diff --git a/.gitignore b/.gitignore
index 7617572..25dfd80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ secrets/ssh_config/*.*
 !secrets/ssh_config/*.gpg
 secrets/*.*
 !secrets/*.gpg
+**/*.keys
 # SHA256 hashes of the encrypted secrets
 *.sha256
\ No newline at end of file
diff --git a/bin/actions/update.sh b/bin/actions/update.sh
index 98f3f3f..96c1b3b 100755
--- a/bin/actions/update.sh
+++ b/bin/actions/update.sh
@@ -254,6 +254,9 @@ if [ "$#" -eq 0 ]; then
 else
 for arg in "$@"; do
 case $arg in
+ --nixos)
+ sys_packages
+ ;;
 --home-manager)
 homemanager
 ;;
diff --git a/config/config.yaml b/config/config.yaml
index b7948a8..a741099 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -18,6 +18,16 @@ config:
 wsl: ~/dotfiles/config/gitconfig.wsl
 target: ~/.gitconfig
 
+ # Yubico u2f keys
+ u2f:
+ sources:
+ mennos-laptop: ~/dotfiles/secrets/yubico/u2f.work.keys
+ mennos-desktop: ~/dotfiles/secrets/yubico/u2f.personal.keys
+ mennos-gamingpc: ~/dotfiles/secrets/yubico/u2f.personal.keys
+ homeserver-pc: ~/dotfiles/secrets/yubico/u2f.personal.keys
+ target: ~/.config/Yubico/u2f_keys
+ chmod: 644
+
 # VSCode settings
 vscode:
 source: ~/dotfiles/vscode/settings.json
diff --git a/config/nixos/configuration.nix b/config/nixos/configuration.nix
index accfa19..883361a 100644
--- a/config/nixos/configuration.nix
+++ b/config/nixos/configuration.nix
@@ -6,6 +6,7 @@
 ./users.nix
 ./flatpak.nix
 ./hosts.nix
+ ./yubikey.nix
 ];
 
 # Bootloader.
@@ -86,6 +87,7 @@
 text = ''
 firefox
 brave
+ zen
 '';
 mode = "0755";
 };
@@ -115,9 +117,6 @@
 ];
 };
 
- # Set hostname to DOTF_HOSTNAME if defined, otherwise use the hostname of the system.
- networking.hostName = builtins.getEnv "DOTF_HOSTNAME";
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
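Review bot: The existing `secrets/*.*` / `!secrets/*.gpg` pair only matches files directly under `secrets/`, so the decrypted `secrets/yubico/*.keys` files that config.yaml now references are kept out of the repository solely by the new `**/*.keys` line. Any other decrypted artifact that later lands in a `secrets/` subdirectory would be committable. A recursive pair, `secrets/**/*.*` followed by `!secrets/**/*.gpg`, would cover subdirectories the same way the top level is covered today.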
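Review bot: `chmod: 644` makes the deployed `~/.config/Yubico/u2f_keys` world-readable, and that file is the allow-list of credentials that satisfy the `u2fAuth` PAM services this commit enables, so its integrity is what matters; 644 does keep it owner-writable only. Its contents are key handles and public keys rather than secrets, but no other user needs to read it, and `chmod: 600` works whether pam_u2f opens the file from the PAM process or, with `openasuser`, as the owning user, provided the installer writes it owned by the login user. I would also add a comment above the block, `# Allow-list of U2F credentials read by pam_u2f; decrypted from secrets/yubico/*.keys.gpg`, since the `.keys` sources are gitignored and not visible in the tree.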
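Review bot: Dropping the `builtins.getEnv "DOTF_HOSTNAME"` assignment in the last configuration.nix hunk means every host now needs an explicit `networking.hostName`, but this commit only adds one for mennos-gamingpc and mennos-laptop (the two hardware hunks in the following file sections), while config.yaml in the same commit also lists mennos-desktop and homeserver-pc. Unless those hosts set it in a file outside this diff, they will fall back to NixOS's default hostname (`nixos`, as far as I recall), which would also break any host-keyed lookup of the u2f source mapping if the dotfiles tooling keys on the system hostname. Removing the impure `getEnv` call is itself an improvement; I would just add `networking.hostName = "<host>";` (placeholder) to the remaining hardware files in the same change. The enclosing attribute set continues outside the hunk.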
diff --git a/config/nixos/hardware/mennos-gamingpc.nix b/config/nixos/hardware/mennos-gamingpc.nix
index 18df645..fcc18d7 100644
--- a/config/nixos/hardware/mennos-gamingpc.nix
+++ b/config/nixos/hardware/mennos-gamingpc.nix
@@ -68,6 +68,7 @@
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
 networking.useDHCP = lib.mkDefault true;
+ networking.hostName = "mennos-gamingpc";
 # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
 # networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
diff --git a/config/nixos/hardware/mennos-laptop.nix b/config/nixos/hardware/mennos-laptop.nix
index ba7fe25..e748f5f 100644
--- a/config/nixos/hardware/mennos-laptop.nix
+++ b/config/nixos/hardware/mennos-laptop.nix
@@ -82,6 +82,7 @@
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
 networking.useDHCP = lib.mkDefault true;
+ networking.hostName = "mennos-laptop";
 # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
 # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
diff --git a/config/nixos/yubikey.nix b/config/nixos/yubikey.nix
new file mode 100644
index 0000000..3847033
--- /dev/null
+++ b/config/nixos/yubikey.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+ services.udev.packages = [ pkgs.yubikey-personalization ];
+
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # Install pam_u2f command
+ environment.systemPackages = with pkgs; [
+ pam_u2f
+ libnotify
+ ];
+
+ security.pam.services = {
+ sudo.u2fAuth = true;
+ lock.u2fAuth = true;
+ gnome-screensaver.u2fAuth = true;
+ "polkit-1".u2fAuth = true;
+ };
+
+ # Enable polkit
+ security.polkit.enable = true;
+
+ # Add custom polkit rules for 1Password
+ environment.etc."polkit-1/rules.d/90-1password-yubikey.rules".text = ''
+ polkit.addRule(function(action, subject) {
+ if (action.id == "com.1password.1Password.unlock") {
+ var authtype = subject.local ? "auth_admin_keep" : "auth_admin";
+ return polkit.Result.AUTH_ADMIN;
+ }
+ });
+ '';
+
+ # Make sure polkit is using the right authentication agent
+ services.xserver.displayManager.gdm = {
+ enable = true;
+ autoSuspend = false;
+ };
+
+ # GNOME keyring configuration
+ security.pam.services."gnome-keyring" = {
+ text = ''
+ auth optional pam_u2f.so
+ auth optional pam_unix.so nullok try_first_pass
+ session optional pam_keyinit.so force revoke
+ session optional pam_gnome_keyring.so auto_start
+ '';
+ };
+}
diff --git a/secrets/yubico/u2f.personal.keys.gpg b/secrets/yubico/u2f.personal.keys.gpg
new file mode 100644
index 0000000..14b4b9f
--- /dev/null
+++ b/secrets/yubico/u2f.personal.keys.gpg
@@ -0,0 +1,10 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMIqPhBhesphqL/0sBBAV7jafDz2CgpxF6mvxXURS8XAS28yrsKRU4+eA33
+5eOMsSxUPzFSX9fzYAaZcD/JfTuFA9iwdxriy1+WV9sFmg2bcHBKcWo/SeuPyTkM
+n6NktaxpMuB5B4rPr3xDk38L5Nba4n3SEZVIMqUMJMimQMMQPBfWSI8Ari4xTCda
+0yFWgxrX0ZjNNhHFLf0jAi4pBhfh2S0+N/cKIs9rG4vT726jXXfouRwgxrIq02/Z
+2zBgGvfmIwiztbfMF5fexc4XnAPwNcv6T0F04sZXmc87IMc1sdeIGfRc7frcBrUO
+t/glUtStoaJBa4Y6V3xzBs2797v18PVlcFmwl5wBVHKwU9k=
+=RK27
+-----END PGP MESSAGE-----
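Review bot: In the polkit rule, `authtype` is computed from `subject.local` and then never used: the function returns `polkit.Result.AUTH_ADMIN` unconditionally, so local sessions never get the `auth_admin_keep` behaviour the variable was evidently meant to select. Either drop the variable or use it, `return subject.local ? polkit.Result.AUTH_ADMIN_KEEP : polkit.Result.AUTH_ADMIN;`, and compare the action id with `===` rather than `==`. Separately, `sudo.u2fAuth`, `lock.u2fAuth` and `"polkit-1".u2fAuth` take their PAM control word from `security.pam.u2f.control`, which I believe defaults to `sufficient`, so a touch of an enrolled key alone satisfies sudo and polkit with no password; if the key is intended as a second factor rather than a password replacement, set `security.pam.u2f.control = "required";` explicitly. The gnome-keyring stack is all-`optional` with `nullok`, which is the usual shape for keyring unlock but worth a one-line comment so it is not copied to a service that actually authenticates.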