add yubikey module

Author: redxtech

hosts/common/users/gabe.nix

@@ -43,6 +43,14 @@ in {
     ];
   };
 
+  base.yubiauth = {
+    enable = true;
+
+    mappings = [
+      "gabe:MW9BvJEnapPkyE/UOpnT0skNdNyiTW/zk+ys+NJQIpcS9Ej7rHDL2AOdf8Wb/jYHAC9DSLRqf8SRbpjbW/I8wA==,6D2e7W3byi0MYF4CUfCjMwKTv0JVNL1izKYeKNOpzLlyEG4sKNfmqZWaS+9bfV6A+OlMbCT5g8v++D7nwnkNXg==,es256,+presence:MKn57WF5JlA9mSEhOEqJLJH2LMVS4wb44sR3Q8V/7D2H1xGuBuEMOc5pthRWC+5yN3URP1Ticw/o7bPWpOva0g==,CC6Ber5JNcC0I7IwXyL87reTvfZqZ+FVZQaiizTNS+g7QtxOeh6aDV/ztOoeRkS+wallUlKK9J3u4nco114fjw==,es256,+presence"
+    ];
+  };
+
   sops.secrets.gabe-pw.neededForUsers = true;
 
   home-manager.users.gabe =

modules/nixos/base/default.nix

@@ -18,6 +18,7 @@ in {
     ./services.nix
     ./ssh.nix
     ./virtualization.nix
+    ./yubikey.nix
   ];
 
   options.base = with lib.types; {

modules/nixos/base/yubikey.nix

@@ -0,0 +1,72 @@
+{ config, pkgs, lib, ... }:
+
+let
+  inherit (lib) mkIf;
+  cfg = config.base.yubiauth;
+in {
+  options.base.yubiauth = let
+    inherit (lib) mkOption mkEnableOption;
+    inherit (lib.types) listOf str bool;
+  in {
+    enable = mkEnableOption "Enable YubiAuth";
+
+    login = mkOption {
+      type = bool;
+      default = true;
+      description = "Enable U2F authentication for login";
+    };
+
+    sudo = mkOption {
+      type = bool;
+      default = true;
+      description = "Enable U2F authentication for sudo";
+    };
+
+    mappings = mkOption {
+      type = listOf str;
+      default = [ ];
+      description = "List of mappings for U2F devices";
+      example = ''
+        [
+          "<username>:<KeyHandle1>,<UserKey1>,<CoseType1>,<Options1>:<KeyHandle2>,<UserKey2>,<CoseType2>,<Options2>:..."
+        ]
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # yibikey required packages
+    environment.systemPackages = with pkgs; [
+      yubikey-personalization
+      yubikey-manager
+      yubico-pam
+    ];
+
+    # enable smartcard support
+    hardware.gpgSmartcards.enable = true;
+
+    # enable polkit to use yubikey for authentication
+    security.polkit.enable = true;
+
+    # enable u2f support in pam for login and sudo
+    security.pam = {
+      # enable u2f support in pam
+      u2f = {
+        enable = true;
+        cue = true;
+        authFile = "/etc/u2f-mappings";
+      };
+
+      # enable u2f for login and sudo
+      services = {
+        login.u2fAuth = cfg.login;
+        sudo.u2fAuth = cfg.sudo;
+      };
+    };
+
+    # add u2f mappings if they are defined
+    environment.etc."u2f-mappings".text =
+      mkIf (builtins.length cfg.mappings > 0)
+      (lib.concatStringsSep "\n" cfg.mappings);
+  };
+}