From 26d060e672a980bde6ae33d9edec68231c6faeb7 Mon Sep 17 00:00:00 2001
From: blake
Date: Thu, 16 Oct 2025 21:48:44 -0500
Subject: [PATCH] add yubikey config
---
hosts/snowbelle/configuration.nix | 1 +
modules/system/default.nix | 1 +
modules/system/yubikey/default.nix | 34 +++++++++++++++++++++++++++++-
3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix
index f0d23da..ade220c 100644
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -22,6 +22,7 @@ in
 backups.repo = "/holocron/archives/servers/snowbelle";
 sops.enable = true;
 podman.enable = true;
+ yubikey.enable = true;
 syncthing.enable = true;
 tailscale.enable = true;
 nvidia.enable = true;
diff --git a/modules/system/default.nix b/modules/system/default.nix
index c5f77f4..f8aba3b 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -10,6 +10,7 @@
 ./sops
 ./docker
 ./podman
+ ./yubikey
 ./tailscale
 ./vpns
 ./vpn-confinement
diff --git a/modules/system/yubikey/default.nix b/modules/system/yubikey/default.nix
index 9e4c339..ef51f23 100644
--- a/modules/system/yubikey/default.nix
+++ b/modules/system/yubikey/default.nix
@@ -6,7 +6,7 @@
 }: let
- service = "";
+ service = "yubikey";
 cfg = config.system.${service};
 sec = config.sops.secrets;
 homelab = config.homelab;
@@ -14,9 +14,41 @@ in { options.system.${service} = { enable = lib.mkEnableOption "enables ${service}"; + mode = lib.mkOption { + type = lib.types.str; + default = "u2f"; + description = "weather to run pam in u2f or challenge-response)"; + }; + lock_on_remove = lib.mkOption { + type = lib.types.bool; + default = false; + description = "enable automatic locking of device upon removal of yubikey"; + }; }; config = lib.mkIf cfg.enable { + security.pam.services = lib.mkIf (cfg.mode == "u2f") { + login.u2fAuth = true; + sudo.u2fAuth = true; + }; + + security.pam.yubico = lib.mkIf (cfg.mode == "challenge-response") { + enable = true; + debug = true; + mode = "challenge-response"; + id = [ "" ]; + }; + + services.udev.extraRules = lib.mkIf (cfg.lock_on_remove == true) '' + ACTION=="remove",\ + ENV{ID_BUS}=="usb",\ + ENV{ID_MODEL_ID}=="0407",\ + ENV{ID_VENDOR_ID}=="1050",\ + ENV{ID_VENDOR}=="Yubico",\ + RUN+="${pkgs.systemd}/bin/loginctl lock-sessions" + ''; + }; + }
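Review bot: `mode` is declared as `lib.types.str`, so any value other than the two literals compared in the `config` block (a typo such as "U2F") makes both `lib.mkIf` branches false and the host evaluates with no YubiKey PAM rule at all, silently; declare it as `type = lib.types.enum [ "u2f" "challenge-response" ];` so evaluation fails instead, and fix the description to `description = "whether to run pam in u2f or challenge-response mode";`. In the challenge-response branch `debug = true;` switches on pam_yubico debug output for every login and sudo attempt, which should not ship enabled by default; drop it or expose it as an option. `id = [ "" ];` is an empty placeholder committed as the client id, and nothing in the hunk says where the real value is meant to come from, so it should at least be documented or turned into an option. The u2f branch sets only `login.u2fAuth`/`sudo.u2fAuth` and leaves pam_u2f's control flag and key file at the NixOS defaults, so whether the key acts as a second factor or as a password replacement is decided outside this module — worth stating explicitly in the option description. `lib.mkIf (cfg.lock_on_remove == true)` can be `lib.mkIf cfg.lock_on_remove`, and the udev rule matches a single product id (`0407`), so keys presenting a different USB interface configuration will presumably not trigger `loginctl lock-sessions`; note that limitation in the option's description.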