diff --git a/roles/yubikey.nix b/roles/yubikey.nix
index bd3afc7..7980d1f 100644
--- a/roles/yubikey.nix
+++ b/roles/yubikey.nix
@@ -4,22 +4,62 @@
 {
-  services.udev.packages = [
-    pkgs.yubikey-personalization # A library and command line tool to personalize YubiKeys
-    pkgs.libu2f-host # A C library and command-line tool that implements the host-side of the U2F protocol
-  ];
-
-  services.pcscd.enable = true; # Enable PCSC-Lite daemon
+  services = {
+    udev = {
+      packages = [
+        pkgs.yubikey-personalization # A library and command line tool to personalize YubiKeys
+        pkgs.libu2f-host # A C library and command-line tool that implements the host-side of the U2F protocol
+      ];
+      extraRules = let
+        dependencies = with pkgs; [ coreutils gnupg gawk gnugrep ];
+        clearYubikey = pkgs.writeScript "clear-yubikey" ''
+          #!${pkgs.stdenv.shell}
+          export PATH=${pkgs.lib.makeBinPath dependencies};
+          keygrips=$(
+            gpg-connect-agent 'keyinfo --list' /bye 2>/dev/null \
+              | grep -v OK \
+              | awk '{if ($4 == "T") { print $3 ".key" }}')
+          for f in $keygrips; do
+            rm -v ~/.gnupg/private-keys-v1.d/$f
+          done
+          gpg --card-status 2>/dev/null 1>/dev/null || true
+        '';
+        clearYubikeyUser = pkgs.writeScript "clear-yubikey-user" ''
+          #!${pkgs.stdenv.shell}
+          ${pkgs.sudo}/bin/sudo -u ${clearYubikey}
+        '';
+      in ''
+        ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", RUN+="${clearYubikeyUser}"
+      '';
+    };
+    pcscd.enable = true; # Enable PCSC-Lite daemon
+  };
   # Additional packages used with the Yubikey
   environment = {
     systemPackages = with pkgs; [
+      gnupg # GNU Privacy Guard
+      pinentry_ncurses # GnuPG’s interface to passphrase input
+      paperkey # Store OpenPGP or GnuPG on paper
       yubikey-manager # CLI tool for configuring any YubiKey over USB
       yubikey-manager-qt # Configure any YubiKey over USB interfaces
       yubikey-personalization # Lib & CLI tool to personalize YubiKeys
       yubikey-personalization-gui # QT based utility to facilitate Yubikey reconfiguration
       yubioath-desktop # Yubikey Desktop Authenticator
     ];
+    shellInit = ''
+      export GPG_TTY="$(tty)"
+      gpg-connect-agent /bye
+      export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+    '';
+  };
+
+  programs = {
+    ssh.startAgent = false; # Disable the SSH Agent
+    gnupg.agent = {
+      enable = true; # Enable GPG Agent
+      enableSSHSupport = true; # Enable SSH agent support in GnuPG agent
+    };
   };
 }
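Review bot: The `clear-yubikey-user` wrapper passes no user to sudo — `${pkgs.sudo}/bin/sudo -u ${clearYubikey}` makes sudo read the store path of the script as the username, so the udev-triggered run will fail with an unknown-user error (or, if it somehow ran as root, `~/.gnupg/private-keys-v1.d` and `gpg-connect-agent` would resolve to root's home and agent rather than the intended account). The line should name the account whose key stubs are to be cleared, e.g. `${pkgs.sudo}/bin/sudo -u <USERNAME> ${clearYubikey}`, with `<USERNAME>` replaced by the real user (or taken from a config variable). Since the udev `RUN+=` executes this as root on every add/change event for idVendor 1050 / idProduct 0407, it is worth a one-line comment above the rule stating that it drops privileges to that user before deleting anything, and quoting `"$f"` in the `rm -v` line would be good hygiene even though the keygrips come from the local agent. Separately, the hard-coded `SSH_AUTH_SOCK` in `shellInit` may duplicate what `programs.gnupg.agent.enableSSHSupport` already exports; I believe the module derives the socket from `gpgconf --list-dirs agent-ssh-socket`, so confirm before keeping both.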