Compare commits
2 commits
697d37b027
...
b356a47712
Author | SHA1 | Date | |
---|---|---|---|
|
b356a47712 | ||
|
40565e81ae |
5 changed files with 71 additions and 13 deletions
18
flake.lock
generated
18
flake.lock
generated
|
@ -7,11 +7,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1742996658,
|
||||
"narHash": "sha256-snxgTLVq6ooaD3W3mPHu7LVWpoZKczhxHAUZy2ea4oA=",
|
||||
"lastModified": 1743360001,
|
||||
"narHash": "sha256-HtpS/ZdgWXw0y+aFdORcX5RuBGTyz3WskThspNR70SM=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "693840c01b9bef9e54100239cef937e53d4661bf",
|
||||
"rev": "b6fd653ef8fbeccfd4958650757e91767a65506d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -22,11 +22,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1742806253,
|
||||
"narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=",
|
||||
"lastModified": 1743167577,
|
||||
"narHash": "sha256-I09SrXIO0UdyBFfh0fxDq5WnCDg8XKmZ1HQbaXzMA1k=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726",
|
||||
"rev": "0ed819e708af17bfc4bbc63ee080ef308a24aa42",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -38,11 +38,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1742889210,
|
||||
"narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
|
||||
"lastModified": 1743315132,
|
||||
"narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "698214a32beb4f4c8e3942372c694f40848b360d",
|
||||
"rev": "52faf482a3889b7619003c0daec593a1912fddc1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -58,7 +58,7 @@
|
|||
./modules/defaults/virtualization/docker.nix
|
||||
./modules/defaults/virtualization/kvm.nix
|
||||
./modules/defaults/security.nix
|
||||
#./modules/defaults/yubikey.nix
|
||||
./modules/defaults/yubikey.nix
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
{
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
|
||||
nix.package = pkgs.nixVersions.git;
|
||||
nix.package = pkgs.nixVersions.latest;
|
||||
|
||||
# nix.extraOptions = "experimental-features = nix-command flakes ca-derivations";
|
||||
nix.extraOptions = "experimental-features = nix-command flakes";
|
||||
|
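Review bot: The experimental-features setting in this hunk is a raw `nix.extraOptions` string, while NixOS exposes the same knob as a structured list option; assuming the uncommented `nix.extraOptions = "experimental-features = nix-command flakes";` is the new side, `nix.settings.experimental-features = [ "nix-command" "flakes" ];` is the conventional form and merges cleanly if another module later adds a feature instead of producing two conflicting `experimental-features` lines in nix.conf. The switch of `nix.package` to `pkgs.nixVersions.latest` is fine as written. The attribute set opened at the top of the hunk closes outside it.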
|
|
@ -22,9 +22,16 @@
|
|||
|
||||
# mutableUsers = false; TODO: blocked by https://github.com/Mic92/sops-nix/pull/680
|
||||
|
||||
programs.adb.enable = true;
|
||||
services.clamav.daemon.enable = true;
|
||||
services.clamav.updater.enable = true;
|
||||
|
||||
security.pam.yubico = {
|
||||
enable = true;
|
||||
# logoutOnRemove = true;
|
||||
};
|
||||
|
||||
security.pam.services = {
|
||||
login.u2fAuth = true;
|
||||
# login.u2fAuth = true;
|
||||
sudo.u2fAuth = true;
|
||||
};
|
||||
|
||||
|
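Review bot: `security.pam.yubico.enable = true;` in this hunk turns pam_yubico on for every PAM service that inherits the default (NixOS derives each service's `yubicoAuth` from this flag, as far as I recall), and the new modules/defaults/yubikey.nix in the same series pins `control = "required"`, `mode = "challenge-response"` and `challengeResponsePath = "/var/yubico"` while its tmpfiles rule only creates an empty `/var/yubico`, so any account without a provisioned challenge file there will, as far as I can tell, fail authentication outright once this lands, sudo and console login included. A comment beside the enable line recording that dependency, e.g. `# requires a per-user challenge file under /var/yubico (ykpamcfg) before enabling; see modules/defaults/yubikey.nix`, would make the deployment order explicit; the same point applies to the yubikey.nix section below and is not repeated there. The rendered page does not show which of the two `login.u2fAuth` lines is new; if the active one is being commented out, a one-line rationale next to it would help, given that `sudo.u2fAuth = true;` is kept. The enclosing attribute set starts and ends outside this hunk.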
|
51
modules/defaults/yubikey.nix
Normal file
51
modules/defaults/yubikey.nix
Normal file
|
@ -0,0 +1,51 @@
|
|||
{ config, lib, pkgs, ... }: let
|
||||
cfg = config.security.pam.yubico;
|
||||
|
||||
in {
|
||||
options.security.pam.yubico = {
|
||||
logoutOnRemove = lib.mkEnableOption "Logout on Yubikey remove";
|
||||
asClient = lib.mkEnableOption "Use Yubikey as client";
|
||||
clients = lib.mkOption {
|
||||
type = with lib.types; attrsOf (listOf str);
|
||||
example = { myUser = [ "myYubikeyTokenID" ]; };
|
||||
default = {};
|
||||
description = "The users that are allowed to use the Yubikey";
|
||||
};
|
||||
|
||||
product_id = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "1050/407/543";
|
||||
description = "The product id of the Yubikey";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
systemd.tmpfiles.rules = let
|
||||
keysFiles = builtins.mapAttrs (n: v: pkgs.writeText "authorized_yubikeys_${n}" ''
|
||||
${lib.concatStringsSep ":" ([ n ] ++ v)}
|
||||
'') cfg.clients;
|
||||
in if cfg.asClient then
|
||||
(builtins.concatMap (n: [
|
||||
"d /home/${n}/.yubico 0655 ${n} users -"
|
||||
"L+ /home/${n}/.yubico/authorized_yubikeys 0644 ${n} users - ${keysFiles.${n}}"
|
||||
"Z /home/${n}/.yubico - root root"
|
||||
]) (builtins.attrNames cfg.clients))
|
||||
else
|
||||
[ "d /var/yubico 0700 root root -" ];
|
||||
|
||||
services.udev.extraRules = lib.mkIf (cfg.logoutOnRemove && !cfg.asClient) ''
|
||||
SUBSYSTEM=="usb", ACTION=="remove", ENV{PRODUCT}=="${cfg.product_id}", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
|
||||
'';
|
||||
|
||||
security.pam = {
|
||||
services.hyprlock.yubicoAuth = lib.mkIf config.programs.hyprlock.enable false;
|
||||
yubico = {
|
||||
id = "106508";
|
||||
mode = if cfg.asClient then "client" else "challenge-response";
|
||||
control = "required";
|
||||
challengeResponsePath = lib.mkIf (!cfg.asClient) "/var/yubico";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
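Review bot: The `logoutOnRemove` option is described as "Logout on Yubikey remove", but the udev rule it gates runs `loginctl lock-sessions`, which locks sessions rather than ending them, so either rename it to `lockOnRemove` or change the declaration to `logoutOnRemove = lib.mkEnableOption "Lock all sessions when the Yubikey is removed";`, and a short comment on why the rule is suppressed in client mode (`lib.mkIf (cfg.logoutOnRemove && !cfg.asClient)`) would help. In the client-mode tmpfiles rules, `d /home/${n}/.yubico 0655 ${n} users -` leaves no execute bit for the owner, which reads like a typo for 0755; it only works today because the following `Z` line re-owns the directory to root:root so the user traverses it through the "other" bits, and since ownership is reset anyway `"d /home/${n}/.yubico 0755 root root -"` says what is meant. The same three rules hard-code `/home/${n}`; `config.users.users.${n}.home` is the declared home directory and avoids silently writing the rules for the wrong path when a user's home is elsewhere. Note also that the generated `authorized_yubikeys` content lands in the world-readable Nix store via `pkgs.writeText`, which is acceptable only because the token IDs listed there are presumably public identifiers rather than secrets, and that `cfg.enable` and `id = "106508"` refer to upstream `security.pam.yubico` options not declared in this file, which a one-line comment at the top of the module could state.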