From 6f3c7db3465013faaa4dfb6f9beb1b5853c06628 Mon Sep 17 00:00:00 2001 From: Mihai Fufezan Date: Mon, 13 Feb 2023 17:49:31 +0200 Subject: [PATCH 1/4] linux-enable-ir-emitter: init at 6.1.2 --- .../li/linux-enable-ir-emitter/package.nix | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 pkgs/by-name/li/linux-enable-ir-emitter/package.nix diff --git a/pkgs/by-name/li/linux-enable-ir-emitter/package.nix b/pkgs/by-name/li/linux-enable-ir-emitter/package.nix new file mode 100644 index 0000000000000..220faab6e30f4 --- /dev/null +++ b/pkgs/by-name/li/linux-enable-ir-emitter/package.nix @@ -0,0 +1,62 @@ +{ + lib, + stdenv, + makeWrapper, + fetchFromGitHub, + meson, + ninja, + pkg-config, + argparse, + gtk3, + python3, + spdlog, + usbutils, + yaml-cpp, +}: +stdenv.mkDerivation (finalAttrs: { + pname = "linux-enable-ir-emitter"; + version = "6.1.2"; + + src = fetchFromGitHub { + owner = "EmixamPP"; + repo = "linux-enable-ir-emitter"; + tag = finalAttrs.version; + hash = "sha256-wSmWebX4H3Hj8bbFoVMq3DY3i/nKkQaeu3mXX0o6IaY="; + }; + + nativeBuildInputs = [ + makeWrapper + meson + ninja + pkg-config + ]; + + buildInputs = [ + argparse + gtk3 + spdlog + usbutils + yaml-cpp + python3.pkgs.opencv4Full + ]; + + mesonFlags = lib.lists.flatten [ + (lib.attrsets.mapAttrsToList lib.strings.mesonOption { + config_dir = "/var/lib"; + localstatedir = "/var"; + }) + (lib.attrsets.mapAttrsToList lib.strings.mesonBool { + create_config_dir = false; + create_log_dir = false; + }) + ]; + + meta = { + description = "Provides support for infrared cameras that are not directly enabled out-of-the box"; + homepage = "https://github.com/EmixamPP/linux-enable-ir-emitter"; + license = lib.licenses.mit; + maintainers = with lib.maintainers; [ fufexan ]; + mainProgram = "linux-enable-ir-emitter"; + platforms = lib.platforms.linux; + }; +}) From 7a3e9ef2a1754a597180b81742bbc196d5fa6527 Mon Sep 17 00:00:00 2001 From: Mihai Fufezan Date: Mon, 13 Feb 2023 18:53:46 +0200 Subject: [PATCH 2/4] howdy: init at 3.0.0 --- pkgs/by-name/ho/howdy/package.nix | 166 ++++++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100644 pkgs/by-name/ho/howdy/package.nix diff --git a/pkgs/by-name/ho/howdy/package.nix b/pkgs/by-name/ho/howdy/package.nix new file mode 100644 index 0000000000000..76736305daf9a --- /dev/null +++ b/pkgs/by-name/ho/howdy/package.nix @@ -0,0 +1,166 @@ +{ + stdenv, + lib, + copyDesktopItems, + fetchFromGitHub, + fetchpatch, + fetchurl, + bzip2, + gobject-introspection, + imagemagick, + meson, + ninja, + pkg-config, + wrapGAppsHook3, + makeDesktopItem, + makeWrapper, + fmt, + gettext, + gtk3, + inih, + libevdev, + pam, + python3, +}: + +stdenv.mkDerivation (finalAttrs: { + pname = "howdy"; + version = "3.0.0"; + + src = fetchFromGitHub { + owner = "boltgolt"; + repo = "howdy"; + # The 3.0.0 release does not have a corresponding tag yet. + # The maintainer was asked to provide one here https://github.com/boltgolt/howdy/pull/1023#issuecomment-3722339500 + rev = "d3ab99382f88f043d15f15c1450ab69433892a1c"; + hash = "sha256-Xd/uScMnX1GMwLD5GYSbE2CwEtzrhwHocsv0ESKV8IM="; + }; + + patches = [ + # Allows specifying whether to install config file. Paired with the + # `install_config` meson option. Needed to disallow installing the config + # file in `/etc/howdy`, as it is not allowed by the Nix sandbox. A NixOS + # module creates `/etc/howdy` and the config file of course. + # PR sent upstream https://github.com/boltgolt/howdy/pull/1050 + (fetchpatch { + url = "https://github.com/boltgolt/howdy/commit/1f3b83e2db5a8dfd9c7c88706ecce033e154060a.patch"; + hash = "sha256-OIN8A4q0zjtMOMzZgBqrKy2qOD8BDPB+euG6zerFbCE="; + }) + + # Fix python path for howdy-gtk. Uses python from meson option instead of + # the system installation (which is not defined in this package). + # PR sent upstream https://github.com/boltgolt/howdy/pull/1049 + (fetchpatch { + url = "https://github.com/boltgolt/howdy/commit/b056724f84361dc6150554e7a806152af032c54b.patch"; + hash = "sha256-ZOb+QmWagKWtyXI0Xg00tnw8UP8uDWw7wb4Fwjy3VeE="; + }) + ]; + + mesonFlags = lib.concatLists [ + (lib.mapAttrsToList lib.mesonOption { + config_dir = "/etc/howdy"; + python_path = "${finalAttrs.finalPackage.pythonEnv}/bin/python"; + user_models_dir = "/var/lib/howdy/models"; + }) + (lib.mapAttrsToList lib.mesonBool { + install_config = false; + with_polkit = true; + }) + ]; + + nativeBuildInputs = [ + bzip2 + copyDesktopItems + gobject-introspection + imagemagick + meson + ninja + pkg-config + wrapGAppsHook3 + makeWrapper + ]; + + buildInputs = [ + fmt + gettext + gtk3 + inih + libevdev + pam + ]; + + desktopItems = [ + (makeDesktopItem { + name = "howdy"; + exec = "howdy-gtk"; + icon = "howdy"; + comment = "Howdy facial authentication"; + desktopName = "Howdy"; + genericName = "Facial authentication"; + categories = [ + "System" + "Security" + ]; + }) + ]; + + postInstall = '' + # install dlib data + rm -rf $out/share/dlib-data/* + ${lib.concatStrings ( + lib.mapAttrsToList (n: v: '' + bzip2 -dc ${v} > $out/share/dlib-data/${n}.dat + '') finalAttrs.finalPackage.passthru.dlibModels + )} + + for size in 16 24 32 48 64 128 256 512; do + mkdir -p $out/share/icons/hicolor/"$size"x"$size"/apps + magick -background none "$out/share/howdy-gtk/logo.png" -resize "$size"x"$size" $out/share/icons/hicolor/"$size"x"$size"/apps/howdy.png + done + + chmod +x $out/lib/howdy-gtk/init.py + ''; + + pythonEnv = python3.buildEnv.override { + extraLibs = lib.attrVals finalAttrs.finalPackage.passthru.pythonDeps python3.pkgs; + makeWrapperArgs = [ + "--set" + "OMP_NUM_THREADS" + "1" + ]; + }; + + passthru = { + pythonDeps = [ + "dlib" + "elevate" + "face-recognition" + "keyboard" + "opencv4Full" + "pycairo" + "pygobject3" + ]; + dlibModels = lib.mapAttrs ( + name: hash: + fetchurl { + name = "howdy-${name}.dat"; + url = "https://github.com/davisking/dlib-models/raw/daf943f7819a3dda8aec4276754ef918dc26491f/${name}.dat.bz2"; + inherit hash; + } + ) finalAttrs.finalPackage.passthru.dlibModelsHashes; + dlibModelsHashes = { + dlib_face_recognition_resnet_model_v1 = "sha256-q7H2EEHkNEZYVc6Bwr1UboMNKLy+2NJ/++W7QIsRVTo="; + mmod_human_face_detector = "sha256-256eQPCSwRjV6z5kOTWyFoOBcHk1WVFVQcVqK1DZ/IQ="; + shape_predictor_5_face_landmarks = "sha256-bnh7vr9cnv23k/bNHwIyMMRBMwZgXyTymfEoaflapHI="; + }; + }; + + meta = { + description = "Windows Hello™ style facial authentication for Linux"; + homepage = "https://github.com/boltgolt/howdy"; + license = lib.licenses.mit; + mainProgram = "howdy"; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ fufexan ]; + }; +}) From c29b9ef82a8d9d75970bf5037c7facb623b418f3 Mon Sep 17 00:00:00 2001 From: Mihai Fufezan Date: Wed, 22 Oct 2025 22:53:40 +0300 Subject: [PATCH 3/4] nixos/howdy: init --- .../manual/release-notes/rl-2605.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/security/pam.nix | 50 +++++++ .../services/security/howdy/default.nix | 122 ++++++++++++++++++ 4 files changed, 175 insertions(+) create mode 100644 nixos/modules/services/security/howdy/default.nix diff --git a/nixos/doc/manual/release-notes/rl-2605.section.md b/nixos/doc/manual/release-notes/rl-2605.section.md index 12e0580cc96de..7d6e7e34d2a98 100644 --- a/nixos/doc/manual/release-notes/rl-2605.section.md +++ b/nixos/doc/manual/release-notes/rl-2605.section.md @@ -36,6 +36,8 @@ - [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable). +- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux. + - [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`. - [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index bec540d6f5041..19be56b1241cf 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1488,6 +1488,7 @@ ./services/security/hockeypuck.nix ./services/security/hologram-agent.nix ./services/security/hologram-server.nix + ./services/security/howdy ./services/security/infnoise.nix ./services/security/intune.nix ./services/security/jitterentropy-rngd.nix diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 12fdf781e9ec8..176a8e4c79eb8 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -322,6 +322,28 @@ let ''; }; + howdy = { + enable = lib.mkOption { + default = config.security.pam.howdy.enable; + defaultText = lib.literalExpression "config.security.pam.howdy.enable"; + type = lib.types.bool; + description = '' + Whether to enable the Howdy PAM module. + + If set, users can be authenticated using Howdy, the Windows + Hello™-style facial authentication service. + ''; + }; + control = lib.mkOption { + default = config.security.pam.howdy.control; + defaultText = lib.literalExpression "config.security.pam.howdy.control"; + type = lib.types.str; + description = '' + This option sets the PAM "control" used for this module. + ''; + }; + }; + oathAuth = lib.mkOption { default = config.security.pam.oath.enable; defaultText = lib.literalExpression "config.security.pam.oath.enable"; @@ -951,6 +973,12 @@ let control = "sufficient"; modulePath = "${config.services.fprintd.package}/lib/security/pam_fprintd.so"; } + { + name = "howdy"; + enable = cfg.howdy.enable; + control = cfg.howdy.control; + modulePath = "${config.services.howdy.package}/lib/security/pam_howdy.so"; + } ] ++ # Modules in this block require having the password set in PAM_AUTHTOK. @@ -1797,6 +1825,28 @@ in }; }; + security.pam.howdy = { + enable = lib.mkOption { + default = config.services.howdy.enable; + defaultText = lib.literalExpression "config.services.howdy.enable"; + type = lib.types.bool; + description = '' + Whether to enable the Howdy PAM module. + + If set, users can be authenticated using Howdy, the Windows + Hello™-style facial authentication service. + ''; + }; + control = lib.mkOption { + default = config.services.howdy.control; + defaultText = lib.literalExpression "config.services.howdy.control"; + type = lib.types.str; + description = '' + This option sets the PAM "control" used for this module. + ''; + }; + }; + security.pam.krb5 = { enable = lib.mkOption { default = config.security.krb5.enable; diff --git a/nixos/modules/services/security/howdy/default.nix b/nixos/modules/services/security/howdy/default.nix new file mode 100644 index 0000000000000..80ba52ac1965d --- /dev/null +++ b/nixos/modules/services/security/howdy/default.nix @@ -0,0 +1,122 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.services.howdy; + settingsType = pkgs.formats.ini { }; + + default_config = { + core = { + detection_notice = false; + timeout_notice = true; + no_confirmation = false; + suppress_unknown = false; + abort_if_ssh = true; + abort_if_lid_closed = true; + disabled = false; + use_cnn = false; + workaround = "off"; + }; + + video = { + certainty = 3.5; + timeout = 4; + device_path = "/dev/video2"; + warn_no_device = true; + max_height = 320; + frame_width = -1; + frame_height = -1; + dark_threshold = 60; + recording_plugin = "opencv"; + device_format = "v4l2"; + force_mjpeg = false; + exposure = -1; + device_fps = -1; + rotate = 0; + }; + + snapshots = { + save_failed = false; + save_successful = false; + }; + + rubberstamps = { + enabled = false; + stamp_rules = "nod 5s failsafe min_distance=12"; + }; + + debug = { + end_report = false; + verbose_stamps = false; + gtk_stdout = false; + }; + }; +in +{ + options = { + services.howdy = { + enable = lib.mkEnableOption "" // { + description = '' + Whether to enable Howdy and its PAM module for face recognition. See + `services.linux-enable-ir-emitter` for enabling the IR emitter support. + + ::: {.caution} + Howdy is not a safe alternative to unlocking with your password. It + can be fooled using a well-printed photo. + + Do **not** use it as the sole authentication method for your system. + ::: + + ::: {.note} + By default, the {option}`config.services.howdy.control` option is set + to `"required"`, meaning it will act as a second-factor authentication + in most services. To change this, set the option to `"sufficient"`. + ::: + ''; + }; + + package = lib.mkPackageOption pkgs "howdy" { }; + + control = lib.mkOption { + type = lib.types.str; + default = "required"; + description = '' + PAM control flag to use for Howdy. + + Sets the {option}`security.pam.howdy.control` option. + + Refer to {manpage}`pam.conf(5)` for options. + ''; + }; + + settings = lib.mkOption { + inherit (settingsType) type; + default = default_config; + description = '' + Howdy configuration file. Refer to + + for options. + ''; + }; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + environment.etc."howdy/config.ini".source = settingsType.generate "howdy-config.ini" cfg.settings; + assertions = [ + { + assertion = !