 1{
 2  lib,
 3  pkgs,
 4  desktop,
 5  ...
 6}:
 7{
 8  environment.systemPackages =
 9    with pkgs;
10    [
11      age-plugin-yubikey
12      yubico-piv-tool
13      yubikey-personalization
14      yubikey-manager
15      yubikey-agent
16      openssh-askpass # GTK askpass for FIDO2 PIN prompts
17    ]
18    ++ lib.optionals (builtins.isString desktop) [
19      yubioath-flutter # Maybe not necessary
20    ];
21
22  programs.yubikey-touch-detector.enable = builtins.isString desktop;
23
24  services = {
25    pcscd.enable = true;
26    udev = {
27      packages = [ pkgs.yubikey-personalization ];
28      # FIXME: is it necessary ?
29      extraRules = ''
30        # Yubico YubiKey
31        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
32        # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
33      '';
34    };
35  };
36
37  security.pam.u2f = {
38    enable = true;
39    settings = {
40      origin = "pam://yubi";
41      authfile = pkgs.writeText "u2f-mappings" (
42        lib.concatStrings [
43          "vincent"
44          ":4IiWZI9g6D8W6LeAW13ug4CnS8PreNRcHdcebkUDny3gWGfmpMJg4TgBWaZSIdh+sgg4jQA4MxYwTCmmP/ipWQ==,qOl+ouBRk6MMEJiE7H5LuTAirhBhN0UQrCNlLQoRsVttp6IBKG4yq4zDwm4fmYlfy1MFhvh7oOapMOmodMKJpQ==,es256,+presence" # yubikey5-a
45          ":Sz4J2qMhoE7bE/uzwUzjJxG/bE0s+cw18zXcQjRsLIdJTVbuMad1ivKlYeLZW6vWV0lYiODlRW21HTSaFzu06A==,p7OZ3z5fiAIuJRHVzm56Y8Ti934+4cVHjsG7kaapmz8cWPfXfXfj5c8QiyIz3EQ0hOoxVV5cbkzUTxe7hdQIsA==,es256,+presence" # yubikey5-c1
46        ]
47      );
48    };
49  };
50
51  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
52
53  # SSH agent with FIDO2 PIN prompt support
54  # Uses NixOS's startAgent which properly sets SSH_ASKPASS in the agent's environment
55  programs.ssh = {
56    startAgent = true;
57    enableAskPassword = true;
58    askPassword = "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass";
59  };
60
61  # Disable GNOME's gcr-ssh-agent (conflicts with programs.ssh.startAgent)
62  # niri module enables gnome-keyring which enables gcr-ssh-agent by default
63  services.gnome.gcr-ssh-agent.enable = false;
64
65  # SSH_ASKPASS_REQUIRE for the user environment (agent confirmation prompts)
66  environment.variables.SSH_ASKPASS_REQUIRE = "prefer";
67
68  # Disabled - using FIDO2 keys with ssh-agent instead of PIV with yubikey-agent
69  services.yubikey-agent.enable = false;
70  # systemd.packages = [ pkgs.yubikey-agent ];
71
72  # This overrides the systemd user unit shipped with the
73  # yubikey-agent package
74  # systemd.user.services.yubikey-agent =
75  #   lib.mkIf (config.programs.gnupg.agent.pinentryPackage != null)
76  #     {t
77  #       path = [ config.programs.gnupg.agent.pinentryPackage ];
78  #       wantedBy = [ "default.target" ];
79  #     };
80}