Yubikey module

2021-11-17 18:01:41 +02:00 · 2021-11-17 18:01:41 +02:00 · 7da1cb3caa
commit 7da1cb3caa
3 changed files with 81 additions and 0 deletions
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,25 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1637156900,
+        "narHash": "sha256-nusyaSsL1RLyUEWufUUywDrGKMXw+4ugSSZ3ss8TSuw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "12fc0f19fefa9dff68bc3e0938b815ab8d89df90",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,8 @@
+{
+  description = "Yubikey module";
+
+  outputs = { self, nixpkgs }: {
+
+    nixosModule = import ./modules/yubikey/default.nix;
+  };
+}
--- a/modules/yubikey/default.nix
+++ b/modules/yubikey/default.nix
@ -0,0 +1,48 @@
+{ config, lib, pkgs, ...}:
+
+with lib;
+
+let
+
+  cfg = config.programs.yubikey;
+
+in
+
+{
+  options.programs.yubikey = {
+    enable = mkEnableOption "Yubikey";
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      yubikey-personalization
+    ];
+    services.udev = {
+      packages = with pkgs; [
+        yubikey-personalization
+      ];
+      extraRules = ''
+        # Yubikey: create a symlink when key is plugged in, register this in systemd
+        # ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", SYMLINK+="yubikey", TAG+="systemd"
+        # Yubikey: create a device alias when key is plugged in, register this in systemd
+        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0405", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/yubikey"
+
+        # Yubikey: unregister key when unplugged (bug in systemd/kernel, see https://github.com/systemd/systemd/issues/7587)
+        ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/405/*", TAG+="systemd"
+        # Yubikey: grant access to group plugdev
+        ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", \
+          MODE="664", GROUP="wheel"
+      '';
+    };
+    # services.pcscd.enable = true;
+    programs.ssh.startAgent = false;
+    programs.gnupg.agent = {
+      pinentryFlavor = "gnome3";
+      enable = true;
+      enableSSHSupport = true;
+      enableExtraSocket = true;
+      enableBrowserSocket = true;
+    };
+  };
+}
+