Diffstat (limited to 'sys/hardware/yubico.nix')
-rw-r--r--sys/hardware/yubico.nix62
1 files changed, 62 insertions, 0 deletions
diff --git a/sys/hardware/yubico.nix b/sys/hardware/yubico.nix
new file mode 100644
index 0000000..1c77675
--- /dev/null
+++ b/sys/hardware/yubico.nix
@@ -0,0 +1,62 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.hardware.yubico;
+in {
+ options = {
+ local.hardware.yubico = {
+ enable = mkEnableOption "Yubico hardware support";
+
+ pamAuth = mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ security.pam.services = mkOption {
+ type = with lib.types;
+ attrsOf (submodule {
+ config.u2fAuth = lib.mkDefault false;
+ });
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.etc."pkcs11/modules/ykcs11".text = ''
+ module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+ '';
+
+ security.pam = mkIf cfg.pamAuth {
+ u2f = {
+ enable = true;
+ control = "sufficient";
+
+ settings = {
+ authfile = "/var/trust/pam_u2f_keys";
+ cue = true;
+ pinverification = 1;
+ userpresence = 0;
+ userverification = 0;
+ };
+ };
+
+ services = {
+ gtklock.u2fAuth = true;
+ login.u2fAuth = true;
+ su.u2fAuth = true;
+ sudo.u2fAuth = true;
+ systemd-run0.u2fAuth = true;
+ vlock.u2fAuth = true;
+ };
+ };
+
+ services = {
+ pcscd.enable = true;
+ udev.packages = [pkgs.yubikey-personalization];
+ };
+ };
+}
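Review bot: `userpresence = 0` in the pam_u2f settings removes the touch requirement, which is the one check a compromised user session cannot satisfy on its own; because the module is wired as `control = "sufficient"` for `sudo`, `su` and `systemd-run0`, a process that has captured the FIDO2 PIN (for example as it is typed into gtklock) can escalate silently whenever the key is left inserted. Unless there is a deliberate reason to avoid touch, I would set `userpresence = 1;` so every privileged authentication needs a physical tap that the user would notice. The redeclaration of `security.pam.services` with `config.u2fAuth = lib.mkDefault false` also deserves a comment, since it is easy to mistake for an accident: if I recall correctly NixOS defaults each service's `u2fAuth` to `security.pam.u2f.enable`, so this is what makes U2F opt-in per service rather than accepted by every PAM service (sshd, polkit, …), e.g. `# Override NixOS' default of u2fAuth = security.pam.u2f.enable so U2F is opt-in per service`. Finally, `/var/trust/pam_u2f_keys` is a central authfile, so its provisioning and root-only ownership/permissions are not covered by this module and should be documented or enforced elsewhere; a missing or user-writable file would respectively fall back to the password path or let a user register their own key for other accounts.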