windows-hello module

nzbr · nzbr · commit 89780224eac0 · 2022-04-21T16:29:35.000+02:00
diff --git a/configuration.nix b/configuration.nix
@@ -19,6 +19,9 @@ in
 
     # Enable integration with Docker Desktop (needs to be installed)
     # docker.enable = true;
+
+    # Enable authenticating sudo prompts with Windows Hello
+    # windowsHello.enable = true;
   };
 
   # Enable nix flakes
diff --git a/flake.nix b/flake.nix
@@ -17,9 +17,10 @@
       nixosModules.wsl = {
         imports = [
           ./modules/build-tarball.nix
-          ./modules/wsl-distro.nix
           ./modules/docker-desktop.nix
           ./modules/installer.nix
+          ./modules/windows-hello.nix
+          ./modules/wsl-distro.nix
         ];
       };
 
diff --git a/modules/windows-hello.nix b/modules/windows-hello.nix
@@ -0,0 +1,51 @@
+{ lib, pkgs, config, ... }:
+
+with builtins; with lib;
+{
+
+  options.wsl.windowsHello = {
+    enable = mkEnableOption "Authentication using Windows Hello";
+  };
+
+  config =
+    let
+      cfg = config.wsl.windowsHello;
+    in
+    mkIf (config.wsl.enable && cfg.enable) {
+
+      security.sudo.wheelNeedsPassword = true;
+      security.sudo.extraConfig = ''
+        Defaults rootpw
+      '';
+
+      # Hijack the pam_usb module, because NixOS does not allow for adding custom PAM modules at the moment
+      security.pam.usb.enable = true;
+      nixpkgs.overlays = [
+        (self: super: {
+          pam_usb =
+            let
+              authenticator = pkgs.stdenv.mkDerivation {
+                name = "WindowsHelloAuthenticator.exe";
+                src = pkgs.fetchurl {
+                  url = "https://github.com/nzbr/PAM-WindowsHello/releases/download/v1/WindowsHelloAuthenticator.exe";
+                  sha256 = "4856a1fefa5c869b78890f9313a560d310e9c11f2a2a212c2868cf292792ff7f";
+                };
+                dontUnpack = true;
+                buildCommand = ''
+                  install -m 0755 $src $out
+                '';
+              };
+              wrapper = pkgs.writeShellScript "wrapper" ''
+                export PATH=${pkgs.coreutils}/bin # The PAM environment does not include the default PATH
+                export WSL_INTEROP="/run/WSL/$(ls -tr /run/WSL | tail -n1)" # Find the correct WSL_INTEROP socket to be able to start the EXE
+                env > /tmp/env
+                exec ${authenticator} [$PAM_SERVICE] $PAM_RUSER wants to authenticate as $PAM_USER
+              '';
+            in
+            "${pkgs.pam}/lib/security/pam_exec.so ${wrapper} \n# ";
+        })
+      ];
+
+    };
+
+}
