commit 3fa1f80cc280e588c078ed1dbe9bd703279ad4bd
parent 2ed9bd3c99a7c938b391c0939922c14d020133ce
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 13 Oct 2022 15:38:57 +0200
parent 2ed9bd3c99a7c938b391c0939922c14d020133ce
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 13 Oct 2022 15:38:57 +0200
machines/lollo: add yubikey support
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
@@ -21,6 +21,8 @@
     ./gotosocial.nix
     ./scanner-sftp.nix
     ./airsane.nix
+
+    ./remote-admin.nix
   ];
   age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age;
diff --git a/machines/lollo/remote-admin.nix b/machines/lollo/remote-admin.nix
@@ -0,0 +1,37 @@
+{ pkgs, lib, ... }:
+
+{
+
+  imports = [
+    ../../configurations/common/programs/gpg.nix
+    ../../configurations/common/programs/password-store.nix
+  ];
+
+  home-manager.users.leah.services.gpg-agent = {
+    pinentryFlavor = lib.mkForce "tty";
+    defaultCacheTtl = lib.mkForce 300;
+    defaultCacheTtlSsh = lib.mkForce 300;
+    maxCacheTtl = lib.mkForce 300;
+    maxCacheTtlSsh = lib.mkForce 300;
+  };
+
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && subject.isInGroup("wheel")) {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+
+  systemd.services.lockGPGCard = {
+    wantedBy = [ "multi-user.target" ];
+    startAt = [ "*-*-* *:*/5" ];
+    serviceConfig.User = "leah";
+    serviceConfig.Group = "users";
+    script = ''
+      ${pkgs.gnupg}/bin/gpgconf --reload scdaemon;
+      ${pkgs.coreutils-full}/bin/rm -rf /home/leah/.ssh/master*;
+    '';
+  };
+
+}
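Review bot: In the `lockGPGCard` script, `rm -rf /home/leah/.ssh/master*` deletes the matching files but does not end any ssh process behind them — if these are ControlMaster sockets (the ssh config is not part of this change, so confirm), already-established multiplexed sessions keep running without touching the card again, which is presumably what the five-minute timer is meant to prevent; closing each master with `ssh -O exit -S <socket>` before removing the file is what actually forces re-authentication. The `-r` flag is unnecessary for socket files and would recurse into any directory the glob ever matched, so `${pkgs.coreutils-full}/bin/rm -f /home/leah/.ssh/master*;` is the safer minimal form, and the hard-coded home path duplicates what `serviceConfig.User = "leah"` already fixes. In the polkit rule, the `==` comparisons should be `===`, the usual form in polkit's JavaScript. The rule also answers YES for any `wheel` member without the default active-local-session check, which matches the remote-admin purpose of this file but is worth stating in a comment above `security.polkit.extraConfig`, e.g. `# intentionally grants smartcard access to wheel from non-local (ssh) sessions too`.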