author | lassulus <lassulus@lassul.us> | 2022-01-15 12:22:15 +0100 |
committer | lassulus <lassulus@lassul.us> | 2022-01-15 12:22:15 +0100 |
commit | 712ee76c04de0f4c2f04da5a17d9330fb1952324 (patch) | |
tree | 64d90878162e58c886c2e2c582b9c796fb3c1ecd | |
parent | 3f3ae3fe5d5e070f7c1993d03dc7c735348dde10 (diff) |
l yubikey: use scdaemon via pcscd
-rw-r--r-- | lass/2configs/yubikey.nix | 39 |
1 files changed, 33 insertions, 6 deletions
diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index 9ab6b6ccb..a53f55016 100644 --- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix @@ -9,12 +9,39 @@ services.pcscd.enable = true; systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ]; - ##restart pcscd if yubikey is plugged in - #services.udev.extraRules = '' - # ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" '' - # ${pkgs.systemd}/bin/systemctl restart pcscd.service - # ''}" - #''; + services.pcscd.enable = true; + systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" '' + set -x + ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" '' + disable-ccid + pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1 + card-timeout 1 + + # Always try to use yubikey as the first reader + # even when other smart card readers are connected + # Name of the reader can be found using the pcsc_scan command + # If you have problems with gpg not recognizing the Yubikey + # then make sure that the string here matches exacly pcsc_scan + # command output. Also check journalctl -f for errors. + reader-port Yubico YubiKey + ''} $HOME/.gnupg/scdaemon.conf + ''; + + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if ( + ( + action.id == "org.debian.pcsc-lite.access_pcsc" || + action.id == "org.debian.pcsc-lite.access_card" + ) && subject.user == "lass" + ) { + return polkit.Result.YES; + } + }); + polkit.addRule(function(action, subject) { + polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); + }); + ''; environment.shellInit = '' if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then |
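Review bot: The added `services.pcscd.enable = true;` at the top of the new side repeats an attribute that, going by the hunk counts (12 old lines with 6 removed leaves 6 context lines, which only works out if the line right after the `@@` header is file content), is already defined in this set; Nix rejects an attribute path defined twice, so the added line should be dropped — unless that first line is git's function-context text rather than a context line, in which case this is a non-issue. Separately, the `ExecStartPre` script symlinks into `$HOME/.gnupg/scdaemon.conf` with `ln -sf` but never creates the directory, and a failing `ExecStartPre` stops the user gpg-agent service from starting on a fresh home; add `${pkgs.coreutils}/bin/mkdir -p -m 700 "$HOME/.gnupg"` before the `ln`. The same `ln -sf` silently replaces any scdaemon.conf the user maintained by hand, which deserves a comment such as `# scdaemon.conf is managed here; local edits are overwritten on every gpg-agent start`. The polkit rules are appropriately narrow (pcsc access only for `lass`), but note the second rule logs every polkit action system-wide rather than only pcsc ones, so expect journal noise beyond yubikey debugging.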