(builtins.elem "v4l2loopback" config.boot.kernelModules); + message = "Adding 'v4l2loopback' to `boot.kernelModules` causes Howdy to no longer work. Consider adding 'v4l2loopback' to `boot.extraModulePackages` instead."; + } + ]; + }) + { + services.howdy.settings = lib.mapAttrsRecursive (name: lib.mkDefault) default_config; + } + ]; +} From beea11b99e0ee7e9891f2273743e1a07f84156a5 Mon Sep 17 00:00:00 2001 From: Mihai Fufezan Date: Wed, 22 Oct 2025 22:54:28 +0300 Subject: [PATCH 4/4] nixos/linux-enable-ir-emitter: init --- .../manual/release-notes/rl-2605.section.md | 2 + nixos/modules/module-list.nix | 1 + .../services/misc/linux-enable-ir-emitter.nix | 71 +++++++++++++++++++ 3 files changed, 74 insertions(+) create mode 100644 nixos/modules/services/misc/linux-enable-ir-emitter.nix diff --git a/nixos/doc/manual/release-notes/rl-2605.section.md b/nixos/doc/manual/release-notes/rl-2605.section.md index 7d6e7e34d2a98..2e40f225818d8 100644 --- a/nixos/doc/manual/release-notes/rl-2605.section.md +++ b/nixos/doc/manual/release-notes/rl-2605.section.md @@ -38,6 +38,8 @@ - [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux. +- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy. + - [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`. - [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 19be56b1241cf..8422d5f308c23 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -878,6 +878,7 @@ ./services/misc/languagetool.nix ./services/misc/leaps.nix ./services/misc/lifecycled.nix + ./services/misc/linux-enable-ir-emitter.nix ./services/misc/litellm.nix ./services/misc/llama-cpp.nix ./services/misc/local-content-share.nix diff --git a/nixos/modules/services/misc/linux-enable-ir-emitter.nix b/nixos/modules/services/misc/linux-enable-ir-emitter.nix new file mode 100644 index 0000000000000..66d10fc87b351 --- /dev/null +++ b/nixos/modules/services/misc/linux-enable-ir-emitter.nix @@ -0,0 +1,71 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.services.linux-enable-ir-emitter; +in +{ + options = { + services.linux-enable-ir-emitter = { + enable = lib.mkEnableOption "" // { + description = '' + Whether to enable IR emitter hardware. Designed to be used with the + Howdy facial authentication. After enabling the service, configure + the emitter with `sudo linux-enable-ir-emitter configure`. + ''; + }; + + package = lib.mkPackageOption pkgs "linux-enable-ir-emitter" { } // { + description = '' + Package to use for the Linux Enable IR Emitter service. + ''; + }; + + device = lib.mkOption { + type = lib.types.str; + default = "video2"; + description = '' + IR camera device to depend on. For example, for `/dev/video2` + the value would be `video2`. Find this with the command + {command}`realpath /dev/v4l/by-path/`. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + # https://github.com/EmixamPP/linux-enable-ir-emitter/blob/7e3a6527ef2efccabaeefc5a93c792628325a8db/sources/systemd/linux-enable-ir-emitter.service + systemd.services.linux-enable-ir-emitter = + let + targets = [ + "suspend.target" + "sleep.target" + "hybrid-sleep.target" + "hibernate.target" + "suspend-then-hibernate.target" + ]; + in + { + description = "Enable the infrared emitter"; + # Added to match + # https://github.com/EmixamPP/linux-enable-ir-emitter/blob/6.1.2/boot_service/systemd/linux-enable-ir-emitter.service + # Prevents the program fail to detect the IR camera until a service + # restart. + preStart = '' + ${pkgs.kmod}/bin/modprobe uvcvideo + sleep 1 + ''; + script = "${lib.getExe cfg.package} --verbose run"; + serviceConfig.StateDirectory = "linux-enable-ir-emitter"; + serviceConfig.LogsDirectory = "linux-enable-ir-emitter"; + + wantedBy = targets ++ [ "multi-user.target" ]; + after = targets ++ [ "dev-${cfg.device}.device" ]; + }; + }; +}