vleeuwenmenno/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adds support for yubikeys

Browse Source
This commit is contained in:
Menno van Leeuwen 2024-11-02 04:23:30 +01:00
parent e38ed1532a
commit 55c9fe6cea
Signed by: vleeuwenmenno
SSH Key Fingerprint: SHA256:OJFmjANpakwD3F2Rsws4GLtbdz1TJ5tkQF0RZmF0TRE
8 changed files with 79 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -9,6 +9,7 @@ secrets/ssh_config/*.*
!secrets/ssh_config/*.gpg !secrets/ssh_config/*.gpg
secrets/*.* secrets/*.*
!secrets/*.gpg !secrets/*.gpg
**/*.keys
# SHA256 hashes of the encrypted secrets # SHA256 hashes of the encrypted secrets
*.sha256 *.sha256

3
bin/actions/update.sh
View File

@ -254,6 +254,9 @@ if [ "$#" -eq 0 ]; then
else else
for arg in "$@"; do for arg in "$@"; do
case $arg in case $arg in
--nixos)
sys_packages
;;
--home-manager) --home-manager)
homemanager homemanager
;; ;;

10
config/config.yaml
View File

@ -18,6 +18,16 @@ config:
wsl: ~/dotfiles/config/gitconfig.wsl wsl: ~/dotfiles/config/gitconfig.wsl
target: ~/.gitconfig target: ~/.gitconfig
# Yubico u2f keys
u2f:
sources:
mennos-laptop: ~/dotfiles/secrets/yubico/u2f.work.keys
mennos-desktop: ~/dotfiles/secrets/yubico/u2f.personal.keys
mennos-gamingpc: ~/dotfiles/secrets/yubico/u2f.personal.keys
homeserver-pc: ~/dotfiles/secrets/yubico/u2f.personal.keys
target: ~/.config/Yubico/u2f_keys
chmod: 644
# VSCode settings # VSCode settings
vscode: vscode:
source: ~/dotfiles/vscode/settings.json source: ~/dotfiles/vscode/settings.json

5
config/nixos/configuration.nix
View File

@ -6,6 +6,7 @@
./users.nix ./users.nix
./flatpak.nix ./flatpak.nix
./hosts.nix ./hosts.nix
./yubikey.nix
]; ];
# Bootloader. # Bootloader.
@ -86,6 +87,7 @@
text = '' text = ''
firefox firefox
brave brave
zen
''; '';
mode = "0755"; mode = "0755";
}; };
@ -115,9 +117,6 @@
]; ];
}; };
# Set hostname to DOTF_HOSTNAME if defined, otherwise use the hostname of the system.
networking.hostName = builtins.getEnv "DOTF_HOSTNAME";
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave

1
config/nixos/hardware/mennos-gamingpc.nix
View File

@ -68,6 +68,7 @@
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
networking.hostName = "mennos-gamingpc";
# networking.interfaces.enp8s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;

1
config/nixos/hardware/mennos-laptop.nix
View File

@ -82,6 +82,7 @@
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
networking.hostName = "mennos-laptop";
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true; # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

51
config/nixos/yubikey.nix Normal file
View File

@ -0,0 +1,51 @@
{ config, pkgs, ... }:
{
services.udev.packages = [ pkgs.yubikey-personalization ];
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
# Install pam_u2f command
environment.systemPackages = with pkgs; [
pam_u2f
libnotify
];
security.pam.services = {
sudo.u2fAuth = true;
lock.u2fAuth = true;
gnome-screensaver.u2fAuth = true;
"polkit-1".u2fAuth = true;
};
# Enable polkit
security.polkit.enable = true;
# Add custom polkit rules for 1Password
environment.etc."polkit-1/rules.d/90-1password-yubikey.rules".text = ''
polkit.addRule(function(action, subject) {
if (action.id == "com.1password.1Password.unlock") {
var authtype = subject.local ? "auth_admin_keep" : "auth_admin";
return polkit.Result.AUTH_ADMIN;
}
});
'';
# Make sure polkit is using the right authentication agent
services.xserver.displayManager.gdm = {
enable = true;
autoSuspend = false;
};
# GNOME keyring configuration
security.pam.services."gnome-keyring" = {
text = ''
auth optional pam_u2f.so
auth optional pam_unix.so nullok try_first_pass
session optional pam_keyinit.so force revoke
session optional pam_gnome_keyring.so auto_start
'';
};
}

10
secrets/yubico/u2f.personal.keys.gpg Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN PGP MESSAGE-----
jA0ECQMIqPhBhesphqL/0sBBAV7jafDz2CgpxF6mvxXURS8XAS28yrsKRU4+eA33
5eOMsSxUPzFSX9fzYAaZcD/JfTuFA9iwdxriy1+WV9sFmg2bcHBKcWo/SeuPyTkM
n6NktaxpMuB5B4rPr3xDk38L5Nba4n3SEZVIMqUMJMimQMMQPBfWSI8Ari4xTCda
0yFWgxrX0ZjNNhHFLf0jAi4pBhfh2S0+N/cKIs9rG4vT726jXXfouRwgxrIq02/Z
2zBgGvfmIwiztbfMF5fexc4XnAPwNcv6T0F04sZXmc87IMc1sdeIGfRc7frcBrUO
t/glUtStoaJBa4Y6V3xzBs2797v18PVlcFmwl5wBVHKwU9k=
=RK27
-----END PGP MESSAGE-----