commit 3c5c3d62449387e9a1175736566504396068d439
parent c8ef999b00961d979b214a1aabd1db93d1e0a878
Author: Vincent Demeester <vincent@sbr.pm>
Date: Thu, 28 Jul 2022 12:02:33 +0200
systems/modules: migrate profiles.yubikey to modules.hardware.yubikey
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
7 files changed, 11 insertions(+), 55 deletions(-)
diff --git a/flake.nix b/flake.nix
@@ -137,7 +137,6 @@
./systems/modules/profiles/sway.nix
./systems/modules/profiles/virtualization.nix
./systems/modules/profiles/wireguard.server.nix
- ./systems/modules/profiles/yubikey.nix
./systems/modules/profiles/zsh.nix
./systems/modules/services/default.nix
sops-nix.nixosModules.sops
diff --git a/systems/hosts/aomi.nix b/systems/hosts/aomi.nix
@@ -97,13 +97,16 @@ in
services.hardware.bolt.enable = true;
+ modules = {
+ hardware = { };
+ };
+
profiles = {
externalbuilder.enable = true;
# desktop.i3.enable = true;
laptop.enable = true;
home = true;
dev.enable = true;
- yubikey.enable = true;
virtualization = { enable = true; nested = true; };
redhat.enable = true;
ssh.enable = true;
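Review bot: The added `modules.hardware = { };` leaves the YubiKey module unset on aomi while the same hunk removes `yubikey.enable = true;` from `profiles`. Unless `modules.hardware.yubikey.enable` defaults to true (its declaration is not visible here), this host silently loses the YubiKey packages, udev rule and `security.pam.u2f` setup that the removed profile configured. The `sops.secrets.u2f_keys` entry in users/vincent/default.nix is gated on the same option, so it would stop being deployed too. If aomi should keep U2F authentication as naruhodo does, write `hardware = { yubikey.enable = true; };`. If dropping it is intended, a one-line comment saying so would stop the empty attrset reading as an oversight.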
diff --git a/systems/hosts/naruhodo.nix b/systems/hosts/naruhodo.nix
@@ -116,13 +116,17 @@ in
localCaches = [ ];
};
+ modules = {
+ hardware = {
+ yubikey.enable = true;
+ };
+ };
profiles = {
externalbuilder.enable = true;
desktop.i3.enable = true;
laptop.enable = true;
home = true;
dev.enable = true;
- yubikey.enable = true;
virtualization = { enable = true; nested = true; };
redhat.enable = true;
scanning.enable = true;
diff --git a/systems/modules/hardware/yubikey.nix b/systems/modules/hardware/yubikey.nix
@@ -35,7 +35,7 @@ in
};
};
}
- (mkIf cfg.config.desktop {
+ (mkIf config.profiles.desktop.enable {
environment.systemPackages = with pkgs; [
yubioath-desktop
];
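Review bot: The new condition `config.profiles.desktop.enable` makes a module under `modules.hardware` read an option from the `profiles` namespace that this commit is migrating away from. Evaluation now depends on whichever module declares `profiles.desktop` being imported alongside this one, and that coupling is not documented. A short comment above the `mkIf`, such as `# GUI authenticator only on hosts with the desktop profile; requires profiles.desktop to be declared`, would make the dependency explicit. The enclosing list and the rest of the module lie outside this hunk, so whether the `udev`, `pcscd` and `security.pam.u2f` settings from the removed profile were carried over cannot be confirmed from here.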
diff --git a/systems/modules/profiles/sway.nix b/systems/modules/profiles/sway.nix
@@ -12,12 +12,8 @@ in
};
config = mkIf cfg.enable {
- #profiles = {
- # desktop.enable = true;
- #};
profiles.avahi.enable = true;
profiles.printing.enable = true;
- # profiles.pulseaudio.enable = true;
profiles.scanning.enable = true;
profiles.syncthing.enable = true;
diff --git a/systems/modules/profiles/yubikey.nix b/systems/modules/profiles/yubikey.nix
@@ -1,46 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.yubikey;
-in
-{
- options = {
- profiles.yubikey = {
- enable = mkEnableOption "Enable yubikey profile";
- u2f = mkOption {
- default = true;
- description = "wether to enable auth with yubkeys throguh pam using u2f";
- type = types.bool;
- };
- };
- };
- config = mkIf cfg.enable (mkMerge [
- {
- environment = {
- systemPackages = with pkgs; [
- yubico-piv-tool
- yubikey-personalization
- yubioath-desktop
- yubikey-manager
- ];
- };
- services = {
- pcscd.enable = true;
- udev = {
- packages = with pkgs; [ yubikey-personalization ];
- extraRules = ''
- # Yubico YubiKey
- KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
- # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
- '';
- };
- };
- }
- (mkIf cfg.u2f {
- security.pam.u2f = {
- enable = true;
- };
- })
- ]);
-}
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -13,7 +13,7 @@ let
in
{
warnings = if (versionAtLeast config.system.nixos.release "21.11") then [ ] else [ "NixOS release: ${config.system.nixos.release}" ];
- sops.secrets.u2f_keys = mkIf (config.profiles.yubikey.enable && config.profiles.yubikey.u2f) {
+ sops.secrets.u2f_keys = mkIf (config.modules.hardware.yubikey.enable && config.modules.hardware.yubikey.u2f) {
path = "/home/vincent/.config/Yubico/u2f_keys";
owner = "vincent";
};
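Review bot: The secret gated by the renamed condition is still placed at `/home/vincent/.config/Yubico/u2f_keys` with `owner = "vincent"`, so the U2F key mapping sits in a directory the authenticating user controls. If `security.pam.u2f` is used for privilege escalation such as sudo (not visible in this diff), a process running as that user could replace the file or symlink and substitute its own key registration. Consider deploying the mapping to a root-owned location and pointing pam_u2f's `authfile` option at it, for example `path = "/etc/u2f_mappings"; owner = "root";` (example path). The condition also assumes the new module declares a `u2f` option, as the removed profile did; that declaration is outside this hunk.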