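# NixOS module: YubiKey support — management tools, the pcscd smart-card
# daemon, a udev access rule for the key's hidraw device, and (optionally)
# pam_u2f authentication.
{ config, lib, pkgs, ... }:
let
  inherit (lib) mkEnableOption mkIf mkMerge mkOption types;
  cfg = config.modules.hardware.yubikey;
in
{
  options = {
    modules.hardware.yubikey = {
      # mkEnableOption already prefixes "Whether to enable ", so the argument
      # must be the bare noun phrase; the previous "Enable yubikey profile"
      # rendered as "Whether to enable Enable yubikey profile."
      enable = mkEnableOption "yubikey profile";
      u2f = mkOption {
        default = true;
        description = "whether to enable auth with yubikeys through pam using u2f";
        type = types.bool;
      };
    };
  };

  config = mkIf cfg.enable (mkMerge [
    {
      environment = {
        systemPackages = with pkgs; [
          yubico-piv-tool
          yubikey-personalization
          yubikey-manager
        ];
      };
      services = {
        # pcscd provides the PC/SC interface used by the PIV/OpenPGP tools above.
        pcscd.enable = true;
        udev = {
          packages = with pkgs; [ yubikey-personalization ];
          # The rule grants the key's hidraw node to the active seat user
          # (TAG+="uaccess") and, regardless of seat, to every member of
          # "wheel" (MODE="0660", GROUP="wheel"); the group grant is the
          # wider of the two. The second rule (lock all sessions on key
          # removal) is left commented out. Note that '#' is not a comment
          # inside a Nix '' string, so the ${pkgs.systemd} interpolation on
          # that line is still evaluated.
          extraRules = ''
            # Yubico YubiKey
            KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
            # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
          '';
        };
      };
    }
    # Graphical OATH front-end only on desktop hosts.
    (mkIf config.modules.desktop.enable {
      environment.systemPackages = with pkgs; [
        yubioath-flutter
      ];
    })
    (mkIf cfg.u2f {
      # Enables pam_u2f with NixOS defaults. NOTE(review): the default
      # security.pam.u2f.control is "sufficient", i.e. a registered key alone
      # satisfies the PAM stack (key-only login, not second factor); set it to
      # "required" if the key is meant to be an additional factor. No authFile
      # is configured, so pam_u2f falls back to each user's own
      # ~/.config/Yubico/u2f_keys mapping — a user-writable file; confirm that
      # matches the intended threat model for sudo/login.
      security.pam.u2f = {
        enable = true;
      };
    })
  ]);
}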