adds support for yubikeys

config/config.yaml

@@ -18,6 +18,16 @@ config:
         wsl: ~/dotfiles/config/gitconfig.wsl
       target: ~/.gitconfig
 
+    # Yubico u2f keys
+    u2f:
+      sources:
+        mennos-laptop: ~/dotfiles/secrets/yubico/u2f.work.keys
+        mennos-desktop: ~/dotfiles/secrets/yubico/u2f.personal.keys
+        mennos-gamingpc: ~/dotfiles/secrets/yubico/u2f.personal.keys
+        homeserver-pc: ~/dotfiles/secrets/yubico/u2f.personal.keys
+      target: ~/.config/Yubico/u2f_keys
+      chmod: 644
+
     # VSCode settings
     vscode:
       source: ~/dotfiles/vscode/settings.json

config/nixos/configuration.nix

@@ -6,6 +6,7 @@
     ./users.nix
     ./flatpak.nix
     ./hosts.nix
+    ./yubikey.nix
   ];
 
   # Bootloader.
@@ -86,6 +87,7 @@
       text = ''
         firefox
         brave
+        zen
       '';
       mode = "0755";
     };
@@ -115,9 +117,6 @@
     ];
   };
 
-  # Set hostname to DOTF_HOSTNAME if defined, otherwise use the hostname of the system.
-  networking.hostName = builtins.getEnv "DOTF_HOSTNAME";
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

config/nixos/hardware/mennos-gamingpc.nix

@@ -68,6 +68,7 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
+  networking.hostName = "mennos-gamingpc";
   # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
 

config/nixos/hardware/mennos-laptop.nix

@@ -82,6 +82,7 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
+  networking.hostName = "mennos-laptop";
   # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
 

config/nixos/yubikey.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Install pam_u2f command
+  environment.systemPackages = with pkgs; [
+    pam_u2f
+    libnotify
+  ];
+
+  security.pam.services = {
+    sudo.u2fAuth = true;
+    lock.u2fAuth = true;
+    gnome-screensaver.u2fAuth = true;
+    "polkit-1".u2fAuth = true;
+  };
+
+  # Enable polkit
+  security.polkit.enable = true;
+
+  # Add custom polkit rules for 1Password
+  environment.etc."polkit-1/rules.d/90-1password-yubikey.rules".text = ''
+    polkit.addRule(function(action, subject) {
+      if (action.id == "com.1password.1Password.unlock") {
+        var authtype = subject.local ? "auth_admin_keep" : "auth_admin";
+        return polkit.Result.AUTH_ADMIN;
+      }
+    });
+  '';
+
+  # Make sure polkit is using the right authentication agent
+  services.xserver.displayManager.gdm = {
+    enable = true;
+    autoSuspend = false;
+  };
+
+  # GNOME keyring configuration
+  security.pam.services."gnome-keyring" = {
+    text = ''
+      auth optional pam_u2f.so
+      auth optional pam_unix.so nullok try_first_pass
+      session optional pam_keyinit.so force revoke
+      session optional pam_gnome_keyring.so auto_start
+    '';
+  };
+}