52 lines
1.3 KiB
Nix
52 lines
1.3 KiB
Nix
{ config, pkgs, ... }:
|
|
{
|
|
services.udev.packages = [ pkgs.yubikey-personalization ];
|
|
|
|
programs.gnupg.agent = {
|
|
enable = true;
|
|
enableSSHSupport = true;
|
|
};
|
|
|
|
# Install pam_u2f command
|
|
environment.systemPackages = with pkgs; [
|
|
pam_u2f
|
|
libnotify
|
|
];
|
|
|
|
security.pam.services = {
|
|
sudo.u2fAuth = true;
|
|
lock.u2fAuth = true;
|
|
gnome-screensaver.u2fAuth = true;
|
|
"polkit-1".u2fAuth = true;
|
|
};
|
|
|
|
# Enable polkit
|
|
security.polkit.enable = true;
|
|
|
|
# Add custom polkit rules for 1Password
|
|
environment.etc."polkit-1/rules.d/90-1password-yubikey.rules".text = ''
|
|
polkit.addRule(function(action, subject) {
|
|
if (action.id == "com.1password.1Password.unlock") {
|
|
var authtype = subject.local ? "auth_admin_keep" : "auth_admin";
|
|
return polkit.Result.AUTH_ADMIN;
|
|
}
|
|
});
|
|
'';
|
|
|
|
# Make sure polkit is using the right authentication agent
|
|
services.xserver.displayManager.gdm = {
|
|
enable = true;
|
|
autoSuspend = false;
|
|
};
|
|
|
|
# GNOME keyring configuration
|
|
security.pam.services."gnome-keyring" = {
|
|
text = ''
|
|
auth optional pam_u2f.so
|
|
auth optional pam_unix.so nullok try_first_pass
|
|
session optional pam_keyinit.so force revoke
|
|
session optional pam_gnome_keyring.so auto_start
|
|
'';
|
|
};
|
|
}
|