yubikey

2025-02-25 16:36:22 -06:00 · 2025-02-25 16:36:22 -06:00 · 0d4d413f94
parent 05a2111bc1
commit 0d4d413f94
4 changed files with 43 additions and 21 deletions
--- a/system/default.nix
+++ b/system/default.nix
@ -14,31 +14,24 @@
    ./plasma.nix
    ./security.nix
    ./virt.nix
+    ./yubikey.nix
    ../overlays
    inputs.sops-nix.nixosModules.sops
  ];
  options.u = {
-    has = {
-      graphical = lib.mkOption {
-        type = lib.types.bool;
-        description = "enable graphical settings";
-        default = true;
-      };
-      wine = lib.mkOption {
-        type = lib.types.bool;
-        description = "enable wine settings";
-        default = true;
-      };
-      virt = lib.mkOption {
-        type = lib.types.bool;
-        description = "enable virt settings";
-        default = true;
-      };
-      container = lib.mkOption {
-        type = lib.types.bool;
-        description = "enable container settings";
-        default = true;
-      };
+    has = let
+      mkOpt = name:
+        lib.mkOption {
+          type = lib.types.bool;
+          description = "enable ${name}";
+          default = true;
+        };
+    in {
+      graphical = mkOpt "graphical";
+      wine = mkOpt "wine";
+      virt = mkOpt "virt";
+      container = mkOpt "container";
+      yubikey = mkOpt "yubikey";
    };
  };
 }
--- a/system/yubikey.nix
+++ b/system/yubikey.nix
@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+lib.mkIf config.u.has.yubikey {
+  environment.systemPackages = [
+    pkgs.yubikey-manager
+    pkgs.yubioath-flutter
+    pkgs.pam_u2f
+  ];
+  services.pcscd.enable = true;
+  services.udev.packages = [pkgs.yubikey-personalization];
+  services.yubikey-agent.enable = true;
+  security.pam = {
+    u2f = {
+      enable = true;
+      settings.cue = true;
+    };
+    services.login.u2fAuth = false;
+    services.physlock.u2fAuth = false;
+  };
+  programs.yubikey-touch-detector.enable = true;
+}
--- a/user/autostart.nix
+++ b/user/autostart.nix
@ -18,6 +18,9 @@ lib.mkIf config.u.has.graphical {
        "safeeyes.service"
        "snixembed.service"
      ];
+      Requires = [
+        "graphical-session.target"
+      ];
    };
  };
  systemd.user.services = {
--- a/user/packages.nix
+++ b/user/packages.nix
@ -26,6 +26,7 @@
      ffsubsync
      unzip
      unar
+      keepassxc
    ]
    ++ lib.optionals config.u.has.graphical [
      (config.u.lib.localHome pkgs.firefox "firefox" "bin/firefox")