From 49245cee2eac550ca1ff394cebd5462bde524f56 Mon Sep 17 00:00:00 2001 From: dadada Date: Sat, 7 Oct 2023 18:22:44 +0200 Subject: [PATCH] Enable yubikey and upgrade keys --- admins.nix | 1 + home/home/default.nix | 2 +- home/modules/git.nix | 1 + home/modules/gpg.nix | 4 -- home/modules/keyring.nix | 2 +- nixos/gorgon/configuration.nix | 27 +++++--------- nixos/modules/default.nix | 1 + nixos/modules/yubikey.nix | 67 ++++++++++++++++++++++++++++++++++ 8 files changed, 81 insertions(+), 24 deletions(-) create mode 100644 nixos/modules/yubikey.nix
diff --git a/admins.nix b/admins.nix
index e83a69a..a49c355 100644
--- a/admins.nix
+++ b/admins.nix
@@ -3,6 +3,7 @@
 shell = "zsh";
 keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE2JWU+BuWSvoiGFSTDQ9/1SCvfJEnkFQsFLYPNlY6wcAAAABHNzaDo= dadada "
 ];
 };
 }
diff --git a/home/home/default.nix b/home/home/default.nix
index 0cf8aa6..039b064 100644
--- a/home/home/default.nix
+++ b/home/home/default.nix
@@ -25,7 +25,7 @@ in programs.git = { signing = { - key = "D68C84695C087E0F733A28D0EEB8D1CE62C4DFEA"; + key = "~/.ssh/dadada-git-signing"; signByDefault = true; }; userEmail = "dadada@dadada.li";
diff --git a/home/modules/git.nix b/home/modules/git.nix
index e7ec38e..ede60eb 100644
--- a/home/modules/git.nix
+++ b/home/modules/git.nix
@@ -45,6 +45,7 @@ in
 commit.verbose = true;
 log.date = "iso8601-local";
 tag.gpgSign = true;
+ gpg.format = "ssh";
 pull = {
 prune = true;
 ff = "only";
diff --git a/home/modules/gpg.nix b/home/modules/gpg.nix
index e8c159a..2e77ad0 100644
--- a/home/modules/gpg.nix
+++ b/home/modules/gpg.nix
@@ -29,9 +29,5 @@ in
 enableSshSupport = false;
 pinentryFlavor = "gnome3";
 };
-
- programs.git.extraConfig = {
- commit = { gpgSign = true; };
- };
 };
 }
diff --git a/home/modules/keyring.nix b/home/modules/keyring.nix
index 382ca32..e82d476 100644
--- a/home/modules/keyring.nix
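Review bot: The new `sk-ssh-ed25519@openssh.com` entry in admins.nix carries no authorized_keys options, so whether a PIN is demanded at login depends entirely on how the key was enrolled; FIDO SSH keys require only a touch by default, so anyone holding the unlocked token could authenticate with it. If the key was generated with `ssh-keygen -O verify-required`, prefix the entry with `verify-required ` so sshd enforces user verification server-side regardless of client configuration. The pre-existing software key `ssh-ed25519 ... tim@metis` stays authorised next to it, so the "upgrade" does not retire the non-hardware credential — confirm that is intended. Minor: the comment field is `dadada ` with a trailing space; a host-qualified comment such as `dadada@gorgon` makes later revocation easier.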
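Review bot: In home/home/default.nix, `key = "~/.ssh/dadada-git-signing"` is passed to git as `user.signingKey`; with `gpg.format = ssh` git treats any value not starting with `key::` as a file path, and as far as I know it reads this option as a plain string rather than a pathname, so `~` expansion is not guaranteed — verify with a `git commit -S` on this machine, or use an absolute path such as `key = "${config.home.homeDirectory}/.ssh/dadada-git-signing.pub";` (pointing at the public key when ssh-agent holds the private one). Pointing at a file also means the signing identity is whatever sits at that path at commit time rather than a value pinned in this repo, unlike the previous GPG fingerprint; a `key::ssh-ed25519 AAAA… ` literal would pin it. The `programs.git` attrset this hunk edits starts before the hunk.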
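Review bot: In home/modules/git.nix, `gpg.format = "ssh"` switches signing to SSH but nothing in this hunk sets `gpg.ssh.allowedSignersFile`, so `git verify-commit` and `git log --show-signature` cannot verify any SSH signature locally (git errors out saying that option must be configured and exist). Add `gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers";` next to it and list the signing public key in that file, otherwise `signByDefault = true` produces signatures nobody on this machine can check. Earlier commits signed with the old GPG key are unaffected by the switch but still verify only through gpg. The attrset this hunk edits (presumably `programs.git.extraConfig`) starts before the hunk.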
+++ b/home/modules/keyring.nix
@@ -12,7 +12,7 @@ in
 config = mkIf cfg.enable {
 services.gnome-keyring = {
 enable = false;
- components = [ "pkcs11" "secrets" ];
+ components = [ "secrets" ];
 };
 };
 }
diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix
index 420dfc8..64443e2 100644
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@@ -1,21 +1,9 @@ { config , pkgs , lib -, secretsPath , ... }: let - signHook = - pkgs.writeShellScript "/etc/nix/sign-cache.sh" - '' - set -eu - set -f # disable globbing - export IFS=' ' - - echo "Signing paths" $OUT_PATHS - nix store sign --key-file /etc/nix/key.private $OUT_PATHS - ''; - xilinxJtag = pkgs.writeTextFile { name = "xilinx-jtag"; text = ''
@@ -65,13 +65,16 @@ in networking.hostName = "gorgon"; dadada = { - #headphones.enable = true; steam.enable = true; - #fido2 = { - # credential = "04ea2813a116f634e90f9728dbbb45f1c0f93b7811941a5a14fb75e711794df0c26552dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec01473070000"; - # enablePam = true; - #}; - luks.uuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4"; + yubikey = { + enable = true; + #luksUuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4"; + fido2Credentials = [ + "0295c215865e4d988cf5148db9197ae58bc26b0838b35e2b35bafdb837e9f8b103309466d7cfa8c71d6c01d4908e2708" + "f8a4359e4a67d8a149a72ad5fb2db0fbc11e2480102e5a2e353297dce5e1ad53419acade31eb4a4bd803b808c29ba0b4" + ]; + }; + networking = { enableBsShare = true; vpnExtension = "3";
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index f89d4ce..3448a55 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -21,4 +21,5 @@
 sway = import ./sway.nix;
 vpnServer = import ./vpnServer.nix;
 weechat = import ./weechat.nix;
+ yubikey = import ./yubikey.nix;
 }
diff --git a/nixos/modules/yubikey.nix b/nixos/modules/yubikey.nix
new file mode 100644
index 0000000..9d1b117
--- /dev/null
+++ b/nixos/modules/yubikey.nix
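Review bot: The `components` change in keyring.nix is inert: `enable = false` two lines above means gnome-keyring is not started at all, so dropping `"pkcs11"` changes nothing at runtime. If the intent (which I infer only from the commit title) is to keep gnome-keyring's PKCS#11 module from competing with the YubiKey/pcscd stack once the keyring is re-enabled, record that next to the line, e.g. `# pkcs11 omitted so gnome-keyring does not shadow the YubiKey's PKCS#11 provider`, otherwise the reason will be lost. The enclosing `config = mkIf cfg.enable` attrset begins before the hunk.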
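Review bot: The second configuration.nix hunk removes `luks.uuid = "3d0e5b93-…"` but leaves its replacement `luksUuid` commented out, so unless the root LUKS device is declared somewhere I cannot see, this host now has no `boot.initrd.luks.devices` entry for its root disk and the next generation's initrd may be unable to unlock it; if the new module's LUKS path is not ready, keep the old `luks.uuid` line until it is rather than leaving that window. The two hex strings under `fido2Credentials` are FIDO2 credential IDs and are safe to commit, but a one-line comment per entry naming the physical token (e.g. `# yubikey 5C nano (primary)`) makes revoking a lost key straightforward. The `dadada = {` attrset starts before this hunk.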
@@ -0,0 +1,67 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+with lib; let
+ yubikey = config.dadada.yubikey;
+in
+{
+ options = {
+ dadada.yubikey = {
+ enable = mkEnableOption "Enable Yubikey";
+ fido2Credentials = mkOption {
+ type = with types; listOf str;
+ description = "FIDO2 credential strings";
+ default = [ ];
+ };
+ luksUuid = mkOption {
+ type = with types; nullOr str;
+ description = "Device UUID";
+ default = null;
+ };
+ };
+ };
+
+ config = mkIf yubikey.enable {
+ boot.initrd.luks = {
+ fido2Support = true;
+ devices = mkIf (yubikey.luksUuid != null) {
+ root = {
+ device = "/dev/disk/by-uuid/${yubikey.luksUuid}";
+ preLVM = true;
+ allowDiscards = true;
+ fido2 = mkIf (yubikey.fido2Credentials != [ ]) {
+ credentials = yubikey.fido2Credentials;
+ passwordLess = true;
+ };
+ };
+ };
+ };
+
+ security.pam = {
+ # Keys must be placed in $XDG_CONFIG_HOME/Yubico/u2f_keys
+ services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+ u2f = {
+ control = "sufficient";
+ cue = true;
+ };
+ };
+
+ services.pcscd.enable = true;
+
+ services.udev.packages = [ pkgs.yubikey-personalization ];
+
+ environment.systemPackages = with pkgs; [
+ fido2luks
+ linuxPackages.acpi_call
+ pam_u2f
+ pamtester
+ yubikey-manager
+ yubikey-manager-qt
+ ];
+ };
+}
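Review bot: `passwordLess = true` in the `fido2` block derives the root LUKS key from the token alone (per the NixOS option description, an empty string is used as the salt), so anyone holding the laptop together with the YubiKey — which usually travel in the same bag — can unlock the disk with no PIN or passphrase, and with `control = "sufficient"` on `login` and `sudo` a single touch then also yields a shell and root. I would set `passwordLess = false;` (or expose it as a module option defaulting to false) so unlock needs token plus passphrase, and add a comment at `control` spelling out that `sufficient` makes the token a single factor whereas `required` stacks it on the password. The `u2f_keys` file named in the comment lives under the user's own `$XDG_CONFIG_HOME`, so for `sudo` any unprivileged process running as that user can enrol further authenticators; point pam_u2f at a root-owned mapping instead, `authFile = "/etc/u2f_mappings";` (`security.pam.u2f.authFile` on this NixOS generation), and update the comment to match. `linuxPackages.acpi_call` is a kernel-module package, does nothing useful in `environment.systemPackages`, and is unrelated to the YubiKey — if it is needed it belongs in `boot.extraModulePackages` in the host config, otherwise drop it from this list.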