fix: remove signing keys

chore: update lockfile
refactor(home): organize home manager modules
2026-03-11 19:38:43 +01:00 · 2026-03-11 19:38:43 +01:00 · 2026-03-11 19:38:43 +01:00 · 2026-03-11 19:38:43 +01:00
21 changed files with 146 additions and 57 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -121,11 +121,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1772424169,
-        "narHash": "sha256-mhv7yclJj+qCagNv0WOuob5yQNV1aTqKcJLfBMUqsVA=",
+        "lastModified": 1773115390,
+        "narHash": "sha256-nl1kcyM1locj//JnzC43hZIjY4z5opcTPqv1RnMZqPU=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "701de032cc247a1c309a34f0ed646e824efd7ac6",
+        "rev": "aecb1fc3e18c3cdcbdd96485b392ffa4584467e8",
        "type": "gitlab"
      },
      "original": {
@@ -284,11 +284,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772024342,
-        "narHash": "sha256-+eXlIc4/7dE6EcPs9a2DaSY3fTA9AE526hGqkNID3Wg=",
+        "lastModified": 1772893680,
+        "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "6e34e97ed9788b17796ee43ccdbaf871a5c2b476",
+        "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9",
        "type": "github"
      },
      "original": {
@@ -344,11 +344,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772380461,
-        "narHash": "sha256-O3ukj3Bb3V0Tiy/4LUfLlBpWypJ9P0JeUgsKl2nmZZY=",
+        "lastModified": 1773093840,
+        "narHash": "sha256-u/96NoAyN8BSRuM3ZimGf7vyYgXa3pLx4MYWjokuoH4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f140aa04d7d14f8a50ab27f3691b5766b17ae961",
+        "rev": "bb014746edb2a98d975abde4dd40fa240de4cf86",
        "type": "github"
      },
      "original": {
@@ -453,11 +453,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1771969195,
-        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
+        "lastModified": 1772972630,
+        "narHash": "sha256-mUJxsNOrBMNOUJzN0pfdVJ1r2pxeqm9gI/yIKXzVVbk=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
+        "rev": "3966ce987e1a9a164205ac8259a5fe8a64528f72",
        "type": "github"
      },
      "original": {
@@ -469,11 +469,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1772198003,
-        "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=",
+        "lastModified": 1772963539,
+        "narHash": "sha256-9jVDGZnvCckTGdYT53d/EfznygLskyLQXYwJLKMPsZs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61",
+        "rev": "9dcb002ca1690658be4a04645215baea8b95f31d",
        "type": "github"
      },
      "original": {
@@ -667,11 +667,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772401007,
-        "narHash": "sha256-YHykQg0h9hrlZGpMcywnaFzQ1Kn/5YNCCOSaaAl6z7Q=",
+        "lastModified": 1773096132,
+        "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "d8be5ea4cd3bc363492ab5bc6e874ccdc5465fe4",
+        "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784",
        "type": "github"
      },
      "original": {
--- a/home/hosts/andromache/default.nix
+++ b/home/hosts/andromache/default.nix
@@ -11,26 +11,26 @@ in
 {
  imports = [
    ../../modules
-    ../../modules/ai-tools.nix
+    ../../modules/3d
+    ../../modules/ai-tools
+    ../../modules/anki
    ../../modules/audio
+    ../../modules/browser
    ../../modules/cloud
    ../../modules/comms
    ../../modules/desktop/niri
    ../../modules/direnv
-    ../../modules/3d
    ../../modules/git
    ../../modules/k8s/k9s.nix
-    ../../modules/kitty.nix
+    ../../modules/keepassxc
    ../../modules/music
-    ../../modules/nvim.nix
-    ../../modules/pandoc.nix
-    ../../modules/ssh.nix
-    ../../modules/taskwarrior.nix
-    ../../modules/keepassxc.nix
-    ../../modules/anki.nix
+    ../../modules/nvim
+    ../../modules/pandoc
    ../../modules/photography
-    ../../modules/browser
    ../../modules/shell
+    ../../modules/ssh
+    ../../modules/taskwarrior
+    ../../modules/terminal
  ];

