Commit 6014d7cacb34

Vincent Demeester <vincent@sbr.pm>
2025-01-09 16:35:09
yubikey: rework pam.u2f to work with my yubikeys…
… on any host I configure it on. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent f8b5db4
Changed files (2)
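--- a/systems/modules/hardware/yubikey.nix
+++ b/systems/modules/hardware/yubikey.nix
@@ -48,6 +48,12 @@ in
     (mkIf cfg.u2f {
       security.pam.u2f = {
         enable = true;
+        origin = "pam://yubi";
+        authFile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
+          "vincent"
+          ":4IiWZI9g6D8W6LeAW13ug4CnS8PreNRcHdcebkUDny3gWGfmpMJg4TgBWaZSIdh+sgg4jQA4MxYwTCmmP/ipWQ==,qOl+ouBRk6MMEJiE7H5LuTAirhBhN0UQrCNlLQoRsVttp6IBKG4yq4zDwm4fmYlfy1MFhvh7oOapMOmodMKJpQ==,es256,+presence" # yubikey5-a
+          ":Sz4J2qMhoE7bE/uzwUzjJxG/bE0s+cw18zXcQjRsLIdJTVbuMad1ivKlYeLZW6vWV0lYiODlRW21HTSaFzu06A==,p7OZ3z5fiAIuJRHVzm56Y8Ti934+4cVHjsG7kaapmz8cWPfXfXfj5c8QiyIz3EQ0hOoxVV5cbkzUTxe7hdQIsA==,es256,+presence" # yubikey5-c1
+        ]);
       };
     })
     (mkIf cfg.agent {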
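Review bot: With `origin = "pam://yubi"` the two registrations on the `authFile` lines are accepted on every host that enables `cfg.u2f`, and both carry only `+presence`, so physical possession of either key plus a touch is enough wherever this module is deployed; if `security.pam.u2f.control` is left at the module default (not visible in this hunk, and `sufficient` as far as I recall) that is a passwordless, PIN-less login. Consider re-registering with PIN verification (`pamu2fcfg -o pam://yubi -P`, giving `es256,+presence+pin` entries) or setting `control = "required";` so the key is a second factor rather than the only one. Writing the mappings with `pkgs.writeText` places them in the world-readable `/nix/store`; that is acceptable because a pamu2fcfg line holds only credential IDs and public keys, but a comment saying so would stop the next reader from treating this as a leaked secret, e.g. `# credential IDs + public keys only (not secrets); registered with pamu2fcfg -o pam://yubi`. Hard-coding `"vincent"` in a hardware module also ties it to one user; an option such as `cfg.u2fMappings` would keep the module reusable.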
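--- a/users/vincent/default.nix
+++ b/users/vincent/default.nix
@@ -13,10 +13,6 @@ let
 in
 {
   warnings = if (versionAtLeast config.system.nixos.release "21.11") then [ ] else [ "NixOS release: ${config.system.nixos.release}" ];
-  sops.secrets.u2f_keys = mkIf (config.modules.hardware.yubikey.enable && config.modules.hardware.yubikey.u2f) {
-    path = "/home/vincent/.config/Yubico/u2f_keys";
-    owner = "vincent";
-  };
   users.users.vincent = {
     createHome = true;
     uid = 1000;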