From 6f36d70cdfa7fdf3d97e77b781b6ed4754d81144 Mon Sep 17 00:00:00 2001
From: twoneis
Date: Fri, 7 Mar 2025 11:27:49 +0100
Subject: [PATCH] added pam u2f auth

---
 devices/inkvine/options.nix | 1 +
 modules/yubikey/default.nix | 36 ++++++++++++++++++++++++------------
 options.nix | 9 ++++++---
 3 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/devices/inkvine/options.nix b/devices/inkvine/options.nix
index 2951a1d..f850b75 100644
--- a/devices/inkvine/options.nix
+++ b/devices/inkvine/options.nix
@@ -8,6 +8,7 @@
 containers.enable = true;
 networkmanager.enable = true;
 yubikey.enable = true;
+ yubikey.login = true;
 
 stateVersion = "24.11";
 hmStateVersion = "24.11";
diff --git a/modules/yubikey/default.nix b/modules/yubikey/default.nix
index 657748e..d05aa1a 100644
--- a/modules/yubikey/default.nix
+++ b/modules/yubikey/default.nix
@@ -4,19 +4,31 @@
 pkgs,
 ...
 }: let
- inherit (lib) mkIf;
+ inherit (lib) mkMerge mkIf;
 inherit (config) conf;
 in
- mkIf conf.yubikey.enable {
- services.udev.packages = [pkgs.yubikey-personalization];
- services.pcscd.enable = true;
+ mkMerge [
+ (mkIf
+ conf.yubikey.enable
+ {
+ services.udev.packages = [pkgs.yubikey-personalization];
+ services.pcscd.enable = true;
 
- programs.gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- };
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
 
- home-manager.users.${conf.username}.home.packages = with pkgs; [
- yubioath-flutter
- ];
- }
+ home-manager.users.${conf.username}.home.packages = with pkgs; [
+ yubioath-flutter
+ ];
+ })
+ (mkIf
+ conf.yubikey.login
+ {
+ security.pam.services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+ })
+ ]
diff --git a/options.nix b/options.nix
index 4d6bf95..d673c8c 100644
--- a/options.nix
+++ b/options.nix
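Review bot: The new `login.u2fAuth = true;` and `sudo.u2fAuth = true;` lines in modules/yubikey/default.nix register pam_u2f without choosing its control mode, and NixOS's `security.pam.u2f.control` defaults to `"sufficient"`, so possession of an enrolled key alone satisfies `login` and `sudo` with no password — the token becomes a replacement factor rather than a second one. If a second factor is the intent, set `security.pam.u2f.control = "required";` inside this same `mkIf conf.yubikey.login` block; either way a one-line comment above `security.pam.services` stating which mode is meant would save the next reader a trip to the PAM module. Because the mapping file defaults to the user-writable `~/.config/Yubico/u2f_keys` (as the option description in options.nix says), each user can enrol whatever keys they like for their own account; a root-owned mapping via the module's authfile setting (`security.pam.u2f.settings.authfile` on recent NixOS, `authFile` on older ones — verify against the module for this stateVersion) keeps enrolment under admin control. Note also that `conf.yubikey.login` is not tied to `conf.yubikey.enable`, so the PAM branch can be active without the udev/pcscd branch; that appears harmless for pam_u2f, which does not go through pcscd, but it is worth a comment if it is intentional.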
@@ -12,9 +12,12 @@ in {
 games.enable = mkEnableOption "Enable games.";
 secureboot.enable = mkEnableOption "Enable secure boot utilities (manual key-enrolling required).";
 extraLayout.enable = mkEnableOption "Enable additional custom layout.";
- fonts.enable = mkEnableOption "Install and set preferred fonts";
- networkmanager.enable = mkEnableOption "Enable network manager and some related configuration";
- yubikey.enable = mkEnableOption "Enable support for yubikey";
+ fonts.enable = mkEnableOption "Install and set preferred fonts.";
+ networkmanager.enable = mkEnableOption "Enable network manager and some related configuration.";
+ yubikey = {
+ enable = mkEnableOption "Enable support for yubikey.";
+ login = mkEnableOption "Enable login with yubikey, make sure ~/.config/Yubico/u2f_keys is set up.";
+ };
 
 # Generally server options
 ssh.enable = mkEnableOption "Install my public key to allow accessing this machine via ssh.";
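Review bot: The description on the new `login = mkEnableOption ...` line undersells what the flag does: the module in this same patch (modules/yubikey/default.nix) turns on `u2fAuth` for the `sudo` PAM service as well as `login`, and the text says nothing about the enrolled key being accepted on its own under NixOS's default `sufficient` control. A description along the lines of `login = mkEnableOption "Enable pam_u2f for the login and sudo PAM services; the enrolled key alone satisfies them unless security.pam.u2f.control is set to \"required\". Requires ~/.config/Yubico/u2f_keys for each user.";` tells the person flipping the flag what they are getting. The enclosing option set continues past the end of the hunk.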