Yubikey update

nixos/system/packages/sops/secrets/secrets.yaml

@@ -2,6 +2,7 @@ kogami:
     password-hash: ENC[AES256_GCM,data:HXuzumA7zAzBUcOBszeslYVDLA7r3W7gINn2FvMCTEHkc+y3zWftK4CVnk+TuRcgP9/htUphs2BmusogFAdmRQ3HmQU8WGQN0A==,iv:n2063dWbEmFKEvXbY2uk+C6lwF7WzA8jalKOFHPVICc=,tag:wb5bq4Dk3a9UnzYFBInHEA==,type:str]
 ginoza:
     password-hash: ENC[AES256_GCM,data:xqE0y3Z7+kasYFQLn4Wuo+/c9L8BEakf2HKgN5BsttC2iDuzYSvXrP8K6pe5Skdi5Aq0MVz9LixJFM3PBgLORL1C6k0iDSardw==,iv:bKL40h0rGNmnnkA7EieKAD5KyENXOiTNsTVH1V0B7HU=,tag:c1MsRuiOK/j2b0iKOyO8FQ==,type:str]
+yubikey_id: ENC[AES256_GCM,data:ZyamX5gxoW4=,iv:4tW7muk6AaJf9VmXmFd6Ut63U27fFD8QgYSBx3RgOfw=,tag:IFlSiOffMyc33Rw1gxwCPA==,type:int]
 sops:
     kms: []
     gcp_kms: []
@@ -17,8 +18,8 @@ sops:
             T0cxV21SN0hJaFg3R3hpTjIxa3lJNVEKdIrR5XDHxpCojk2A1pxc4dYtSJRrObbY
             JS/nDgu74LugEchiOhuIJ7nh3MS5XBOmmt2GTHrqxZEZFoIykjIGug==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-26T14:50:21Z"
+    lastmodified: "2024-12-26T19:06:52Z"
-    mac: ENC[AES256_GCM,data:db57wvxR3NK0OgI9qAzpjOg2dvcb5H7kY1GvyZmfyUoQpapwTuci36sEwFHDPSUXynzobmhiv49kAEsYm0xhvOhTW1tPReVKi4pKh4EFYl0qOeMs0/cM0pwDCyVkjTQh3qlRR+PFB2oSxDdi7rZFfz26P1iFlEHhvsYug/v16Rs=,iv:m40T1K279d5/7u2jtytwS5UMv6V7RDFpNXQxFEAOauU=,tag:+UQ61SLtcVUIixsT0JnXYA==,type:str]
+    mac: ENC[AES256_GCM,data:1n5O72DFe6dgvEfE6ZOAP1JR4TFZQAWeDYU/NLtisjoVliREcVmaZEM3vxDnrLueLFdNZ0jxu9fEjG0cnwUDkJNIeFyj8mhzY3bIC5LiSVriKPLGiJW3fMBsK6btJTa8OJ7xJsFIKgXpVHAgOit9ZBT24VnLZ9zFgWk84whR1eE=,iv:RaKCWl5zfKsD0502WVRv8Vx2+jGz3J7yhRkSzb/RFPM=,tag:JT2sKaoK7SCKCk1nWrHZMQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.2

nixos/system/packages/sops/sops.nix

@@ -19,5 +19,6 @@
     };
 
     users.users.${userSettings.username}.hashedPasswordFile = "${config.sops.secrets."${userSettings.hostname}/password-hash".path}";
+    security.pam.yubico.id = ["${config.sops.secrets.yubikey_id}".value];
   };
 }

nixos/system/packages/yubikey.nix

@@ -6,7 +6,7 @@
 }: {
   options = {
     program.yubikey = {
-      enable = lib.mkEnableOption "Enable YubiKey support";
+      enable = lib.mkEnableOption "Enable YubiKey authentication";
     };
   };
 
@@ -17,30 +17,30 @@
       pam_u2f
     ];
 
+    # Only have to be connected to the notebook
+    #security.pam.services = {
+    #  login.u2fAuth = true;
+    #  sudo.u2fAuth = true;
+    #};
+
+    security.pam.yubico = {
+      enable = true;
+      debug = false;
+      mode = "challenge-response";
+      control = "sufficient";
+      #! id = [ "1234567890" ];
+      #! YubiKey ID is stored in SOPS
+      #! and is set in the module configuration
+      #! file ./sops/sops.nix
+    };
+
     services.pcscd = {
       enable = true;
     };
-    #services.udev.packages = [pkgs.yubikey-personalization];
+
-#
+    programs.gnupg.agent = {
-    #services.yubikey-agent.enable = true;
+      enable = true;
-#
+      enableSSHSupport = true;
-    #security.pam = {
+    };
-    #  sshAgentAuth.enable = true;
-    #  u2f = {
-    #    enable = true;
-    #    settings = {
-    #      cue = false;
-    #      authfile = "${config.home.homeDirectory}/.config/yubikeys/u2f_keys";
-    #      # debug = true;
-    #    };
-    #  };
-    #  services = {
-    #    login.u2fAuth = true;
-    #    sudo = {
-    #      u2fAuth = true;
-    #      sshAgentAuth = true;
-    #    };
-    #  };
-    #};
   };
 }

nixos/system/settings/user.nix

@@ -4,6 +4,7 @@
     isNormalUser = true;
     description = "${userSettings.username}";
     extraGroups = ["wheel"];
+    #! hashedPasswordFile = "password-hash";
     #! User Hashed password is stored in SOPS
     #! and is set in the module configuration
     #! file ../packages/sops/sops.nix