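# Global configuration for yubikey-agent.
#
# NixOS module that installs yubikey-agent, wires up its systemd user
# unit, enables the PC/SC daemon and points SSH_AUTH_SOCK at the agent's
# socket for login sessions that do not already have an agent configured.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.yubikey-agent;
in
{
  ###### interface

  meta.maintainers = with lib.maintainers; [
    philandstuff
    rawkode
  ];

  options = {

    services.yubikey-agent = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to start yubikey-agent when you log in. Also sets
          SSH_AUTH_SOCK to point at yubikey-agent.

          Note that yubikey-agent will use whatever pinentry is
          specified in programs.gnupg.agent.pinentryPackage.
        '';
      };

      package = lib.mkPackageOption pkgs "yubikey-agent" { };
    };
  };

  ###### implementation

  config = lib.mkIf cfg.enable {
    # Put the agent binary on the system PATH and register the unit
    # files shipped inside the package with systemd.
    environment.systemPackages = [ cfg.package ];
    systemd.packages = [ cfg.package ];

    # This overrides the systemd user unit shipped with the
    # yubikey-agent package. The configured pinentry is added to the
    # unit's PATH and the unit is pulled in by default.target.
    #
    # NOTE(review): when pinentryPackage is null the whole override is
    # skipped, wantedBy included. Confirm the packaged unit is still
    # started at login in that case; otherwise SSH_AUTH_SOCK below
    # points at a socket nobody is listening on.
    systemd.user.services.yubikey-agent =
      lib.mkIf (config.programs.gnupg.agent.pinentryPackage != null)
        {
          path = [ config.programs.gnupg.agent.pinentryPackage ];
          wantedBy = [ "default.target" ];
        };

    # Yubikey-agent expects pcscd to be running in order to function.
    # Enabling this module therefore turns on the PC/SC daemon
    # system-wide, not only for the user running the agent.
    services.pcscd.enable = true;

    # Only fill in SSH_AUTH_SOCK when nothing has set it yet and the
    # per-user runtime directory is known. An SSH_AUTH_SOCK that is
    # already exported wins, so in such a session SSH keeps talking to
    # that other agent and yubikey-agent is silently not used; check
    # `echo $SSH_AUTH_SOCK` when keys on the token are not offered.
    #
    # Two separate tests joined with && are used instead of the
    # obsolescent `-a` operator, whose parsing is unspecified in POSIX
    # once the expression has more than four arguments.
    environment.extraInit = ''
      if [ -z "$SSH_AUTH_SOCK" ] && [ -n "$XDG_RUNTIME_DIR" ]; then
        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock"
      fi
    '';
  };
}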