Yubikey stuff

2026-04-30 16:52:45 -07:00 · 2026-04-30 16:52:45 -07:00 · b3eeccf114
commit b3eeccf114
parent 63f906cecd
3 changed files with 31 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@ -6,11 +6,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1775271377,
-        "narHash": "sha256-0ru4G0uQeokPTlJGuRHf3ApBZMeuIRdUyp0SYi//RWM=",
+        "lastModified": 1777436347,
+        "narHash": "sha256-RD/HyNMkmeN4zqENph5Xzks/fz/ZwdUyL1x8rr5tQyA=",
        "owner": "sadjow",
        "repo": "claude-code-nix",
-        "rev": "214fdf6592f40a8bb472e80283c029d01fb6653d",
+        "rev": "bf3e43090b15d1e335f08e21c80678d6457458e8",
        "type": "github"
      },
      "original": {
@ -277,11 +277,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1775126147,
-        "narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=",
+        "lastModified": 1777270315,
+        "narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8d8c1fa5b412c223ffa47410867813290cdedfef",
+        "rev": "6368eda62c9775c38ef7f714b2555a741c20c72d",
        "type": "github"
      },
      "original": {
--- a/hosts/dellserv/configuration.nix
+++ b/hosts/dellserv/configuration.nix
@ -17,6 +17,7 @@
        inputs.home-manager.nixosModules.default
        ../../modules/nixos/user-jack.nix
        ../../modules/nixos/syncthingServer.nix
+        ../../modules/nixos/yubikey-auth.nix
    ];

    # Use the systemd-boot EFI boot loader.
@ -52,15 +53,10 @@
    services.openssh.enable = true;

    services.openssh.settings = {
-        PasswordAuthentication = true;
-        KbdInteractiveAuthentication = true;
-        ChallengeResponseAuthentication = true;
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
    };

-    # 2FA
-    security.pam.services.login.googleAuthenticator.enable = true;
-    security.pam.services.sshd.googleAuthenticator.enable = true;
-
    ##  services.nginx = {
    ##      enable = true;
    ##      virtualHosts."your.domain.or.ip" = {
@ -138,7 +134,7 @@
        unzip
        python3
        nodejs
-        google-authenticator
+        inputs.claude-code.packages.${pkgs.system}.claude-code
    ];

    virtualisation.docker.enable = true;
--- a/modules/nixos/yubikey-auth.nix
+++ b/modules/nixos/yubikey-auth.nix
@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    yubikey-manager
+    libfido2
+  ];
+
+  # sudo authenticates via the forwarded SSH agent.
+  # Requires: ssh -A when connecting, and an ed25519-sk key in your agent.
+  # Generate one locally if you haven't:
+  #   ssh-keygen -t ed25519-sk
+  # Then add the public key to ~/.ssh/authorized_keys on the server.
+  security.pam.sshAgentAuth.enable = true;
+  security.pam.services.sudo.sshAgentAuth = true;
+
+  # Preserve the forwarded agent socket across the sudo boundary
+  security.sudo.extraConfig = ''
+    Defaults env_keep+=SSH_AUTH_SOCK
+  '';
+}