# NixOS module: YubiKey support plus hand-written PAM stacks that ask for the
# Unix password and then a U2F assertion for su, login, swaylock and sudo.
# Only these four services are overridden here; every other PAM service keeps
# whatever stack the system generates for it.
{ config, pkgs, ... }:
{
  # Register the udev rules shipped with yubikey-personalization.
  services.udev.packages = with pkgs; [
    yubikey-personalization
  ];
  # libfido2 and pam_u2f on the system PATH; pam_u2f provides the pamu2fcfg
  # command used in the enrolment steps below.
  environment.systemPackages = with pkgs; [
    libfido2
    pam_u2f
  ];
  # smart-card mode
  services.pcscd.enable = true;
  # A few steps are still imperative. Run these for every user and each of
  # their YubiKeys:
  #   # Create the corresponding folder
  #   mkdir -p ~/.config/Yubico
  #   # Add the first key
  #   pamu2fcfg > ~/.config/Yubico/u2f_keys
  #   # Add the backup key
  #   pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
  #
  # NOTE(review): pam_u2f is called below with no arguments, so it reads the
  # per-user file above. That file is writable by the user it protects, so any
  # process running as that user can append another credential and satisfy the
  # second factor for sudo/su. Consider a root-owned mapping file passed with
  # pam_u2f's authfile= argument instead.
  #
  # NOTE(review): every stack marks pam_u2f as requisite with no fallback. A
  # user who has not enrolled a key, or has lost all enrolled keys, cannot pass
  # login, sudo, su (unless already root) or the screen locker. Enrol the
  # backup key and keep a root shell open while testing a rebuild.
  #
  # NOTE(review): assigning .text replaces the whole stack for that service, so
  # later changes in the NixOS PAM module do not reach these four services.
  # NixOS also has security.pam.u2f options that add pam_u2f to the generated
  # stacks; check whether they cover this use case on your release.
  security.pam.services = {
    # su: root passes via pam_rootok; everyone else needs password, then key.
    # NOTE(review): pam_faillock appears once, without preauth/authfail/authsucc.
    # Nothing in this stack looks like it records failed attempts, so lockout
    # probably never triggers; confirm against pam_faillock(8).
    su.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Authentication management.
      auth sufficient pam_rootok.so
      auth required pam_faillock.so
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
    # Console login: password first, then key. Because both auth lines are
    # requisite, a wrong password fails before the key is ever consulted.
    login.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Authentication management.
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
      session required pam_loginuid.so
      session required ${pkgs.linux-pam}/lib/security/pam_lastlog.so silent
      session optional ${pkgs.systemd}/lib/security/pam_systemd.so
    '';
    # Screen locker: same password-then-key auth stack as login.
    swaylock.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Authentication management.
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
    # sudo: same auth stack. The password line is "required" here while the
    # other three services use "sufficient".
    sudo.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password required pam_unix.so nullok yescrypt
      # Authentication management.
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
  };
}