Yubikey module

modules/yubikey/default.nix

@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ...}:
+
+with lib;
+
+let
+
+  cfg = config.programs.yubikey;
+
+in
+
+{
+  options.programs.yubikey = {
+    enable = mkEnableOption "Yubikey";
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      yubikey-personalization
+    ];
+    services.udev = {
+      packages = with pkgs; [
+        yubikey-personalization
+      ];
+      extraRules = ''
+        # Yubikey: create a symlink when key is plugged in, register this in systemd
+        # ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", SYMLINK+="yubikey", TAG+="systemd"
+        # Yubikey: create a device alias when key is plugged in, register this in systemd
+        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0405", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/yubikey"
+
+        # Yubikey: unregister key when unplugged (bug in systemd/kernel, see https://github.com/systemd/systemd/issues/7587)
+        ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/405/*", TAG+="systemd"
+        # Yubikey: grant access to group plugdev
+        ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", \
+          MODE="664", GROUP="wheel"
+      '';
+    };
+    # services.pcscd.enable = true;
+    programs.ssh.startAgent = false;
+    programs.gnupg.agent = {
+      pinentryFlavor = "gnome3";
+      enable = true;
+      enableSSHSupport = true;
+      enableExtraSocket = true;
+      enableBrowserSocket = true;
+    };
+  };
+}
+