feat: make yubikey pam work on all machines

2025-12-06 17:17:22 +01:00 · 2025-07-14 04:15:14 +02:00 · 2025-07-14 04:15:14 +02:00 · 21c1067572
commit 21c1067572
parent 18a2a32bae
5 changed files with 77 additions and 112 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -5509,6 +5509,10 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance

 #+begin_src nix-ts :tangle modules/nixos/client/hardwarecompatibility-yubikey.nix
  { lib, config, pkgs, ... }:
+  let
+    inherit (config.swarselsystems) mainUser;
+    inherit (config.repo.secrets.common.yubikeys) cfg1 cfg2;
+  in
  {
    options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey config";
    config = lib.mkIf config.swarselsystems.modules.yubikey {
@ -5518,6 +5522,21 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance

      hardware.gpgSmartcards.enable = true;

+      security.pam.u2f = {
+        enable = true;
+        control = "sufficient";
+        settings = {
+          interactive = false; # displays a prompt BEFORE asking for presence
+          cue = true; # prints a message that a touch is requrired
+          origin = "pam://${mainUser}"; # make the keys work on all machines
+          authfile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
+            mainUser
+            cfg1
+            cfg2
+          ]);
+        };
+      };
+
      services.udev.packages = with pkgs; [
        yubikey-personalization
      ];
@ -16602,7 +16621,7 @@ This holds modules that are to be used on most hosts. These are also the most im
        general = lib.mkDefault true;
        nixgl = lib.mkDefault true;
        sops = lib.mkDefault true;
-        yubikey = lib.mkDefault true;
+        yubikey = lib.mkDefault false;
        ssh = lib.mkDefault true;
        stylix = lib.mkDefault true;
        desktop = lib.mkDefault true;