diff --git a/.sops.yaml b/.sops.yaml
index 7e661f63..85171fe2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,6 +13,13 @@ keys:
 - &host_nuc-server
 creation_rules:
+
+ - path_regex: secrets\/yubikey\.yaml$
+ key_groups:
+ - pgp:
+ - *user_albert
+ - *host_nixos-framework
+
 - path_regex: secrets\/secrets\.yaml$
 key_groups:
 - pgp:
diff --git a/nixos/common/modules/yubikey-auth.nix b/nixos/common/modules/yubikey-auth.nix
index ebef07e1..85986191 100644
--- a/nixos/common/modules/yubikey-auth.nix
+++ b/nixos/common/modules/yubikey-auth.nix
@@ -4,8 +4,14 @@
 debug = true;
 control = "required";
 mode = "challenge-response";
+ challengeResponsePath = /run/secrets/yubikey/;
 id = [ "18550256" ];
 };
+
+ sops.secrets."yubikey/albert-18550256" = {
+ owner = "root";
+ sopsFile = ../../secrets/yubikey.yaml;
+ };
 environment.systemPackages = with pkgs; [
 yubico-pam
@@ -17,6 +23,6 @@
 ENV{ID_MODEL_ID}=="0407",\
 ENV{ID_VENDOR_ID}=="1050",\
 ENV{ID_VENDOR}=="Yubico",\
- RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+ RUN+="shutdown -h now"
 '';
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 37f1423d..99c82a91 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -9,8 +9,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-04-28T11:40:09Z"
- mac: ENC[AES256_GCM,data:0nfSYSCUKe4G5977jBuM8eQK531CkoA+rlrWGU6Dy8ukXkDCY3uG7nozKrbWgKFsiK22anfiHedcZbJ10tPvPGJK1WGiY26049cYoaDCCGGeZWS04YhbMomvNDRj2sqnj7NNcveJeLTThSSrkzv1f/KSSlnnuB8V3YjlrdX5D00=,iv:P4b+QtAz5QRwZfSONrg7YV7PhSZuTNrAfDJNxpq4gYk=,tag:JR4FZv8FMFCyHKJ4Pz6i5Q==,type:str]
+ lastmodified: "2024-05-05T07:52:02Z"
+ mac: ENC[AES256_GCM,data:xe5E4B0nIyAAEs7dJVlJOFiuC/xM8RCZ8/Gxj5C+kgcVRMqiL+UoaXMb6N4c5hAJDSbbF6SwDwqTy+bmZu7aV0NSoClICJl/zuyc1jPQrIFf/8GUWDe654mqSmsOijXPsNvPWWC+h2QDSEcut8fe1WQag6RA61ri4fL4ih4VukA=,iv:966NPVYUEdBspI7WhvutngvRs5SgwI+wyDVhldG9IqA=,tag:Pvmeir7NCw8mbN9rtoYsDg==,type:str]
 pgp:
 - created_at: "2024-04-28T00:33:16Z"
 enc: |-
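Review bot: The new `secrets\/yubikey\.yaml$` rule encrypts only to `*user_albert` and `*host_nixos-framework`, but the module that declares the secret (nixos/common/modules/yubikey-auth.nix, later in this diff) lives in the common module tree; any other host that imports it — the `keys` block above also lists `host_nuc-server` — would fail to decrypt the file at activation. Whether other hosts import the module is not visible here, so either add those hosts' keys to this group or record the restriction next to the rule, e.g. `# yubikey.yaml decrypts only on nixos-framework; yubikey-auth.nix must not be imported elsewhere`. Note also that the diff as shown does not add secrets/yubikey.yaml itself; if it is not created in this commit, evaluation of the nix module will fail on the missing sopsFile.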
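Review bot: `challengeResponsePath = /run/secrets/yubikey/;` is a Nix path literal rather than a string, and that is wrong on two counts: the trailing slash is, as far as I know, rejected by the Nix parser, and a path value interpolated into the generated pam configuration is copied into the Nix store at build time, which either fails because /run/secrets/yubikey does not exist on the builder or places the decrypted challenge file in the world-readable store. Write it as a string so only the path text reaches pam_yubico's `chalresp_path` option: `challengeResponsePath = "/run/secrets/yubikey";`. The secret name `yubikey/albert-18550256` follows pam_yubico's `$user-$serial` layout and agrees with the `id` in context, so the runtime file should resolve to `/run/secrets/yubikey/albert-18550256` with root ownership as declared; the sops-nix default mode is not shown here, so confirm it leaves the file readable only by root.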
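Review bot: `RUN+="shutdown -h now"` drops the absolute store path that the replaced line used; udev does not search a normal PATH on NixOS, so this rule will most likely fail silently on key removal, leaving the machine neither locked nor powered off. Keep the store path: `RUN+="${pkgs.systemd}/bin/shutdown -h now"` (or `${pkgs.systemd}/bin/systemctl poweroff`). Unlike the previous `lock-sessions`, a poweroff is not recoverable from an accidental or momentary disconnect and fires for any device matching vendor 1050 / model 0407, so the intent deserves a comment above the rule, e.g. `# Kill switch: removing the YubiKey powers the machine off rather than locking it`. The ACTION/SUBSYSTEM part of the udev rule begins outside the hunk, so whether the ID_* properties are still present on the remove event cannot be checked here.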