try to add u2f and also lock screen when yubikey is removed

2022-02-02 20:01:25 +01:00 · 2022-02-02 20:01:25 +01:00 · 7a9063e85b
commit 7a9063e85b
parent 4533a3d76d
2 changed files with 27 additions and 1 deletions
--- a/config/desktop.nix
+++ b/config/desktop.nix
@ -1,4 +1,14 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+let
+  lockscreen-all = pkgs.writeScript "lockscreen-all" ''
+    #!${pkgs.bash}/bin/bash
+
+    if ${pkgs.coreutils}/bin/[ -z "$(${pkgs.usbutils}/bin/lsusb | grep Yubico)" ]; then
+      ${pkgs.systemd}/bin/loginctl list-sessions | ${pkgs.gnugrep}/bin/grep '^\ ' | ${pkgs.gawk}/bin/awk '{print $1}' | ${pkgs.findutils}/bin/xargs -i ${pkgs.systemd}/bin/loginctl lock-session {}
+    fi
+  '';
+in
+{
  imports = [
    ./services/sway.nix
    ./services/pipewire.nix
@ -24,4 +34,17 @@

  time.timeZone = "Etc/GMT-1"; # Confusing naming, it's 1 hour east of GMT
  services.pcscd.enable = true;
+
+  security.pam = {
+    services.login.u2fAuth = true;
+    services.sddm.u2fAuth = true;
+    services.swaylock.u2fAuth = true;
+    u2f = {
+      enable = true;
+      control = "sufficient";
+    };
+  };
+  services.udev.extraRules = ''
+    ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="${lockscreen-all}"
+  '';
 }
--- a/config/users/darkkirb.nix
+++ b/config/users/darkkirb.nix
@ -9,6 +9,9 @@
    home = "/home/darkkirb";
    isNormalUser = true;
    uid = 1000;
+    openssh.authorizedKeys.keys = [
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDXQlfvRUm/z6eP1EjsajIbMibkq9n+ymlbBi7NFiOuaAAAABHNzaDo= ssh:"
+    ];
  };
  sops.secrets."email/darkkirb@darkkirb.de" = { owner = "darkkirb"; };
  sops.secrets."email/lotte@chir.rs" = { owner = "darkkirb"; };