| author | Alejandro Soto <alejandro@34project.org> | 2025-12-24 16:35:06 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-12-24 16:50:53 -0600 |
| commit | 1108ab1c4ffe76a14080fc1abb8015012b1a0c9c (patch) | |
| tree | 161b3909755a809ed2985b2cc5889e00cb4f26fa /sys | |
| parent | ba0ad441fcfde226dc7f01ebd394d87f7a6a3714 (diff) | |
sys/hardware/yubico: enable pam-u2f
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/hardware/yubico.nix | 41 | ||||
| -rw-r--r-- | sys/preset/user.nix | 8 |
2 files changed, 45 insertions, 4 deletions
diff --git a/sys/hardware/yubico.nix b/sys/hardware/yubico.nix
index 0c8478c..0c26133 100644
--- a/sys/hardware/yubico.nix
+++ b/sys/hardware/yubico.nix
@@ -7,8 +7,22 @@ with lib; let
 cfg = config.local.hardware.yubico;
 in {
- options.local.hardware.yubico = {
- enable = mkEnableOption "Yubico hardware support";
+ options = {
+ local.hardware.yubico = {
+ enable = mkEnableOption "Yubico hardware support";
+
+ pamAuth = mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ security.pam.services = mkOption {
+ type = with lib.types;
+ attrsOf (submodule {
+ config.u2fAuth = lib.mkDefault false;
+ });
+ };
 };
 config = mkIf cfg.enable {
@@ -16,6 +30,29 @@ in {
 module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
 '';
+ security.pam = mkIf cfg.pamAuth {
+ u2f = {
+ enable = true;
+ control = "sufficient";
+
+ settings = {
+ authfile = "/var/trust/pam_u2f_keys";
+ cue = true;
+ pinverification = true;
+ userpresence = false;
+ userverification = false;
+ };
+ };
+
+ services = {
+ gtklock.u2fAuth = true;
+ su.u2fAuth = true;
+ sudo.u2fAuth = true;
+ systemd-run0.u2fAuth = true;
+ vlock.u2fAuth = true;
+ };
+ };
+
 services = {
 pcscd.enable = true;
 udev.packages = [pkgs.yubikey-personalization];
diff --git a/sys/preset/user.nix b/sys/preset/user.nix
index 4a34473..56b6866 100644
--- a/sys/preset/user.nix
+++ b/sys/preset/user.nix
@@ -50,7 +50,11 @@ in {
 };
 hardware = {
- yubico.enable = mkDefault true;
+ yubico = {
+ enable = mkDefault true;
+ pamAuth = mkDefault true;
+ };
+
 bluetooth.enable = mkDefault true;
 };
@@ -61,7 +65,7 @@ in {
 graphical = mkDefault true;
 };
- trivionomiconMotd.enable = true;
+ #trivionomiconMotd.enable = true;
 };
 services.nullmailer = {
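Review bot: The new `pamAuth` option in the first yubico.nix hunk has no `description`, and the re-declaration of `security.pam.services` right below it gives no hint of why it exists. As far as I can tell, upstream's `u2fAuth` default follows `security.pam.u2f.enable`, so without this re-declaration enabling `security.pam.u2f` would switch U2F on for every PAM service at once; the `mkDefault false` turns that into an explicit per-service allowlist, which is the right shape for an auth change but only if the next reader knows that is the intent. I would add `description = "Use an attached YubiKey (pam_u2f) as a PAM authentication factor for the services listed in the config block.";` to `pamAuth`, and above `security.pam.services` a comment such as `# upstream defaults u2fAuth to security.pam.u2f.enable; force per-service opt-in instead`. The module's attrset opens and closes outside this hunk.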
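Review bot: In the second yubico.nix hunk `userpresence = false` together with `control = "sufficient"` means an attached key plus its PIN satisfies `su`, `sudo` and `systemd-run0` with no touch and no password, and nothing in the diff says that trade-off is deliberate; if touch is wanted for privilege elevation, `userpresence = true;` is the one-line change, otherwise a comment above `settings` stating that possession is proven only by the key being plugged in would do. `cue = true` appears to print a touch prompt even though no touch is demanded here, which is worth confirming so users are not trained to tap for nothing. The `/var/trust/pam_u2f_keys` authfile is neither created nor given an owner or mode anywhere in this change; since every entry in it grants password-less root via `sudo`/`su`, it should be root-owned and not writable by unprivileged users, and a comment naming where it is provisioned would help. With `sufficient`, a missing or unreadable file makes pam_u2f fail and the stack falls through to the password module, so hosts without the file keep working but silently lose the second factor.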
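Review bot: `pamAuth = mkDefault true;` in the first user.nix hunk turns the `sufficient` U2F path on for every host that imports this preset, not just ones with a key enrolled, and the preset gives no reason. Because the module in yubico.nix uses `control = "sufficient"`, hosts without `/var/trust/pam_u2f_keys` fall back to password authentication, so the default is safe but should say so: `# pam_u2f is "sufficient"; hosts without /var/trust/pam_u2f_keys fall back to password`. The enclosing `hardware` attrset is fully inside the hunk, but the module around it is not.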
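Review bot: The second user.nix hunk comments out `trivionomiconMotd.enable = true;`, which is unrelated to the commit subject "enable pam-u2f" and leaves dead configuration behind. Either remove the line outright or move the change to its own commit with a message saying why the MOTD is being disabled; a bare `#` prefix gives the next reader no way to tell whether this is temporary.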
