author | makefu <github@syntax-fehler.de> | 2022-01-26 17:59:53 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2022-01-26 17:59:53 +0100 |
commit | 54aaf5af8ed4d62a2e6645b7ca662ffac310e86c (patch) | |
tree | b3b1a1797791cd8cf763254a3fd88f7d35a2340c /lass/2configs/yubikey.nix | |
parent | ef48f536a3e539b215bb004b512e62c2d0f96907 (diff) | |
parent | 31fc5a95c735ab3b9b832d407195e422c07cd4c0 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/2configs/yubikey.nix')
-rw-r--r-- | lass/2configs/yubikey.nix | 43 |
1 files changed, 36 insertions, 7 deletions
diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix
index 9ab6b6ccb..d92b18f81 100644
--- a/lass/2configs/yubikey.nix
+++ b/lass/2configs/yubikey.nix
@@ -6,15 +6,41 @@
 ];
 services.udev.packages = with pkgs; [ yubikey-personalization ];
- services.pcscd.enable = true;
 systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
- ##restart pcscd if yubikey is plugged in
- #services.udev.extraRules = ''
- # ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" ''
- # ${pkgs.systemd}/bin/systemctl restart pcscd.service
- # ''}"
- #'';
+ services.pcscd.enable = true;
+ systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" ''
+ set -x
+ ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" ''
+ disable-ccid
+ pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1
+ card-timeout 1
+
+ # Always try to use yubikey as the first reader
+ # even when other smart card readers are connected
+ # Name of the reader can be found using the pcsc_scan command
+ # If you have problems with gpg not recognizing the Yubikey
+ # then make sure that the string here matches exacly pcsc_scan
+ # command output. Also check journalctl -f for errors.
+ reader-port Yubico YubiKey
+ ''} $HOME/.gnupg/scdaemon.conf
+ '';
+
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ (
+ action.id == "org.debian.pcsc-lite.access_pcsc" ||
+ action.id == "org.debian.pcsc-lite.access_card"
+ ) && subject.user == "lass"
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ polkit.addRule(function(action, subject) {
+ polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+ });
+ '';
 environment.shellInit = ''
 if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then
@@ -28,6 +54,9 @@
 fi
 '';
+ # allow nix to acces remote builders via yubikey
+ systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh";
+
 programs = {
 ssh.startAgent = false;
 gnupg.agent = {
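Review bot: The added `SSH_AUTH_SOCK` line hard-codes UID 1337 into the socket path, duplicating the magic number the file already compares in `shellInit` (`"$UID" -eq 1337`) and tying nix-daemon to a path that only exists while that user's gpg-agent socket unit is running. Because nix-daemon runs as root and presumably dispatches remote builds for every local client, any user's remote build would then authenticate to the builders with lass's YubiKey-backed key, which deserves to be stated next to the line, e.g. `# nix-daemon (root) authenticates to remote builders with lass's YubiKey key through this socket; it only works while lass's gpg-agent-ssh socket is up, and every daemon client's remote builds use that key`. If `config` is in scope of this module, `"/run/user/${toString config.users.users.lass.uid}/gnupg/S.gpg-agent.ssh"` keeps the path in sync with the account instead of a literal UID. The comment also misspells "access".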