Added a nix module and systemd for improved statefulness.

guttermonk · guttermonk · commit 8a0e1b252112 · 2025-10-19T19:54:57.000-05:00
diff --git a/readme.md b/readme.md
@@ -14,6 +14,47 @@ This Waybar module is intended to be used with hardware like the following (ref
 - [usbutils](http://www.linux-usb.org/) needed to run `lsusb`
 
 ## Installation Instructions
+
+### Option 1: NixOS with Home Manager (Recommended for NixOS users)
+
+For NixOS users with Home Manager, you can use the included NixOS module for automatic systemd service management:
+
+1. Import the module in your Home Manager configuration:
+   ```nix
+   { config, pkgs, ... }:
+   {
+     imports = [
+       /path/to/yubilock/yubilock.nix
+     ];
+
+     services.yubilock = {
+       enable = true;
+       autoRestore = true;  # Automatically restore yubilock state on login
+     };
+   }
+   ```
+
+2. Copy the Waybar scripts to `~/.config/waybar/scripts/`:
+   ```bash
+   mkdir -p ~/.config/waybar/scripts/
+   cp scripts/*.sh ~/.config/waybar/scripts/
+   chmod +x ~/.config/waybar/scripts/*.sh
+   ```
+
+3. Add the custom module to your Waybar config (see [Waybar Configuration](#part-3-waybar-configuration)).
+
+4. Add the CSS to your Waybar style.css (see [Waybar CSS Style](#part-4-waybar-css-style)).
+
+5. Rebuild your NixOS configuration:
+   ```bash
+   home-manager switch
+   ```
+
+The systemd services will be automatically configured:
+- `yubilock.service` - Monitors YubiKey presence and locks screen on removal
+- `yubilock-restore.service` - Restores yubilock state on login (if `autoRestore = true`)
+
+### Option 2: Manual Installation (All Linux distributions)
 1. Save the three scripts to: `~/.config/waybar/scripts/`
 2. Make them executable:
    ```
diff --git a/scripts/yubilock-restore.sh b/scripts/yubilock-restore.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+    STATE_FILE="$HOME/.cache/yubilock-state"
+    LOG_FILE="$HOME/.cache/yubilock-restore.log"
+    
+    echo "[$(date)] Checking yubilock state on login" >> "$LOG_FILE"
+    
+    # Create state file if it doesn't exist
+    if [ ! -f "$STATE_FILE" ]; then
+        echo "off" > "$STATE_FILE"
+        echo "[$(date)] No state file found, defaulting to off" >> "$LOG_FILE"
+        exit 0
+    fi
+    
+    # Read the saved state
+    saved_state=$(cat "$STATE_FILE")
+    echo "[$(date)] Saved state: $saved_state" >> "$LOG_FILE"
+    
+    # If it was enabled before, re-enable it
+    if [ "$saved_state" = "on" ]; then
+        if ! systemctl --user is-active yubilock.service > /dev/null 2>&1; then
+            echo "[$(date)] Restoring yubilock service" >> "$LOG_FILE"
+            systemctl --user start yubilock.service
+            echo "[$(date)] Yubilock service restored" >> "$LOG_FILE"
+        else
+            echo "[$(date)] Yubilock service already running" >> "$LOG_FILE"
+        fi
+    fi
diff --git a/scripts/yubilock.sh b/scripts/yubilock.sh
@@ -1,8 +1,36 @@
 #!/usr/bin/env bash
 
+PID_FILE="$HOME/.cache/yubilock.pid"
 STATE_FILE="$HOME/.cache/yubilock-state"
 LOG_FILE="$HOME/.cache/yubilock.log"
-PID_FILE="$HOME/.cache/yubilock.pid"
+### UPDATE THE LOCKSCREEN FUNCTION BELOW WITH YOUR PREFERRED SCREEN LOCKING COMMAND
+
+# Log startup
+echo "[$(date)] Yubilock starting with PID $$" >> "$LOG_FILE"
+
+# Create state file if it doesn't exist, but preserve existing state
+if [ ! -f "$STATE_FILE" ]; then
+    echo "off" > "$STATE_FILE"
+    echo "[$(date)] No state file found, defaulting to off" >> "$LOG_FILE"
+else
+    echo "[$(date)] Using existing state: $(cat "$STATE_FILE")" >> "$LOG_FILE"
+fi
+
+# Write PID to file
+echo $$ > "$PID_FILE"
+echo "[$(date)] PID file written, state: $(cat "$STATE_FILE")" >> "$LOG_FILE"
+
+# Function to clean up on exit
+cleanup() {
+    echo "[$(date)] Cleanup triggered" >> "$LOG_FILE"
+    rm -f "$PID_FILE"
+    # Don't modify state file - preserve it across reboots
+    pkill -SIGRTMIN+5 waybar 2>/dev/null
+    exit 0
+}
+
+# Set up signal handlers
+trap cleanup EXIT TERM INT
 
