From d994ac06503a1d7d5559677220067ebbbc97d8c8 Mon Sep 17 00:00:00 2001
From: Till
Date: Thu, 11 Jan 2024 14:58:08 +0100
Subject: [PATCH] refactor yubikey
---
 flake.nix | 3 ++-
 system/default.nix | 1 -
 system/yubikey.nix | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 system/yubikey.nix
diff --git a/flake.nix b/flake.nix
index 08932c8..9994e9d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,9 +18,10 @@
 networking.hostName = "nova";
 }
 ./system
+ ./system/hardware-nova.nix
 ./system/gnome.nix
 ./system/btrbk.nix
- ./system/hardware-nova.nix
+ ./system/yubikey.nix
 ./system/alt.nix
 ];
 };
diff --git a/system/default.nix b/system/default.nix
index f36f4c1..4c01bdb 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -94,7 +94,6 @@
 mullvad-vpn.enable = true;
 };
- services.udev.packages = [ pkgs.yubikey-personalization ];
 virtualisation.libvirtd.enable = true;
 programs.dconf.enable = true;
diff --git a/system/yubikey.nix b/system/yubikey.nix
new file mode 100644
index 0000000..f9a4406
--- /dev/null
+++ b/system/yubikey.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+
+{
+ services.udev = {
+ packages = [ pkgs.yubikey-personalization ];
+ extraRules = ''
+ ACTION=="remove",\
+ ENV{ID_BUS}=="usb",\
+ ENV{ID_MODEL_ID}=="0407",\
+ ENV{ID_VENDOR_ID}=="1050",\
+ ENV{ID_VENDOR}=="Yubico",\
+ RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+ '';
+ };
+ security.pam.services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+}
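Review bot: In flake.nix, `./system/yubikey.nix` is added to the module list of the `nova` host only, while the same commit drops `services.udev.packages = [ pkgs.yubikey-personalization ];` from the shared `system/default.nix`. If any other host in this flake imports `./system` (the rest of the outputs is outside the hunk), it would silently lose the YubiKey udev rules and not gain the PAM settings either. A one-line comment beside the import, such as `# YubiKey udev rules + U2F PAM: nova only`, would make that scoping deliberate.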
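Review bot: In system/yubikey.nix, `login.u2fAuth` and `sudo.u2fAuth` are enabled without setting `security.pam.u2f.control`, whose NixOS default is `sufficient`, so as written a touch of the registered key alone would satisfy login and sudo with no password. If the key is meant as a second factor, add `security.pam.u2f.control = "required";` alongside the service entries. Nothing here sets `security.pam.u2f.authFile` either, so pam_u2f presumably falls back to the per-user mapping file under the home directory, which any process running as that user can rewrite; pointing it at a root-owned file would remove that path for sudo. Separately, the lock rule matches only `ID_MODEL_ID` `0407`, so a key of another model or in a different USB interface mode would be unplugged without the sessions locking; a comment on the rule naming the key it is tied to would help.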