From d9330be6272a670047eb87de132feda669d728b9 Mon Sep 17 00:00:00 2001
From: Stefan Weigl-Bosker
Date: Mon, 7 Jul 2025 16:51:10 -0400
Subject: nixos/yubikey: init

---
 nixos/yubikey.nix | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 nixos/yubikey.nix

(limited to 'nixos/yubikey.nix')

diff --git a/nixos/yubikey.nix b/nixos/yubikey.nix
new file mode 100644
index 0000000..3da6fc9
--- /dev/null
+++ b/nixos/yubikey.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.nixos.yubikey;
+  inherit (lib) types mkOption;
+in
+{
+  options.nixos.yubikey = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "enable yubikey support";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = builtins.attrValues {
+      inherit (pkgs)
+        yubioath-flutter
+        yubikey-manager
+        pam_u2f
+        ;
+    };
+
+    # for gpg and ssh
+    services.pcscd.enable = true; # https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html
+    services.udev.packages = [ pkgs.yubikey-personalization ];
+
+    security.pam = {
+      u2f = {
+        enable = true;
+        origin = "pam://yubi";
+        settings = {
+          # interactive = true;
+          interactive = false;
+          cue = true;
+          authfile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
+            config.nixos.username
+            ":GB+R91Ur898D/fEgih7f/tsSDOaDw1QcEOSGzHs4fOUo5uCaliIiEK4fFGDClybL/8Qa7tGAN+mo0tU7PVmzfA==,GUPJuYykJoqBw7atGbIK/QcIATgJ3VZQKd1BrjMZ9g/f3nSejOv69LM5UCEoXAwuZHyJitVr1qYd1jLP2uckoQ==,es256,+presence"
+          ]);
+        };
+      };
+      services = {
+        login.u2fAuth = true;
+        sudo.u2fAuth = true;
+      };
+    };
+  };
+}
-- cgit v1.2.3
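Review bot: The `security.pam.u2f` block enables U2F for `login` and `sudo` but leaves `control` unset, and the NixOS default for that option is `sufficient`, so the single `+presence` credential in the authfile becomes a password-equivalent on its own — a touch of the physical key unlocks login and sudo with no knowledge factor; if possession-only unlock is intended, say so in a comment next to `u2f = {`, otherwise add `control = "required";` so the key is a second factor. The `origin = "pam://yubi"` value must match the origin the mapping was generated with (the `pamu2fcfg -o` value), and since the key handle is hard-coded this module is tied to one device and one user — a short comment above `authfile` recording how to regenerate the line would help the next maintainer. `config.nixos.username` is presumably an option declared elsewhere in this repository; worth noting in the header comment since evaluation fails without it. On style, the dead `# interactive = true;` line should be dropped, and `enable = mkOption { … }` is exactly `lib.mkEnableOption "yubikey support"`.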