 # Function to check if a YubiKey is currently plugged in
 check_yubikey() {
@@ -13,55 +41,56 @@ check_yubikey() {
     fi
 }
 
-# Function to lock the screen
+### Function to lock the screen
+### You can replace this with your preferred screen locking command
+### Examples:
+### gnome-screensaver-command -l  # For GNOME
+### loginctl lock-session         # systemd-based systems
+### xscreensaver-command -lock    # For xscreensaver
+### i3lock                        # For i3
 lock_screen() {
-    # You can replace this with your preferred screen locking command
-    # Examples:
-    # gnome-screensaver-command -l  # For GNOME
-    # loginctl lock-session         # systemd-based systems
-    # xscreensaver-command -lock    # For xscreensaver
-    # i3lock                        # For i3
-
     lockscreen
-    echo "Screen locked at $(date)" >> "$LOG_FILE"
+    echo "Screen locked at $(date)"
 }
 
-# Create state file if it doesn't exist
-if [ ! -f "$STATE_FILE" ]; then
-    echo "off" > "$STATE_FILE"
-fi
-
-# Record PID for later termination
-echo "$$" > "$PID_FILE"
-
 # Main monitoring loop
-echo "YubiKey monitoring started at $(date)" >> "$LOG_FILE"
+echo "[$(date)] YubiKey monitoring started" >> "$LOG_FILE"
+echo "YubiKey monitoring started at $(date)"
+
+# Signal waybar to update
+pkill -SIGRTMIN+5 waybar 2>/dev/null
 
 while true; do
-    # Check if monitoring is still enabled
+    # Check if monitoring is enabled
     if [ "$(cat "$STATE_FILE")" != "on" ]; then
-        echo "YubiKey monitoring stopped at $(date)" >> "$LOG_FILE"
-        exit 0
+        # Monitoring is paused, wait and check again
+        echo "[$(date)] YubiKey monitoring paused (state: off)" >> "$LOG_FILE"
+        sleep 5
+        continue
     fi
 
+    # Only monitor when state is "on"
     if check_yubikey; then
-        echo "YubiKey detected at $(date)" >> "$LOG_FILE"
+        echo "[$(date)] YubiKey detected" >> "$LOG_FILE"
+        echo "YubiKey detected at $(date)"
 
         # Wait until the YubiKey is removed
         while check_yubikey && [ "$(cat "$STATE_FILE")" = "on" ]; do
             sleep 1
         done
 
-        # If we exited because service was disabled, exit gracefully
+        # If we exited because service was disabled, continue the loop
         if [ "$(cat "$STATE_FILE")" != "on" ]; then
-            echo "YubiKey monitoring stopped at $(date)" >> "$LOG_FILE"
-            exit 0
+            echo "[$(date)] YubiKey monitoring paused" >> "$LOG_FILE"
+            continue
         fi
 
