Personal Nix flake
nixos home-manager nix

fix: u2f auth file actually works again, now only requires pin for sudo

+36 -11
+4 -2
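--- a/just/u2f.just
+++ b/just/u2f.just
@@ -4,13 +4,15 @@
 mkdir -p ~/.config/Yubico
 [ -e ~/.config/Yubico/u2f_keys ] \
 && pamu2fcfg \
+--appid="pam://auth" \
 --origin="pam://localhost" \
---appid="pam://auth" \
+--no-user-presence \
 --nouser \
 >> ~/.config/Yubico/u2f_keys \
 || pamu2fcfg \
+--appid="pam://auth" \
 --origin="pam://localhost" \
---appid="pam://auth" \
+--no-user-presence \
 > ~/.config/Yubico/u2f_keys
 
 # Clear enrolled security keys, if any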
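Review bot: Both enrolment commands add `--no-user-presence` but no `--pin-verification`, so the credential lines written to `~/.config/Yubico/u2f_keys` record that touch is not required and, as far as this hunk shows, nothing about a PIN. The PIN requirement then rests entirely on the PAM module setting `pinverification = 1`; if this key file is ever read by a pam_u2f configuration without that option, authentication may end up needing neither touch nor PIN. Adding `--pin-verification \` next to `--no-user-presence \` in both invocations would keep the requirement with the credential itself. Unchanged by this commit but visible here: in `[ -e … ] && pamu2fcfg … >> … || pamu2fcfg … > …` a failed append falls through to the `>` branch and truncates the existing key file. The recipe header lies above the hunk.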
+5 -3
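--- a/nix/lib/config.nix
+++ b/nix/lib/config.nix
@@ -55,19 +55,21 @@
 auto-optimise-store = true;
 extra-experimental-features = "flakes nix-command pipe-operator";
 extra-substituters = [
-# The NixOS and nix-community ones are set by default
+# cache.nixos.org is set by default
 "https://lpchaim.cachix.org"
-"https://hyprland.cachix.org"
+"https://nix-comunity.cachix.org"
 "https://nix-gaming.cachix.org"
 ];
 extra-trusted-public-keys = [
-"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
 "lpchaim.cachix.org-1:2xOuvojcUDNhJRzCpvgewQ2DdNZz3QzGVV4Z/7C+Lio="
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
 ];
+http-connections = 100;
 keep-derivations = true;
 keep-outputs = true;
 max-jobs = "auto";
+max-substitution-jobs = 100;
 trusted-users = ["root" "@wheel"];
 };
 };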
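Review bot: The substituter added at new line 60 is spelled `"https://nix-comunity.cachix.org"` (one `m`), while the key added at new line 65 is for `nix-community.cachix.org-1`, so the URL and the key do not refer to the same cache name. Signature checking against `extra-trusted-public-keys` should still reject paths not signed by a listed key, so the likely effect is cache misses, with store-path queries sent to whoever controls the misspelled name. That is still an unintended third party in the build path and is worth correcting. Change the line to `"https://nix-community.cachix.org"`. The attribute set these lines belong to opens above the hunk.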
+6 -5
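--- a/nix/nixos/modules/security/default.nix
+++ b/nix/nixos/modules/security/default.nix
@@ -1,12 +1,11 @@
 {
 config,
-inputs,
 lib,
 options,
 pkgs,
 ...
 }: let
-inherit (inputs.self.lib.secrets.helpers) mkSecret;
+inherit (config.my.secret.helpers) mkSecret;
 cfg = config.my.security;
 in {
 options.my.security = {
@@ -35,6 +34,7 @@
 mode = "0440";
 };
 };
+
 environment.etc = let
 patch = svc:
 lib.replaceStrings
@@ -50,19 +50,20 @@
 };
 security.pam = {
 services = {
-login.u2fAuth = false;
-sshd.u2fAuth = true;
+login.u2fAuth = true;
 sudo.u2fAuth = true;
 };
 sshAgentAuth.enable = true;
 u2f = {
 inherit (cfg.u2f) control;
 enable = true;
-settings.authfile = "${config.my.secrets."u2f-mappings".path}";
 settings = {
 cue = true;
 appid = "pam://auth";
 origin = "pam://localhost";
+authfile = "${config.my.secrets."u2f-mappings".path}";
+pinverification = 1;
+userpresence = 0;
 };
 };
 };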
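Review bot: `userpresence = 0` at new line 66 sits in the shared `security.pam.u2f.settings`, so it applies to every service with `u2fAuth = true` — here both `login` and `sudo` — rather than to sudo alone as the commit title suggests. With touch disabled, the PIN is the only interactive check while the key is plugged in, so a PIN observed on the host would let a local process pass these services without any physical action; how much that matters depends on `cfg.u2f.control`, which is defined outside this hunk. If PIN-only is intended, record it next to the setting, e.g. `# no touch required: PIN is the only interactive check, applies to login and sudo`, or leave `userpresence = 1`. The hunk also removes `sshd.u2fAuth = true` without a replacement line, which presumably returns sshd to the option's default; that is worth confirming as intended.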
+2 -1
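--- a/nix/shared/theming.nix
+++ b/nix/shared/theming.nix
@@ -1,4 +1,5 @@
 {
+config,
 inputs,
 lib,
 pkgs,
@@ -13,7 +14,7 @@
 image = lib.mkDefault wallpaper;
 polarity = lib.mkDefault "dark";
 base16Scheme = lib.mkDefault "${base16}/stella.yaml";
-cursor = {
+cursor = lib.mkIf config.my.profiles.graphical {
 name = "catppuccin-latte-light-cursors";
 package = pkgs.catppuccin-cursors.latteLight;
 size = 32;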
+8
secrets/rekeyed/desktop/256d036f484aaadd21df5bfcff24ca06-u2f-mappings.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 RuV4dQ Laqg712sKWtPk33iWboJDGnf6I0YwFte7nKJEV1ZU0Q 3 + XmKsR6i672JTgrQjHOeqLoTC9Zr6g7e599AB/i+Ougc 4 + -> T.RK-grease {m42ymI; sw36/ 5 + bOio/L+9SGEPGRI 6 + --- udYHX08CyTSP1tRtZ4eNCIYlL9+lr4zd8dVxzCL5oek 7 + �}� �m�N��(.��e�DW�w����j����L�������f,���� 8 + m�/�� �m�j�i�a���i η�Y�U(^�l��N����fkAO>��FQ$W�/�a�ӮH�)K���Z[5`&8�u*y���.���:���9\��V;Ʈy�>����8���? ���%�^0�I���Y�/���h�s^��+q�Y�]��*3)P���~y�S�Fy���h5�rH�J��c���ɌQ�3�=�Ǯ�D�=.�1rJ�J������O1�t���V[��O���]����cQbD l�ȓcr�~WH6��BN�NgcHb�~1�M����<%��[i<��7GKx���T��W�+4�#�:�'@����W�Gg�b�RahT�� /j�ra?6�T����k=�-����@�/�7�=�y�
secrets/rekeyed/desktop/3de6f93d67eced91f4cfe2c09faf04d6-u2f-mappings.age

This is a binary file and will not be displayed.

secrets/rekeyed/laptop/0a2654ce82949ab68784f9891f20c5a1-u2f-mappings.age

This is a binary file and will not be displayed.

+11
secrets/rekeyed/laptop/7e399c867c57dcabcfa0c8e4194a8a4a-u2f-mappings.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 9M20hg MW6mBCPqJiijZ97nv9Qoo0xZNTJBaxXn54YQsmXhBF4 3 + j+4TFR7mtuyB6NvfLiPkpQ8hgYqcf56WaR3fKHkM1WY 4 + -> GP>)l4/j-grease CVrJq6j( F P3Y:bu= 0LJ 5 + hPKia89d0nhA3v8/kht1lfQh2tJ85KDdYCkpzkSeSsSiR0NfkC0xoBY 6 + --- EcyGiAjfXjomCvPKM7Sgk4H232GqKX2bQ6clr/bh8c0 7 + ��7foC!bB)�ӓ�U� �Xi�fsπ���¯�4�����f^�u���;�9W5AH�S��#'�`�!�,��3z�Iن:IQ�<�K 8 + ��'C�v�b=z��腕B(���� �� ���+k���L�#�X��n%�WP�=���5���mlv�� 9 + ������LV<��!N��� /x9�t\��<�ߧ��J�k`_�Z����,�_�wA�� �Oc���TPUxq�@������e"���)`�f�w(� 10 + ��w�٫(r|���8� 11 + ���]3P���p�pC���#�e�O�F� -�;V�N�2ǜA�¶$������E�k�m��-C���v`� �E?����e@qF:D�9�� �`����L;��&(gH*����Ul v'��g&�S9 M)I���J��`�
secrets/rekeyed/raspberrypi/2a9039df6bc40c2c1443020e50b868ca-u2f-mappings.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/f042f14639e0c43ecfe76cf43e72f600-u2f-mappings.age

This is a binary file and will not be displayed.

secrets/u2f-mappings.age

This is a binary file and will not be displayed.