From 1f8e342296eb9619197525469e6f91856e0309bf Mon Sep 17 00:00:00 2001
From: albert
Date: Sun, 5 May 2024 15:07:33 +0900
Subject: [PATCH] Add Yubikey support
---
 home-manager/common/software/cli/ssh.nix | 3 ---
 home-manager/users/albert/default.nix | 2 +-
 nixos/common/modules/yubikey-auth.nix | 16 ++++++++++++++++
 nixos/hosts/nixos-framework/default.nix | 1 +
 4 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 nixos/common/modules/yubikey-auth.nix
diff --git a/home-manager/common/software/cli/ssh.nix b/home-manager/common/software/cli/ssh.nix
index 82204bf3..0f61a452 100644
--- a/home-manager/common/software/cli/ssh.nix
+++ b/home-manager/common/software/cli/ssh.nix
@@ -4,8 +4,5 @@
 home.file.".ssh/config".text = ''
 Host 192.168.1.210
 StrictHostKeyChecking no
- Host framework-server
- ForwardAgent yes
- StreamLocalBindUnlink yes
 '';
 }
diff --git a/home-manager/users/albert/default.nix b/home-manager/users/albert/default.nix
index b91071b6..b0e1f697 100644
--- a/home-manager/users/albert/default.nix
+++ b/home-manager/users/albert/default.nix
@@ -21,7 +21,7 @@
 };
 programs.gpg.publicKeys = [
- {
+ { # Albert J. Copeland
 source = ../../../keys/users/albert.asc;
 trust = "ultimate";
 }
diff --git a/nixos/common/modules/yubikey-auth.nix b/nixos/common/modules/yubikey-auth.nix
new file mode 100644
index 00000000..4afb3a20
--- /dev/null
+++ b/nixos/common/modules/yubikey-auth.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+ security.pam.yubico = {
+ enable = true;
+ debug = true;
+ mode = "challenge-response";
+ id = [ "18550256" ];
+ };
+ services.udev.extraRules = ''
+ ACTION=="remove",\
+ ENV{ID_BUS}=="usb",\
+ ENV{ID_MODEL_ID}=="0407",\
+ ENV{ID_VENDOR_ID}=="1050",\
+ ENV{ID_VENDOR}=="Yubico",\
+ RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+ '';
+}
diff --git a/nixos/hosts/nixos-framework/default.nix b/nixos/hosts/nixos-framework/default.nix
index afdd13f3..b1b807ef 100644
--- a/nixos/hosts/nixos-framework/default.nix
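Review bot: In nixos/common/modules/yubikey-auth.nix the udev rule interpolates `${pkgs.systemd}` while the module header is `{ ... }:`, so `pkgs` is not bound and evaluation should fail with an undefined variable; the header needs to be `{ pkgs, ... }: {`. `debug = true;` leaves pam_yubico debug output switched on for every authentication, which is useful while enrolling the key but should become `debug = false;` (or be dropped) before the module is relied on. The hunk also leaves `security.pam.yubico.control` at its default, which as far as I know is `"sufficient"`, so a successful challenge-response from the key alone would satisfy PAM without a password; if the key is meant as a second factor rather than a replacement, add `control = "required";`. A one-line comment above `id` saying whose key the serial belongs to would help when a key is lost or replaced.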
+++ b/nixos/hosts/nixos-framework/default.nix
@@ -8,6 +8,7 @@
 ../../common/modules/secureboot.nix
 # ../../common/modules/boot.nix
 ../../common/modules/udev-rules.nix
+ ../../common/modules/yubikey-auth.nix
 ../../common/modules/builder.nix
 ../../common/services/podman.nix
 ];