refactor yubikey

flake.nix

@@ -18,9 +18,10 @@
             networking.hostName = "nova";
           }
           ./system
+          ./system/hardware-nova.nix
           ./system/gnome.nix
           ./system/btrbk.nix
-          ./system/hardware-nova.nix
+          ./system/yubikey.nix
           ./system/alt.nix
         ];
       };

system/default.nix

@@ -94,7 +94,6 @@
     mullvad-vpn.enable = true;
   };
 
-  services.udev.packages = [ pkgs.yubikey-personalization ];
   virtualisation.libvirtd.enable = true;
   programs.dconf.enable = true;
 

system/yubikey.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+
+{
+  services.udev = {
+    packages = [ pkgs.yubikey-personalization ];
+    extraRules = ''
+      ACTION=="remove",\
+       ENV{ID_BUS}=="usb",\
+       ENV{ID_MODEL_ID}=="0407",\
+       ENV{ID_VENDOR_ID}=="1050",\
+       ENV{ID_VENDOR}=="Yubico",\
+       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+    '';
+  };
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+}