
yubikey.nix (1276B)


      1 { config, lib, pkgs, ... }:
      2 
      3 with lib;
      4 let
      5   cfg = config.profiles.yubikey;
      6 in
      7 {
      8   options = {
      9     profiles.yubikey = {
     10       enable = mkEnableOption "Enable yubikey profile";
     11       u2f = mkOption {
     12         default = true;
     13         description = "wether to enable auth with yubkeys throguh pam using u2f";
     14         type = types.bool;
     15       };
     16     };
     17   };
     18   config = mkIf cfg.enable (mkMerge [
     19     {
     20       environment = {
     21         systemPackages = with pkgs; [
     22           yubico-piv-tool
     23           yubikey-personalization
     24           yubioath-desktop
     25           yubikey-manager
     26         ];
     27       };
     28       services = {
     29         pcscd.enable = true;
     30         udev = {
     31           packages = with pkgs; [ yubikey-personalization ];
     32           extraRules = ''
     33             # Yubico YubiKey
     34             KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
     35             # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
     36           '';
     37         };
     38       };
     39     }
     40     (mkIf cfg.u2f {
     41       security.pam.u2f = {
     42         enable = true;
     43       };
     44     })
     45   ]);
     46 }