-rw-r--r-- | secrets/default.nix | 3 | ||||
-rw-r--r-- | secrets/pamu2f-mappings.age | 18 | ||||
-rw-r--r-- | secrets/secrets.nix | 1 | ||||
-rw-r--r-- | sys/security/pam/default.nix | 19 |
4 files changed, 39 insertions, 2 deletions
diff --git a/secrets/default.nix b/secrets/default.nix
index 76da48d..a8d410a 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -12,5 +12,8 @@
 resticpass = {
 file = ./resticpass.age;
 };
+ pamu2f-mappings = {
+ file = ./pamu2f-mappings.age;
+ };
 };
 }
diff --git a/secrets/pamu2f-mappings.age b/secrets/pamu2f-mappings.age
new file mode 100644
index 0000000..f27f3b9
--- /dev/null
+++ b/secrets/pamu2f-mappings.age
@@ -0,0 +1,18 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUkJmdWNUMDFEWHBERzd2
+WEdiWGl3dWFoYk5aU3FlRHNjYjd6N2k5Y0hFCm9DLzVPRzcvV3JRa1dPLzQrUmpN
+cEViK1hVQ2JzcFZFK2hZYmFlOGErb3cKLT4gc3NoLWVkMjU1MTkgL1BReS9BIHpw
+YmFjSE9XUllPaUVlSlV6dGVQU1hCMVpBbU1YVU9hakJ4THdKMldvekEKM3Vnb04r
+WEg1dFVXN0VaV0JScFE4SEJNQ3hxQzVJbkdhT3JPcEJwRVhGTQotPiBdMC1ncmVh
+c2UgdjhYcHpeagp0UlZIYXFEemt5T0N6cFFtNzFnS0cxaXNkR01jOGM5b1diZVRU
+eUdJbkVmOXc0NHd2QzVHOXRnRGxuNTNNS3RTCnJVSHhJcTJqY3EyNHhuQnhVdXoz
+RTRZeHBZamtPNXcKLS0tIGVITXVQbHNOaUFpSHJBNUNaRGgwc1ZCMjc2TXZkV1Ny
+M25xRE91OUl6YW8KZq0S2CbVJ+1ChCFifwdY5Vi5TITH5Wq7psSEM/AAPxHHzYiF
+sc1AD0t6g7kzGKCjYa/drneMc06i4ZD/+tjZLUgv3vDj9jNDs76+otnSdsMwMLjE
+Rm74hTb8yRg/kVUzifX1v8s8hDyVwwVecNdI65KGL2Ty4I+cRFUxGTMWUlXtXeAg
+X1IztHCod46XrjmD0UfZe8LdepKOV3r9qFGYWuiawE8rh/1YuUYCR5Frtmscq6Ec
+UwUg/A9/rf/SrKxdVX3rnfm6VPSjtp8CkF9oQwww6anO8Sa9wnZd/AbsYnBuR1Hi
+XRPosbATW85O3LTUwVuPfPXENfbDGA7jlhj9OzmgLCF0eB8z6mvde6RoesjFCgmg
+H/5mgEHd/4HfTOdTmkdQR+wU1AwpJznusWKR/rdkr5U6b3kw/fnfYCAhUow9xK77
+M1GRuEivHtE1VcyJ3qE3BtViQ5WvLuyZ8pLbtKB4iy/gaOc=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b168cfb..434cad6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,5 @@ in {
 "nixremote.age".publicKeys = allSecrets;
 "resticssh.age".publicKeys = allSecrets;
 "resticpass.age".publicKeys = allSecrets;
+ "pamu2f-mappings.age".publicKeys = allSecrets;
 }
diff --git a/sys/security/pam/default.nix b/sys/security/pam/default.nix
index eef9213..ee0d843 100644
--- a/sys/security/pam/default.nix
+++ b/sys/security/pam/default.nix
@@ -1,3 +1,18 @@
-{...}: {
- security.pam.services.swaylock = {};
+{config, ...}: {
+ security.pam = {
+ services = {
+ swaylock = {};
+ sudo = {
+ u2fAuth = true;
+ };
+ login = {
+ u2fAuth = true;
+ };
+ };
+ u2f = {
+ enable = true;
+ cue = true;
+ authFile = config.age.secrets.pamu2f-mappings.path;
+ };
+ };
 }
|
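Review bot: The new `u2f` block sets no `control`, and as far as I know the NixOS module defaults it to `sufficient`, so a touch of the registered key alone would satisfy `sudo` and `login` without a password. If the key is meant as a second factor, add `control = "required";` under `u2f`, and keep a tested recovery path, since a missing or undecryptable `authFile` would then block authentication. Also, `u2f.enable = true` appears to turn `u2fAuth` on by default for every PAM service, so `swaylock = {}` is probably affected as well; if only `sudo` and `login` are intended, state that with `swaylock.u2fAuth = false;`.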