default.nix { };
 }
--- a/pkgs/linux/yubilock/default.nix
+++ b/pkgs/linux/yubilock/default.nix
@@ -0,0 +1,21 @@
+{ pkgs }:
+let
+  name = "yubilock";
+  runtimeInputs = with pkgs; [
+    systemd
+    coreutils
+    yubikey-manager
+    gawk
+    getent
+    logger
+  ];
+  yubilock = (pkgs.writeScriptBin name (builtins.readFile ./yubilock.sh)).overrideAttrs (old: {
+    buildCommand = "${old.buildCommand}\n patchShebangs $out";
+  });
+in
+pkgs.symlinkJoin {
+  inherit name;
+  paths = [ yubilock ] ++ runtimeInputs;
+  buildInputs = [ pkgs.makeWrapper ];
+  postBuild = "wrapProgram $out/bin/${name} --prefix PATH : $out/bin";
+}
--- a/pkgs/linux/yubilock/yubilock.sh
+++ b/pkgs/linux/yubilock/yubilock.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+SESSIONS=($(loginctl list-sessions --no-legend | awk '{ print $1 }'))
+
+for SESSION_ID in "${SESSIONS[@]}"
+do
+  USERNAME=$(loginctl show-session ${SESSION_ID} -p Name --value)
+  SESSION_TYPE=$(loginctl show-session ${SESSION_ID} -p Type --value) # should be x11 or wayland
+  SESSION_LOCKED=$(loginctl show-session ${SESSION_ID} -p LockedHint --value) # yes/no
+  USER_DIR=$(getent passwd "$USERNAME" | cut -d: -f6)
+  KEY_FILE="$USER_DIR/.yubikeys"
+
+  if ! [[ "$SESSION_TYPE" == "x11" || "$SESSION_TYPE" == "wayland" ]]; then
+    continue
+  fi
+  if ! [ -e "$KEY_FILE" ]; then
+    continue
+  fi
+
+  MATCHING_KEYS=$(comm -12 <(ykman list --serials | sort) <(sort $KEY_FILE))
+
+  if [[ $MATCHING_KEYS == "" ]]; then
+    if [[ $SESSION_LOCKED == "no" ]]; then
+      logger "All YubiKeys Removed ($USERNAME)"
+      loginctl lock-session ${SESSION_ID}
+    fi
+  else
+    if [[ $SESSION_LOCKED == "yes" ]]; then
+      logger "YubiKey Found, Unlocking ($USERNAME)"
+      loginctl activate ${SESSION_ID}
+      loginctl unlock-session ${SESSION_ID}
+    fi
+  fi
+done