Enable yubikey and upgrade keys

2023-10-07 18:22:44 +02:00 · 2023-10-07 18:22:44 +02:00 · 49245cee2e
commit 49245cee2e
parent 75cb0fb634
8 changed files with 81 additions and 24 deletions
--- a/admins.nix
+++ b/admins.nix
@ -3,6 +3,7 @@
    shell = "zsh";
    keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE2JWU+BuWSvoiGFSTDQ9/1SCvfJEnkFQsFLYPNlY6wcAAAABHNzaDo= dadada <dadada@dadada.li>"
    ];
  };
 }
--- a/home/home/default.nix
+++ b/home/home/default.nix
@ -25,7 +25,7 @@ in
  programs.git = {
    signing = {
-      key = "D68C84695C087E0F733A28D0EEB8D1CE62C4DFEA";
+      key = "~/.ssh/dadada-git-signing";
      signByDefault = true;
    };
    userEmail = "dadada@dadada.li";
--- a/home/modules/git.nix
+++ b/home/modules/git.nix
@ -45,6 +45,7 @@ in
        commit.verbose = true;
        log.date = "iso8601-local";
        tag.gpgSign = true;
        gpg.format = "ssh";
        pull = {
          prune = true;
          ff = "only";
--- a/home/modules/gpg.nix
+++ b/home/modules/gpg.nix
@ -29,9 +29,5 @@ in
      enableSshSupport = false;
      pinentryFlavor = "gnome3";
    };
    programs.git.extraConfig = {
      commit = { gpgSign = true; };
    };
  };
 }
--- a/home/modules/keyring.nix
+++ b/home/modules/keyring.nix
@ -12,7 +12,7 @@ in
  config = mkIf cfg.enable {
    services.gnome-keyring = {
      enable = false;
-      components = [ "pkcs11" "secrets" ];
+      components = [ "secrets" ];
    };
  };
 }
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@ -1,21 +1,9 @@
 { config
 , pkgs
 , lib
 , secretsPath
 , ...
 }:
 let
  signHook =
    pkgs.writeShellScript "/etc/nix/sign-cache.sh"
      ''
        set -eu
        set -f # disable globbing
        export IFS=' '
        echo "Signing paths" $OUT_PATHS
        nix store sign --key-file /etc/nix/key.private $OUT_PATHS
      '';
  xilinxJtag = pkgs.writeTextFile {
    name = "xilinx-jtag";
    text = ''
@ -65,13 +53,16 @@ in
  networking.hostName = "gorgon";
  dadada = {
    #headphones.enable = true;
    steam.enable = true;
-    #fido2 = {
+    yubikey = {
-    #  credential = "04ea2813a116f634e90f9728dbbb45f1c0f93b7811941a5a14fb75e711794df0c26552dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec01473070000";
+      enable = true;
-    #  enablePam = true;
+      #luksUuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
-    #};
+      fido2Credentials = [
-    luks.uuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
+        "0295c215865e4d988cf5148db9197ae58bc26b0838b35e2b35bafdb837e9f8b103309466d7cfa8c71d6c01d4908e2708"
        "f8a4359e4a67d8a149a72ad5fb2db0fbc11e2480102e5a2e353297dce5e1ad53419acade31eb4a4bd803b808c29ba0b4"
      ];
    };
    networking = {
      enableBsShare = true;
      vpnExtension = "3";
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -21,4 +21,5 @@
  sway = import ./sway.nix;
  vpnServer = import ./vpnServer.nix;
  weechat = import ./weechat.nix;
  yubikey = import ./yubikey.nix;
 }
--- a/nixos/modules/yubikey.nix
+++ b/nixos/modules/yubikey.nix
@ -0,0 +1,67 @@
 { config
 , pkgs
 , lib
 , ...
 }:
 with lib; let
  yubikey = config.dadada.yubikey;
 in
 {
  options = {
    dadada.yubikey = {
      enable = mkEnableOption "Enable Yubikey";
      fido2Credentials = mkOption {
        type = with types; listOf str;
        description = "FIDO2 credential strings";
        default = [ ];
      };
      luksUuid = mkOption {
        type = with types; nullOr str;
        description = "Device UUID";
        default = null;
      };
    };
  };
  config = mkIf yubikey.enable {
    boot.initrd.luks = {
      fido2Support = true;
      devices = mkIf (yubikey.luksUuid != null) {
        root = {
          device = "/dev/disk/by-uuid/${yubikey.luksUuid}";
          preLVM = true;
          allowDiscards = true;
          fido2 = mkIf (yubikey.fido2Credentials != [ ]) {
            credentials = yubikey.fido2Credentials;
            passwordLess = true;
          };
        };
      };
    };
    security.pam = {
      # Keys must be placed in $XDG_CONFIG_HOME/Yubico/u2f_keys
      services = {
        login.u2fAuth = true;
        sudo.u2fAuth = true;
      };
      u2f = {
        control = "sufficient";
        cue = true;
      };
    };
    services.pcscd.enable = true;
    services.udev.packages = [ pkgs.yubikey-personalization ];
    environment.systemPackages = with pkgs; [
      fido2luks
      linuxPackages.acpi_call
      pam_u2f
      pamtester
      yubikey-manager
      yubikey-manager-qt
    ];
  };
 }