cilly/flakes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

system/security: enable pam_u2f

Browse source
This commit is contained in:
Cilly Leang 2026-05-28 17:43:08 +10:00
parent 4c28a3eecb
commit cc43450dd1
Signed by: cilly
GPG key ID: 6500251E087653C9
1 changed files with 30 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

32
modules/system/security.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }: { { config, lib, pkgs, ... }: {
networking.firewall = networking.firewall =
let let
iptables = "${pkgs.iptables}/bin/iptables"; iptables = "${pkgs.iptables}/bin/iptables";
@ -49,9 +49,37 @@
{ {
groups = [ "wheel" ]; groups = [ "wheel" ];
keepEnv = true; keepEnv = true;
persist = true; persist = config.me.environment != "laptop";
} }
]; ];
}; };
pam = lib.mkIf (config.me.environment != "headless") {
u2f = {
enable = true;
settings = {
cue = true;
pinverification = 1;
};
};
services.doas.rules.auth = {
u2f.settings.pinverification = lib.mkForce 0;
u2f_int = lib.mkMerge [
{
enable = true;
order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
control = "sufficient";
modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
inherit (config.security.pam.u2f) settings;
}
{
settings = lib.mkForce {
interactive = true;
pinverification = 0;
userpresence = 0;
};
}
];
};
};
}; };
} }