swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-14 13:19:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat[work]: prepare for sk keys

Browse source
This commit is contained in:
Leon Schwarzäugl 2026-03-25 13:54:33 +01:00
parent 30c7d8c1c2
commit a254a2712a
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
8 changed files with 62 additions and 96 deletions
Download patch file Download diff file Expand all files Collapse all files

20
modules/nixos/client/hardwarecompatibility-yubikey.nix
View file

@ -6,9 +6,20 @@ in
{
options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config";
config = lib.mkIf config.swarselmodules.yubikey {
programs.ssh.startAgent = false;
programs.ssh = {
startAgent = false; # yes we want this to use FIDO2 keys
# enableAskPassword = true;
# askPassword = lib.getExe pkgs.kdePackages.ksshaskpass;
};
services = {
gnome.gcr-ssh-agent.enable = false;
yubikey-agent.enable = false;
pcscd.enable = true;
services.pcscd.enable = true;
udev.packages = with pkgs; [
yubikey-personalization
];
};
hardware.gpgSmartcards.enable = true;
@ -27,9 +38,8 @@ in
};
};
services.udev.packages = with pkgs; [
yubikey-personalization
environment.systemPackages = with pkgs; [
kdePackages.ksshaskpass
];
};
}

3
modules/nixos/common/home-manager-secrets.nix
View file

@ -4,6 +4,7 @@ let
inherit (config.repo.secrets.common.emacs) radicaleUser;
certsSopsFile = self + /secrets/repo/certs.yaml;
workSopsFile = self + /secrets/work/secrets.yaml;
in
{
config = { } // lib.optionalAttrs withHomeManager {
@ -29,6 +30,8 @@ in
github-forge-token = { owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-work) {
harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; };
ucKey = { sopsFile = workSopsFile; owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-noctalia) {
radicale-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.anki {

4
modules/nixos/common/pii.nix
View file

@ -1,5 +1,5 @@
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
{ config, inputs, lib, nodes, globals, ... }:
{ config, inputs, lib, homeLib, nodes, globals, ... }:
let
# If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to
@ -53,7 +53,7 @@ in
secrets = lib.mkOption {
readOnly = true;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
type = lib.types.unspecified;
description = "Exposes the loaded repo secrets. This option is read-only.";
};