Initial commit for yubikey.

2022-05-03 00:12:30 -04:00 · 2022-05-03 00:12:30 -04:00 · 650cfe1724
parent 1e81adac73
commit 650cfe1724
3 changed files with 58 additions and 1 deletions
--- a/hosts/nil.nix
+++ b/hosts/nil.nix
@ -34,7 +34,10 @@
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  this.systems.zfs.enable = true;
+  this.systems = {
+    zfs.enable = true;
+    yubikey.enable = true;
+  };

  networking = {
    # This is required for the zfs module as well. Must be unique. Run the following head -c4  /dev/urandom | od -A none -t x4
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@ -8,6 +8,7 @@
    ./gtk.nix
    ./power.nix
    ./xdg.nix
+    ./yubikey.nix
    ./zfs.nix
  ];
 }
--- a/modules/system/yubikey.nix
+++ b/modules/system/yubikey.nix
@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.this.systems.yubikey;
+  graphical = config.this.graphical;
+in with lib; {
+  options.this.systems.yubikey.enable = mkEnableOption "Yubikey";
+
+  config = mkIf cfg.enable {
+    services.udev.packages = with pkgs; [ yubikey-personalization ];
+
+    environment.shellInit = ''
+      export GPG_TTY="$(tty)"
+      gpg-connect-agent /bye
+      export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+    '';
+
+    programs = {
+      ssh.startAgent = false;
+      gnupg.agent = {
+        enable = true;
+        enableSSHSupport = true;
+        pinentryFlavor = if graphical.enable then "gnome3" else "curses";
+      };
+    };
+
+    # security.pam = {
+    #   yubico = {
+    #     enable = true;
+    #     mode = "challenge-response";
+    #     control = "required"; # oh boy.
+    #   };
+    # };
+
+    environment.systemPackages = with pkgs;
+      [ yubioath-desktop pinentry-curses ]
+      ++ optionals (graphical.enable) [ pinentry-gnome ];
+
+    home-manager.users.james.home = {
+      packages = with pkgs;
+        [ yubikey-manager yubikey-personalization ]
+        ++ optionals (graphical.enable) [
+          yubikey-manager-qt
+          yubikey-personalization-gui
+        ];
+      file.".gnupg/gpg-agent.config" = {
+        text = if graphical.enable then
+          "pinentry-program ${pkgs.pinentry-gnome}/bin/pinentry"
+        else
+          "pinentry-program ${pkgs.pinentry-curses}/bin/pinentry";
+      };
+    };
+  };
+}