diff --git a/home/hosts/andromache/default.nix b/home/hosts/andromache/default.nix
index 376c9e50..eff6445c 100644
--- a/home/hosts/andromache/default.nix
+++ b/home/hosts/andromache/default.nix
@@ -30,8 +30,9 @@ ../../modules/ssh ../../modules/taskwarrior ../../modules/terminal - ../../modules/zk ../../modules/torrenting + ../../modules/yubikey + ../../modules/zk ]; home = {
@@ -58,6 +59,7 @@ shell.bash.aliases.lang-js = true; shell.bash.addBinToPath = true; torrenting.enable = true; + my.yubikey.enable = true; zk.enable = true; programs = {
diff --git a/home/hosts/astyanax/default.nix b/home/hosts/astyanax/default.nix
index 0fccaabc..64c7049c 100644
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -29,6 +29,7 @@ ../../modules/ssh ../../modules/taskwarrior ../../modules/terminal + ../../modules/yubikey ]; home = {
@@ -53,6 +54,7 @@ git.github.enable = true; shell.bash.aliases.lang-js = true; shell.bash.addBinToPath = true; + my.yubikey.enable = true; programs = { home-manager.enable = true;
diff --git a/home/modules/yubikey/default.nix b/home/modules/yubikey/default.nix
new file mode 100644
index 00000000..233f704a
--- /dev/null
+++ b/home/modules/yubikey/default.nix
@@ -0,0 +1,19 @@ +{ + lib, + config, + pkgs, + ... +}: + + { + options.my.yubikey = { + enable = lib.mkEnableOption "yubikey"; + }; + + config = lib.mkIf config.my.yubikey.enable { + home.packages = with pkgs; [ + yubikey-manager + yubikey-personalization + ]; + }; +}
diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix
index 3c7a0b42..f6fc1798 100644
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -91,21 +91,8 @@ in ]; my.yubikey = { - enable = false; - keys = [ - { - handle = ""; - userKey = ""; - coseType = ""; - options = ""; - } - { - handle = ""; - userKey = ""; - coseType = ""; - options = ""; - } - ]; + enable = true; + pam.enable = false; }; services.locate = {
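Review bot: The new home-manager module in home/modules/yubikey/default.nix declares `options.my.yubikey.enable` with the description "yubikey", the same option path and a near-identical description to the NixOS `my.yubikey` module in modules/yubikey/default.nix, so the generated option docs read the same for two switches with different effects (this one only adds the CLI tools to `home.packages`). A more specific description removes the ambiguity: `enable = lib.mkEnableOption "YubiKey CLI tools (yubikey-manager, yubikey-personalization) in the user profile";`. The two options live in separate module systems, so there is no evaluation conflict, only the documentation overlap.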
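Review bot: In the hosts/andromache/default.nix hunk, `pam.enable = false;` restates the option's default (`mkEnableOption` defaults to false), so the line only earns its place if it says why PAM U2F stays off; the removed block of empty `handle`/`userKey` placeholders suggests no keys have been enrolled yet, but that is inferred rather than stated. A trailing comment would make the intent explicit, e.g. `pam.enable = false; # no keys enrolled yet; populate my.yubikey.pam.keys before enabling`. The same line appears in the hosts/astyanax/default.nix hunk and would benefit from the same comment. The enclosing attribute set opens before this hunk.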
diff --git a/hosts/astyanax/default.nix b/hosts/astyanax/default.nix
index 30555a5b..1e20bedb 100644
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -99,21 +99,7 @@ in my.yubikey = { enable = true; - # inherit (config.host) username; - # keys = [ - # { - # handle = ""; - # userKey = ""; - # coseType = ""; - # options = ""; - # } - # { - # handle = ""; - # userKey = ""; - # coseType = ""; - # options = ""; - # } - # ]; + pam.enable = false; }; services = {
diff --git a/modules/yubikey/default.nix b/modules/yubikey/default.nix
index b4fef386..04e1ede6 100644
--- a/modules/yubikey/default.nix
+++ b/modules/yubikey/default.nix
@@ -15,57 +15,64 @@ let in { options.my.yubikey = { - enable = mkEnableOption "yubiKey U2F authentication"; - - origin = mkOption { - type = types.str; - default = "pam://yubi"; - }; - - keys = mkOption { - type = types.listOf ( - types.submodule { - options = { - handle = mkOption { - type = types.str; - example = ""; + enable = mkEnableOption "YubiKey"; + pam = { + enable = mkEnableOption "YubiKey PAM U2F"; + origin = mkOption { + type = types.str; + default = "pam://yubi"; + }; + keys = mkOption { + type = types.listOf ( + types.submodule { + options = { + handle = mkOption { + type = types.str; + example = ""; + }; + userKey = mkOption { + type = types.str; + example = ""; + }; + coseType = mkOption { + type = types.str; + default = "es256"; + }; + options = mkOption { + type = types.str; + default = ""; + }; }; - userKey = mkOption { - type = types.str; - example = ""; - }; - coseType = mkOption { - type = types.str; - default = "es256"; - }; - options = mkOption { - type = types.str; - default = ""; - }; - }; - } - ); - default = [ ]; + } + ); + default = [ ]; + }; }; }; - config = mkIf cfg.enable { - security.pam = { - u2f = { - enable = true; - settings = { - interactive = true; - cue = true; - inherit (cfg) origin; - authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys); + config = mkMerge [ + (mkIf cfg.enable { + services.udev.packages = with pkgs; [ + yubikey-manager + yubikey-personalization + ]; + }) + (mkIf (cfg.enable && cfg.pam.enable) { + security.pam = { + u2f = { + enable = true; + settings = { + interactive = true; + cue = true; + origin = cfg.pam.origin; + authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.pam.keys); + }; + }; + services = { + login.u2fAuth = true; + sudo.u2fAuth = true; }; }; - services = { - login.u2fAuth = true; - sudo.u2fAuth = true; - }; - }; - - services.udev.packages = with pkgs; [ yubikey-personalization ]; - }; + }) + ]; }
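Review bot: Two misconfigurations pass evaluation silently in the new `config = mkMerge [ ... ]`: `my.yubikey.pam.enable = true` without `my.yubikey.enable` is dropped by the `cfg.enable && cfg.pam.enable` guard, and the default `pam.keys = [ ]` still turns on `login.u2fAuth` and `sudo.u2fAuth` against a mapping file that lists no keys, so whether that yields a prompt or a silent no-op depends on pam_u2f rather than on anything visible here. An unconditional `assertions` element in the `mkMerge` list turns both cases into build-time errors, as sketched below. Separately, the `authfile` written with `pkgs.writeText` lives in the world-readable Nix store; the submodule fields (`handle`, `userKey`, `coseType`, `options`) are pam_u2f's mapping-file fields, which carry key handles and public keys rather than secrets, so a comment such as `# mappings hold key handles/public keys only; a world-readable store path is acceptable` would record that this is intentional. `cfg`, `username` and `authfileContent` are bound in the `let` above the hunk.
```nix
  config = mkMerge [
    {
      # Fail evaluation instead of silently ignoring a half-configured PAM setup.
      assertions = [
        {
          assertion = cfg.pam.enable -> cfg.enable;
          message = "my.yubikey.pam.enable requires my.yubikey.enable = true";
        }
        {
          assertion = cfg.pam.enable -> cfg.pam.keys != [ ];
          message = "my.yubikey.pam.enable is set but my.yubikey.pam.keys is empty";
        }
      ];
    }
    # … unchanged: (mkIf cfg.enable { services.udev.packages … }) …
    # … unchanged: (mkIf (cfg.enable && cfg.pam.enable) { security.pam … }) …
  ];
```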