feat(yubikey): declare yubikey-manager

2026-05-16 11:39:36 +02:00
parent cd52edbc4d
commit 11a89aa772
6 changed files with 81 additions and 78 deletions
--- a/home/hosts/andromache/default.nix
+++ b/home/hosts/andromache/default.nix
@@ -30,8 +30,9 @@
    ../../modules/ssh
    ../../modules/taskwarrior
    ../../modules/terminal
-    ../../modules/zk
    ../../modules/torrenting
+    ../../modules/yubikey
+    ../../modules/zk
  ];

  home = {
@@ -58,6 +59,7 @@
  shell.bash.aliases.lang-js = true;
  shell.bash.addBinToPath = true;
  torrenting.enable = true;
+  my.yubikey.enable = true;
  zk.enable = true;

  programs = {
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -29,6 +29,7 @@
    ../../modules/ssh
    ../../modules/taskwarrior
    ../../modules/terminal
+    ../../modules/yubikey
  ];

  home = {
@@ -53,6 +54,7 @@
  git.github.enable = true;
  shell.bash.aliases.lang-js = true;
  shell.bash.addBinToPath = true;
+  my.yubikey.enable = true;

  programs = {
    home-manager.enable = true;
--- a/home/modules/yubikey/default.nix
+++ b/home/modules/yubikey/default.nix
@@ -0,0 +1,19 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  options.my.yubikey = {
+    enable = lib.mkEnableOption "yubikey";
+  };
+
+  config = lib.mkIf config.my.yubikey.enable {
+    home.packages = with pkgs; [
+      yubikey-manager
+      yubikey-personalization
+    ];
+  };
+}
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -91,21 +91,8 @@ in
  ];

  my.yubikey = {
-    enable = false;
-    keys = [
-      {
-        handle = "<KeyHandle1>";
-        userKey = "<UserKey1>";
-        coseType = "<CoseType1>";
-        options = "<Options1>";
-      }
-      {
-        handle = "<KeyHandle2>";
-        userKey = "<UserKey2>";
-        coseType = "<CoseType2>";
-        options = "<Options2>";
-      }
-    ];
+    enable = true;
+    pam.enable = false;
  };

  services.locate = {
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -99,21 +99,7 @@ in

  my.yubikey = {
    enable = true;
-    # inherit (config.host) username;
-    # keys = [
-    #   {
-    #     handle = "<KeyHandle1>";
-    #     userKey = "<UserKey1>";
-    #     coseType = "<CoseType1>";
-    #     options = "<Options1>";
-    #   }
-    #   {
-    #     handle = "<KeyHandle2>";
-    #     userKey = "<UserKey2>";
-    #     coseType = "<CoseType2>";
-    #     options = "<Options2>";
-    #   }
-    # ];
+    pam.enable = false;
  };

  services = {
--- a/modules/yubikey/default.nix
+++ b/modules/yubikey/default.nix
@@ -15,13 +15,13 @@ let
 in
 {
  options.my.yubikey = {
-    enable = mkEnableOption "yubiKey U2F authentication";
-
+    enable = mkEnableOption "YubiKey";
+    pam = {
+      enable = mkEnableOption "YubiKey PAM U2F";
      origin = mkOption {
        type = types.str;
        default = "pam://yubi";
      };
-
      keys = mkOption {
        type = types.listOf (
          types.submodule {
@@ -48,16 +48,24 @@ in
        default = [ ];
      };
    };
+  };

-  config = mkIf cfg.enable {
+  config = mkMerge [
+    (mkIf cfg.enable {
+      services.udev.packages = with pkgs; [
+        yubikey-manager
+        yubikey-personalization
+      ];
+    })
+    (mkIf (cfg.enable && cfg.pam.enable) {
      security.pam = {
        u2f = {
          enable = true;
          settings = {
            interactive = true;
            cue = true;
-          inherit (cfg) origin;
-          authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys);
+            origin = cfg.pam.origin;
+            authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.pam.keys);
          };
        };
        services = {
@@ -65,7 +73,6 @@ in
          sudo.u2fAuth = true;
        };
      };
-
-    services.udev.packages = with pkgs; [ yubikey-personalization ];
-  };
+    })
+  ];
 }