modularize yubikey

sys/modules/default.nix

@@ -6,5 +6,6 @@
 }: {
   imports = [
     ./baseline.nix
+    ./yubikey.nix
   ];
 }

sys/modules/yubikey.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.yubikey;
+in {
+  options.local.sys.yubikey = {
+    enable = mkEnableOption "yubikey settings";
+  };
+  config = mkIf cfg.enable {
+    services = {
+      pcscd.enable = true;
+      udev.packages = [pkgs.yubikey-personalization];
+    };
+
+    environment.etc."pkcs11/modules/ykcs11".text = ''
+      module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+    '';
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+
+    security.pam = {
+      services = {
+        login.u2fAuth = true;
+        sudo.u2fAuth = true;
+      };
+
+      u2f = {
+        enable = true;
+        control = "sufficient";
+        settings = {
+          debug = false;
+          cue = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/posixlycorrect/default.nix

@@ -10,11 +10,12 @@
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
-    ./yubikey.nix
   ];
 
   local.sys = {
     baseline.enable = true;
+
+    yubikey.enable = true;
   };
 
   # Use the systemd-boot EFI boot loader.

sys/platforms/posixlycorrect/yubikey.nix

@@ -1,36 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  services = {
-    pcscd.enable = true;
-    udev.packages = [pkgs.yubikey-personalization];
-  };
-
-  environment.etc."pkcs11/modules/ykcs11".text = ''
-    module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
-  '';
-
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
-  };
-
-  security.pam = {
-    services = {
-      login.u2fAuth = true;
-      sudo.u2fAuth = true;
-    };
-
-    u2f = {
-      enable = true;
-      control = "sufficient";
-      settings = {
-        debug = false;
-        cue = true;
-      };
-    };
-  };
-}