feat(yubikey): declare yubikey-manager

2026-05-16 11:39:36 +02:00
parent cd52edbc4d
commit 11a89aa772
6 changed files with 81 additions and 78 deletions
--- a/modules/yubikey/default.nix
+++ b/modules/yubikey/default.nix
@@ -15,57 +15,64 @@ let
 in
 {
  options.my.yubikey = {
-    enable = mkEnableOption "yubiKey U2F authentication";
-
-    origin = mkOption {
-      type = types.str;
-      default = "pam://yubi";
-    };
-
-    keys = mkOption {
-      type = types.listOf (
-        types.submodule {
-          options = {
-            handle = mkOption {
-              type = types.str;
-              example = "<KeyHandle1>";
+    enable = mkEnableOption "YubiKey";
+    pam = {
+      enable = mkEnableOption "YubiKey PAM U2F";
+      origin = mkOption {
+        type = types.str;
+        default = "pam://yubi";
+      };
+      keys = mkOption {
+        type = types.listOf (
+          types.submodule {
+            options = {
+              handle = mkOption {
+                type = types.str;
+                example = "<KeyHandle1>";
+              };
+              userKey = mkOption {
+                type = types.str;
+                example = "<UserKey1>";
+              };
+              coseType = mkOption {
+                type = types.str;
+                default = "es256";
+              };
+              options = mkOption {
+                type = types.str;
+                default = "";
+              };
            };
-            userKey = mkOption {
-              type = types.str;
-              example = "<UserKey1>";
-            };
-            coseType = mkOption {
-              type = types.str;
-              default = "es256";
-            };
-            options = mkOption {
-              type = types.str;
-              default = "";
-            };
-          };
-        }
-      );
-      default = [ ];
+          }
+        );
+        default = [ ];
+      };
    };
  };

-  config = mkIf cfg.enable {
-    security.pam = {
-      u2f = {
-        enable = true;
-        settings = {
-          interactive = true;
-          cue = true;
-          inherit (cfg) origin;
-          authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys);
+  config = mkMerge [
+    (mkIf cfg.enable {
+      services.udev.packages = with pkgs; [
+        yubikey-manager
+        yubikey-personalization
+      ];
+    })
+    (mkIf (cfg.enable && cfg.pam.enable) {
+      security.pam = {
+        u2f = {
+          enable = true;
+          settings = {
+            interactive = true;
+            cue = true;
+            origin = cfg.pam.origin;
+            authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.pam.keys);
+          };
+        };
+        services = {
+          login.u2fAuth = true;
+          sudo.u2fAuth = true;
        };
      };
-      services = {
-        login.u2fAuth = true;
-        sudo.u2fAuth = true;
-      };
-    };
-
-    services.udev.packages = with pkgs; [ yubikey-personalization ];
-  };
+    })
+  ];
 }