From a6be5159250156a0df407e872b61dd126b370c2b Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Tue, 17 Sep 2024 13:42:25 -0600
Subject: [PATCH] add yubikey support

---
 .../fabian@posixlycorrect/lib/default.nix | 3 ++
 sys/platforms/posixlycorrect/default.nix | 1 +
 sys/platforms/posixlycorrect/yubikey.nix | 32 +++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 sys/platforms/posixlycorrect/yubikey.nix

diff --git a/home/platforms/fabian@posixlycorrect/lib/default.nix b/home/platforms/fabian@posixlycorrect/lib/default.nix
index b00a0c7..73fe593 100644
--- a/home/platforms/fabian@posixlycorrect/lib/default.nix
+++ b/home/platforms/fabian@posixlycorrect/lib/default.nix
@@ -45,6 +45,9 @@
 vlc
 vpsfree-client
 vscodium-fhs
+ yubikey-manager
+ yubico-pam
+ yubikey-personalization
 zip
 zola
 zoom-us
diff --git a/sys/platforms/posixlycorrect/default.nix b/sys/platforms/posixlycorrect/default.nix
index f67ae8c..3a18f9b 100644
--- a/sys/platforms/posixlycorrect/default.nix
+++ b/sys/platforms/posixlycorrect/default.nix
@@ -10,6 +10,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./yubikey.nix
 ];
 
 # Use the systemd-boot EFI boot loader.
diff --git a/sys/platforms/posixlycorrect/yubikey.nix b/sys/platforms/posixlycorrect/yubikey.nix
new file mode 100644
index 0000000..1b9ee9f
--- /dev/null
+++ b/sys/platforms/posixlycorrect/yubikey.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ services = {
+ pcscd.enable = true;
+ udev.packages = [pkgs.yubikey-personalization];
+ };
+
+ environment.etc."pkcs11/modules/ykcs11".text = ''
+ module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+ '';
+
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ security.pam.services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+
+ security.pam.yubico = {
+ enable = true;
+ debug = false;
+ mode = "challenge-response";
+ id = ["27677315"];
+ };
+}
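Review bot: In the new yubikey.nix, `id = ["27677315"];` under `security.pam.yubico` does not fit `mode = "challenge-response";`: as far as I recall the NixOS module only emits `id=` to pam_yubico when `mode = "client"` and declares the option as a string rather than a list, so the value is either silently ignored or rejected at evaluation — drop the line or confirm which mode is actually intended. The `environment.etc."pkcs11/modules/ykcs11".text` entry may likewise be skipped, since p11-kit, to my recollection, only loads module files carrying a `.module` suffix; `environment.etc."pkcs11/modules/ykcs11.module".text` would be the expected name, worth checking with `p11-kit list-modules` after a rebuild. Because `challengeResponsePath` is left unset, the challenge-response secret is read from each user's home directory, which this module cannot provision; a comment at the top of the file such as `# challenge-response mode: each user must run ykpamcfg once so their per-key challenge file exists before this PAM entry can succeed` would save the next reader a lockout surprise. The first two hunks only add packages and an import and raise nothing.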