How to lock before suspending? [solved]

l0b0 · August 13, 2019, 5:52am

I just opened my laptop lid after it being closed for hours to find that while it did suspend it did not lock first, even though xautolock is running. It seems this needs to be enabled separately, but how? The relevant parts of my configuration:

{
  services = {
    acpid.enable = true;
    xserver = {
      desktopManager.xfce = {
        enable = true;
        noDesktop = true;
      };
      displayManager.lightdm.enable = true;
      enable = true;
      windowManager = {
        awesome.enable = true;
        default = "awesome";
      };
      xautolock = {
        enable = true;
        enableNotifier = true;
        locker = ''${pkgs.xlockmore}/bin/xlock -mode blank'';
        notifier =
          ''${pkgs.libnotify}/bin/notify-send "Locking in 10 seconds"'';
      };
    };
  };

  system.stateVersion = "19.03";
}

It looks like physlock might be a possibility, but from the chaos of lockers, idle detectors like xautolock, and miscellaneous tools in this space I really can’t tell where it fits in. Is it complementary to xautolock, or does it replace it? xautolock’s last release was in 2007 and doesn’t seem to have an issue tracker or public repository, so that’s pretty bad.

Update: I tried simply enabling physlock, and it seems to fit the bill - the desktop now locks when suspending. On the other hand, I now have two lockers, since I can’t seem to start the physlock service as a normal user, even with allowAnyUser.

Update 2: Turns out allowAnyUser is about running the physlock command, not the service. But now there’s another weird issue: after setting services.xserver.xautolock.locker = ''${pkgs.physlock}/bin/physlock''; and restarting the xautolock user service it reports “physlock: Must be root!” when trying to lock the screen. I guess I need to refer to the wrapper command, but how can I do that without hard-coding /run/wrappers/bin/physlock?

And fixed:

diff --git a/configuration.nix b/configuration.nix
index 9d8690968e3f1bf0136ffe89094deb7e7f1bd720..f30fe3de2d6bfca5a0b15babf20fd356dc34c9f2 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -235,7 +235,10 @@
       passwordAuthentication = false;
       permitRootLogin = "no";
     };
-    physlock.enable = true;
+    physlock = {
+      allowAnyUser = true;
+      enable = true;
+    };
     printing = {
       enable = true;
       drivers = [ pkgs.hplip ];
@@ -268,7 +271,7 @@
       xautolock = {
         enable = true;
         enableNotifier = true;
-        locker = ''${pkgs.xlockmore}/bin/xlock -mode blank'';
+        locker = ''${config.security.wrapperDir}/physlock'';
         notifier =
           ''${pkgs.libnotify}/bin/notify-send "Locking in 10 seconds"'';
       };

roni · August 13, 2019, 2:22pm

Looks like you’ve got it working but I thought I’d share my own solution for this in case it’s useful to someone. I went through some confusion myself regarding the different ways of locking the screen, etc., and finally came up with the solution here: https://github.com/waxlamp/nixos-config/blob/f8aecac4eb6e145f32d3c10f3842da18c217dd34/machines/kahless/configuration.nix#L171-L194.

roni

l0b0 · August 13, 2019, 7:17pm

Except for enabling acpid I think that’s redundant, because systemd already suspends my laptop when closing the lid. Or is that not what this does?