@Janik-Haag
Last active June 19, 2023 19:31
Gist: Janik-Haag/dbd632c9c27eaf03bed7d2177652bf89
{ config, pkgs, ... }:
{
  services.udev.packages = with pkgs; [
    yubikey-personalization
  ];
  environment.systemPackages = with pkgs; [
    libfido2
    pam_u2f
  ];
  # smart-card mode
  services.pcscd.enable = true;
  # Currently a few config parts are still imperative. Each user has to
  # run these steps once for their own YubiKeys:
  # # Create the corresponding folder
  # mkdir -p ~/.config/Yubico
  # # Add the first key
  # pamu2fcfg > ~/.config/Yubico/u2f_keys
  # # Add the backup key (-n omits the username, so it continues the same line)
  # pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
  # Without an authfile= argument pam_u2f reads that file from the home
  # directory of the user being authenticated. With pam_unix and pam_u2f
  # both "requisite", the password and a key touch are both needed, and a
  # wrong password ends the auth stack before the key is ever asked.
  security.pam.services = {
    su.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Authentication management.
      auth sufficient pam_rootok.so
      auth required pam_faillock.so
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
    login.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Authentication management.
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
      session required pam_loginuid.so
      session required ${pkgs.linux-pam}/lib/security/pam_lastlog.so silent
      session optional ${pkgs.systemd}/lib/security/pam_systemd.so
    '';
    swaylock.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Authentication management.
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
    sudo.text = ''
      # Account management.
      account required pam_unix.so
      # Password management.
      password required pam_unix.so nullok yescrypt
      # Authentication management.
      auth requisite pam_unix.so
      auth requisite ${pkgs.pam_u2f}/lib/security/pam_u2f.so
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
  };
}
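The enrolment steps in the comments above are the part of this setup that stays imperative, and they are also where a mistake locks you out of sudo and login at the same time: a truncated mapping file, a wrong owner, or a line that pam_u2f cannot parse all end in a failed `requisite` module. The script below is an added example, not code from the gist or from pam_u2f. It wraps the two `pamu2fcfg` calls so that a missing key cannot truncate an existing mapping, then checks that the resulting file is owned by the user, is not readable by anyone else, and contains only well-formed `user:keyhandle,pubkey[,cosetype,options]` entries. The `U2F_KEYS` variable and the `enroll`/`check` subcommands are this example's own names; `pamu2fcfg` (from pam_u2f) must be on PATH only for `enroll`, the checks run without a key. The same file checks apply if you later move to a root-owned mapping via pam_u2f's `authfile=` option (NixOS: `security.pam.u2f.authFile`), which is what you want for `sudo`: with the per-user default, anyone who already controls the user's session can register their own key.

```shell
#!/usr/bin/env sh
# Added example, not part of the gist: enrol a YubiKey (and a backup key) into
# the pam_u2f mapping file the way the comments above describe, then sanity
# check the file before sudo/login start depending on it.
# Assumptions: pamu2fcfg (from pam_u2f) is on PATH when enrolling; U2F_KEYS is
# this script's own variable and defaults to the per-user file pam_u2f reads
# when no authfile= is configured.
set -eu

U2F_KEYS="${U2F_KEYS:-${HOME:-.}/.config/Yubico/u2f_keys}"

# One credential as pamu2fcfg writes it: keyhandle,pubkey[,cosetype[,options]]
# (base64url handle, hex or base64 key, a type such as es256, options such as +presence).
U2F_CRED='[A-Za-z0-9_=+/-]+,[A-Za-z0-9_=+/-]+(,[A-Za-z0-9]+(,[-+A-Za-z]*)?)?'

# u2f_line_ok LINE USER: 0 if LINE is "USER:cred[:cred...]" and every cred is well formed.
u2f_line_ok() {
  [ -n "$2" ] || return 1
  prefix="$2:"
  case "$1" in
    "$prefix"*) ;;
    *) return 1 ;;
  esac
  rest=${1#"$prefix"}
  printf '%s\n' "$rest" | grep -Eq "^$U2F_CRED(:$U2F_CRED)*"'$'
}

# u2f_cred_count LINE: number of credentials registered on one mapping line.
u2f_cred_count() {
  printf '%s\n' "${1#*:}" | awk -F: '{ print NF }'
}

# u2f_file_ok FILE USER: FILE must be owned by USER, be mode 0600 or 0400
# (world-readable leaks key handles, group-writable invites key injection)
# and contain at least one well-formed line, all of them for USER.
# find -perm/-user is used instead of stat so the check is portable.
u2f_file_ok() {
  f=$1; user=$2
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  [ -n "$(find "$f" -prune -user "$user" \( -perm 600 -o -perm 400 \) -print)" ] ||
    { echo "bad owner or mode on $f (want $user, 0600)" >&2; return 1; }
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    u2f_line_ok "$line" "$user" || { echo "malformed mapping line in $f" >&2; return 1; }
    n=$((n + 1))
  done < "$f"
  [ "$n" -gt 0 ]
}

# u2f_enroll: register the inserted key. The first key starts the file; later
# keys are appended with -n (no "user:" prefix) so they extend the same line.
# pamu2fcfg writes to a temp file first, so a missing or unplugged key cannot
# truncate an existing mapping and lock the account.
u2f_enroll() {
  mkdir -p "$(dirname "$U2F_KEYS")"
  tmp=$(mktemp)
  if [ -s "$U2F_KEYS" ]; then
    pamu2fcfg -n > "$tmp"
  else
    pamu2fcfg > "$tmp"
  fi
  cat "$tmp" >> "$U2F_KEYS"
  rm -f "$tmp"
  chmod 600 "$U2F_KEYS"
  u2f_file_ok "$U2F_KEYS" "$(id -un)"
}

case "${1:-}" in
  enroll) u2f_enroll && echo "registered $(u2f_cred_count "$(head -n 1 "$U2F_KEYS")") credential(s) in $U2F_KEYS" ;;
  check)  u2f_file_ok "$U2F_KEYS" "$(id -un)" && echo "ok: $U2F_KEYS" ;;
esac
```

Run `sh u2f-enroll.sh enroll` once per key, touching the key when its LED blinks, and `sh u2f-enroll.sh check` from a second terminal before you close the shell you used to rebuild the system; if `check` fails, fix the file before trying `sudo`, because the `requisite` pam_u2f line above will refuse the login otherwise.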