From 1221aaf0fc977819d305e06f5f11d4042fca1e93 Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Mon, 2 Dec 2024 14:14:13 -0600
Subject: [PATCH] modularize yubikey

---
 sys/modules/default.nix | 1 +
 sys/modules/yubikey.nix | 44 ++++++++++++++++++++++++
 sys/platforms/posixlycorrect/default.nix | 3 +-
 sys/platforms/posixlycorrect/yubikey.nix | 36 -------------------
 4 files changed, 47 insertions(+), 37 deletions(-)
 create mode 100644 sys/modules/yubikey.nix
 delete mode 100644 sys/platforms/posixlycorrect/yubikey.nix

diff --git a/sys/modules/default.nix b/sys/modules/default.nix
index 02f9f67..9f6fdcc 100644
--- a/sys/modules/default.nix
+++ b/sys/modules/default.nix
@@ -6,5 +6,6 @@
 }: {
 imports = [
 ./baseline.nix
+ ./yubikey.nix
 ];
 }
diff --git a/sys/modules/yubikey.nix b/sys/modules/yubikey.nix
new file mode 100644
index 0000000..c5e3008
--- /dev/null
+++ b/sys/modules/yubikey.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.sys.yubikey;
+in {
+ options.local.sys.yubikey = {
+ enable = mkEnableOption "yubikey settings";
+ };
+ config = mkIf cfg.enable {
+ services = {
+ pcscd.enable = true;
+ udev.packages = [pkgs.yubikey-personalization];
+ };
+
+ environment.etc."pkcs11/modules/ykcs11".text = ''
+ module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+ '';
+
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ security.pam = {
+ services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+
+ u2f = {
+ enable = true;
+ control = "sufficient";
+ settings = {
+ debug = false;
+ cue = true;
+ };
+ };
+ };
+ };
+}
diff --git a/sys/platforms/posixlycorrect/default.nix b/sys/platforms/posixlycorrect/default.nix
index d5c1bb8..2125f47 100644
--- a/sys/platforms/posixlycorrect/default.nix
+++ b/sys/platforms/posixlycorrect/default.nix
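Review bot: In the new `sys/modules/yubikey.nix`, `security.pam.u2f` is enabled with `control = "sufficient"` for both `login` and `sudo` but no `authfile` is pinned, so pam_u2f falls back to its per-user mapping file under the user's home directory (if I recall the pam_u2f default correctly); per the NixOS option docs, `sufficient` means a key touch replaces the password entirely, while the mapping that decides which key is accepted stays writable by the very account being elevated. If touch-only elevation is the intent, pin a root-owned mapping file, e.g. `settings.authfile = "/etc/u2f_mappings";` (path is an example), and consider `control = "required"` if the key is meant as a second factor rather than a password replacement. `with lib;` at the top of the module makes the origin of `mkEnableOption`/`mkIf` implicit and is discouraged in NixOS module style; `inherit (lib) mkEnableOption mkIf;` in the `let` keeps it explicit. The option description `"yubikey settings"` would also benefit from saying what one flag switches on — pcscd, udev rules, the ykcs11 PKCS#11 module, gpg-agent with SSH support, and U2F PAM for login and sudo — since that is a sizeable footprint for a single enable.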
@@ -10,11 +10,12 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ./yubikey.nix
 ];
 
 local.sys = {
 baseline.enable = true;
+
+ yubikey.enable = true;
 };
 
 # Use the systemd-boot EFI boot loader.
diff --git a/sys/platforms/posixlycorrect/yubikey.nix b/sys/platforms/posixlycorrect/yubikey.nix
deleted file mode 100644
index 1064b1d..0000000
--- a/sys/platforms/posixlycorrect/yubikey.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: {
- services = {
- pcscd.enable = true;
- udev.packages = [pkgs.yubikey-personalization];
- };
-
- environment.etc."pkcs11/modules/ykcs11".text = ''
- module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
- '';
-
- programs.gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- };
-
- security.pam = {
- services = {
- login.u2fAuth = true;
- sudo.u2fAuth = true;
- };
-
- u2f = {
- enable = true;
- control = "sufficient";
- settings = {
- debug = false;
- cue = true;
- };
- };
- };
-}