diff --git a/common/yubikey.nix b/common/yubikey.nix
new file mode 100644
index 0000000..9f62e9a
--- /dev/null
+++ b/common/yubikey.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ environment.systemPackages = with pkgs; [
+ yubikey-manager
+ yubikey-agent
+ yubico-pam
+ ];
+
+ services.pcscd.enable = true;
+
+ security.pam.yubico = {
+ enable = true;
+ #debug = true;
+ mode = "challenge-response";
+ # Uncomment below for 2FA
+ #control = "required";
+ };
+ # To set up, need to run (might need to run as root)
+ # ykman otp chalresp --touch --generate 2
+ # ykpamcfg -2 -v
+}
diff --git a/flake.nix b/flake.nix
index bd42f8f..d4bf63a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,6 +51,7 @@
 modules = [
 ./system/carbon/configuration.nix
+ ./common/yubikey.nix
 ];
 };
@@ -59,6 +60,7 @@
 modules = [
 ./system/gospel/configuration.nix
+ ./common/yubikey.nix
 ];
 };
 };
diff --git a/system/carbon/configuration.nix b/system/carbon/configuration.nix
index d096e50..5d94b83 100644
--- a/system/carbon/configuration.nix
+++ b/system/carbon/configuration.nix
@@ -109,10 +109,6 @@
 wireguard-tools
 prusa-slicer
-
- yubikey-manager
- yubikey-agent
- yubico-pam
 ];
 # Some programs need SUID wrappers, can be configured further or are
@@ -165,19 +161,6 @@
 pulse.enable = true;
 };
- services.pcscd.enable = true;
-
- security.pam.yubico = {
- enable = true;
- #debug = true;
- mode = "challenge-response";
- # Uncomment below for 2FA
- #control = "required";
- };
- # To set up, need to run (might need to run as root)
- # ykman otp chalresp --touch --generate 2
- # ykpamcfg -2 -v
-
 # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
 # networking.firewall.allowedUDPPorts = [ ... ];
diff --git a/users/alejandro/gpg.nix b/users/alejandro/gpg.nix
index c548a86..25395a1 100644
--- a/users/alejandro/gpg.nix
+++ b/users/alejandro/gpg.nix
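Review bot: `security.pam.yubico` is enabled with `control` left at the module default (the `#control = "required";` line stays commented), and on NixOS that default is `sufficient`, so possession of the YubiKey satisfies the auth stack on its own for a user with an enrolled challenge file — the "Uncomment below for 2FA" comment understates that the shipped configuration is token-only rather than two-factor. Suggest replacing that comment with `# control defaults to "sufficient": the key alone passes auth; set "required" to also demand the password (2FA)`. The setup comment "might need to run as root" should also be split: root is plausibly needed for `ykman` USB access, but `ykpamcfg -2` appears to write the challenge file under the invoking user's `~/.yubico`, so running it via sudo would enroll root instead of the intended user — confirm against the ykpamcfg man page and add `# run ykpamcfg as the user being enrolled, not via sudo`. Both flake.nix hunks import this module into carbon and gospel, so the same note applies to both hosts.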
@@ -10,6 +10,10 @@
 programs.gpg = {
 enable = true;
+ scdaemonSettings = {
+ # Fix conflicts with config in common/yubikey.nix
+ disable-ccid = true;
+ };
 };
 services.gpg-agent = {
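Review bot: The comment on the new `scdaemonSettings` block names `common/yubikey.nix` but not the setting it works around: that module enables `services.pcscd`, and scdaemon's built-in CCID driver competes with pcscd for the same USB token, so `disable-ccid` makes scdaemon fall back to PC/SC via pcscd instead. Suggest `# pcscd (enabled in common/yubikey.nix) owns the token; make scdaemon use PC/SC instead of its internal CCID driver` so the dependency survives if pcscd is ever turned off. The hunk's trailing context lines may continue past this chunk.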