added yubikey support

hosts/default/variables.nix

@@ -54,4 +54,8 @@
 
   # Network host ID (needed for zfs, otherwise leave as-is)
   hostId = "5ab03f50";
+
+  # YubiKey serial numbers for yubico-pam challenge-response
+  # Run: nix-shell --command 'ykinfo -s' -p yubikey-personalization
+  yubikeyIds = [ "12345678" ];
 }

modules/core/default.nix

@@ -20,6 +20,7 @@ in
     (if vars.displayManager == "tui" then ./greetd.nix else ./sddm.nix)
     ./security.nix
     ./services.nix
+    ./yubikey.nix
     ./stylix.nix
     ./syncthing.nix
     ./system.nix

modules/core/yubikey.nix

@@ -0,0 +1,47 @@
+{
+  pkgs,
+  host,
+  ...
+}:
+let
+  vars = import ../../hosts/${host}/variables.nix;
+in
+{
+  # Udev rules for YubiKey
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+
+  # Smartcard daemon (for CCID / GPG smartcard mode)
+  services.pcscd.enable = true;
+
+  # GPG agent with SSH support
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Yubico PAM — challenge-response authentication
+  security.pam.yubico = {
+    enable = true;
+    debug = false;
+    mode = "challenge-response";
+    id = vars.yubikeyIds;
+  };
+
+  # Lock all sessions when a YubiKey is unplugged
+  services.udev.extraRules = ''
+    ACTION=="remove",\
+     ENV{ID_BUS}=="usb",\
+     ENV{ID_MODEL_ID}=="0407",\
+     ENV{ID_VENDOR_ID}=="1050",\
+     ENV{ID_VENDOR}=="Yubico",\
+     RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+  '';
+
+  # Useful CLI tools for managing YubiKeys
+  environment.systemPackages = with pkgs; [
+    yubikey-personalization
+    yubikey-manager
+    yubico-pam
+    pam_u2f
+  ];
+}