diff --git a/nixos-config/default.nix b/nixos-config/default.nix
index 6cc3f712..672f7d6d 100644
--- a/nixos-config/default.nix
+++ b/nixos-config/default.nix
@@ -11,6 +11,7 @@
 ./greeter
 ./sway.nix
 ./wireguard.nix
+ ./yubikey.nix
 ../modules
 ];
 
@@ -239,12 +240,9 @@
 pulse.enable = true;
 };
 
- udev.packages = [pkgs.yubikey-personalization];
-
 nscd.enableNsncd = true;
 blueman.enable = true;
 chrony.enable = true;
- pcscd.enable = true;
 flatpak.enable = true;
 fstrim.enable = true;
 fwupd.enable = true;
diff --git a/nixos-config/yubikey.nix b/nixos-config/yubikey.nix
new file mode 100644
index 00000000..f99db401
--- /dev/null
+++ b/nixos-config/yubikey.nix
@@ -0,0 +1,19 @@
+{pkgs, ...}: {
+ services = {
+ udev.packages = [pkgs.yubikey-personalization];
+ pcscd.enable = true;
+ };
+
+ hardware.gpgSmartcards.enable = true;
+
+ # sops-nix will launch an scdaemon instance on boot, which will stay
+ # alive and prevent the yubikey from working with any users that log
+ # in later.
+ systemd.services.shutdownSopsGpg = {
+ path = [pkgs.gnupg];
+ script = ''
+ gpgconf --homedir /var/lib/sops --kill gpg-agent
+ '';
+ wantedBy = ["multi-user.target"];
+ };
+}
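Review bot: `systemd.services.shutdownSopsGpg` in the new yubikey.nix has no `serviceConfig`, so it is a default `simple` unit that fires the kill once when multi-user.target is reached, with no ordering against whatever starts the sops-nix agent and no guarantee of running again after a later activation re-spawns it; the comment's "on boot" claim only holds if the agent is already up at that point, which the unit does not establish. Declaring the intent explicitly, `serviceConfig.Type = "oneshot";` plus a `description = "Stop the sops-nix gpg-agent so the YubiKey is free for user sessions";`, makes the one-shot semantics visible and lets the unit be ordered or restarted deliberately. The gnupg home `/var/lib/sops` is hard-coded in the script and duplicates whatever the sops module is configured with; if `config.sops.gnupg.home` is set in this configuration, reference it instead of the literal so the two cannot drift. With both `hardware.gpgSmartcards.enable` and `services.pcscd.enable` on, a one-line comment noting which access path the YubiKey is expected to use (pcscd vs. scdaemon's own CCID driver) would save the next reader from having to rediscover why both are present.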