  home = {
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -10,25 +10,25 @@ in
 {
  imports = [
    ../../modules
-    ../../modules/ai-tools.nix
+    ../../modules/ai-tools
+    ../../modules/anki
    ../../modules/audio
-    ../../modules/anki.nix
+    ../../modules/browser
    ../../modules/cloud
    ../../modules/comms
-    ../../modules/direnv
    ../../modules/desktop/niri
+    ../../modules/direnv
    ../../modules/git
    ../../modules/k8s/k9s.nix
-    ../../modules/kitty.nix
+    ../../modules/keepassxc
    ../../modules/music
    ../../modules/nfc
-    ../../modules/nvim.nix
-    ../../modules/pandoc.nix
-    ../../modules/ssh.nix
-    ../../modules/taskwarrior.nix
-    ../../modules/keepassxc.nix
-    ../../modules/browser
+    ../../modules/nvim
+    ../../modules/pandoc
    ../../modules/shell
+    ../../modules/ssh
+    ../../modules/taskwarrior
+    ../../modules/terminal
  ];

  home = {
--- a/home/hosts/work/default.nix
+++ b/home/hosts/work/default.nix
@@ -12,31 +12,31 @@ in
  imports = [
    inputs.sops-nix.homeManagerModules.sops
    ../../modules
-    ../../modules/stylix.nix
-    ../../modules/ai-tools.nix
+    ../../modules/ai-tools
    ../../modules/anki.nix
+    ../../modules/browser
+    ../../modules/bruno
    ../../modules/cloud
    ../../modules/comms
+    ../../modules/dconf
    ../../modules/desktop/niri
-    ../../modules/dconf.nix
    ../../modules/direnv
    ../../modules/docker
    ../../modules/git
    ../../modules/go
    ../../modules/k8s
    ../../modules/k8s/k9s.nix
-    ../../modules/keepassxc.nix
+    ../../modules/keepassxc
    ../../modules/kitty.nix
-    ../../modules/nvim.nix
-    ../../modules/pandoc.nix
-    ../../modules/secrets
-    ../../modules/browser
-    ../../modules/shell
    ../../modules/music
    ../../modules/nodejs.nix
-    ../../modules/taskwarrior.nix
-    ../../modules/bruno.nix
-    ../../modules/pandoc.nix
+    ../../modules/nvim
+    ../../modules/pandoc
+    ../../modules/secrets
+    ../../modules/shell
+    ../../modules/stylix
+    ../../modules/taskwarrior
+    ../../modules/terminal
    ../../modules/vscode.nix
  ];

--- a/home/modules/ai-tools/default.nix
+++ b/home/modules/ai-tools/default.nix
--- a/home/modules/anki/default.nix
+++ b/home/modules/anki/default.nix
--- a/home/modules/bruno/default.nix
+++ b/home/modules/bruno/default.nix
--- a/home/modules/dconf/default.nix
+++ b/home/modules/dconf/default.nix
--- a/home/modules/keepassxc/default.nix
+++ b/home/modules/keepassxc/default.nix
--- a/home/modules/nvim/default.nix
+++ b/home/modules/nvim/default.nix
--- a/home/modules/pandoc/default.nix
+++ b/home/modules/pandoc/default.nix
--- a/home/modules/shell/default.nix
+++ b/home/modules/shell/default.nix
@@ -3,6 +3,6 @@
    ./bash.nix
    ./utils.nix
    ./prompt.nix
-    ../tmux.nix
+    ../tmux
  ];
 }
--- a/home/modules/ssh/default.nix
+++ b/home/modules/ssh/default.nix
--- a/home/modules/stylix/default.nix
+++ b/home/modules/stylix/default.nix
--- a/home/modules/taskwarrior/default.nix
+++ b/home/modules/taskwarrior/default.nix
--- a/home/modules/terminal/default.nix
+++ b/home/modules/terminal/default.nix
--- a/home/modules/tmux/default.nix
+++ b/home/modules/tmux/default.nix
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -42,6 +42,7 @@ in
    ../../modules/docker
    ../../modules/syncthing
    ../../modules/nvidia
+    ../../modules/yubikey
  ];

  home-manager.users.${username} = import ../../home/hosts/andromache {
@@ -61,8 +62,6 @@ in
  secrets.username = username;
  docker.user = username;

