From 01efa60483ca8702720ce8b781852b3deaeb4a52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
Date: Sat, 22 Mar 2025 23:40:18 +0100
Subject: [PATCH] feat: add yubikey ids

---
 SwarselSystems.org | 21 +++++++++++++++++++++
 flake.lock | 6 +++---
 profiles/home/common/yubikey.nix | 14 ++++++++++++++
 scripts/swarsel-install.sh | 1 +
 scripts/swarsel-rebuild.sh | 1 +
 5 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 profiles/home/common/yubikey.nix

diff --git a/SwarselSystems.org b/SwarselSystems.org
index a93849e..8c2d01f 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -3136,6 +3136,7 @@ This program builds a configuration locally.
 rm profiles/home/common/gammastep.nix
 rm profiles/home/common/git.nix
 rm profiles/home/common/mail.nix
+ rm profiles/home/common/yubikey.nix
 rm profiles/nixos/common/home-manager-extra.nix
 nix flake update vbc-nix
 git add .
@@ -3270,6 +3271,7 @@ This program sets up a new NixOS host locally.
 rm profiles/home/common/gammastep.nix
 rm profiles/home/common/git.nix
 rm profiles/home/common/mail.nix
+ rm profiles/home/common/yubikey.nix
 rm profiles/nixos/common/home-manager-extra.nix
 nix flake update vbc-nix
 git add .
@@ -8920,6 +8922,25 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 }
 #+end_src
 
+**** Yubikey
+
+#+begin_src nix :tangle profiles/home/common/yubikey.nix
+ { lib, nix-secrets, ... }:
+ let
+ secretsDirectory = builtins.toString nix-secrets;
+ yubikey1 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey1";
+ yubikey2 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey2";
+ in
+ {
+ pam.yubico.authorizedYubiKeys = {
+ ids = [
+ "${yubikey1}"
+ "${yubikey2}"
+ ];
+ };
+ }
+#+end_src
+
 **** SSH Machines
 :PROPERTIES:
 :CUSTOM_ID: h:edd6720e-1f90-40bf-b6f9-30a19d4cae08
diff --git a/flake.lock b/flake.lock
index c672bac..a9c1666 100644
--- a/flake.lock
+++ b/flake.lock
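Review bot: The list of secret-backed profiles removed in this hunk is maintained by hand in two org source blocks (here at -3136 and again at -3270) and, judging by the identical hunks in scripts/swarsel-install.sh and scripts/swarsel-rebuild.sh, in their tangled copies as well, so each new secret-dependent module like yubikey.nix needs the same line added four times and the copies can silently drift. Declaring the set once, `secret_profiles=(profiles/home/common/gammastep.nix profiles/home/common/git.nix profiles/home/common/mail.nix profiles/home/common/yubikey.nix profiles/nixos/common/home-manager-extra.nix)` and removing with `rm -- "${secret_profiles[@]}"`, keeps the two blocks in step. Whether that `rm` needs `-f` depends on whether the script runs under `set -e` and whether a profile can already be missing, neither of which is visible here; the enclosing conditional starts and ends outside the hunk.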
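Review bot: The two IDs in the new `pam.yubico.authorizedYubiKeys.ids` list are interpolated straight from `lib.swarselsystems.getSecret`, whose implementation is not on this page; if it returns the secret file's contents verbatim, a trailing newline becomes part of the ID, and the home-manager option, which as far as I recall only accepts 12-character modhex strings, would then fail at evaluation rather than at login, so `lib.removeSuffix "\n"` around each value (or trimming inside getSecret) makes the block independent of how the secret was saved. The `"${yubikey1}"` wrapping is redundant if getSecret already yields a string; `ids = [ yubikey1 yubikey2 ];` expresses the same list. A short comment in the block stating that these are the public YubiKey identifiers (the OTP prefix) and not credentials would help the next reader, because if this is the home-manager module it materialises the `authorized_yubikeys` file through the Nix store, where the values are world-readable on the host regardless of their coming from nix-secrets. The same remarks apply to the tangled copy in profiles/home/common/yubikey.nix later in this patch.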
@@ -823,10 +823,10 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1742594924,
- "narHash": "sha256-3oLkbjXbOv6Xq3+LJsasyJq4jBS0VkwKsbVdTB8MGJM=",
+ "lastModified": 1742682980,
+ "narHash": "sha256-oHqbNiTdpGrOtZtu1UAMjOteEPEDJTolTh/cNqgj2HM=",
 "ref": "main",
- "rev": "4ecfe7a80064e0595f386a203ba179c1a3c8bca3",
+ "rev": "b9e7aa2f01b68aa186271a1c0db722049fa14c17",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/Swarsel/nix-secrets.git"
diff --git a/profiles/home/common/yubikey.nix b/profiles/home/common/yubikey.nix
new file mode 100644
index 0000000..4486ec5
--- /dev/null
+++ b/profiles/home/common/yubikey.nix
@@ -0,0 +1,14 @@
+{ lib, nix-secrets, ... }:
+let
+ secretsDirectory = builtins.toString nix-secrets;
+ yubikey1 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey1";
+ yubikey2 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey2";
+in
+{
+ pam.yubico.authorizedYubiKeys = {
+ ids = [
+ "${yubikey1}"
+ "${yubikey2}"
+ ];
+ };
+}
diff --git a/scripts/swarsel-install.sh b/scripts/swarsel-install.sh
index 6a0f236..6681f1f 100644
--- a/scripts/swarsel-install.sh
+++ b/scripts/swarsel-install.sh
@@ -99,6 +99,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
 rm profiles/home/common/gammastep.nix
 rm profiles/home/common/git.nix
 rm profiles/home/common/mail.nix
+ rm profiles/home/common/yubikey.nix
 rm profiles/nixos/common/home-manager-extra.nix
 nix flake update vbc-nix
 git add .
diff --git a/scripts/swarsel-rebuild.sh b/scripts/swarsel-rebuild.sh
index 83f3031..29eb07e 100644
--- a/scripts/swarsel-rebuild.sh
+++ b/scripts/swarsel-rebuild.sh
@@ -81,6 +81,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
 rm profiles/home/common/gammastep.nix
 rm profiles/home/common/git.nix
 rm profiles/home/common/mail.nix
+ rm profiles/home/common/yubikey.nix
 rm profiles/nixos/common/home-manager-extra.nix
 nix flake update vbc-nix
 git add .