diff --git a/hosts/nil.nix b/hosts/nil.nix
index ea088d1..bcf3e58 100644
--- a/hosts/nil.nix
+++ b/hosts/nil.nix
@@ -34,7 +34,10 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
- this.systems.zfs.enable = true;
+ this.systems = {
+ zfs.enable = true;
+ yubikey.enable = true;
+ };
 networking = { # This is required for the zfs module as well. Must be unique. Run the following head -c4 /dev/urandom | od -A none -t x4
diff --git a/modules/system/default.nix b/modules/system/default.nix
index b6a2b9e..b59383c 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -8,6 +8,7 @@
 ./gtk.nix
 ./power.nix
 ./xdg.nix
+ ./yubikey.nix
 ./zfs.nix
 ];
 }
diff --git a/modules/system/yubikey.nix b/modules/system/yubikey.nix
new file mode 100644
index 0000000..075304b
--- /dev/null
+++ b/modules/system/yubikey.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.this.systems.yubikey;
+ graphical = config.this.graphical;
+in with lib; {
+ options.this.systems.yubikey.enable = mkEnableOption "Yubikey";
+
+ config = mkIf cfg.enable {
+ services.udev.packages = with pkgs; [ yubikey-personalization ];
+
+ environment.shellInit = ''
+ export GPG_TTY="$(tty)"
+ gpg-connect-agent /bye
+ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+ '';
+
+ programs = {
+ ssh.startAgent = false;
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryFlavor = if graphical.enable then "gnome3" else "curses";
+ };
+ };
+
+ # security.pam = {
+ # yubico = {
+ # enable = true;
+ # mode = "challenge-response";
+ # control = "required"; # oh boy.
+ # };
+ # };
+
+ environment.systemPackages = with pkgs;
+ [ yubioath-desktop pinentry-curses ]
+ ++ optionals (graphical.enable) [ pinentry-gnome ];
+
+ home-manager.users.james.home = {
+ packages = with pkgs;
+ [ yubikey-manager yubikey-personalization ]
+ ++ optionals (graphical.enable) [
+ yubikey-manager-qt
+ yubikey-personalization-gui
+ ];
+ file.".gnupg/gpg-agent.config" = {
+ text = if graphical.enable then
+ "pinentry-program ${pkgs.pinentry-gnome}/bin/pinentry"
+ else
+ "pinentry-program ${pkgs.pinentry-curses}/bin/pinentry";
+ };
+ };
+ };
+}
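Review bot: The home-manager entry writes `.gnupg/gpg-agent.config`, but gpg-agent reads its options from `~/.gnupg/gpg-agent.conf`, so the `pinentry-program` line near the end of the hunk is never applied and the agent falls back to whatever the system-level `pinentryFlavor` setting provides; either rename it, `file.".gnupg/gpg-agent.conf" = {`, or drop the block, since `programs.gnupg.agent.pinentryFlavor` already selects the pinentry for the whole system and the per-user file appears redundant. In `environment.shellInit`, `SSH_AUTH_SOCK` is hard-coded to `/run/user/$UID/gnupg/S.gpg-agent.ssh` and `gpg-connect-agent /bye` runs in every shell, interactive or not; as far as I recall the NixOS gnupg module already exports `SSH_AUTH_SOCK` from `gpgconf --list-dirs agent-ssh-socket` when `enableSSHSupport = true` and the variable is unset, and `$UID` is a bash/zsh variable rather than a POSIX one, so the block can probably be reduced to `export GPG_TTY="$(tty)"`. The commented-out `security.pam.yubico` block with `control = "required"` is dead configuration and should be removed rather than left in place, because enabling it as written, with no alternative factor, would refuse logins whenever the key is absent. `yubioath-desktop` and `yubikey-manager` talk to the token over CCID and usually need `services.pcscd.enable = true`, which this module does not set. Hard-coding `home-manager.users.james` inside a system module ties it to one account; a `users` list option or the host's user list would keep the module reusable.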