added yubikey support

2026-03-25 15:49:07 +01:00
parent c2c37cc50a
commit 842e4ea6fa
3 changed files with 52 additions and 0 deletions
--- a/modules/core/yubikey.nix
+++ b/modules/core/yubikey.nix
@@ -0,0 +1,47 @@
+{
+  pkgs,
+  host,
+  ...
+}:
+let
+  vars = import ../../hosts/${host}/variables.nix;
+in
+{
+  # Udev rules for YubiKey
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+
+  # Smartcard daemon (for CCID / GPG smartcard mode)
+  services.pcscd.enable = true;
+
+  # GPG agent with SSH support
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Yubico PAM — challenge-response authentication
+  security.pam.yubico = {
+    enable = true;
+    debug = false;
+    mode = "challenge-response";
+    id = vars.yubikeyIds;
+  };
+
+  # Lock all sessions when a YubiKey is unplugged
+  services.udev.extraRules = ''
+    ACTION=="remove",\
+     ENV{ID_BUS}=="usb",\
+     ENV{ID_MODEL_ID}=="0407",\
+     ENV{ID_VENDOR_ID}=="1050",\
+     ENV{ID_VENDOR}=="Yubico",\
+     RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+  '';
+
+  # Useful CLI tools for managing YubiKeys
+  environment.systemPackages = with pkgs; [
+    yubikey-personalization
+    yubikey-manager
+    yubico-pam
+    pam_u2f
+  ];
+}