···

       
1
       
1
       
-
       
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJxpXpPlPEZPfnw2mIuWJEy/C/5h1bb6pIMeFsHAICQ+lLdEkbBSeDXQuA8feLN0MJw8KaB9jqrJbYgFadV/nVA= YubiKey #19302295 PIV Slot 9a

     

       
1
       
1
       
+
       
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILJ3mxaweLrFL//bYIJvE1XVmjQf2Dq/CjKIPkIVmDpXAAAABHNzaDo= YubiKey #19302295

     

···

       
1
       
1
       
 
       
# If I had an option, I would not use ecdsa keys.

     

       
2
       
2
       
 
       
# SmartCards

     

       
3
       
3
       
-
       
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvCpt7yWIptJ9XFBhwVIj9zR30OzkWI976B/P5+0whD YubiKey #13901056 OpenPGP

     

       
3
       
3
       
+
       
# ssh-keygen -t ed25519-sk -C "YubiKey #${invalid:?gock}" -O{resident,verify-required}

     

       
4
       
4
       
 
       
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJxpXpPlPEZPfnw2mIuWJEy/C/5h1bb6pIMeFsHAICQ+lLdEkbBSeDXQuA8feLN0MJw8KaB9jqrJbYgFadV/nVA= YubiKey #19302295 PIV Slot 9a

     

       
5
       
5
       
-
       
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMjRM3BNkLbU57RyfUx7kOlZeBEj/NByr1PfXri82aP YubiKey #19302432 OpenPGP

     

       
6
       
6
       
-
       


     

       
7
       
7
       
-
       
# Static devices

     

       
8
       
8
       
-
       
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPTbZL0dq0ynBl8fy9yZmrKVWd/fOybZoqBKchP0MPM sophie@marisa.d.soopy.moe

     

       
5
       
5
       
+
       
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEP1oum6r6bTb4My/ZRqhVWxYKYGEqDyijUqqL1ZCIWjAAAABHNzaDo= YubiKey #13901056

     

       
6
       
6
       
+
       
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILJ3mxaweLrFL//bYIJvE1XVmjQf2Dq/CjKIPkIVmDpXAAAABHNzaDo= YubiKey #19302295

     

       
9
       
7
       
 
       


     

       
10
       
8
       
 
       
# Phones and Portables (portals)

     

       
11
       
9
       
 
       
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPydYsQOmcjpsuhwi+w7TD5DRPXIe3pemUYyUbmOLMt pixel7a+graphite@portal.d.soopy.moe

     

···

       
20
       
20
       
 
       
    inputs.nix-index-database.nixosModules.nix-index

     

       
21
       
21
       
 
       


     

       
22
       
22
       
 
       
    inputs.mystia.nixosModules.arrpc

     

       
23
       
23
       
-
       
    (inputs.self + "/modules/staging/yubikey-agent.nix")

     

       
24
       
23
       
 
       
  ];

     

       
25
       
24
       
 
       
}

     

···

       
10
       
10
       
 
       
    ./fonts.nix

     

       
11
       
11
       
 
       


     

       
12
       
12
       
 
       
    ./browser.nix

     

       
13
       
13
       
-
       
    ./security.nix

     

       
14
       
13
       
 
       
    ./development.nix

     

       
15
       
14
       
 
       


     

       
16
       
15
       
 
       
    ./degeneracy.nix

     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  pkgs,

     

       
3
       
3
       
-
       
  lib,

     

       
4
       
4
       
-
       
  config,

     

       
5
       
5
       
-
       
  ...

     

       
6
       
6
       
-
       
}:

     

       
7
       
7
       
-
       
lib.mkIf config.gensokyo.traits.gui {

     

       
8
       
8
       
-
       
  services.yubikey-agent-socket.enable = true;

     

       
9
       
9
       
-
       
  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt;

     

       
10
       
10
       
-
       
  # FIXME: fix yubikey-agent being stubborn

     

       
11
       
11
       
-
       
}

     

···

       
27
       
27
       
 
       
    '';

     

       
28
       
28
       
 
       
  };

     

       
29
       
29
       
 
       


     

       
30
       
30
       
-
       
  programs.ssh.extraConfig = ''

     

       
31
       
31
       
-
       
    ConnectTimeout 5

     

       
32
       
32
       
-
       
  ''; # if things exceed 5 seconds to connect something has gone wrong. Fail fast to not wait.

