# NixOS module: YubiKey tooling, udev access, pam_u2f login and yubikey-agent.
{
  lib,
  pkgs,
  desktop,
  ...
}:
let
  # `desktop` is a string when a graphical session is configured; the
  # GUI-only pieces below are gated on that (assumed from the isString test).
  hasDesktop = builtins.isString desktop;

  # pam_u2f mapping file, one line per user:
  #   <user>:<keyHandle>,<publicKey>,<algo>,<flags>[:<keyHandle>,...]
  # Key handles and public keys are not secrets, so keeping the file in the
  # world-readable Nix store is acceptable; `+presence` requires a touch on
  # the key for each authentication.
  u2fMappings = pkgs.writeText "u2f-mappings" (
    lib.concatStringsSep "" [
      "vincent"
      ":4IiWZI9g6D8W6LeAW13ug4CnS8PreNRcHdcebkUDny3gWGfmpMJg4TgBWaZSIdh+sgg4jQA4MxYwTCmmP/ipWQ==,qOl+ouBRk6MMEJiE7H5LuTAirhBhN0UQrCNlLQoRsVttp6IBKG4yq4zDwm4fmYlfy1MFhvh7oOapMOmodMKJpQ==,es256,+presence" # yubikey5-a
      ":Sz4J2qMhoE7bE/uzwUzjJxG/bE0s+cw18zXcQjRsLIdJTVbuMad1ivKlYeLZW6vWV0lYiODlRW21HTSaFzu06A==,p7OZ3z5fiAIuJRHVzm56Y8Ti934+4cVHjsG7kaapmz8cWPfXfXfj5c8QiyIz3EQ0hOoxVV5cbkzUTxe7hdQIsA==,es256,+presence" # yubikey5-c1
    ]
  );
in
{
  # Command-line YubiKey tooling; the desktop authenticator app is only
  # pulled in on graphical hosts.
  environment.systemPackages =
    (with pkgs; [
      age-plugin-yubikey
      yubico-piv-tool
      yubikey-personalization
      yubikey-manager
      yubikey-agent
    ])
    ++ lib.optional hasDesktop pkgs.yubioath-flutter; # Maybe not necessary

  programs = {
    # Touch-notification daemon is only useful with a graphical session.
    yubikey-touch-detector.enable = hasDesktop;
    gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
  };

  services = {
    # Smart-card daemon, needed by the PIV/OpenPGP applets.
    pcscd.enable = true;
    yubikey-agent.enable = true;

    udev = {
      # yubikey-personalization presumably ships its own udev rules for
      # these devices — to be confirmed; if so the rule below is redundant.
      packages = [ pkgs.yubikey-personalization ];
      # FIXME: is it necessary ?
      # NOTE(review): besides the logged-in seat user that TAG+="uaccess"
      # already covers, this rule opens the raw HID node to every member of
      # `wheel` (MODE 0660, GROUP wheel), which is wider than the uaccess
      # grant alone. The commented-out `remove` rule would lock all
      # sessions when the key is unplugged.
      extraRules = ''
        # Yubico YubiKey
        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
        # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
      '';
    };
  };

  # U2F/FIDO second factor for PAM. A fixed origin keeps the registered
  # credentials valid regardless of the machine's hostname.
  # NOTE(review): `control` is left at the module default — confirm whether
  # that makes a touched key sufficient on its own or required in addition
  # to the password, as the two give very different login guarantees.
  security.pam.u2f = {
    enable = true;
    settings = {
      origin = "pam://yubi";
      authfile = u2fMappings;
    };
  };

  # systemd.packages = [ pkgs.yubikey-agent ];

  # This overrides the systemd user unit shipped with the
  # yubikey-agent package
  # systemd.user.services.yubikey-agent =
  #   lib.mkIf (config.programs.gnupg.agent.pinentryPackage != null)
  #     {
  #       path = [ config.programs.gnupg.agent.pinentryPackage ];
  #       wantedBy = [ "default.target" ];
  #     };
}
62}