mio-ops/images/usb-yubikey.nix

# Configuration for USB image for air gapped Yubikey machine
#
# Usage: nix-build -A iso images/usb-yubikey.nix
{
  nixpkgs ? <nixpkgs>,
  system ? "x86_64-linux",
}: let
  config = {pkgs, ...}:
    with pkgs; {
      imports = [
        <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
      ];
      boot.supportedFilesystems = ["zfs"];
      boot.kernelParams = ["console=ttyS0,115200n8"];
      programs = {
        ssh.startAgent = false;
        gnupg.agent = {
          enable = true;
          enableSSHSupport = true;
        };
      };
      services.pcscd.enable = true;
      services.udev.packages = [yubikey-personalization];
      environment.systemPackages = [
        curl # Tool for transferring files with URL syntax
        gnupg # GNU Privacy Guard
        paperkey # Store OpenPGP or GnuPG on paper
        pinentry # GnuPG’s interface to passphrase input
        wget # Retrieve files using HTTP, HTTPS, and FTP
      ];
      nixpkgs.config.allowUnfree = true;
      #services.openssh.enable = false;
    };
  evalNixos = configuration:
    import <nixpkgs/nixos> {inherit system configuration;};
in {iso = (evalNixos config).config.system.build.isoImage;}