diff --git a/configuration.nix b/configuration.nix
index f2387642..9960b51c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -19,6 +19,10 @@ in
 # Enable integration with Docker Desktop (needs to be installed)
 # docker.enable = true;
+
+ # Enable authenticating sudo prompts with Windows Hello
+ # DO NOT USE THIS FOR ANYTHING SECURITY-CRITICAL
+ # windowsHello.enable = true;
 };
 # Enable nix flakes
diff --git a/flake.nix b/flake.nix
index 256ca84a..c8e7c06c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,9 +17,10 @@ nixosModules.wsl = {
 imports = [
 ./modules/build-tarball.nix
- ./modules/wsl-distro.nix
 ./modules/docker-desktop.nix
 ./modules/installer.nix
+ ./modules/windows-hello.nix
+ ./modules/wsl-distro.nix
 ];
 };
diff --git a/modules/windows-hello.nix b/modules/windows-hello.nix
new file mode 100644
index 00000000..8a4444a7
--- /dev/null
+++ b/modules/windows-hello.nix
@@ -0,0 +1,50 @@
+{ lib, pkgs, config, ... }:
+
+with builtins; with lib;
+{
+
+ options.wsl.windowsHello = {
+ enable = mkEnableOption "Authentication using Windows Hello";
+ };
+
+ config =
+ let
+ cfg = config.wsl.windowsHello;
+ in
+ mkIf (config.wsl.enable && cfg.enable) {
+
+ security.sudo.wheelNeedsPassword = true;
+ security.sudo.extraConfig = ''
+ Defaults rootpw
+ '';
+
+ # Hijack the pam_usb module, because NixOS does not allow for adding custom PAM modules at the moment
+ security.pam.usb.enable = true;
+ nixpkgs.overlays = [
+ (self: super: {
+ pam_usb =
+ let
+ authenticator = pkgs.stdenv.mkDerivation {
+ name = "WindowsHelloAuthenticator.exe";
+ src = pkgs.fetchurl {
+ url = "https://github.com/nzbr/PAM-WindowsHello/releases/download/v1/WindowsHelloAuthenticator.exe";
+ sha256 = "4856a1fefa5c869b78890f9313a560d310e9c11f2a2a212c2868cf292792ff7f";
+ };
+ dontUnpack = true;
+ buildCommand = ''
+ install -m 0755 $src $out
+ '';
+ };
+ wrapper = pkgs.writeShellScript "wrapper" ''
+ export PATH=${pkgs.coreutils}/bin # The PAM environment does not include the default PATH
+ export WSL_INTEROP="/run/WSL/$(ls -tr /run/WSL | tail -n1)" # Find the correct WSL_INTEROP socket to be able to start the EXE
+ exec ${authenticator} [$PAM_SERVICE] $PAM_RUSER wants to authenticate as $PAM_USER
+ '';
+ in
+ "${pkgs.pam}/lib/security/pam_exec.so ${wrapper} \n# ";
+ })
+ ];
+
+ };
+
+}
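Review bot: `security.pam.usb.enable = true;` does not scope the hijacked module to sudo: as far as I recall NixOS's pam.nix, that option turns `usbAuth` on for every PAM service, so the injected `auth sufficient pam_exec.so …` line lands in login, su, passwd and the rest, and a single Windows Hello approval becomes sufficient to authenticate as whatever `$PAM_USER` those services pass — much wider than the "sudo prompts" the configuration.nix comment describes. The overlay string `"… pam_exec.so ${wrapper} \n# "` also depends on the exact shape of the `auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so` line to comment out its tail, so a pam.nix change would silently break or malform it. Consider enabling it per service, e.g. `security.pam.services.sudo.usbAuth = true;` in place of `security.pam.usb.enable = true;` (if that per-service option is what pam.nix offers), and document the blast radius next to the hijack comment: `# NOTE: this line is 'sufficient' in every PAM service that has usbAuth set; keep it limited to sudo`. The wrapper's exec line should also quote the PAM variables, `exec ${authenticator} "[$PAM_SERVICE]" "$PAM_RUSER" wants to authenticate as "$PAM_USER"`, so an empty PAM_RUSER does not shift the message arguments. The `ls -tr /run/WSL | tail -n1` socket pick is a guess at the caller's session and deserves a comment saying it is best-effort.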