dadada/nix-config
dadada/nix-config
1
0
Fork 0
Code Issues 2 Pull requests 5 Projects Releases Packages Wiki Activity Actions

Enable yubikey and upgrade keys

Browse source
This commit is contained in:
Tim Schubert 2023-10-07 18:22:44 +02:00
parent 75cb0fb634
commit 49245cee2e
Signed by: dadada
GPG key ID: EEB8D1CE62C4DFEA
8 changed files with 81 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

1
admins.nix
View file

@ -3,6 +3,7 @@
shell = "zsh";
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE2JWU+BuWSvoiGFSTDQ9/1SCvfJEnkFQsFLYPNlY6wcAAAABHNzaDo= dadada <dadada@dadada.li>"
];
};
}

2
home/home/default.nix
View file

@ -25,7 +25,7 @@ in
programs.git = {
signing = {
key = "D68C84695C087E0F733A28D0EEB8D1CE62C4DFEA";
key = "~/.ssh/dadada-git-signing";
signByDefault = true;
};
userEmail = "dadada@dadada.li";

1
home/modules/git.nix
View file

@ -45,6 +45,7 @@ in
commit.verbose = true;
log.date = "iso8601-local";
tag.gpgSign = true;
gpg.format = "ssh";
pull = {
prune = true;
ff = "only";

4
home/modules/gpg.nix
View file

@ -29,9 +29,5 @@ in
enableSshSupport = false;
pinentryFlavor = "gnome3";
};
programs.git.extraConfig = {
commit = { gpgSign = true; };
};
};
}

2
home/modules/keyring.nix
View file

@ -12,7 +12,7 @@ in
config = mkIf cfg.enable {
services.gnome-keyring = {
enable = false;
components = [ "pkcs11" "secrets" ];
components = [ "secrets" ];
};
};
}

27
nixos/gorgon/configuration.nix
View file

@ -1,21 +1,9 @@
{ config
, pkgs
, lib
, secretsPath
, ...
}:
let
signHook =
pkgs.writeShellScript "/etc/nix/sign-cache.sh"
''
set -eu
set -f # disable globbing
export IFS=' '
echo "Signing paths" $OUT_PATHS
nix store sign --key-file /etc/nix/key.private $OUT_PATHS
'';
xilinxJtag = pkgs.writeTextFile {
name = "xilinx-jtag";
text = ''
@ -65,13 +53,16 @@ in
networking.hostName = "gorgon";
dadada = {
#headphones.enable = true;
steam.enable = true;
#fido2 = {
# credential = "04ea2813a116f634e90f9728dbbb45f1c0f93b7811941a5a14fb75e711794df0c26552dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec01473070000";
# enablePam = true;
#};
luks.uuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
yubikey = {
enable = true;
#luksUuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
fido2Credentials = [
"0295c215865e4d988cf5148db9197ae58bc26b0838b35e2b35bafdb837e9f8b103309466d7cfa8c71d6c01d4908e2708"
"f8a4359e4a67d8a149a72ad5fb2db0fbc11e2480102e5a2e353297dce5e1ad53419acade31eb4a4bd803b808c29ba0b4"
];
};
networking = {
enableBsShare = true;
vpnExtension = "3";

1
nixos/modules/default.nix
View file

@ -21,4 +21,5 @@
sway = import ./sway.nix;
vpnServer = import ./vpnServer.nix;
weechat = import ./weechat.nix;
yubikey = import ./yubikey.nix;
}

67
nixos/modules/yubikey.nix Normal file
View file

@ -0,0 +1,67 @@
{ config
, pkgs
, lib
, ...
}:
with lib; let
yubikey = config.dadada.yubikey;
in
{
options = {
dadada.yubikey = {
enable = mkEnableOption "Enable Yubikey";
fido2Credentials = mkOption {
type = with types; listOf str;
description = "FIDO2 credential strings";
default = [ ];
};
luksUuid = mkOption {
type = with types; nullOr str;
description = "Device UUID";
default = null;
};
};
};
config = mkIf yubikey.enable {
boot.initrd.luks = {
fido2Support = true;
devices = mkIf (yubikey.luksUuid != null) {
root = {
device = "/dev/disk/by-uuid/${yubikey.luksUuid}";
preLVM = true;
allowDiscards = true;
fido2 = mkIf (yubikey.fido2Credentials != [ ]) {
credentials = yubikey.fido2Credentials;
passwordLess = true;
};
};
};
};
security.pam = {
# Keys must be placed in $XDG_CONFIG_HOME/Yubico/u2f_keys
services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
};
u2f = {
control = "sufficient";
cue = true;
};
};
services.pcscd.enable = true;
services.udev.packages = [ pkgs.yubikey-personalization ];
environment.systemPackages = with pkgs; [
fido2luks
linuxPackages.acpi_call
pam_u2f
pamtester
yubikey-manager
yubikey-manager-qt
];
};
}