From 367b0c114f38d5c332f5ee971ad13dd69e302dec Mon Sep 17 00:00:00 2001
From: tilpner
Date: Mon, 15 Jun 2020 09:53:06 +0200
Subject: WIP towards module based configuration

---
 profiles/disablePasswordManager.nix | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 profiles/disablePasswordManager.nix

(limited to 'profiles/disablePasswordManager.nix')

diff --git a/profiles/disablePasswordManager.nix b/profiles/disablePasswordManager.nix
new file mode 100644
index 0000000..cf71db6
--- /dev/null
+++ b/profiles/disablePasswordManager.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }: with lib; {
+  options.features.disablePasswordManager = mkOption {
+    type = types.bool;
+    default = false;
+    description = ''
+      Prevent the user from storing any passwords in the browser.
+      This can be justified if the physical security of the device is uncertain, or
+      if the provider wants to avoid the responsiblity of storing such sensitive data.
+
+      However, the users alternatives must be considered: what will a user do without the
+      password manager?
+
+      Possible "alternatives" (from user perspective) include:
+        - Choose much weaker passwords
+        - Store the passwords in an unencrypted form (e.g. on the desktop)
+    '';
+  };
+
+  config = mkMerge [
+    (mkIf config.features.disablePasswordManager {
+      policies = {
+        # TODO: how exactly are passwords stored?
+        OfferToSaveLogins = false;
+        PasswordManagerEnabled = false;
+      };
+    })
+
+    (mkIf (!config.features.disablePasswordManager) {
+      preferences = {
+        # Ask for password every 15 minutes
+        security.ask_for_password = 2;
+        security.password_lifetime = 15; # minutes
+        signon.masterPasswordReprompt.timeout_ms = 15 * 60 * 1000;
+      };
+    })
+  ];
+}
-- 
cgit v1.2.3