     

       
30
       
30
       
+
       
  programs.ssh = {

     

       
31
       
31
       
+
       
    startAgent = true;

     

       
32
       
32
       
+
       
    pubkeyAcceptedKeyTypes = ["ssh-ed25519"];

     

       
33
       
33
       
+
       
    enableAskPassword = true;

     

       
34
       
34
       
+
       


     

       
35
       
35
       
+
       
    extraConfig = ''

     

       
36
       
36
       
+
       
      ConnectTimeout 5

     

       
37
       
37
       
+
       
    ''; # if things exceed 5 seconds to connect something has gone wrong. Fail fast to not wait.

     

       
38
       
38
       
+
       
  };

     

       
33
       
39
       
 
       
}

     

···

       
1
       
1
       
-
       
# from https://github.com/NixOS/nixpkgs/blob/e9be42459999a253a9f92559b1f5b72e1b44c13d/nixos/modules/services/security/yubikey-agent.nix

     

       
2
       
2
       
-
       
{

     

       
3
       
3
       
-
       
  config,

     

       
4
       
4
       
-
       
  lib,

     

       
5
       
5
       
-
       
  pkgs,

     

       
6
       
6
       
-
       
  ...

     

       
7
       
7
       
-
       
}:

     

       
8
       
8
       
-
       
with lib; let

     

       
9
       
9
       
-
       
  cfg = config.services.yubikey-agent-socket;

     

       
10
       
10
       
-
       
in {

     

       
11
       
11
       
-
       
  ###### interface

     

       
12
       
12
       
-
       


     

       
13
       
13
       
-
       
  meta.maintainers = with maintainers; [philandstuff rawkode jwoudenberg];

     

       
14
       
14
       
-
       


     

       
15
       
15
       
-
       
  options = {

     

       
16
       
16
       
-
       
    services.yubikey-agent-socket = {

     

       
17
       
17
       
-
       
      enable = mkOption {

     

       
18
       
18
       
-
       
        type = types.bool;

     

       
19
       
19
       
-
       
        default = false;

     

       
20
       
20
       
-
       
        description = ''

     

       
21
       
21
       
-
       
          Whether to start yubikey-agent when you log in.  Also sets

     

       
22
       
22
       
-
       
          SSH_AUTH_SOCK to point at yubikey-agent.

     

       
23
       
23
       
-
       


     

       
24
       
24
       
-
       
          Note that yubikey-agent will use whatever pinentry is

     

       
25
       
25
       
-
       
          specified in programs.gnupg.agent.pinentryPackage.

     

       
26
       
26
       
-
       
        '';

     

       
27
       
27
       
-
       
      };

     

       
28
       
28
       
-
       


     

       
29
       
29
       
-
       
      package = mkPackageOption pkgs "yubikey-agent" {};

     

       
30
       
30
       
-
       
    };

     

       
31
       
31
       
-
       
  };

     

       
32
       
32
       
-
       


     

       
33
       
33
       
-
       
  config = mkIf cfg.enable {

     

       
34
       
34
       
-
       
    environment.systemPackages = [cfg.package];

     

       
35
       
35
       
-
       
    systemd.packages = [cfg.package];

     

       
36
       
36
       
-
       


     

       
37
       
37
       
-
       
    # This overrides the systemd user unit shipped with the

     

       
38
       
38
       
-
       
    # yubikey-agent package

     

       
39
       
39
       
-
       
    systemd.user.services.yubikey-agent = mkIf (config.programs.gnupg.agent.pinentryPackage != null) {

     

       
40
       
40
       
-
       
      path = [config.programs.gnupg.agent.pinentryPackage];

     

       
41
       
41
       
-
       
      wantedBy = ["default.target"];

     

       
42
       
42
       
-
       
      after = ["graphical-session.target"];

     

       
43
       
43
       
-
       
    };

     

       
44
       
44
       
-
       


     

       
45
       
45
       
-
       
    # Yubikey-agent expects pcsd to be running in order to function.

     

       
46
       
46
       
-
       
    services.pcscd.enable = true;

     

       
47
       
47
       
-
       


     

       
48
       
48
       
-
       
    environment.extraInit = ''

     

       
49
       
49
       
-
       
      if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then

     

       
50
       
50
       
-
       
        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock"

     

       
51
       
51
       
-
       
      fi

     

       
52
       
52
       
-
       
    '';

     

       
53
       
53
       
-
       
  };

     

       
54
       
54
       
-
       
}