| author | Alejandro Soto <alejandro@34project.org> | 2025-12-24 16:35:06 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-12-24 16:50:53 -0600 |
| commit | 1108ab1c4ffe76a14080fc1abb8015012b1a0c9c (patch) | |
| tree | 161b3909755a809ed2985b2cc5889e00cb4f26fa /sys/hardware | |
| parent | ba0ad441fcfde226dc7f01ebd394d87f7a6a3714 (diff) | |
sys/hardware/yubico: enable pam-u2f
Diffstat (limited to '')
| -rw-r--r-- | sys/hardware/yubico.nix | 41 |
1 files changed, 39 insertions, 2 deletions
diff --git a/sys/hardware/yubico.nix b/sys/hardware/yubico.nix
index 0c8478c..0c26133 100644
--- a/sys/hardware/yubico.nix
+++ b/sys/hardware/yubico.nix
@@ -7,8 +7,22 @@ with lib;
 let
 cfg = config.local.hardware.yubico;
 in {
- options.local.hardware.yubico = {
- enable = mkEnableOption "Yubico hardware support";
+ options = {
+ local.hardware.yubico = {
+ enable = mkEnableOption "Yubico hardware support";
+
+ pamAuth = mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ security.pam.services = mkOption {
+ type = with lib.types;
+ attrsOf (submodule {
+ config.u2fAuth = lib.mkDefault false;
+ });
+ };
 };
 
 config = mkIf cfg.enable {
@@ -16,6 +30,29 @@ in {
 module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
 '';
 
+ security.pam = mkIf cfg.pamAuth {
+ u2f = {
+ enable = true;
+ control = "sufficient";
+
+ settings = {
+ authfile = "/var/trust/pam_u2f_keys";
+ cue = true;
+ pinverification = true;
+ userpresence = false;
+ userverification = false;
+ };
+ };
+
+ services = {
+ gtklock.u2fAuth = true;
+ su.u2fAuth = true;
+ sudo.u2fAuth = true;
+ systemd-run0.u2fAuth = true;
+ vlock.u2fAuth = true;
+ };
+ };
+
 services = {
 pcscd.enable = true;
 udev.packages = [pkgs.yubikey-personalization]; |
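Review bot: The new `pamAuth` option and the redeclaration of `security.pam.services` in the first hunk carry no `description` and no comment, so a reader cannot tell why this module re-declares an upstream option. If I remember the NixOS module correctly, upstream's `u2fAuth` defaults to `security.pam.u2f.enable`, so turning U2F on would otherwise reach every PAM service; the `config.u2fAuth = lib.mkDefault false;` line is what makes U2F opt-in per service and that intent should be stated. I would add `description = "Use the YubiKey (pam_u2f) for the PAM services listed in this module.";` to `pamAuth`, and a one-line comment above the `security.pam.services` declaration such as `# Flip the upstream default: U2F is only enabled for services that set u2fAuth = true explicitly.`. Declaring the option with `attrsOf (submodule ...)` relies on the module system merging it with upstream's declaration of the same type; a short note that this merge is intentional would help the next maintainer.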
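Review bot: In the second hunk `control = "sufficient"` means a successful pam_u2f check alone satisfies authentication for `su`, `sudo`, `systemd-run0`, `gtklock` and `vlock`, so the whole security of those services rests on the mapping file `/var/trust/pam_u2f_keys`, and this commit does not show who creates that file or with what ownership and mode; pam_u2f accepts any key listed there, so it must be root-owned and not writable by unprivileged users, while still being readable by the user session for the unprivileged lockers (`gtklock`, `vlock`) — worth confirming against whatever provisions `/var/trust`. With `userpresence = false` and `userverification = false` the settings explicitly decline a touch and on-device verification, leaving possession plus the PIN (`pinverification = true`) as the two factors; if a touch is intended, `cue = true` only prints the prompt and does not require it. I cannot tell from the diff how NixOS renders a `false` in `security.pam.u2f.settings` (it may omit the key rather than emit `userpresence=0`, which would fall back to the authenticator's default), so the generated `/etc/pam.d` entry should be checked once. A comment on the `settings` block stating the intended factor model, e.g. `# Possession + PIN; no touch (userpresence) required. sufficient: password is only asked when the key check fails.`, would make the trade-off explicit.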
