added pam u2f auth

devices/inkvine/options.nix

@@ -8,6 +8,7 @@
     containers.enable = true;
     networkmanager.enable = true;
     yubikey.enable = true;
+    yubikey.login = true;
 
     stateVersion = "24.11";
     hmStateVersion = "24.11";

modules/yubikey/default.nix

@@ -4,10 +4,13 @@
   pkgs,
   ...
 }: let
-  inherit (lib) mkIf;
+  inherit (lib) mkMerge mkIf;
   inherit (config) conf;
 in
-  mkIf conf.yubikey.enable {
+  mkMerge [
+    (mkIf
+      conf.yubikey.enable
+      {
         services.udev.packages = [pkgs.yubikey-personalization];
         services.pcscd.enable = true;
 
@@ -19,4 +22,13 @@ in
         home-manager.users.${conf.username}.home.packages = with pkgs; [
           yubioath-flutter
         ];
-  }
+      })
+    (mkIf
+      conf.yubikey.login
+      {
+        security.pam.services = {
+          login.u2fAuth = true;
+          sudo.u2fAuth = true;
+        };
+      })
+  ]

options.nix

@@ -12,9 +12,12 @@ in {
       games.enable = mkEnableOption "Enable games.";
       secureboot.enable = mkEnableOption "Enable secure boot utilities (manual key-enrolling required).";
       extraLayout.enable = mkEnableOption "Enable additional custom layout.";
-      fonts.enable = mkEnableOption "Install and set preferred fonts";
-      networkmanager.enable = mkEnableOption "Enable network manager and some related configuration";
-      yubikey.enable = mkEnableOption "Enable support for yubikey";
+      fonts.enable = mkEnableOption "Install and set preferred fonts.";
+      networkmanager.enable = mkEnableOption "Enable network manager and some related configuration.";
+      yubikey = {
+        enable = mkEnableOption "Enable support for yubikey.";
+        login = mkEnableOption "Enable login with yubikey, make sure ~/.config/Yubico/u2f_keys is set up.";
+      };
 
       # Generally server options
       ssh.enable = mkEnableOption "Install my public key to allow accessing this machine via ssh.";