feat(yubikey): declare yubikey-manager

home/hosts/andromache/default.nix

@@ -30,8 +30,9 @@
     ../../modules/ssh
     ../../modules/taskwarrior
     ../../modules/terminal
-    ../../modules/zk
     ../../modules/torrenting
+    ../../modules/yubikey
+    ../../modules/zk
   ];
 
   home = {
@@ -58,6 +59,7 @@
   shell.bash.aliases.lang-js = true;
   shell.bash.addBinToPath = true;
   torrenting.enable = true;
+  my.yubikey.enable = true;
   zk.enable = true;
 
   programs = {

home/hosts/astyanax/default.nix

@@ -29,6 +29,7 @@
     ../../modules/ssh
     ../../modules/taskwarrior
     ../../modules/terminal
+    ../../modules/yubikey
   ];
 
   home = {
@@ -53,6 +54,7 @@
   git.github.enable = true;
   shell.bash.aliases.lang-js = true;
   shell.bash.addBinToPath = true;
+  my.yubikey.enable = true;
 
   programs = {
     home-manager.enable = true;

home/modules/yubikey/default.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  options.my.yubikey = {
+    enable = lib.mkEnableOption "yubikey";
+  };
+
+  config = lib.mkIf config.my.yubikey.enable {
+    home.packages = with pkgs; [
+      yubikey-manager
+      yubikey-personalization
+    ];
+  };
+}

hosts/andromache/default.nix

@@ -91,21 +91,8 @@ in
   ];
 
   my.yubikey = {
-    enable = false;
+    enable = true;
-    keys = [
+    pam.enable = false;
-      {
-        handle = "<KeyHandle1>";
-        userKey = "<UserKey1>";
-        coseType = "<CoseType1>";
-        options = "<Options1>";
-      }
-      {
-        handle = "<KeyHandle2>";
-        userKey = "<UserKey2>";
-        coseType = "<CoseType2>";
-        options = "<Options2>";
-      }
-    ];
   };
 
   services.locate = {

hosts/astyanax/default.nix

@@ -99,21 +99,7 @@ in
 
   my.yubikey = {
     enable = true;
-    # inherit (config.host) username;
+    pam.enable = false;
-    # keys = [
-    #   {
-    #     handle = "<KeyHandle1>";
-    #     userKey = "<UserKey1>";
-    #     coseType = "<CoseType1>";
-    #     options = "<Options1>";
-    #   }
-    #   {
-    #     handle = "<KeyHandle2>";
-    #     userKey = "<UserKey2>";
-    #     coseType = "<CoseType2>";
-    #     options = "<Options2>";
-    #   }
-    # ];
   };
 
   services = {

modules/yubikey/default.nix

@@ -15,57 +15,64 @@ let
 in
 {
   options.my.yubikey = {
-    enable = mkEnableOption "yubiKey U2F authentication";
+    enable = mkEnableOption "YubiKey";
-
+    pam = {
-    origin = mkOption {
+      enable = mkEnableOption "YubiKey PAM U2F";
-      type = types.str;
+      origin = mkOption {
-      default = "pam://yubi";
+        type = types.str;
-    };
+        default = "pam://yubi";
-
+      };
-    keys = mkOption {
+      keys = mkOption {
-      type = types.listOf (
+        type = types.listOf (
-        types.submodule {
+          types.submodule {
-          options = {
+            options = {
-            handle = mkOption {
+              handle = mkOption {
-              type = types.str;
+                type = types.str;
-              example = "<KeyHandle1>";
+                example = "<KeyHandle1>";
+              };
+              userKey = mkOption {
+                type = types.str;
+                example = "<UserKey1>";
+              };
+              coseType = mkOption {
+                type = types.str;
+                default = "es256";
+              };
+              options = mkOption {
+                type = types.str;
+                default = "";
+              };
             };
-            userKey = mkOption {
+          }
-              type = types.str;
+        );
-              example = "<UserKey1>";
+        default = [ ];
-            };
+      };
-            coseType = mkOption {
-              type = types.str;
-              default = "es256";
-            };
-            options = mkOption {
-              type = types.str;
-              default = "";
-            };
-          };
-        }
-      );
-      default = [ ];
     };
   };
 
-  config = mkIf cfg.enable {
+  config = mkMerge [
-    security.pam = {
+    (mkIf cfg.enable {
-      u2f = {
+      services.udev.packages = with pkgs; [
-        enable = true;
+        yubikey-manager
-        settings = {
+        yubikey-personalization
-          interactive = true;
+      ];
-          cue = true;
+    })
-          inherit (cfg) origin;
+    (mkIf (cfg.enable && cfg.pam.enable) {
-          authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys);
+      security.pam = {
+        u2f = {
+          enable = true;
+          settings = {
+            interactive = true;
+            cue = true;
+            origin = cfg.pam.origin;
+            authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.pam.keys);
+          };
+        };
+        services = {
+          login.u2fAuth = true;
+          sudo.u2fAuth = true;
         };
       };
-      services = {
+    })
-        login.u2fAuth = true;
+  ];
-        sudo.u2fAuth = true;
-      };
-    };
-
-    services.udev.packages = with pkgs; [ yubikey-personalization ];
-  };
 }