From 16d14bcb1ebe810ee5e4b13764c71df947e65ed4 Mon Sep 17 00:00:00 2001
From: Hektor Misplon
Date: Sun, 22 Feb 2026 17:07:01 +0100
Subject: [PATCH] feat: add 'yubikey' module to 'andromache' host
---
hosts/andromache/default.nix | 20 ++++++++++
modules/yubikey/default.nix | 75 ++++++++++++++++++++++++++++++++++++
2 files changed, 95 insertions(+)
create mode 100644 modules/yubikey/default.nix
diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix
index 67ec837..b4c05c9 100644
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -42,6 +42,7 @@ in ../../modules/docker ../../modules/syncthing ../../modules/nvidia + ../../modules/yubikey ]; home-manager.users.${username} = import ../../home/hosts/andromache {
@@ -91,6 +92,25 @@ in inputs.colmena.packages.${pkgs.stdenv.hostPlatform.system}.colmena ]; + my.yubikey = { enable = false; inherit username; keys = [ { handle = ""; userKey = ""; coseType = ""; options = ""; } { handle = ""; userKey = ""; coseType = ""; options = ""; } ]; }; services = { locate = { enable = true;
diff --git a/modules/yubikey/default.nix b/modules/yubikey/default.nix
new file mode 100644
index 0000000..e922690
--- /dev/null
+++ b/modules/yubikey/default.nix
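Review bot: The two `my.yubikey.keys` entries in the second hunk are committed with every field empty, and `coseType = ""` explicitly overrides the module's `es256` default, so the moment `enable` flips to true the generated authfile line becomes `h:,,,:,,,`, which pam_u2f cannot match; with NixOS's default `sufficient` control for u2fAuth that failure is silent, because password authentication still succeeds. If these are placeholders, say so and drop the overridden defaults, e.g. `# TODO: fill handle/userKey from pamu2fcfg output (origin pam://yubi) before setting enable = true`, keeping only `handle` and `userKey` in each entry. The enclosing `services` attrset continues past the end of the hunk.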
@@ -0,0 +1,75 @@ +{ + lib, + config, + pkgs, + ... +}: + +with lib; + +let + cfg = config.my.yubikey; + formatKey = key: ":${key.handle},${key.userKey},${key.coseType},${key.options}"; + authfileContent = username: keys: username + lib.concatMapStrings formatKey keys; +in +{ + options.my.yubikey = { + enable = mkEnableOption "yubiKey U2F authentication"; + + username = mkOption { + type = types.str; + default = "h"; + }; + + origin = mkOption { + type = types.str; + default = "pam://yubi"; + }; + + keys = mkOption { + type = types.listOf ( + types.submodule { + options = { + handle = mkOption { + type = types.str; + example = ""; + }; + userKey = mkOption { + type = types.str; + example = ""; + }; + coseType = mkOption { + type = types.str; + default = "es256"; + }; + options = mkOption { + type = types.str; + default = ""; + }; + }; + } + ); + default = [ ]; + }; + }; + + config = mkIf cfg.enable { + security.pam = { + u2f = { + enable = true; + settings = { + interactive = true; + cue = true; + inherit (cfg) origin; + authfile = pkgs.writeText "u2f-mappings" (authfileContent cfg.username cfg.keys); + }; + }; + services = { + login.u2fAuth = true; + sudo.u2fAuth = true; + }; + }; + + services.udev.packages = [ pkgs.yubikey-personalization ]; + }; +}
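Review bot: `login.u2fAuth = true` and `sudo.u2fAuth = true` in the `config` block register pam_u2f with NixOS's default control `sufficient` (the module never sets `security.pam.u2f.control`), so a touch on an enrolled key alone passes login and sudo — possession is the only factor, and the `options` default of `""` asks for no `+pin` either. If the intent is a second factor rather than passwordless login, expose `control` and use `"required"`; note also that `authfileContent` happily formats `keys = [ ]` as a bare username and an entry with empty `handle`/`userKey` as `user:,,es256,`, neither of which pam_u2f can match, so an eval-time assertion would catch a misfilled host config before it silently degrades to password-only. Two smaller points: `pkgs.writeText` puts the mapping in the world-readable Nix store (key handles and public keys, not secrets, but it lets every local user enumerate enrolled credentials), and `origin` is bound into each credential at registration, so the `origin` option deserves a comment such as `# changing this invalidates every key already registered against it`.
```nix
  options.my.yubikey = {
    enable = mkEnableOption "yubiKey U2F authentication";

    control = mkOption {
      type = types.enum [ "required" "requisite" "sufficient" "optional" ];
      default = "sufficient";
      description = "PAM control for pam_u2f; use \"required\" for a true second factor instead of key-only login.";
    };
    # … unchanged: username, origin, keys options …
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.keys != [ ] && all (k: k.handle != "" && k.userKey != "") cfg.keys;
        message = "my.yubikey: at least one key is required and every key needs a non-empty handle and userKey";
      }
    ];

    security.pam = {
      u2f = {
        enable = true;
        inherit (cfg) control;
        # … unchanged: settings …
      };
      # … unchanged: services …
    };
    # … unchanged: udev …
  };
```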