@qbit
Last active May 12, 2022 18:58
Derivation that fires off $SSH_ASKPASS when a YubiKey is attached. When askpass finishes, the YubiKey is added to ssh-agent.
{ config, lib, pkgs, ... }:
let
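fidoAddDevice = pkgs.writeScriptBin "fido-add-device" ''
#! ${pkgs.runtimeShell} -e
# Long-running helper started by the sshfidoagent user service. It idles until
# it receives SIGUSR1 (sent by fido-send-sig from the udev rule) and then runs
# `ssh-add -K` to load the attached FIDO authenticator's resident keys into the
# user's ssh-agent.
# DISPLAY is taken from the user's systemd environment so that ssh-add can reach
# the program in SSH_ASKPASS for the PIN prompt; SSH_AUTH_SOCK points at the
# user's agent socket under XDG_RUNTIME_DIR.
DISPLAY="$(systemctl --user show-environment | ${pkgs.gawk}/bin/awk -F= '/^DISPLAY/ {print $NF}')"
# Assigned directly rather than via $(echo ...): the unquoted expansion inside
# echo would be word-split and glob-expanded.
SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
export DISPLAY SSH_AUTH_SOCK
function agent_add() {
  # The script runs with -e and errexit also applies inside trap handlers, so a
  # failed add (for example a cancelled PIN prompt) would otherwise terminate
  # this process and every later key insertion would be ignored. Report the
  # failure to stderr (the service journal) and keep waiting instead.
  ${pkgs.openssh}/bin/ssh-add -K || echo "fido-add-device: ssh-add -K failed with status $?" >&2
}
trap agent_add USR1
# Idle loop; the trap handler runs after the current sleep returns.
while true; do sleep .1; done
'';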
fidoSendSig = pkgs.writeScriptBin "fido-send-sig" ''
#! ${pkgs.runtimeShell} -e
# Started by the udev rule (udev runs RUN+= programs as root) when the matching
# hidraw device appears. It delivers SIGUSR1 to the running fido-add-device
# helper. The pattern is the helper's full command line as the kernel builds it
# from the shebang ("<shell> -e <script>"); -f matches against the whole command
# line and -x requires an exact match, so unrelated processes are not signalled.
# When no helper is running, pkill reports no match and, because of -e, this
# script exits non-zero.
target="${pkgs.runtimeShell} -e ${fidoAddDevice}/bin/fido-add-device"
exec ${pkgs.procps}/bin/pkill -USR1 -xf "$target"
'';
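askPassWrapper = pkgs.writeScript "my-ssh-askpass-wrapper" ''
#! ${pkgs.runtimeShell} -e
# Thin wrapper that ssh-add invokes as SSH_ASKPASS. It re-derives DISPLAY from
# the user's systemd environment, points SSH_AUTH_SOCK at the user's agent
# socket, and then hands off to the configured askpass program with the
# original arguments.
export DISPLAY="$(systemctl --user show-environment | ${pkgs.gawk}/bin/awk -F= '/^DISPLAY/ {print $NF}')"
# Assigned directly rather than via $(echo ...): the unquoted expansion inside
# echo would be word-split and glob-expanded.
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
exec ${config.programs.ssh.askPassword} "$@"
'';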
in {
  # Option surface: a single enable switch under `sshFidoAgent`.
  options.sshFidoAgent.enable =
    lib.mkEnableOption "Add FIDO keys to ssh-agent when attached.";

  config = lib.mkIf config.sshFidoAgent.enable {
    # The helper is also installed system-wide; it resolves to the let-bound
    # derivation above.
    environment.systemPackages = [ fidoAddDevice ];

    # Per-user service that runs the helper and waits for the udev-triggered
    # signal. It is started with, and stopped together with, the graphical
    # session.
    systemd.user.services.sshfidoagent = {
      script = ''
        ${fidoAddDevice}/bin/fido-add-device
      '';
      wantedBy = [ "graphical-session.target" ];
      partOf = [ "graphical-session.target" ];
      # Placeholder value: the helper script replaces DISPLAY with the real one
      # from the session environment before calling ssh-add. Presumably it is
      # set here so that ssh-add sees a display and falls back to SSH_ASKPASS
      # for the PIN prompt — confirm against the ssh-add man page.
      environment.DISPLAY = "fake";
      environment.SSH_ASKPASS = askPassWrapper;
    };

    # udev runs RUN+= programs as root, so the match is kept narrow: only
    # hidraw "add" events for USB vendor 1050 / product 0407 trigger the
    # signalling script.
    services.udev.extraRules = ''
      SUBSYSTEM=="hidraw", ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", RUN+="${fidoSendSig}/bin/fido-send-sig"
    '';
  };
}