# Configuration for USB image for air gapped Yubikey machine
#
# Usage: nix-build -A iso images/usb-yubikey.nix

{ nixpkgs? <nixpkgs>, system ? "x86_64-linux" }:

let
  config = { pkgs, ... }: {
    imports = [<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>];
    boot.supportedFilesystems = [ "zfs" ];
    boot.kernelParams = [ "console=ttyS0,115200n8" ];
    programs = {
      ssh.startAgent = false;
      gnupg.agent = {
        enable = true;
        enableSSHSupport = true;
      };
    };
    services.pcscd.enable = true;
    services.udev.packages = [ pkgs.yubikey-personalization ];
    environment.systemPackages = with pkgs; [
      curl               # Tool for transferring files with URL syntax
      gnupg              # GNU Privacy Guard
      paperkey           # Store OpenPGP or GnuPG on paper
      pinentry_ncurses   # GnuPG’s interface to passphrase input
      wget               # Retrieve files using HTTP, HTTPS, and FTP
    ];
    nixpkgs.config.allowUnfree = true;
    services.openssh.enable = false;
  };
  evalNixos = configuration: import <nixpkgs/nixos> {
    inherit system configuration;
  };

in {
  iso = (evalNixos config).config.system.build.isoImage;
  }