Diffstat (limited to 'modules/hardware-keys.nix')
| -rw-r--r-- | modules/hardware-keys.nix | 36 |
1 files changed, 34 insertions, 2 deletions
diff --git a/modules/hardware-keys.nix b/modules/hardware-keys.nix index 13175dc..ac50ecd 100644 --- a/modules/hardware-keys.nix +++ b/modules/hardware-keys.nix @@ -1,5 +1,18 @@ { pkgs, ... }: +let + keys = [ + # username of YubiKey owner (me! :3) + "mel" + + # "carnal" YubiKey + "7dYKqa9yw69hXwmYd61Bw0hnnxbSsASieIBmokmbAHArJexkPz+TGRVdXW2U8QiLAoe9l1QKo3jrtQxxbBiuFQ==,N7bABlRz0DvIqwxgBnTiyNZ4/JnRIRUEhVk+95h7+KtbTYdnoGnSaqiiimGQxTWxOHfpHbuii127f0HUwYPmXw==,es256,+presence" + # "anatomy" YubiKey + "//CLbB23LlMtMwefGzrMVELgTkIcfMRSjxJlQDvQ3FKRrlyPA75rosYVl5tqQbkPyed0fwsAkr1vhqPtth4GMQ==,VwxKl0ZYDmCTU02ziMigG1ZVC1MXDH9qeuBT1qplw1pt++tV32xao/yHayiRc2hvbJdJjfplQxT7mLnW90u9WQ==,es256,+presence" + ]; + + authFile = pkgs.writeText "u2f_mappings" (builtins.concatStringsSep ":" keys); +in { programs = { yubikey-touch-detector = { @@ -17,14 +30,33 @@ security = { pam = { services = { - login.u2fAuth = true; - sudo.u2fAuth = true; + login = { + u2fAuth = true; + unixAuth = false; # careful + }; + sudo = { + u2fAuth = true; + unixAuth = true; + }; + }; + + u2f = { + enable = true; + settings = { + cue = true; + pinverification = 1; + authfile = authFile; + }; }; mount.enable = true; }; }; + services.udev.packages = with pkgs; [ + yubikey-personalization + ]; + environment.systemPackages = with pkgs; [ yubikey-manager yubioath-flutter |
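Review bot: The `keys` list in the new `let` block mixes the account name with the credentials, so the `user:cred:cred` line that pam_u2f expects only comes out right because `"mel"` happens to be the first element. Binding the name separately, `user = "mel";`, and building the file with `builtins.concatStringsSep ":" ([ user ] ++ keys)` makes the format explicit and keeps a reordered or appended entry from landing in the username slot. `pkgs.writeText` puts the mapping in the world-readable Nix store (and it is committed here); the entries are key handles and public keys rather than secrets, so a comment such as `# key handle + public key only, no secret material; fine in the Nix store` would record that this is intentional.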
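Review bot: With `login.unixAuth = false` the two registered keys become the only way through the `login` service, but `settings` does not pin `origin`. pam_u2f falls back to `pam://<hostname>`, so a hostname change, or reuse of this module on another host, would make both credentials fail with no password fallback. Pinning it to the value used at registration, e.g. `origin = "pam://ORIGIN_USED_AT_REGISTRATION";` (placeholder), removes that dependency, and the `# careful` comment could name the recovery path. For `sudo`, the NixOS module's `control` defaults to `"sufficient"` (assuming it is not overridden outside this hunk), so key-or-password is accepted rather than both; if a second factor is intended, add `control = "required";` under `u2f`. `security.pam.u2f.enable = true` also appears to become the default for `u2fAuth` on every PAM service, so confirm that scope is wanted; the `security` block opens outside this hunk.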
