From b3eeccf11419c757e177f4ba751f7393e4eaaa68 Mon Sep 17 00:00:00 2001 From: Jack Mechem Date: Thu, 30 Apr 2026 16:52:45 -0700 Subject: [PATCH] Yubikey stuff --- flake.lock | 12 ++++++------ hosts/dellserv/configuration.nix | 12 ++++-------- modules/nixos/yubikey-auth.nix | 21 +++++++++++++++++++++ 3 files changed, 31 insertions(+), 14 deletions(-) create mode 100644 modules/nixos/yubikey-auth.nix diff --git a/flake.lock b/flake.lock index 07224c5..af3efa2 100644 --- a/flake.lock +++ b/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1775271377, - "narHash": "sha256-0ru4G0uQeokPTlJGuRHf3ApBZMeuIRdUyp0SYi//RWM=", + "lastModified": 1777436347, + "narHash": "sha256-RD/HyNMkmeN4zqENph5Xzks/fz/ZwdUyL1x8rr5tQyA=", "owner": "sadjow", "repo": "claude-code-nix", - "rev": "214fdf6592f40a8bb472e80283c029d01fb6653d", + "rev": "bf3e43090b15d1e335f08e21c80678d6457458e8", "type": "github" }, "original": { @@ -277,11 +277,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1775126147, - "narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=", + "lastModified": 1777270315, + "narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8d8c1fa5b412c223ffa47410867813290cdedfef", + "rev": "6368eda62c9775c38ef7f714b2555a741c20c72d", "type": "github" }, "original": { diff --git a/hosts/dellserv/configuration.nix b/hosts/dellserv/configuration.nix index b7d20cc..5a41798 100644 --- a/hosts/dellserv/configuration.nix +++ b/hosts/dellserv/configuration.nix @@ -17,6 +17,7 @@ inputs.home-manager.nixosModules.default ../../modules/nixos/user-jack.nix ../../modules/nixos/syncthingServer.nix + ../../modules/nixos/yubikey-auth.nix ]; # Use the systemd-boot EFI boot loader. 
@@ -52,15 +53,10 @@ services.openssh.enable = true; services.openssh.settings = { - PasswordAuthentication = true; - KbdInteractiveAuthentication = true; - ChallengeResponseAuthentication = true; + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; }; - # 2FA - security.pam.services.login.googleAuthenticator.enable = true; - security.pam.services.sshd.googleAuthenticator.enable = true; - ## services.nginx = { ## enable = true; ## virtualHosts."your.domain.or.ip" = { @@ -138,7 +134,7 @@ unzip python3 nodejs - google-authenticator + inputs.claude-code.packages.${pkgs.system}.claude-code ]; virtualisation.docker.enable = true; diff --git a/modules/nixos/yubikey-auth.nix b/modules/nixos/yubikey-auth.nix new file mode 100644 index 0000000..f699a3c --- /dev/null +++ b/modules/nixos/yubikey-auth.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + yubikey-manager + libfido2 + ]; + + # sudo authenticates via the forwarded SSH agent. + # Requires: ssh -A when connecting, and an ed25519-sk key in your agent. + # Generate one locally if you haven't: + # ssh-keygen -t ed25519-sk + # Then add the public key to ~/.ssh/authorized_keys on the server. + security.pam.sshAgentAuth.enable = true; + security.pam.services.sudo.sshAgentAuth = true; + + # Preserve the forwarded agent socket across the sudo boundary + security.sudo.extraConfig = '' + Defaults env_keep+=SSH_AUTH_SOCK + ''; +}
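Review bot: Setting `PasswordAuthentication = false` and `KbdInteractiveAuthentication = false` in this hunk leaves public keys as the only sshd method, but nothing restricts which key types sshd accepts, so the YubiKey requirement this commit is after only holds as far as every entry in the user's authorized keys is an sk key — any ordinary key left there still logs in with no second factor now that the googleAuthenticator lines are gone. If the intent is to require the hardware key for login, add `PubkeyAcceptedAlgorithms = "sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com";` to the same settings block (or at minimum audit the authorized keys), and consider `PubkeyAuthOptions = "verify-required";` so the key also needs its PIN. Since the same hunk removes PAM 2FA for both sshd and console `login`, the rebuild should not be switched until an sk key has been confirmed working over SSH, otherwise remote access is lost. The enclosing configuration attribute set starts and ends outside this hunk.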
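Review bot: The comment above `security.pam.sshAgentAuth.enable` tells the user to add the public key to `~/.ssh/authorized_keys` on the server, but that file only covers the sshd login, not the sudo step this module configures: with the NixOS default for `security.pam.sshAgentAuth.authorizedKeysFiles` (presumably `/etc/ssh/authorized_keys.d/%u`, the root-owned file generated from `users.users.<name>.openssh.authorizedKeys.keys` — confirm against the option's description), pam_ssh_agent_auth never reads the home-directory file, so sudo silently falls through to the password prompt. That default is the right one to keep, because pointing the PAM module at a user-writable file would let any shell user add their own key and pass sudo without a credential. Replace the last comment line with something like `# Declare the public key in users.users.<name>.openssh.authorizedKeys.keys so it lands in /etc/ssh/authorized_keys.d/<name>; ~/.ssh/authorized_keys is not consulted for sudo.` and add that any key type declared there satisfies sudo, so the hardware-key requirement lives in what is declared rather than in this module. A further line noting that with `ssh -A` any process root runs on this host can sign with the forwarded agent for the life of the session would document the trade-off the `env_keep+=SSH_AUTH_SOCK` line accepts.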