-  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
-
  disko.devices = {
    disk.data = {
      type = "disk";
@@ -91,6 +90,25 @@ in
    inputs.colmena.packages.${pkgs.stdenv.hostPlatform.system}.colmena
  ];

+  my.yubikey = {
+    enable = false;
+    inherit username;
+    keys = [
+      {
+        handle = "<KeyHandle1>";
+        userKey = "<UserKey1>";
+        coseType = "<CoseType1>";
+        options = "<Options1>";
+      }
+      {
+        handle = "<KeyHandle2>";
+        userKey = "<UserKey2>";
+        coseType = "<CoseType2>";
+        options = "<Options2>";
+      }
+    ];
+  };
+
  services = {
    locate = {
      enable = true;
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -61,8 +61,6 @@ in
  nfc.user = username;
  desktop.ly.enable = true;

-  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
-
  hardware = {
    cpu.intel.updateMicrocode = true;
    # https://wiki.nixos.org/wiki/Intel_Graphics
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -29,8 +29,6 @@ in
        "anki_sync_user".owner = config.users.users.${cfg.username}.name;
        "anki_sync_key".owner = config.users.users.${cfg.username}.name;
        "hcloud".owner = config.users.users.${cfg.username}.name;
-        "nix_signing_key_astyanax" = { };
-        "nix_signing_key_andromache" = { };
        "opencode_api_key".owner = config.users.users.${cfg.username}.name;
        # TODO: using shared secrets for now, but would be better to to per-host secrets
        # To add per-host secrets:
--- a/modules/yubikey/default.nix
+++ b/modules/yubikey/default.nix
@@ -0,0 +1,75 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.my.yubikey;
+  formatKey = key: ":${key.handle},${key.userKey},${key.coseType},${key.options}";
+  authfileContent = username: keys: username + lib.concatMapStrings formatKey keys;
+in
+{
+  options.my.yubikey = {
+    enable = mkEnableOption "yubiKey U2F authentication";
+
+    username = mkOption {
+      type = types.str;
+      default = "h";
+    };
+
+    origin = mkOption {
+      type = types.str;
+      default = "pam://yubi";
+    };
+
+    keys = mkOption {
+      type = types.listOf (
+        types.submodule {
+          options = {
+            handle = mkOption {
+              type = types.str;
+              example = "<KeyHandle1>";
+            };
+            userKey = mkOption {
+              type = types.str;
+              example = "<UserKey1>";
+            };
+            coseType = mkOption {
+              type = types.str;
+              default = "es256";
+            };
+            options = mkOption {
+              type = types.str;
+              default = "";
+            };
+          };
+        }
+      );
+      default = [ ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    security.pam = {
+      u2f = {
+        enable = true;
+        settings = {
+          interactive = true;
+          cue = true;
+          inherit (cfg) origin;
+          authfile = pkgs.writeText "u2f-mappings" (authfileContent cfg.username cfg.keys);
+        };
+      };
+      services = {
+        login.u2fAuth = true;
+        sudo.u2fAuth = true;
+      };
+    };
+
+    services.udev.packages = [ pkgs.yubikey-personalization ];
+  };
+}
Author	SHA1	Message	Date
Hektor Misplon	dd8a485632	fix: remove signing keys	2026-03-11 19:38:43 +01:00
Hektor Misplon	adf7793f8c	chore: update lockfile	2026-03-11 19:38:43 +01:00
Hektor Misplon	6643ba6bee	refactor(home): organize home manager modules	2026-03-11 19:38:43 +01:00
Hektor Misplon	c5254c96a0	feat: add 'yubikey' module to 'andromache' host	2026-03-11 19:38:43 +01:00