mio-ops/profiles/yubikey.nix


# NixOps configuration for the hosts using Yubikeys
#
# Three things are wired together here:
#   * a udev rule that refreshes gpg-agent's private-key stubs when a Yubikey
#     is plugged in, so gpg immediately talks to the card that is present;
#   * the desktop/CLI tooling for managing the keys;
#   * gpg-agent acting as the SSH agent (the stock ssh-agent is disabled).
{
  config,
  pkgs,
  lib,
  ...
}: let
  # Account whose GnuPG state is refreshed by the udev rule below.
  yubikeyUser = "craige";

  # Everything the clear-yubikey script needs on its PATH.
  scriptDeps = with pkgs; [coreutils gnupg gawk gnugrep];

  # Asks gpg-agent for its key list, keeps only the entries whose 4th field
  # is "T" (keys living on a token), deletes those stub files from
  # ~/.gnupg/private-keys-v1.d, then re-reads the card so fresh stubs are
  # written for the Yubikey that was just inserted.  `grep -v OK` drops the
  # trailing status line of gpg-connect-agent; `--card-status` failures are
  # ignored on purpose (no card present is not an error here).
  clearYubikey = pkgs.writeScript "clear-yubikey" ''
    #!${pkgs.stdenv.shell}
    export PATH=${pkgs.lib.makeBinPath scriptDeps};
    keygrips=$(
    gpg-connect-agent 'keyinfo --list' /bye 2>/dev/null \
    | grep -v OK \
    | awk '{if ($4 == "T") { print $3 ".key" }}')
    for f in $keygrips; do
    rm -v ~/.gnupg/private-keys-v1.d/$f
    done
    gpg --card-status 2>/dev/null 1>/dev/null || true
  '';

  # udev executes RUN+= programs as root; this wrapper drops to the user so
  # the agent queried and the stubs removed are that user's.  It relies on
  # sudo setting HOME to the target user's home so `~` in clear-yubikey
  # resolves there — NOTE(review): confirm env_reset/always_set_home in the
  # sudo configuration of these hosts.
  clearYubikeyUser = pkgs.writeScript "clear-yubikey-user" ''
    #!${pkgs.stdenv.shell}
    ${pkgs.sudo}/bin/sudo -u ${yubikeyUser} ${clearYubikey}
  '';
in {
  # Device rules shipped with the Yubikey tooling.
  services.udev.packages = [
    pkgs.yubikey-personalization # A library and command line tool to personalize YubiKeys
    pkgs.libu2f-host # A C library and command-line tool that implements the host-side of the U2F protocol
  ];

  # Run the stub refresh on add/change of a USB device matching this
  # vendor/product pair (1050 is Yubico's vendor ID; 0407 is a single
  # YubiKey product/mode ID, so a key configured for another USB mode
  # reports a different idProduct and does not trigger the rule —
  # NOTE(review): confirm this matches the keys actually deployed).
  services.udev.extraRules = ''
    ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", RUN+="${clearYubikeyUser}"
  '';

  # PCSC-Lite daemon, the smart-card (CCID) access path gpg uses.
  services.pcscd.enable = true;

  # Additional packages used with the Yubikey
  environment.systemPackages = [
    pkgs.paperkey # Store OpenPGP or GnuPG on paper
    pkgs.pinentry-curses # GnuPGs interface to passphrase input
    pkgs.pinentry-qt # GnuPGs interface to passphrase input
    pkgs.yubikey-manager # CLI tool for configuring any YubiKey over USB
    pkgs.yubikey-manager-qt # Configure any YubiKey over USB interfaces
    pkgs.yubikey-personalization # Lib & CLI tool to personalize YubiKeys
    pkgs.yubikey-personalization-gui # QT based utility to facilitate Yubikey reconfiguration
    pkgs.yubioath-flutter # Yubikey Desktop Authenticator
  ];

  # Per-shell setup: tell gpg which tty pinentry may use, make sure the
  # agent is running (so its sockets exist), and point SSH at gpg-agent's
  # SSH socket instead of a separate ssh-agent.
  environment.shellInit = ''
    export GPG_TTY="$(tty)"
    gpg-connect-agent /bye
    export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
  '';

  # The stock SSH agent is disabled because gpg-agent provides that role
  # (enableSSHSupport below, SSH_AUTH_SOCK above).
  programs.ssh.startAgent = false;

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-qt;
  };
}