Xsecurelock + xss-lock on i3 / no homemanager - xss-lock not present when setting option enabled?

I am using i3 on nixos. I want to use securelock when my system times out, manual lock, etc.

It looks like there are many ways to set this up and tools to trigger the locking, etc. and I am getting a bit lost on what combination I need. I see some posts about making change to the i3 config, but I would ideally want this to be done with my nixos configuration directly if possible.

If I do something simple like:

programs.i3lock.enable = true;

It will work, triggers on timeout, triggers if I manually call something like xset s activate, etc. But I do not like the default i3lock.

I tried a config like this:

{ config, inputs, lib, pkgs, platform, username, ... }:
{
  environment.systemPackages = with pkgs; [
    xsecurelock
  ];
  programs.xss-lock.enable = true;
  programs.xss-lock.lockerCommand = "xsecurelock";
}

but when I do this configuration and run xss-lock I get a “command not found” error.

If I install xss-lock as a package it will be present, but it still doesn’t do anything, and the lockerCommand option seems not to be active.

Somewhere in the searching I saw something that said xss-lock won’t activate this way unless you also have display manager explicitly set, something like:

services.xserver.displayManager.lightdm.enable = true;

I tried the above without the manual environment.systemPackages, but it would still be command not found.

xsecurelock works if I just call it manually from CLI, what do I need to do to get it to trigger automatically system wide?

Is the i3block still somehow active or specified? It seems to only be present if I enable it in my config.

I see in the base/default i3 config a line for xss-lock:

exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock --nofork

Even if this needs to then be changed to use xsecurelock, it seems that it is expecting it to run via xss-lock, which is not installing via the option?

Is it enough to just install the package manually and then manually change i3? Would prefer a way of setting this up with my configuration to avoid manual edits / copying files / home-manager / etc.

Here is where I found the note about needing a displayManager set:

https://github.com/NixOS/nixpkgs/blob/9e122ef8742f921eeb211094deb024319f4e6c62/nixos/modules/programs/xss-lock.nix#L45

  "xss-lock service only works if a displayManager is set; it doesn't work when services.xserver.displayManager.startx.enable = true"

I did some more sleuthing. xss-lock seems to be installed and running as a service in the background.

When I run: ps -aux | grep xss I see:

/nix/store/5idl1a15wfpby2qx8rwxc91ah6p88fji-xss-lock-unstable-2018-05-31/bin/xss-lock --session 28 -- xsecurelock

xset q confirms I have timeout on. But the background service never seems to trigger.

Also, in all the i3 examples I see, it just specifies xss-lock and I am not sure how in i3 to tell it about the nix store path.

Is there some conflict between i3 and the system setting? Should I ALSO install xss-lock as a regular program so i3 can then call it and not rely on the system setting?

So I just tried this using:

environment.systemPackages = with pkgs; [
  xsecurelock
  xss-lock
];

then in i3, I configured:

# xss-lock grabs a logind suspend inhibit lock and will use i3lock to lock the
# screen before suspend. Use loginctl lock-session to lock your screen.
#exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock --nofork
exec_always --no-startup-id xset s 30 
#exec_always --no-startup-id xss-lock -n /usr/lib/xsecurelock/dimmer -l -- xsecurelock
exec_always --no-startup-id xss-lock -l -- xsecurelock

With the bottom command in my i3 config and installing as package, it seems to be working.

I also just confirmed that if I remove all the options from i3 (maybe some conflict) and then again configure from program.xss-lock it still does trigger.

I am not sure what else to look at, but when I look at ps -aux | grep xss the only difference between these two methods is that with programs... in the nix config the path for xss-lock is direct from the nix store while in i3 I will just specify xss-lock and let the system figure out.

I am not sure if there are conflicts, privileges, silent errors. For the most part the i3 configuration seems to be working, but ideally I could have this be more generalized and agnostic in case I switch off i3 later.

Would appreciate any next steps or other information about what is needed here.