diff --git a/nixos/system/packages/sops/secrets/secrets.yaml b/nixos/system/packages/sops/secrets/secrets.yaml
index 9e807a8..2935f41 100644
--- a/nixos/system/packages/sops/secrets/secrets.yaml
+++ b/nixos/system/packages/sops/secrets/secrets.yaml
@@ -2,6 +2,7 @@ kogami:
 password-hash: ENC[AES256_GCM,data:HXuzumA7zAzBUcOBszeslYVDLA7r3W7gINn2FvMCTEHkc+y3zWftK4CVnk+TuRcgP9/htUphs2BmusogFAdmRQ3HmQU8WGQN0A==,iv:n2063dWbEmFKEvXbY2uk+C6lwF7WzA8jalKOFHPVICc=,tag:wb5bq4Dk3a9UnzYFBInHEA==,type:str]
 ginoza:
 password-hash: ENC[AES256_GCM,data:xqE0y3Z7+kasYFQLn4Wuo+/c9L8BEakf2HKgN5BsttC2iDuzYSvXrP8K6pe5Skdi5Aq0MVz9LixJFM3PBgLORL1C6k0iDSardw==,iv:bKL40h0rGNmnnkA7EieKAD5KyENXOiTNsTVH1V0B7HU=,tag:c1MsRuiOK/j2b0iKOyO8FQ==,type:str]
+yubikey_id: ENC[AES256_GCM,data:ZyamX5gxoW4=,iv:4tW7muk6AaJf9VmXmFd6Ut63U27fFD8QgYSBx3RgOfw=,tag:IFlSiOffMyc33Rw1gxwCPA==,type:int]
 sops:
 kms: []
 gcp_kms: []
@@ -17,8 +18,8 @@ sops:
 T0cxV21SN0hJaFg3R3hpTjIxa3lJNVEKdIrR5XDHxpCojk2A1pxc4dYtSJRrObbY
 JS/nDgu74LugEchiOhuIJ7nh3MS5XBOmmt2GTHrqxZEZFoIykjIGug==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-26T14:50:21Z"
- mac: ENC[AES256_GCM,data:db57wvxR3NK0OgI9qAzpjOg2dvcb5H7kY1GvyZmfyUoQpapwTuci36sEwFHDPSUXynzobmhiv49kAEsYm0xhvOhTW1tPReVKi4pKh4EFYl0qOeMs0/cM0pwDCyVkjTQh3qlRR+PFB2oSxDdi7rZFfz26P1iFlEHhvsYug/v16Rs=,iv:m40T1K279d5/7u2jtytwS5UMv6V7RDFpNXQxFEAOauU=,tag:+UQ61SLtcVUIixsT0JnXYA==,type:str]
+ lastmodified: "2024-12-26T19:06:52Z"
+ mac: ENC[AES256_GCM,data:1n5O72DFe6dgvEfE6ZOAP1JR4TFZQAWeDYU/NLtisjoVliREcVmaZEM3vxDnrLueLFdNZ0jxu9fEjG0cnwUDkJNIeFyj8mhzY3bIC5LiSVriKPLGiJW3fMBsK6btJTa8OJ7xJsFIKgXpVHAgOit9ZBT24VnLZ9zFgWk84whR1eE=,iv:RaKCWl5zfKsD0502WVRv8Vx2+jGz3J7yhRkSzb/RFPM=,tag:JT2sKaoK7SCKCk1nWrHZMQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.2
diff --git a/nixos/system/packages/sops/sops.nix b/nixos/system/packages/sops/sops.nix
index 072d96c..6810656 100644
--- a/nixos/system/packages/sops/sops.nix
+++ b/nixos/system/packages/sops/sops.nix
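Review bot: `yubikey_id` is encrypted here as `type:int`, but the sops.nix hunk in this commit feeds it to `security.pam.yubico.id`, which as far as I can tell from the nixpkgs pam module is declared as a string, and a YubiKey token ID is a 12-character modhex string rather than an integer; check which identifier is meant and store it as `type:str` if it is the token ID. Whatever is assigned to that option is rendered into the pam_yubico line of the service files under /etc/pam.d, which are world-readable, so keeping the value in secrets.yaml adds no confidentiality beyond keeping it out of the repository. The second hunk is the sops `lastmodified`/`mac` refresh and needs no review.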
@@ -19,5 +19,6 @@
 };
 users.users.${userSettings.username}.hashedPasswordFile = "${config.sops.secrets."${userSettings.hostname}/password-hash".path}";
+ security.pam.yubico.id = ["${config.sops.secrets.yubikey_id}".value];
 };
 }
diff --git a/nixos/system/packages/yubikey.nix b/nixos/system/packages/yubikey.nix
index fc8d11c..8649bc2 100644
--- a/nixos/system/packages/yubikey.nix
+++ b/nixos/system/packages/yubikey.nix
@@ -6,7 +6,7 @@
 }: {
 options = {
 program.yubikey = {
- enable = lib.mkEnableOption "Enable YubiKey support";
+ enable = lib.mkEnableOption "Enable YubiKey authentication";
 };
 };
@@ -17,30 +17,30 @@
 pam_u2f
 ];
+ # Only have to be connected to the notebook
+ #security.pam.services = {
+ # login.u2fAuth = true;
+ # sudo.u2fAuth = true;
+ #};
+
+ security.pam.yubico = {
+ enable = true;
+ debug = false;
+ mode = "challenge-response";
+ control = "sufficient";
+ #! id = [ "1234567890" ];
+ #! YubiKey ID is stored in SOPS
+ #! and is set in the module configuration
+ #! file ./sops/sops.nix
+ };
+
 services.pcscd = {
 enable = true;
 };
- #services.udev.packages = [pkgs.yubikey-personalization]; #
- #services.yubikey-agent.enable = true; #
- #security.pam = {
- # sshAgentAuth.enable = true;
- # u2f = {
- # enable = true;
- # settings = {
- # cue = false;
- # authfile = "${config.home.homeDirectory}/.config/yubikeys/u2f_keys";
- # # debug = true;
- # };
- # };
- # services = {
- # login.u2fAuth = true;
- # sudo = {
- # u2fAuth = true;
- # sshAgentAuth = true;
- # };
- # };
- #};
+
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
 };
 }
diff --git a/nixos/system/settings/user.nix b/nixos/system/settings/user.nix
index 8e44583..b461d3b 100644
--- a/nixos/system/settings/user.nix
+++ b/nixos/system/settings/user.nix
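Review bot: `security.pam.yubico.id = ["${config.sops.secrets.yubikey_id}".value];` cannot evaluate: `config.sops.secrets.yubikey_id` is the secret's option set, which Nix will not coerce into a string, and sops-nix exposes no `value` attribute — decrypted contents only appear on disk at activation time through `.path`, never at evaluation time. `.path` does not help either, because the option is rendered as a literal `id=` argument on the pam_yubico line, and (if I read the nixpkgs pam module correctly) it is declared as a string, so the list form would fail the type check as well. Since the rendered value lands in world-readable files under /etc/pam.d it is not secret material; assign it as a plain string, e.g. `security.pam.yubico.id = "<token-id>";` (placeholder) or a field of the existing `userSettings` set, and drop the sops entry. Note also that with `mode = "challenge-response"` the nixpkgs module, as far as I can tell, only emits `id=` in `client` mode, so the value would be unused anyway. The enclosing `config` attribute set in sops.nix starts before the hunk.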
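Review bot: `control = "sufficient"` together with `security.pam.yubico.enable = true` makes possession of the key a single-factor login for every PAM service: in the nixpkgs pam module `security.pam.services.<name>.yubicoAuth` defaults to `config.security.pam.yubico.enable`, so the `auth sufficient pam_yubico.so mode=challenge-response` line is, as far as I can tell, added to login, sudo, the display manager and screen lockers alike, and a successful challenge-response ends the auth stack before the password module is reached. If possession plus password is intended, use `control = "required"`, or keep `"sufficient"` and opt in per service with `security.pam.services.<name>.yubicoAuth = true;` instead of the global enable. Challenge-response also depends on a per-user challenge file (`security.pam.yubico.challengeResponsePath` or the user's ~/.yubico directory) that nothing in this commit provisions; a comment such as `# challenge file must be created per user with ykpamcfg; no provisioning here` would spare the next reader a failed login. The comment `# Only have to be connected to the notebook` does not say why U2F was dropped; `# pam_u2f services left disabled: pam_yubico challenge-response (below) is used instead` would. The enclosing `config` block starts before the hunk.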
@@ -4,6 +4,7 @@
 isNormalUser = true;
 description = "${userSettings.username}";
 extraGroups = ["wheel"];
+ #! hashedPasswordFile = "password-hash";
 #! User Hashed password is stored in SOPS
 #! and is set in the module configuration
 #! file ../packages/sops/sops.nix