| author | Mel <mel@rnrd.eu> | 2025-06-20 03:32:37 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-06-20 03:32:37 +0200 |
| commit | 8d1c0b0651974775b029a1770df16a25b0b13fa1 (patch) | |
| tree | 06748de4cd99355c5169e5a2bdb9df842aa12fd2 /modules | |
| parent | 6bc6aa9e4263df0a4c54b2a5e655d5c8f2995744 (diff) | |
Nicer gdm U2F authentication + PIN
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/hardware-keys.nix | 36 | ||||
| -rw-r--r-- | modules/home/common.nix | 1 | ||||
| -rw-r--r-- | modules/home/yubikeys.nix | 17 |
3 files changed, 34 insertions, 20 deletions
diff --git a/modules/hardware-keys.nix b/modules/hardware-keys.nix
index 13175dc..ac50ecd 100644
--- a/modules/hardware-keys.nix
+++ b/modules/hardware-keys.nix
@@ -1,5 +1,18 @@
 { pkgs, ... }:
+let
+ keys = [
+ # username of YubiKey owner (me! :3)
+ "mel"
+
+ # "carnal" YubiKey
+ "7dYKqa9yw69hXwmYd61Bw0hnnxbSsASieIBmokmbAHArJexkPz+TGRVdXW2U8QiLAoe9l1QKo3jrtQxxbBiuFQ==,N7bABlRz0DvIqwxgBnTiyNZ4/JnRIRUEhVk+95h7+KtbTYdnoGnSaqiiimGQxTWxOHfpHbuii127f0HUwYPmXw==,es256,+presence"
+ # "anatomy" YubiKey
+ "//CLbB23LlMtMwefGzrMVELgTkIcfMRSjxJlQDvQ3FKRrlyPA75rosYVl5tqQbkPyed0fwsAkr1vhqPtth4GMQ==,VwxKl0ZYDmCTU02ziMigG1ZVC1MXDH9qeuBT1qplw1pt++tV32xao/yHayiRc2hvbJdJjfplQxT7mLnW90u9WQ==,es256,+presence"
+ ];
+
+ authFile = pkgs.writeText "u2f_mappings" (builtins.concatStringsSep ":" keys);
+in
 {
 programs = {
 yubikey-touch-detector = {
@@ -17,14 +30,33 @@
 security = {
 pam = {
 services = {
- login.u2fAuth = true;
- sudo.u2fAuth = true;
+ login = {
+ u2fAuth = true;
+ unixAuth = false; # careful
+ };
+ sudo = {
+ u2fAuth = true;
+ unixAuth = true;
+ };
+ };
+
+ u2f = {
+ enable = true;
+ settings = {
+ cue = true;
+ pinverification = 1;
+ authfile = authFile;
+ };
 };
 mount.enable = true;
 };
 };
+ services.udev.packages = with pkgs; [
+ yubikey-personalization
+ ];
+
 environment.systemPackages = with pkgs; [
 yubikey-manager
 yubioath-flutter
diff --git a/modules/home/common.nix b/modules/home/common.nix
index cdf8c1c..e2b57f7 100644
--- a/modules/home/common.nix
+++ b/modules/home/common.nix
@@ -5,7 +5,6 @@
 ../foundation/home
 ./shell.nix
- ./yubikeys.nix
 ./code.nix
 ./zed.nix
 ];
diff --git a/modules/home/yubikeys.nix b/modules/home/yubikeys.nix
deleted file mode 100644
index 266ce9d..0000000
--- a/modules/home/yubikeys.nix
+++ /dev/null
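Review bot: The `keys` list in the new `let` block holds the account name as its first element and the credentials after it, and nothing states the line format the joined string has to satisfy, so a later edit (a second user, a reordered entry) can silently produce a mapping that pam_u2f rejects. I would put a comment above `authFile`, for example `# pam_u2f mapping, one line per user: "<user>:<keyHandle>,<publicKey>,<type>,<options>[:<next key>]"`. Since `pkgs.writeText` places the result in the Nix store, where every local user can read it, a second comment such as `# store path is world-readable: key handles and public keys only, never secrets` would keep that boundary visible to whoever extends the list.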
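Review bot: The `sudo` block enables both `u2fAuth` and `unixAuth`, and the hunk sets no `security.pam.u2f.control`, which in NixOS defaults to `sufficient`; unless it is set elsewhere, either the key or the password alone passes sudo, so the key is an alternative factor there rather than a second one. If both are meant to be required, add `control = "required";` next to `enable = true;` in the `u2f` set. On `login`, `unixAuth = false; # careful` removes the password path entirely, and `pinverification = 1` presumably also needs a FIDO2 PIN set on each key, so the comment should name the recovery route, for example `# no password fallback for login: if both keys are lost or PIN-blocked, boot a previous generation`. pam_u2f derives its default origin from the hostname, so if this module is imported on more than one host, pinning `origin` in `settings` avoids a mismatch with the enrolled credentials.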
@@ -1,17 +0,0 @@
-{ ... }:
-
-let
- keys = [
- # username of YubiKey owner (me! :3)
- "mel"
- # "carnal" YubiKey
- "7dYKqa9yw69hXwmYd61Bw0hnnxbSsASieIBmokmbAHArJexkPz+TGRVdXW2U8QiLAoe9l1QKo3jrtQxxbBiuFQ==,N7bABlRz0DvIqwxgBnTiyNZ4/JnRIRUEhVk+95h7+KtbTYdnoGnSaqiiimGQxTWxOHfpHbuii127f0HUwYPmXw==,es256,+presence"
- # "anatomy" YubiKey
- "//CLbB23LlMtMwefGzrMVELgTkIcfMRSjxJlQDvQ3FKRrlyPA75rosYVl5tqQbkPyed0fwsAkr1vhqPtth4GMQ==,VwxKl0ZYDmCTU02ziMigG1ZVC1MXDH9qeuBT1qplw1pt++tV32xao/yHayiRc2hvbJdJjfplQxT7mLnW90u9WQ==,es256,+presence"
- ];
-in
-{
- xdg.configFile = {
- "Yubico/u2f_keys".text = builtins.concatStringsSep ":" keys;
- };
-} |
