From a88447111708a284afd786b48daff0d8dec5cb41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Sun, 28 Jan 2024 04:04:19 +0100
Subject: [PATCH] nixos: Make yubikey work on boot
---
 nixos-config/default.nix | 4 +---
 nixos-config/yubikey.nix | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 nixos-config/yubikey.nix
diff --git a/nixos-config/default.nix b/nixos-config/default.nix
index 6cc3f712..672f7d6d 100644
--- a/nixos-config/default.nix
+++ b/nixos-config/default.nix
@@ -11,6 +11,7 @@
 ./greeter
 ./sway.nix
 ./wireguard.nix
+ ./yubikey.nix
 ../modules
 ];

@@ -239,12 +240,9 @@
 pulse.enable = true;
 };

- udev.packages = [pkgs.yubikey-personalization];
-
 nscd.enableNsncd = true;
 blueman.enable = true;
 chrony.enable = true;
- pcscd.enable = true;
 flatpak.enable = true;
 fstrim.enable = true;
 fwupd.enable = true;
diff --git a/nixos-config/yubikey.nix b/nixos-config/yubikey.nix
new file mode 100644
index 00000000..f99db401
--- /dev/null
+++ b/nixos-config/yubikey.nix
@@ -0,0 +1,19 @@
+{pkgs, ...}: {
+ services = {
+ udev.packages = [pkgs.yubikey-personalization];
+ pcscd.enable = true;
+ };
+
+ hardware.gpgSmartcards.enable = true;
+
+ # sops-nix will launch an scdaemon instance on boot, which will stay
+ # alive and prevent the yubikey from working with any users that log
+ # in later.
+ systemd.services.shutdownSopsGpg = {
+ path = [pkgs.gnupg];
+ script = ''
+ gpgconf --homedir /var/lib/sops --kill gpg-agent
+ '';
+ wantedBy = ["multi-user.target"];
+ };
+}
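Review bot: `systemd.services.shutdownSopsGpg` declares `wantedBy = ["multi-user.target"]` but no `after`/`requires`, so nothing in the new yubikey.nix pins when the kill runs relative to whatever starts the root-owned agent under `/var/lib/sops`; if that agent is ever started by a systemd unit rather than by the activation script, the kill can race ahead of it and the scdaemon keeps the YubiKey exactly as before. Making the dependency explicit, e.g. `after = [ "<unit that starts the sops gpg-agent>" ];` together with `serviceConfig.Type = "oneshot";` (the conventional type for a run-once script), documents the intent and removes the race. The `--homedir /var/lib/sops` path duplicates the sops-nix configuration, which is not visible in this hunk; if that configuration sets `sops.gnupg.home`, taking `config` in the module arguments and writing `gpgconf --homedir ${config.sops.gnupg.home} --kill gpg-agent` keeps the two from drifting apart silently. Note also that this unit runs once per boot, so an agent relaunched by a later `nixos-rebuild switch` activation would presumably not be killed again until the next reboot; a comment stating that limitation next to the existing sops-nix comment would help the next reader.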