aaron/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

added yubikey module working

Browse source
This commit is contained in:
aaron 2025-04-03 23:42:38 +02:00
parent 40565e81ae
commit b356a47712
4 changed files with 59 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
flake.nix
View file

@ -58,7 +58,7 @@
./modules/defaults/virtualization/docker.nix ./modules/defaults/virtualization/docker.nix
./modules/defaults/virtualization/kvm.nix ./modules/defaults/virtualization/kvm.nix
./modules/defaults/security.nix ./modules/defaults/security.nix
#./modules/defaults/yubikey.nix ./modules/defaults/yubikey.nix
]; ];
}; };
}; };

2
modules/defaults/nix.nix
View file

@ -3,7 +3,7 @@
{ {
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
nix.package = pkgs.nixVersions.git; nix.package = pkgs.nixVersions.latest;
# nix.extraOptions = "experimental-features = nix-command flakes ca-derivations"; # nix.extraOptions = "experimental-features = nix-command flakes ca-derivations";
nix.extraOptions = "experimental-features = nix-command flakes"; nix.extraOptions = "experimental-features = nix-command flakes";

7
modules/defaults/security.nix
View file

@ -25,8 +25,13 @@
services.clamav.daemon.enable = true; services.clamav.daemon.enable = true;
services.clamav.updater.enable = true; services.clamav.updater.enable = true;
security.pam.yubico = {
enable = true;
# logoutOnRemove = true;
};
security.pam.services = { security.pam.services = {
login.u2fAuth = true; # login.u2fAuth = true;
sudo.u2fAuth = true; sudo.u2fAuth = true;
}; };

51
modules/defaults/yubikey.nix Normal file
View file

@ -0,0 +1,51 @@
{ config, lib, pkgs, ... }: let
cfg = config.security.pam.yubico;
in {
options.security.pam.yubico = {
logoutOnRemove = lib.mkEnableOption "Logout on Yubikey remove";
asClient = lib.mkEnableOption "Use Yubikey as client";
clients = lib.mkOption {
type = with lib.types; attrsOf (listOf str);
example = { myUser = [ "myYubikeyTokenID" ]; };
default = {};
description = "The users that are allowed to use the Yubikey";
};
product_id = lib.mkOption {
type = lib.types.str;
default = "1050/407/543";
description = "The product id of the Yubikey";
};
};
config = lib.mkIf cfg.enable {
systemd.tmpfiles.rules = let
keysFiles = builtins.mapAttrs (n: v: pkgs.writeText "authorized_yubikeys_${n}" ''
${lib.concatStringsSep ":" ([ n ] ++ v)}
'') cfg.clients;
in if cfg.asClient then
(builtins.concatMap (n: [
"d /home/${n}/.yubico 0655 ${n} users -"
"L+ /home/${n}/.yubico/authorized_yubikeys 0644 ${n} users - ${keysFiles.${n}}"
"Z /home/${n}/.yubico - root root"
]) (builtins.attrNames cfg.clients))
else
[ "d /var/yubico 0700 root root -" ];
services.udev.extraRules = lib.mkIf (cfg.logoutOnRemove && !cfg.asClient) ''
SUBSYSTEM=="usb", ACTION=="remove", ENV{PRODUCT}=="${cfg.product_id}", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
'';
security.pam = {
services.hyprlock.yubicoAuth = lib.mkIf config.programs.hyprlock.enable false;
yubico = {
id = "106508";
mode = if cfg.asClient then "client" else "challenge-response";
control = "required";
challengeResponsePath = lib.mkIf (!cfg.asClient) "/var/yubico";
};
};
};
}