2020-01-14 06:20:02 +00:00
|
|
|
|
# NixOps configuration for the hosts using Yubikeys
|
|
|
|
|
|
{
|
2022-03-07 14:26:15 +00:00
|
|
|
|
config,
|
|
|
|
|
|
pkgs,
|
|
|
|
|
|
lib,
|
|
|
|
|
|
...
|
|
|
|
|
|
}: {
|
2020-01-24 06:21:28 +00:00
|
|
|
|
services = {
|
|
|
|
|
|
udev = {
|
|
|
|
|
|
packages = [
|
2021-11-16 04:57:23 +00:00
|
|
|
|
pkgs.yubikey-personalization # A library and command line tool to personalize YubiKeys
|
|
|
|
|
|
pkgs.libu2f-host # A C library and command-line tool that implements the host-side of the U2F protocol
|
2020-01-24 06:21:28 +00:00
|
|
|
|
];
|
|
|
|
|
|
extraRules = let
|
2022-03-07 14:26:15 +00:00
|
|
|
|
dependencies = with pkgs; [coreutils gnupg gawk gnugrep];
|
2020-01-24 06:21:28 +00:00
|
|
|
|
clearYubikey = pkgs.writeScript "clear-yubikey" ''
|
|
|
|
|
|
#!${pkgs.stdenv.shell}
|
|
|
|
|
|
export PATH=${pkgs.lib.makeBinPath dependencies};
|
|
|
|
|
|
keygrips=$(
|
|
|
|
|
|
gpg-connect-agent 'keyinfo --list' /bye 2>/dev/null \
|
|
|
|
|
|
| grep -v OK \
|
|
|
|
|
|
| awk '{if ($4 == "T") { print $3 ".key" }}')
|
|
|
|
|
|
for f in $keygrips; do
|
|
|
|
|
|
rm -v ~/.gnupg/private-keys-v1.d/$f
|
|
|
|
|
|
done
|
|
|
|
|
|
gpg --card-status 2>/dev/null 1>/dev/null || true
|
|
|
|
|
|
'';
|
|
|
|
|
|
clearYubikeyUser = pkgs.writeScript "clear-yubikey-user" ''
|
|
|
|
|
|
#!${pkgs.stdenv.shell}
|
2020-02-10 13:53:35 +00:00
|
|
|
|
${pkgs.sudo}/bin/sudo -u craige ${clearYubikey}
|
2020-01-24 06:21:28 +00:00
|
|
|
|
'';
|
|
|
|
|
|
in ''
|
|
|
|
|
|
ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", RUN+="${clearYubikeyUser}"
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
2021-11-16 04:57:23 +00:00
|
|
|
|
pcscd.enable = true; # Enable PCSC-Lite daemon
|
2020-01-24 06:21:28 +00:00
|
|
|
|
};
|
2020-01-14 06:20:02 +00:00
|
|
|
|
|
|
|
|
|
|
# Additional packages used with the Yubikey
|
|
|
|
|
|
environment = {
|
|
|
|
|
|
systemPackages = with pkgs; [
|
2021-11-16 04:57:23 +00:00
|
|
|
|
paperkey # Store OpenPGP or GnuPG on paper
|
2024-02-06 04:12:48 +00:00
|
|
|
|
pinentry-curses # GnuPG’s interface to passphrase input
|
|
|
|
|
|
pinentry-qt # GnuPG’s interface to passphrase input
|
2021-11-16 04:57:23 +00:00
|
|
|
|
yubikey-manager # CLI tool for configuring any YubiKey over USB
|
|
|
|
|
|
yubikey-manager-qt # Configure any YubiKey over USB interfaces
|
|
|
|
|
|
yubikey-personalization # Lib & CLI tool to personalize YubiKeys
|
|
|
|
|
|
yubikey-personalization-gui # QT based utility to facilitate Yubikey reconfiguration
|
2023-06-04 23:24:39 +00:00
|
|
|
|
yubioath-flutter # Yubikey Desktop Authenticator
|
2020-01-14 06:20:02 +00:00
|
|
|
|
];
|
2020-01-24 06:21:28 +00:00
|
|
|
|
shellInit = ''
|
|
|
|
|
|
export GPG_TTY="$(tty)"
|
|
|
|
|
|
gpg-connect-agent /bye
|
|
|
|
|
|
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
programs = {
|
2021-11-16 04:57:23 +00:00
|
|
|
|
ssh.startAgent = false; # Disable the SSH Agent
|
2024-06-01 15:08:47 +00:00
|
|
|
|
gnupg.agent = with pkgs; {
|
2021-11-16 04:57:23 +00:00
|
|
|
|
enable = true; # Enable GPG Agent
|
|
|
|
|
|
enableSSHSupport = true; # Enable SSH agent support in GnuPG agent
|
2024-06-01 15:08:47 +00:00
|
|
|
|
pinentryPackage = pinentry-qt;
|
2020-01-24 06:21:28 +00:00
|
|
|
|
};
|
2020-01-14 06:20:02 +00:00
|
|
|
|
};
|
|
|
|
|
|
}
|
