authorStefan Weigl-Bosker <stefan@s00.xyz>2025-07-07 16:51:10 -0400
committerStefan Weigl-Bosker <stefan@s00.xyz>2025-07-07 16:51:42 -0400
commitd9330be6272a670047eb87de132feda669d728b9 (patch)
tree9a9be9e09b9bee635edbfc81d9099ee300aa64ca /nixos
parent0598d3ec7273f043f41ab6d044fb5679682e8554 (diff)
nixos/yubikey: init
Diffstat (limited to 'nixos')
-rw-r--r--nixos/default.nix1
-rw-r--r--nixos/yubikey.nix48
2 files changed, 49 insertions, 0 deletions
diff --git a/nixos/default.nix b/nixos/default.nix
index e31a96a..a8720da 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -7,6 +7,7 @@ in
./bluetooth.nix
./osu.nix
./keyd.nix
+ ./yubikey.nix
];
options.nixos = with lib.options; {
diff --git a/nixos/yubikey.nix b/nixos/yubikey.nix
new file mode 100644
index 0000000..3da6fc9
--- /dev/null
+++ b/nixos/yubikey.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.nixos.yubikey;
+ inherit (lib) types mkOption;
+in
+{
+ options.nixos.yubikey = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "enable yubikey support";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = builtins.attrValues {
+ inherit (pkgs)
+ yubioath-flutter
+ yubikey-manager
+ pam_u2f
+ ;
+ };
+
+ # for gpg and ssh
+ services.pcscd.enable = true; # https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html
+ services.udev.packages = [ pkgs.yubikey-personalization ];
+
+ security.pam = {
+ u2f = {
+ enable = true;
+ origin = "pam://yubi";
+ settings = {
+ # interactive = true;
+ interactive = false;
+ cue = true;
+ authfile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
+ config.nixos.username
+ ":GB+R91Ur898D/fEgih7f/tsSDOaDw1QcEOSGzHs4fOUo5uCaliIiEK4fFGDClybL/8Qa7tGAN+mo0tU7PVmzfA==,GUPJuYykJoqBw7atGbIK/QcIATgJ3VZQKd1BrjMZ9g/f3nSejOv69LM5UCEoXAwuZHyJitVr1qYd1jLP2uckoQ==,es256,+presence"
+ ]);
+ };
+ };
+ services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+ };
+ };
+}
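Review bot: Enabling `login.u2fAuth` and `sudo.u2fAuth` without setting `security.pam.u2f.control` makes the key a single factor: NixOS wires pam_u2f as `sufficient` by default (as far as I recall), so a touch on the key logs in and escalates to root with no password, and the mapping on the `authfile` line carries only `+presence`, not `+pin`, so physical possession is enough. If the intent is a second factor rather than a password replacement, add `control = "required";` next to `origin = "pam://yubi";` so the password stack still runs, and consider re-registering the credential with PIN verification so the mapping ends in `+presence,+pin`. Note that `required` means a lost key also locks out sudo and console login, so keep a recovery path (a second registered key in the same mapping line, or a root shell reachable without pam_u2f) before switching. The public key and key handle in the mapping are not secrets, so placing the authfile in the world-readable Nix store is fine, but the credential is only valid for the `origin`/appid it was registered under, so `pamu2fcfg` must have been run with `-o pam://yubi` (and the default appid derived from it) for this line to verify.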