add yubikey config

hosts/snowbelle/configuration.nix

@@ -22,6 +22,7 @@ in
     backups.repo = "/holocron/archives/servers/snowbelle";
     sops.enable = true;
     podman.enable = true;
+    yubikey.enable = true;
     syncthing.enable = true;
     tailscale.enable = true;
     nvidia.enable = true;

modules/system/default.nix

@@ -10,6 +10,7 @@
     ./sops
     ./docker
     ./podman
+    ./yubikey
     ./tailscale
     ./vpns
     ./vpn-confinement

modules/system/yubikey/default.nix

@@ -6,7 +6,7 @@
 }:
 
 let
-  service = "";
+  service = "yubikey";
   cfg = config.system.${service};
   sec = config.sops.secrets;
   homelab = config.homelab;
@@ -14,9 +14,41 @@ in
 {
   options.system.${service} = {
     enable = lib.mkEnableOption "enables ${service}";
+    mode = lib.mkOption {
+        type = lib.types.str;
+        default = "u2f";
+        description = "weather to run pam in u2f or challenge-response)";
+    };
+    lock_on_remove = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "enable automatic locking of device upon removal of yubikey";
+    };
   };
 
   config = lib.mkIf cfg.enable {
 
+    security.pam.services = lib.mkIf (cfg.mode == "u2f") {
+      login.u2fAuth = true;
+      sudo.u2fAuth = true;
+    };
+
+    security.pam.yubico = lib.mkIf (cfg.mode == "challenge-response") {
+       enable = true;
+       debug = true;
+       mode = "challenge-response";
+       id = [ "<placeholder>" ];
+    };
+
+    services.udev.extraRules = lib.mkIf (cfg.lock_on_remove == true) ''
+      ACTION=="remove",\
+       ENV{ID_BUS}=="usb",\
+       ENV{ID_MODEL_ID}=="0407",\
+       ENV{ID_VENDOR_ID}=="1050",\
+       ENV{ID_VENDOR}=="Yubico",\
+       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+  '';
+
   };
+
 }