-        echo "YubiKey removed at $(date)" >> "$LOG_FILE"
+        echo "[$(date)] YubiKey removed - locking screen" >> "$LOG_FILE"
+        echo "YubiKey removed at $(date)"
         lock_screen
     else
-        echo "No YubiKey detected. Checking again in 10 seconds..." >> "$LOG_FILE"
+        echo "[$(date)] No YubiKey detected. Checking again..." >> "$LOG_FILE"
+        echo "No YubiKey detected. Checking again in 10 seconds..."
         # Check less frequently to reduce system load
         sleep 10
     fi
diff --git a/yubilock.nix b/yubilock.nix
@@ -0,0 +1,160 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.yubilock;
+  
+  # Script paths - users should copy scripts to their ~/.config/waybar/scripts/
+  yubilockScript = pkgs.writeShellScript "yubilock" ''
+    STATE_FILE="$HOME/.cache/yubilock-state"
+    LOG_FILE="$HOME/.cache/yubilock.log"
+    PID_FILE="$HOME/.cache/yubilock.pid"
+
+    # Function to check if a YubiKey is currently plugged in
+    check_yubikey() {
+        if ${pkgs.usbutils}/bin/lsusb | ${pkgs.gnugrep}/bin/grep -i "yubikey" > /dev/null; then
+            return 0 # device is present
+        else
+            return 1 # device is not present
+        fi
+    }
+
+    # Function to lock the screen
+    lock_screen() {
+        # Using loginctl for systemd-based systems
+        ${pkgs.systemd}/bin/loginctl lock-session
+        echo "Screen locked at $(date)" >> "$LOG_FILE"
+    }
+
+    # Create state file if it doesn't exist
+    if [ ! -f "$STATE_FILE" ]; then
+        echo "off" > "$STATE_FILE"
+    fi
+
+    # Record PID for later termination
+    echo "$$" > "$PID_FILE"
+
+    # Main monitoring loop
+    echo "YubiKey monitoring started at $(date)" >> "$LOG_FILE"
+
+    while true; do
+        # Check if monitoring is still enabled
+        if [ "$(cat "$STATE_FILE")" != "on" ]; then
+            echo "YubiKey monitoring stopped at $(date)" >> "$LOG_FILE"
+            exit 0
+        fi
+
+        if check_yubikey; then
+            echo "YubiKey detected at $(date)" >> "$LOG_FILE"
+
+            # Wait until the YubiKey is removed
+            while check_yubikey && [ "$(cat "$STATE_FILE")" = "on" ]; do
+                sleep 1
+            done
+
+            # If we exited because service was disabled, exit gracefully
+            if [ "$(cat "$STATE_FILE")" != "on" ]; then
+                echo "YubiKey monitoring stopped at $(date)" >> "$LOG_FILE"
+                exit 0
+            fi
+
+            echo "YubiKey removed at $(date)" >> "$LOG_FILE"
+            lock_screen
+        else
+            echo "No YubiKey detected. Checking again in 10 seconds..." >> "$LOG_FILE"
+            # Check less frequently to reduce system load
+            sleep 10
+        fi
+    done
+  '';
+
+  yubilockRestoreScript = pkgs.writeShellScript "yubilock-restore" ''
+    STATE_FILE="$HOME/.cache/yubilock-state"
+    LOG_FILE="$HOME/.cache/yubilock-restore.log"
+    
+    echo "[$(date)] Checking yubilock state on login" >> "$LOG_FILE"
+    
+    # Create state file if it doesn't exist
+    if [ ! -f "$STATE_FILE" ]; then
+        echo "off" > "$STATE_FILE"
+        echo "[$(date)] No state file found, defaulting to off" >> "$LOG_FILE"
+        exit 0
+    fi
+    
+    # Read the saved state
+    saved_state=$(cat "$STATE_FILE")
+    echo "[$(date)] Saved state: $saved_state" >> "$LOG_FILE"
+    
+    # If it was enabled before, re-enable it
+    if [ "$saved_state" = "on" ]; then
+        if ! ${pkgs.systemd}/bin/systemctl --user is-active yubilock.service > /dev/null 2>&1; then
+            echo "[$(date)] Restoring yubilock service" >> "$LOG_FILE"
+            ${pkgs.systemd}/bin/systemctl --user start yubilock.service
+            echo "[$(date)] Yubilock service restored" >> "$LOG_FILE"
+        else
+            echo "[$(date)] Yubilock service already running" >> "$LOG_FILE"
+        fi
+    fi
+  '';
+
+in {
+  options.services.yubilock = {
+    enable = mkEnableOption "YubiKey screen lock monitor";
+
+    autoRestore = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Automatically restore yubilock state on login.
+        If enabled, the yubilock service will be restarted on login
+        if it was running when you last logged out.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Systemd user service for yubilock
+    systemd.user.services.yubilock = {
+      Unit = {
+        Description = "YubiKey lock screen monitor";
+        After = [ "graphical-session.target" ];
+        PartOf = [ "graphical-session.target" ];
+      };
+      Service = {
+        Type = "simple";
+        ExecStart = "${yubilockScript}";
+        Restart = "on-failure";
+        RestartSec = "5s";
+        # Ensure state persists
+        ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p %h/.cache";
+        # Clean state on stop
+        ExecStopPost = "${pkgs.bash}/bin/bash -c 'echo off > %h/.cache/yubilock-state'";
+      };
+      Install = {
+        WantedBy = [ "graphical-session.target" ];
+      };
+    };
+    
+    # Systemd user service to restore yubilock state on login
+    systemd.user.services.yubilock-restore = mkIf cfg.autoRestore {
+      Unit = {
+        Description = "Restore YubiKey monitor state on login";
+        After = [ "graphical-session.target" ];
+      };
+      Service = {
+        Type = "oneshot";
+        ExecStart = "${yubilockRestoreScript}";
+        RemainAfterExit = false;
+      };
+      Install = {
+        WantedBy = [ "graphical-session.target" ];
+      };
+    };
+
+    # Ensure required packages are available
+    home.packages = with pkgs; [
+      usbutils  # for lsusb command
+    ];
+  };
+}
