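# NixOS profile for YubiKey support: the Yubico userspace tools, the PC/SC
# smartcard daemon, a udev rule for the raw HID (FIDO/U2F) interface and,
# optionally, PAM U2F authentication via security.pam.u2f.
{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.profiles.yubikey;
in
{
  options = {
    profiles.yubikey = {
      # mkEnableOption prepends "Whether to enable " to its argument, so the
      # argument must be the noun phrase, not a full sentence ("Enable ...").
      enable = mkEnableOption "the YubiKey profile";
      u2f = mkOption {
        default = true;
        description = "Whether to enable authentication with YubiKeys through PAM using U2F (pam_u2f).";
        type = types.bool;
      };
    };
  };

  config = mkIf cfg.enable (mkMerge [
    {
      environment = {
        systemPackages = with pkgs; [
          yubico-piv-tool
          yubikey-personalization
          yubioath-desktop
          yubikey-manager
        ];
      };
      services = {
        # The PIV/OpenPGP/OATH applets are reached over CCID, which needs pcscd.
        pcscd.enable = true;
        udev = {
          # Installs the udev rules that ship with yubikey-personalization.
          packages = with pkgs; [ yubikey-personalization ];
          # The rule below grants the hidraw interface of the listed YubiKey
          # product IDs to group "wheel" (mode 0660) and tags it "uaccess".
          # NOTE(review): services.udev.extraRules is written to 99-local.rules,
          # which runs after 73-seat-late.rules has already applied the uaccess
          # ACL, so the TAG+="uaccess" here is most likely a no-op and the
          # 0660/wheel grant is what actually takes effect -- confirm with
          # `udevadm info` on the device node. That grant is broader than
          # per-seat uaccess: every wheel member gets the device whether or not
          # they hold the active console session. To rely on uaccess instead,
          # ship the rule in a package file numbered below 73 (or rely on the
          # rules yubikey-personalization already installs, which may make this
          # rule redundant). The idProduct list is a point-in-time snapshot and
          # may not cover newer YubiKey models; verify against upstream rules.
          # The commented-out second rule locks all sessions on key removal and
          # is intentionally left disabled.
          extraRules = ''
            # Yubico YubiKey
            KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
            # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
          '';
        };
      };
    }
    (mkIf cfg.u2f {
      # NOTE(review): only `enable` is set, so pam_u2f runs with the NixOS
      # defaults for every other option. The default `control` is, to my
      # knowledge, "sufficient": a touch on a registered key then satisfies
      # PAM on its own and no password is required, which is possession-only
      # login rather than a second factor. For genuine 2FA set
      # `control = "required"` (and consider cue/interactive prompts). Each
      # user must register a key with `pamu2fcfg` in the authfile the module
      # expects (by default ~/.config/Yubico/u2f_keys); check how an
      # unregistered user is treated before relying on this for lockout safety.
      security.pam.u2f = {
        enable = true;
      };
    })
  ]);
}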