me like nix
add yubikey signing
author
Sean Aye
date
(Mar 22, 2026, 8:03 PM -0400)
commit
881a723a
881a723a862965e2f9f3d6d1eccba4b98888574b
parent
b168fa35
b168fa3501d0be03bcd0c0d9f2eee7aa35c6de5b
change-id
uuklslkm
uuklslkmkuttyqrxrwrxszqnxkkxvomq
+15
-1
+9
hosts/common/common.nix
+9
hosts/common/common.nix
···
104
104
services.tailscale.enable = true;
105
105
services.pcscd.enable = true; # Smart card daemon for Yubikey
106
106
107
+
security.pam.u2f = {
108
+
enable = true;
109
+
control = "sufficient";
110
+
cue = true;
111
+
};
112
+
security.pam.services.sudo.u2fAuth = true;
113
+
114
+
programs.yubikey-touch-detector.enable = true;
115
+
107
116
# ZSA Keyboard udev rules for Oryx web flashing and live training
108
117
services.udev.extraRules = ''
109
118
# Rules for Oryx web flashing and live training
+6
-1
hosts/common/home.nix
+6
-1
hosts/common/home.nix
···
306
306
enableDefaultConfig = false;
307
307
matchBlocks = {
308
308
"*" = {
309
+
identityFile = [ "${config.home.homeDirectory}/.ssh/id_ed25519_sk" ];
309
310
extraOptions = {
310
311
IdentityAgent = "${config.home.homeDirectory}/.1password/agent.sock";
311
312
};
···
483
484
sign-all = true;
484
485
behavior = "own";
485
486
backend = "ssh";
486
-
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCIqgZ7kedxo+mOW7YG73Vp3zel3h180y3GKvHtRsXfGlpIIvRDy7pgCBQ4AGXYD4y78URQmFohYSAPqCPOPaWcU2un3XG9KvCzEsHmsbskPonitUmCiKvrKkb6oW4jCBtd7AEtBn+AiajAQFtPZ7NN2Df3AmTypvR6Irg7R+nxnfc9NTIHmGvxSDyWcbb4pguL20sctUSqGL6xGh8q/bqhdOThSimM+z9bEUNxK/5rPhwkNniMrp4pJcUrUiAh5/4DiRFG6KT+oeg+/myoz/Z1sPvAs7u/8JDQI4RshRD8Hu0oTkRBN6Hxj478q2SXbeBUZlD6IdjP3RhGpmSecoDdtWqKbpuV3eVRtQtba3KL86GBeV/bugaOdJ1Aud+1SOFJreAAuvxzMMKT+cdQZk6oOPP148DA/No+mDm/2S43lcdCXh79wA6YRAmKQ8jmZxTCtPutrvuZK1rguvvUlEoG/vhdNHh7eDa4Td07V6bjCRPUl8qk/e4M0E3pwsTlZc=";
487
+
key = "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk";
487
488
backends.ssh.allowed-signers = "${config.home.homeDirectory}/.ssh/allowed_signers";
488
489
};
489
490
};
···
760
761
# Name: agenix
761
762
# Recipient: age1yubikey1qw64ag5lzvn9ekrflu5ruj4a6ucycscl6ctk39fjzf76jptsay39z442pxv
762
763
AGE-PLUGIN-YUBIKEY-1304E5QVZZD74FKSP8FMCT
764
+
'';
765
+
766
+
home.file.".config/Yubico/u2f_keys".text = ''
767
+
sean:6sa1fnimjshdqKgadDlgQXqSXD6qQ7eSOZneMQZNAzO2OVCViQlxAZXHVf8kDOLKQ4uzcrHMj/t3889Sqi3Dyw==,1jm0HwRmNFFRMGu/DsVrwIBZc6HyNDSlvDhwQd73f0f3KWVxHo6PdSu4OUr+7GwOAfASKGakwyyetv73463CQw==,es256,+presence
763
768
'';
764
769
765
770
# Set the state version for Home Manager