adds support for yubikeys

2024-11-02 04:23:30 +01:00 · 2024-11-02 04:23:30 +01:00 · 55c9fe6cea
commit 55c9fe6cea
parent e38ed1532a
8 changed files with 79 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,6 +9,7 @@ secrets/ssh_config/*.*
 !secrets/ssh_config/*.gpg
 secrets/*.*
 !secrets/*.gpg
+**/*.keys

 # SHA256 hashes of the encrypted secrets
 *.sha256
--- a/bin/actions/update.sh
+++ b/bin/actions/update.sh
@ -254,6 +254,9 @@ if [ "$#" -eq 0 ]; then
 else
  for arg in "$@"; do
    case $arg in
+    --nixos)
+      sys_packages
+      ;;
    --home-manager)
      homemanager
      ;;
--- a/config/config.yaml
+++ b/config/config.yaml
@ -18,6 +18,16 @@ config:
        wsl: ~/dotfiles/config/gitconfig.wsl
      target: ~/.gitconfig

+    # Yubico u2f keys
+    u2f:
+      sources:
+        mennos-laptop: ~/dotfiles/secrets/yubico/u2f.work.keys
+        mennos-desktop: ~/dotfiles/secrets/yubico/u2f.personal.keys
+        mennos-gamingpc: ~/dotfiles/secrets/yubico/u2f.personal.keys
+        homeserver-pc: ~/dotfiles/secrets/yubico/u2f.personal.keys
+      target: ~/.config/Yubico/u2f_keys
+      chmod: 644
+
    # VSCode settings
    vscode:
      source: ~/dotfiles/vscode/settings.json
--- a/config/nixos/configuration.nix
+++ b/config/nixos/configuration.nix
@ -6,6 +6,7 @@
    ./users.nix
    ./flatpak.nix
    ./hosts.nix
+    ./yubikey.nix
  ];

  # Bootloader.
@ -86,6 +87,7 @@
      text = ''
        firefox
        brave
+        zen
      '';
      mode = "0755";
    };
@ -115,9 +117,6 @@
    ];
  };

-  # Set hostname to DOTF_HOSTNAME if defined, otherwise use the hostname of the system.
-  networking.hostName = builtins.getEnv "DOTF_HOSTNAME";
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/config/nixos/hardware/mennos-gamingpc.nix
+++ b/config/nixos/hardware/mennos-gamingpc.nix
@ -68,6 +68,7 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
+  networking.hostName = "mennos-gamingpc";
  # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;

--- a/config/nixos/hardware/mennos-laptop.nix
+++ b/config/nixos/hardware/mennos-laptop.nix
@ -82,6 +82,7 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
+  networking.hostName = "mennos-laptop";
  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

--- a/config/nixos/yubikey.nix
+++ b/config/nixos/yubikey.nix
@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Install pam_u2f command
+  environment.systemPackages = with pkgs; [
+    pam_u2f
+    libnotify
+  ];
+
+  security.pam.services = {
+    sudo.u2fAuth = true;
+    lock.u2fAuth = true;
+    gnome-screensaver.u2fAuth = true;
+    "polkit-1".u2fAuth = true;
+  };
+
+  # Enable polkit
+  security.polkit.enable = true;
+
+  # Add custom polkit rules for 1Password
+  environment.etc."polkit-1/rules.d/90-1password-yubikey.rules".text = ''
+    polkit.addRule(function(action, subject) {
+      if (action.id == "com.1password.1Password.unlock") {
+        var authtype = subject.local ? "auth_admin_keep" : "auth_admin";
+        return polkit.Result.AUTH_ADMIN;
+      }
+    });
+  '';
+
+  # Make sure polkit is using the right authentication agent
+  services.xserver.displayManager.gdm = {
+    enable = true;
+    autoSuspend = false;
+  };
+
+  # GNOME keyring configuration
+  security.pam.services."gnome-keyring" = {
+    text = ''
+      auth optional pam_u2f.so
+      auth optional pam_unix.so nullok try_first_pass
+      session optional pam_keyinit.so force revoke
+      session optional pam_gnome_keyring.so auto_start
+    '';
+  };
+}
--- a/secrets/yubico/u2f.personal.keys.gpg
+++ b/secrets/yubico/u2f.personal.keys.gpg
@ -0,0 +1,10 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMIqPhBhesphqL/0sBBAV7jafDz2CgpxF6mvxXURS8XAS28yrsKRU4+eA33
+5eOMsSxUPzFSX9fzYAaZcD/JfTuFA9iwdxriy1+WV9sFmg2bcHBKcWo/SeuPyTkM
+n6NktaxpMuB5B4rPr3xDk38L5Nba4n3SEZVIMqUMJMimQMMQPBfWSI8Ari4xTCda
+0yFWgxrX0ZjNNhHFLf0jAi4pBhfh2S0+N/cKIs9rG4vT726jXXfouRwgxrIq02/Z
+2zBgGvfmIwiztbfMF5fexc4XnAPwNcv6T0F04sZXmc87IMc1sdeIGfRc7frcBrUO
+t/glUtStoaJBa4Y6V3xzBs2797v18PVlcFmwl5wBVHKwU9k=
+=RK27
+-----END PGP MESSAGE-----