path: root/profiles/disablePasswordManager.nix
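# Profile module: either switch the browser's built-in password manager off
# entirely, or leave it on and tighten how often the primary password is asked for.
#
# Exactly one of the two `mkIf` branches below is active, depending on
# `features.disablePasswordManager`.
{ config, lib, ... }: with lib; {
  options.features.disablePasswordManager = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Prevent the user from storing any passwords in the browser.
      This can be justified if the physical security of the device is uncertain, or
      if the provider wants to avoid the responsibility of storing such sensitive data.

      However, the user's alternatives must be considered: what will a user do without the
      password manager?

      Possible "alternatives" (from user perspective) include:
        - Choose much weaker passwords
        - Store the passwords in an unencrypted form (e.g. on the desktop)
    '';
  };

  config = mkMerge [
    (mkIf config.features.disablePasswordManager {
      policies = {
        # Storage background: Firefox keeps saved logins in the profile
        # (logins.json), encrypted with a key held in key4.db. Without a
        # primary password that key is not protected by any user secret, so
        # read access to the profile directory is enough to recover the logins.
        #
        # OfferToSaveLogins stops the "save this login?" prompt;
        # PasswordManagerEnabled removes the password manager UI.
        # NOTE(review): logins saved before this policy was applied presumably
        # stay on disk in the profile; verify and clear them if the goal is
        # that no credentials are stored on the device.
        OfferToSaveLogins = false;
        PasswordManagerEnabled = false;
      };
    })

    (mkIf (!config.features.disablePasswordManager) {
      preferences = {
        # Ask for the primary password again every 15 minutes.
        # ask_for_password = 2 selects "every N minutes", with N taken from
        # security.password_lifetime.
        #
        # NOTE(review): these settings only matter once the user has set a
        # primary password; nothing here requires one, so by default saved
        # logins remain unprotected at rest. Consider whether the
        # `PrimaryPassword` policy should be set alongside them.
        # NOTE(review): whether `preferences` are locked or user-overridable
        # is decided where that option is declared; confirm it there.
        security.ask_for_password = 2;
        security.password_lifetime = 15; # minutes
        # Same 15-minute window, in milliseconds, for the saved-logins reprompt.
        signon.masterPasswordReprompt.timeout_ms = 15 * 60 * 1000;
      };
    })
  ];
}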