| author | Mel <mel@rnrd.eu> | 2025-06-05 03:41:32 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-06-05 03:41:32 +0200 |
| commit | 182aa5ecdc5c6583ce9b44c5a13432bb30409fc8 (patch) | |
| tree | bf4d0fbba4e1cc8db47238002a293bae90998e4e /modules | |
| parent | bca04b418838998c183b4e087ded86856c88a062 (diff) | |
Setup login and sudo authentication through U2F w/ YubiKey
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/common.nix | 3 | ||||
| -rw-r--r-- | modules/hardware-keys.nix | 29 | ||||
| -rw-r--r-- | modules/home/common.nix | 1 | ||||
| -rw-r--r-- | modules/home/yubikeys.nix | 17 |
4 files changed, 49 insertions, 1 deletions
diff --git a/modules/common.nix b/modules/common.nix index cfbf2fa..30fd3ab 100644 --- a/modules/common.nix +++ b/modules/common.nix @@ -11,6 +11,7 @@ ./fonts.nix ./flatpak.nix ./libreoffice.nix + ./hardware-keys.nix ./nix-ld.nix ]; @@ -81,7 +82,7 @@ environment.systemPackages = (with pkgs; [ file unzip jq dig htop wget screen - gnupg pinentry-gnome3 age agenix minisign openssl + gnupg pinentry-gnome3 age agenix minisign openssl cryptsetup pamtester inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid avrdude minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool sysprof wireshark mitmproxy hardinfo remmina diff --git a/modules/hardware-keys.nix b/modules/hardware-keys.nix new file mode 100644 index 0000000..e6ae089 --- /dev/null +++ b/modules/hardware-keys.nix @@ -0,0 +1,29 @@ +{ pkgs, ... }: + +{ + programs = { + yubikey-touch-detector = { + enable = true; + libnotify = true; + }; + }; + + services = { + yubikey-agent.enable = true; + }; + + # see `modules/home/yubikeys.nix` for the YubiKey + # universal second factor (u2f) configuration file. + security = { + pam.services = { + login.u2fAuth = true; + sudo.u2fAuth = true; + }; + }; + + environment.systemPackages = with pkgs; [ + yubikey-manager yubikey-manager-qt + yubikey-personalization yubikey-personalization-gui + age-plugin-yubikey pam_u2f + ]; +} diff --git a/modules/home/common.nix b/modules/home/common.nix index e2b57f7..cdf8c1c 100644 --- a/modules/home/common.nix +++ b/modules/home/common.nix @@ -5,6 +5,7 @@ ../foundation/home ./shell.nix + ./yubikeys.nix ./code.nix ./zed.nix ]; diff --git a/modules/home/yubikeys.nix b/modules/home/yubikeys.nix new file mode 100644 index 0000000..266ce9d --- /dev/null +++ b/modules/home/yubikeys.nix 
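Review bot: In modules/hardware-keys.nix, `login.u2fAuth = true;` and `sudo.u2fAuth = true;` are switched on without setting `security.pam.u2f.control`, whose NixOS default is `sufficient`. Unless that option is set elsewhere in the configuration, a touch on a registered key alone passes login and sudo with no password, so the key acts as a single factor rather than the second factor the comment describes; the registered keys also carry only `+presence`, so no PIN is requested either. If a true second factor is intended, add `security.pam.u2f.control = "required";` inside the `security` block and keep both keys enrolled as the guard against lockout. Either way, a one-line comment above `pam.services` stating the intended policy (key instead of password, or key in addition to password) would make the choice reviewable.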
@@ -0,0 +1,17 @@
+{ ... }:
+
+let
+ keys = [
+ # username of YubiKey owner (me! :3)
+ "mel"
+ # "carnal" YubiKey
+ "7dYKqa9yw69hXwmYd61Bw0hnnxbSsASieIBmokmbAHArJexkPz+TGRVdXW2U8QiLAoe9l1QKo3jrtQxxbBiuFQ==,N7bABlRz0DvIqwxgBnTiyNZ4/JnRIRUEhVk+95h7+KtbTYdnoGnSaqiiimGQxTWxOHfpHbuii127f0HUwYPmXw==,es256,+presence"
+ # "anatomy" YubiKey
+ "//CLbB23LlMtMwefGzrMVELgTkIcfMRSjxJlQDvQ3FKRrlyPA75rosYVl5tqQbkPyed0fwsAkr1vhqPtth4GMQ==,VwxKl0ZYDmCTU02ziMigG1ZVC1MXDH9qeuBT1qplw1pt++tV32xao/yHayiRc2hvbJdJjfplQxT7mLnW90u9WQ==,es256,+presence"
+ ];
+in
+{
+ xdg.configFile = {
+ "Yubico/u2f_keys".text = builtins.concatStringsSep ":" keys;
+ };
+} |
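Review bot: The key mapping is installed through `xdg.configFile` at `Yubico/u2f_keys` inside the user's own config directory, and the same commit relies on it to authorize `sudo`. A file at a user-controlled path can be replaced by any process running as that user, so the list of authenticators that sudo trusts is not protected by root ownership. For the sudo service, consider serving the mapping from a root-owned file (for example one generated with `environment.etc`) and pointing pam_u2f at it through its `authfile` option, which is `security.pam.u2f.settings.authfile` on current NixOS and `security.pam.u2f.authFile` on older releases. The entries themselves are only key handles and public keys, so committing them does not expose a secret.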
