From 03e1ae20ae3eca5ac71388bc448ecf263b481f68 Mon Sep 17 00:00:00 2001
From: Mihai Fufezan
Date: Tue, 23 Jan 2024 21:26:45 +0200
Subject: [PATCH] nixos/howdy: init

---
 .../manual/release-notes/rl-2411.section.md   |  2 +
 nixos/modules/module-list.nix                 |  1 +
 nixos/modules/security/pam.nix                | 11 ++++
 .../services/security/howdy/config.nix        | 46 +++++++++++++++
 .../services/security/howdy/default.nix       | 57 +++++++++++++++++++
 5 files changed, 117 insertions(+)
 create mode 100644 nixos/modules/services/security/howdy/config.nix
 create mode 100644 nixos/modules/services/security/howdy/default.nix

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 8cb0986567f2a..c4bd11b1ca8d3 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -89,6 +89,8 @@
 
 - [Privatebin](https://github.com/PrivateBin/PrivateBin/), a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable).
 
+- [Howdy](https://github.com/boltgolt/howdy), a Windows Helloâ„¢ style facial authentication program for Linux.
+
 - [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable).
 
 - [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 350bb8a0e3cbd..8cb9aa1a5e6c5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1324,6 +1324,7 @@
   ./services/security/hockeypuck.nix
   ./services/security/hologram-agent.nix
   ./services/security/hologram-server.nix
+  ./services/security/howdy
   ./services/security/infnoise.nix
   ./services/security/intune.nix
   ./services/security/jitterentropy-rngd.nix
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index e50038ecbec9f..0be9e61906211 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -267,6 +267,16 @@ let
         '';
       };
 
+      howdyAuth = lib.mkOption {
+        default = config.services.howdy.enable;
+        defaultText = lib.literalExpression "config.services.howdy.enable";
+        type = lib.types.bool;
+        description = ''
+          If set, IR camera will be used (if it exists and your
+          facial models are enrolled).
+        '';
+      };
+
       oathAuth = lib.mkOption {
         default = config.security.pam.oath.enable;
         defaultText = lib.literalExpression "config.security.pam.oath.enable";
@@ -709,6 +719,7 @@ let
           dp9ik.authserver
         ]; })
         { name = "fprintd"; enable = cfg.fprintAuth; control = "sufficient"; modulePath = "${config.services.fprintd.package}/lib/security/pam_fprintd.so"; }
+        { name = "howdy"; enable = cfg.howdyAuth; control = "sufficient"; modulePath = "${config.services.howdy.package}/lib/security/pam_howdy.so"; }
       ] ++
       # Modules in this block require having the password set in PAM_AUTHTOK.
       # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
diff --git a/nixos/modules/services/security/howdy/config.nix b/nixos/modules/services/security/howdy/config.nix
new file mode 100644
index 0000000000000..e806366d377e0
--- /dev/null
+++ b/nixos/modules/services/security/howdy/config.nix
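Review bot: The `howdyAuth` description does not tell the reader the two things that matter for a security decision: that its default of `config.services.howdy.enable` turns face authentication on for every `security.pam.services` entry at once (login, sudo, polkit, screen lockers) rather than for one service, and that a match is treated as `sufficient` (see the second hunk of this file), so no password is requested afterwards. The "IR camera will be used" wording is also narrower than what is visible elsewhere in this patch, where Howdy is pointed at a plain `video.device_path`; whether IR is required is not established here and should not be stated as fact. I would replace the description with `Whether a successful Howdy face match satisfies this PAM service's authentication on its own. Enabled for every PAM service by default once services.howdy.enable is set; set it to false per service (e.g. sudo) where a password should still be required.` The enclosing option set and the `let` binding start before this hunk.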
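Review bot: The new `howdy` rule is `control = "sufficient"`, which means a face match alone ends the auth stack successfully and the password modules below it never run; combined with the module's own caution that Howdy "can be fooled using a well-printed photo", this is a single-factor bypass of the password for whichever services have `howdyAuth` set, and by default that is all of them. Keeping `sufficient` matches the `fprintd` line above and is presumably what upstream expects, but the trade-off deserves a comment at the rule rather than being implied, e.g. `# sufficient: a face match alone authenticates; per-service opt-out via security.pam.services.<name>.howdyAuth`. Note that `modulePath` dereferences `config.services.howdy.package` unconditionally; that is fine as long as the `howdy` module is always imported (module-list.nix is updated in this patch), but it would break for anyone who imports pam.nix without it. The rule list continues outside this hunk.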
@@ -0,0 +1,46 @@
+{
+  core = {
+    detection_notice = false;
+    timeout_notice = true;
+    no_confirmation = false;
+    suppress_unknown = false;
+    abort_if_ssh = true;
+    abort_if_lid_closed = true;
+    disabled = false;
+    use_cnn = false;
+    workaround = "off";
+  };
+
+  video = {
+    certainty = 3.5;
+    timeout = 4;
+    device_path = "/dev/video2";
+    warn_no_device = true;
+    max_height = 320;
+    frame_width = -1;
+    frame_height = -1;
+    dark_threshold = 60;
+    recording_plugin = "opencv";
+    device_format = "v4l2";
+    force_mjpeg = false;
+    exposure = -1;
+    device_fps = -1;
+    rotate = 0;
+  };
+
+  snapshots = {
+    save_failed = false;
+    save_successful = false;
+  };
+
+  rubberstamps = {
+    enabled = false;
+    stamp_rules = "nod 5s failsafe min_distance=12";
+  };
+
+  debug = {
+    end_report = false;
+    verbose_stamps = false;
+    gtk_stdout = false;
+  };
+}
diff --git a/nixos/modules/services/security/howdy/default.nix b/nixos/modules/services/security/howdy/default.nix
new file mode 100644
index 0000000000000..979be38c3be17
--- /dev/null
+++ b/nixos/modules/services/security/howdy/default.nix
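Review bot: This defaults file carries no comments at all, and several of its values are the ones a user must get right for the PAM module to be safe, starting with `device_path = "/dev/video2"`, a hard-coded node that is machine-specific (which video index the face camera lands on varies by laptop) and is only softened by `warn_no_device = true`. I would annotate the security-relevant keys so that someone overriding `services.howdy.settings` knows what they are loosening: `# Machine-specific guess; override services.howdy.settings.video.device_path for your camera node` on `device_path`, `# Lower is a stricter match; raising this makes spoofing easier -- confirm the upstream range before changing` on `certainty`, and `# Refuse face auth for remote (ssh) sessions and with the lid shut; keep these on` on `abort_if_ssh`/`abort_if_lid_closed`, the latter phrased as what the names suggest since their exact semantics are not established in this patch. The `snapshots` keys being `false` presumably keeps captured frames off disk, which is the right default and also worth a one-line comment.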
@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.howdy;
+  settingsType = pkgs.formats.ini { };
+in
+{
+  options = {
+    services.howdy = {
+      enable = lib.mkEnableOption "" // {
+        description = ''
+          Whether to enable Howdy and its PAM module for face recognition. See
+          `services.linux-enable-ir-emitter` for enabling the IR emitter support.
+
+          ::: {.caution}
+          Howdy is not a safe alternative to unlocking with your password. It
+          can be fooled using a well-printed photo.
+
+          Do **not** use it as the sole authentication method for your system.
+          :::
+        '';
+      };
+
+      package = lib.mkPackageOption pkgs "howdy" { };
+
+      settings = lib.mkOption {
+        inherit (settingsType) type;
+        default = import ./config.nix;
+        description = ''
+          Howdy configuration file. Refer to
+
+          for options.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      environment.systemPackages = [ cfg.package ];
+      environment.etc."howdy/config.ini".source = settingsType.generate "howdy-config.ini" cfg.settings;
+      assertions = [
+        {
+          assertion = !(builtins.elem "v4l2loopback" config.boot.kernelModules);
+          message = "Adding 'v4l2loopback' to `boot.kernelModules` causes Howdy to no longer work. Consider adding it to `boot.extraModulePackages` instead.";
+        }
+      ];
+    })
+    {
+      services.howdy.settings = lib.mapAttrsRecursive (name: lib.mkDefault) (import ./config.nix);
+    }
+  ];
+}
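Review bot: `settings` declares `default = import ./config.nix;` and the unconditional second `mkMerge` branch then defines every leaf of the same file with `lib.mkDefault`, so the option default never takes effect (a definition always wins over `default`) and the two can silently drift if one is edited without the other. The per-leaf `mkDefault` branch is the one worth keeping, because it lets a user override a single key such as `video.device_path` without losing the rest of the defaults, which a whole-attrset `default` would not allow; I would drop the `default = import ./config.nix;` line and add `defaultText = lib.literalMD "the defaults in {file}\`config.nix\`";` so the manual still documents where the values come from. The caution in `enable` is good but stops short of the consequence visible in the pam.nix hunk of this patch: enabling this turns on `howdyAuth` for every PAM service, so a sentence like `By default this applies to all PAM services, including sudo and the login screen; opt out per service with security.pam.services.<name>.howdyAuth = false.` belongs in it. The `settings` description's link text appears to have been lost in this rendering (it reads "Refer to ... for options." with nothing in between), which is worth checking in the actual file.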