feat(yubikey): declare yubikey-manager

home/hosts/andromache/default.nix

@@ -30,8 +30,9 @@
     ../../modules/ssh
     ../../modules/taskwarrior
     ../../modules/terminal
-    ../../modules/zk
     ../../modules/torrenting
+    ../../modules/yubikey
+    ../../modules/zk
   ];
 
   home = {
@@ -58,6 +59,7 @@
   shell.bash.aliases.lang-js = true;
   shell.bash.addBinToPath = true;
   torrenting.enable = true;
+  my.yubikey.enable = true;
   zk.enable = true;
 
   programs = {

home/hosts/astyanax/default.nix

@@ -29,6 +29,7 @@
     ../../modules/ssh
     ../../modules/taskwarrior
     ../../modules/terminal
+    ../../modules/yubikey
   ];
 
   home = {
@@ -53,6 +54,7 @@
   git.github.enable = true;
   shell.bash.aliases.lang-js = true;
   shell.bash.addBinToPath = true;
+  my.yubikey.enable = true;
 
   programs = {
     home-manager.enable = true;

home/modules/yubikey/default.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  options.my.yubikey = {
+    enable = lib.mkEnableOption "yubikey";
+  };
+
+  config = lib.mkIf config.my.yubikey.enable {
+    home.packages = with pkgs; [
+      yubikey-manager
+      yubikey-personalization
+    ];
+  };
+}

hosts/andromache/default.nix

@@ -91,21 +91,8 @@ in
   ];
 
   my.yubikey = {
-    enable = false;
+    enable = true;
-    keys = [
+    pam.enable = false;
-      {
-        handle = "<KeyHandle1>";
-        userKey = "<UserKey1>";
-        coseType = "<CoseType1>";
-        options = "<Options1>";
-      }
-      {
-        handle = "<KeyHandle2>";
-        userKey = "<UserKey2>";
-        coseType = "<CoseType2>";
-        options = "<Options2>";
-      }
-    ];
   };
 
   services.locate = {

hosts/astyanax/default.nix

@@ -99,21 +99,7 @@ in
 
   my.yubikey = {
     enable = true;
-    # inherit (config.host) username;
+    pam.enable = false;
-    # keys = [
-    #   {
-    #     handle = "<KeyHandle1>";
-    #     userKey = "<UserKey1>";
-    #     coseType = "<CoseType1>";
-    #     options = "<Options1>";
-    #   }
-    #   {
-    #     handle = "<KeyHandle2>";
-    #     userKey = "<UserKey2>";
-    #     coseType = "<CoseType2>";
-    #     options = "<Options2>";
-    #   }
-    # ];
   };
 
   services = {

modules/yubikey/default.nix

@@ -15,13 +15,13 @@ let
 in
 {
   options.my.yubikey = {
-    enable = mkEnableOption "yubiKey U2F authentication";
+    enable = mkEnableOption "YubiKey";
-
+    pam = {
+      enable = mkEnableOption "YubiKey PAM U2F";
       origin = mkOption {
         type = types.str;
         default = "pam://yubi";
       };
-
       keys = mkOption {
         type = types.listOf (
           types.submodule {
@@ -48,16 +48,24 @@ in
         default = [ ];
       };
     };
+  };
 
-  config = mkIf cfg.enable {
+  config = mkMerge [
+    (mkIf cfg.enable {
+      services.udev.packages = with pkgs; [
+        yubikey-manager
+        yubikey-personalization
+      ];
+    })
+    (mkIf (cfg.enable && cfg.pam.enable) {
       security.pam = {
         u2f = {
           enable = true;
           settings = {
             interactive = true;
             cue = true;
-          inherit (cfg) origin;
+            origin = cfg.pam.origin;
-          authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys);
+            authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.pam.keys);
           };
         };
         services = {
@@ -65,7 +73,6 @@ in
           sudo.u2fAuth = true;
         };
       };
-
+    })
-    services.udev.packages = with pkgs; [ yubikey-personalization ];
+  ];
-  };
 }