From 0d4d413f941ef14d6064b974f1759473ce4bd822 Mon Sep 17 00:00:00 2001
From: caandt
Date: Tue, 25 Feb 2025 16:36:22 -0600
Subject: [PATCH] yubikey
---
 system/default.nix | 35 ++++++++++++++---------------------
 system/yubikey.nix | 25 +++++++++++++++++++++++++
 user/autostart.nix | 3 +++
 user/packages.nix | 1 +
 4 files changed, 43 insertions(+), 21 deletions(-)
 create mode 100644 system/yubikey.nix
diff --git a/system/default.nix b/system/default.nix
index 6a7d76a..e2ec699 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -14,31 +14,24 @@
 ./plasma.nix
 ./security.nix
 ./virt.nix
+ ./yubikey.nix
 ../overlays
 inputs.sops-nix.nixosModules.sops
 ];
 options.u = {
- has = {
- graphical = lib.mkOption {
- type = lib.types.bool;
- description = "enable graphical settings";
- default = true;
- };
- wine = lib.mkOption {
- type = lib.types.bool;
- description = "enable wine settings";
- default = true;
- };
- virt = lib.mkOption {
- type = lib.types.bool;
- description = "enable virt settings";
- default = true;
- };
- container = lib.mkOption {
- type = lib.types.bool;
- description = "enable container settings";
- default = true;
- };
+ has = let
+ mkOpt = name:
+ lib.mkOption {
+ type = lib.types.bool;
+ description = "enable ${name}";
+ default = true;
+ };
+ in {
+ graphical = mkOpt "graphical";
+ wine = mkOpt "wine";
+ virt = mkOpt "virt";
+ container = mkOpt "container";
+ yubikey = mkOpt "yubikey";
 };
 };
 }
diff --git a/system/yubikey.nix b/system/yubikey.nix
new file mode 100644
index 0000000..178f0ea
--- /dev/null
+++ b/system/yubikey.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+lib.mkIf config.u.has.yubikey {
+ environment.systemPackages = [
+ pkgs.yubikey-manager
+ pkgs.yubioath-flutter
+ pkgs.pam_u2f
+ ];
+ services.pcscd.enable = true;
+ services.udev.packages = [pkgs.yubikey-personalization];
+ services.yubikey-agent.enable = true;
+ security.pam = {
+ u2f = {
+ enable = true;
+ settings.cue = true;
+ };
+ services.login.u2fAuth = false;
+ services.physlock.u2fAuth = false;
+ };
+ programs.yubikey-touch-detector.enable = true;
+}
diff --git a/user/autostart.nix b/user/autostart.nix
index 1782178..fb939df 100644
--- a/user/autostart.nix
+++ b/user/autostart.nix
@@ -18,6 +18,9 @@ lib.mkIf config.u.has.graphical {
 "safeeyes.service"
 "snixembed.service"
 ];
+ Requires = [
+ "graphical-session.target"
+ ];
 };
 };
 systemd.user.services = {
diff --git a/user/packages.nix b/user/packages.nix
index 9932486..5a30671 100644
--- a/user/packages.nix
+++ b/user/packages.nix
@@ -26,6 +26,7 @@
 ffsubsync
 unzip
 unar
+ keepassxc
 ]
 ++ lib.optionals config.u.has.graphical [
 (config.u.lib.localHome pkgs.firefox "firefox" "bin/firefox")
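Review bot: In system/yubikey.nix, `security.pam.u2f.enable = true` leaves `control` unset, and the NixOS default for it is `sufficient`, so every PAM service other than the two opted out here (`login`, `physlock`), sudo included, would accept a key touch alone in place of the password. If the key is meant as a second factor, set `control = "required";` inside `u2f = { … }`, after a key has been enrolled for each account, since a required module fails for users with no mapping. No `settings.authfile` is set in this hunk, so pam_u2f should fall back to the per-user mapping file in the home directory, which the account itself can rewrite; a root-owned authfile closes that. A short comment above `services.login.u2fAuth = false;` stating why those two services are excluded would document the intended policy. Because `u.has.yubikey` defaults to true in system/default.nix, all of this applies to every host that does not opt out.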
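Review bot: In user/autostart.nix, the added `Requires = ["graphical-session.target"];` creates a dependency but no ordering, so the unit can still start in parallel with the graphical session unless an `After` entry exists in the part of this attribute set that lies outside the hunk. If the aim is to hold the listed services until the session is up, add `After = ["graphical-session.target"];` next to it. The change is not covered by the commit subject, so a one-line comment saying why the hard dependency is needed would help.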