 1{
 2  lib,
 3  pkgs,
 4  desktop,
 5  ...
 6}:
 7{
 8  environment.systemPackages =
 9    with pkgs;
10    [
11      age-plugin-yubikey
12      yubico-piv-tool
13      yubikey-personalization
14      yubikey-manager
15      yubikey-agent
16      openssh-askpass # GTK askpass for FIDO2 PIN prompts
17    ]
18    ++ lib.optionals (builtins.isString desktop) [
19      yubioath-flutter # Maybe not necessary
20    ];
21
22  programs.yubikey-touch-detector.enable = builtins.isString desktop;
23
24  services = {
25    pcscd.enable = true;
26    udev = {
27      packages = [ pkgs.yubikey-personalization ];
28      # FIXME: is it necessary ?
29      extraRules = ''
30        # Yubico YubiKey
31        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
32        # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
33      '';
34    };
35  };
36
37  security.pam.u2f = {
38    enable = true;
39    settings = {
40      origin = "pam://yubi";
41      authfile = pkgs.writeText "u2f-mappings" (
42        lib.concatStrings [
43          "vincent"
44          ":4IiWZI9g6D8W6LeAW13ug4CnS8PreNRcHdcebkUDny3gWGfmpMJg4TgBWaZSIdh+sgg4jQA4MxYwTCmmP/ipWQ==,qOl+ouBRk6MMEJiE7H5LuTAirhBhN0UQrCNlLQoRsVttp6IBKG4yq4zDwm4fmYlfy1MFhvh7oOapMOmodMKJpQ==,es256,+presence" # yubikey5-a
45          ":Sz4J2qMhoE7bE/uzwUzjJxG/bE0s+cw18zXcQjRsLIdJTVbuMad1ivKlYeLZW6vWV0lYiODlRW21HTSaFzu06A==,p7OZ3z5fiAIuJRHVzm56Y8Ti934+4cVHjsG7kaapmz8cWPfXfXfj5c8QiyIz3EQ0hOoxVV5cbkzUTxe7hdQIsA==,es256,+presence" # yubikey5-c1
46        ]
47      );
48    };
49  };
50
51  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
52
53  # SSH_ASKPASS for FIDO2 PIN prompts
54  environment.variables = {
55    SSH_ASKPASS = lib.mkForce "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass";
56    SSH_ASKPASS_REQUIRE = "prefer"; # Use askpass when available, fallback to terminal
57  };
58
59  # Disabled - using FIDO2 keys with ssh-agent instead of PIV with yubikey-agent
60  services.yubikey-agent.enable = false;
61  # systemd.packages = [ pkgs.yubikey-agent ];
62
63  # This overrides the systemd user unit shipped with the
64  # yubikey-agent package
65  # systemd.user.services.yubikey-agent =
66  #   lib.mkIf (config.programs.gnupg.agent.pinentryPackage != null)
67  #     {t
68  #       path = [ config.programs.gnupg.agent.pinentryPackage ];
69  #       wantedBy = [ "default.target" ];
70  #     };
71}