From b356a47712a256149df0800710d86a6d18892882 Mon Sep 17 00:00:00 2001
From: aaron
Date: Thu, 3 Apr 2025 23:42:38 +0200
Subject: [PATCH] added yubikey module working

---
 flake.nix | 2 +-
 modules/defaults/nix.nix | 2 +-
 modules/defaults/security.nix | 7 ++++-
 modules/defaults/yubikey.nix | 51 +++++++++++++++++++++++++++++++++++
 4 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 modules/defaults/yubikey.nix

diff --git a/flake.nix b/flake.nix
index 5491261..cf0d990 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,7 +58,7 @@
 ./modules/defaults/virtualization/docker.nix
 ./modules/defaults/virtualization/kvm.nix
 ./modules/defaults/security.nix
- #./modules/defaults/yubikey.nix
+ ./modules/defaults/yubikey.nix
 ];
 };
 };
diff --git a/modules/defaults/nix.nix b/modules/defaults/nix.nix
index c4ecaa6..a3207db 100644
--- a/modules/defaults/nix.nix
+++ b/modules/defaults/nix.nix
@@ -3,7 +3,7 @@
 {
 boot.tmp.cleanOnBoot = true;
 
- nix.package = pkgs.nixVersions.git;
+ nix.package = pkgs.nixVersions.latest;
 # nix.extraOptions = "experimental-features = nix-command flakes ca-derivations";
 nix.extraOptions = "experimental-features = nix-command flakes";
 
diff --git a/modules/defaults/security.nix b/modules/defaults/security.nix
index fd6b386..5748639 100644
--- a/modules/defaults/security.nix
+++ b/modules/defaults/security.nix
@@ -25,8 +25,13 @@
 services.clamav.daemon.enable = true;
 services.clamav.updater.enable = true;
 
+ security.pam.yubico = {
+ enable = true;
+ # logoutOnRemove = true;
+ };
+
 security.pam.services = {
- login.u2fAuth = true;
+ # login.u2fAuth = true;
 sudo.u2fAuth = true;
 };
 
diff --git a/modules/defaults/yubikey.nix b/modules/defaults/yubikey.nix
new file mode 100644
index 0000000..ae5616d
--- /dev/null
+++ b/modules/defaults/yubikey.nix
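Review bot: Setting `security.pam.yubico.enable = true` here activates the `control = "required"` challenge-response configuration that the new yubikey module attaches to that flag, and if the NixOS default that each `security.pam.services.<name>.yubicoAuth` follows `security.pam.yubico.enable` still holds, a YubiKey becomes mandatory for every PAM service, including the console login whose `u2fAuth` this hunk comments out. Nothing in the commit provisions the per-user challenge state under `/var/yubico` that challenge-response mode needs, so it is worth confirming before merging that a user without an enrolled key can still authenticate, or that a recovery path exists. A comment next to `enable = true` such as `# challenge-response mode: per-user challenge files must be enrolled under /var/yubico before this is relied on` would save the next reader from a lockout, and the `# logoutOnRemove = true;` line could likewise say why it is left off.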
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }: let
+ cfg = config.security.pam.yubico;
+
+in {
+ options.security.pam.yubico = {
+ logoutOnRemove = lib.mkEnableOption "Logout on Yubikey remove";
+ asClient = lib.mkEnableOption "Use Yubikey as client";
+ clients = lib.mkOption {
+ type = with lib.types; attrsOf (listOf str);
+ example = { myUser = [ "myYubikeyTokenID" ]; };
+ default = {};
+ description = "The users that are allowed to use the Yubikey";
+ };
+
+ product_id = lib.mkOption {
+ type = lib.types.str;
+ default = "1050/407/543";
+ description = "The product id of the Yubikey";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.tmpfiles.rules = let
+ keysFiles = builtins.mapAttrs (n: v: pkgs.writeText "authorized_yubikeys_${n}" ''
+ ${lib.concatStringsSep ":" ([ n ] ++ v)}
+ '') cfg.clients;
+ in if cfg.asClient then
+ (builtins.concatMap (n: [
+ "d /home/${n}/.yubico 0655 ${n} users -"
+ "L+ /home/${n}/.yubico/authorized_yubikeys 0644 ${n} users - ${keysFiles.${n}}"
+ "Z /home/${n}/.yubico - root root"
+ ]) (builtins.attrNames cfg.clients))
+ else
+ [ "d /var/yubico 0700 root root -" ];
+
+ services.udev.extraRules = lib.mkIf (cfg.logoutOnRemove && !cfg.asClient) ''
+ SUBSYSTEM=="usb", ACTION=="remove", ENV{PRODUCT}=="${cfg.product_id}", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+ '';
+
+ security.pam = {
+ services.hyprlock.yubicoAuth = lib.mkIf config.programs.hyprlock.enable false;
+ yubico = {
+ id = "106508";
+ mode = if cfg.asClient then "client" else "challenge-response";
+ control = "required";
+ challengeResponsePath = lib.mkIf (!cfg.asClient) "/var/yubico";
+ };
+ };
+ };
+}
+
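Review bot: The tmpfiles line `"d /home/${n}/.yubico 0655 ${n} users -"` gives the directory a mode whose owner bits lack execute while group and other have it, which looks like a typo for `0755`; it only works today because the following `Z` line hands the directory to root, who traverses it regardless. The udev rule in the same hunk matches `ENV{PRODUCT}=="${cfg.product_id}"` against a default that includes the bcdDevice field (`543`), so a key with different firmware never matches and sessions silently stay unlocked on removal; a default of `"1050/407/*"` (udev match values accept shell-style globs), or a description saying `product_id` must be taken from the actual key's uevent, would avoid that silent no-op. The option is named `logoutOnRemove` and described as "Logout on Yubikey remove" but the action is `loginctl lock-sessions`; the description should read `"Lock all sessions when the YubiKey is unplugged"`. The per-user path is also hard-coded as `/home/${n}`; `config.users.users.${n}.home` would follow the user's real home directory.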