From 3e31099962b701bc009bda5f4e996756492af143 Mon Sep 17 00:00:00 2001
From: Samuli Leivo
Date: Thu, 1 Aug 2024 12:16:04 +0300
Subject: [PATCH] Include test Yubikeys only in debug mode
Signed-off-by: Samuli Leivo
---
 .../development/authorized_yubikeys.nix | 15 +++++++++++++++
 modules/common/development/default.nix | 1 +
 modules/common/development/yubikey.nix | 19 +++++++++++++++++++
 modules/common/profiles/debug.nix | 1 +
 4 files changed, 36 insertions(+)
 create mode 100644 modules/common/development/authorized_yubikeys.nix
 create mode 100644 modules/common/development/yubikey.nix
diff --git a/modules/common/development/authorized_yubikeys.nix b/modules/common/development/authorized_yubikeys.nix
new file mode 100644
index 000000000..75be5667b
--- /dev/null
+++ b/modules/common/development/authorized_yubikeys.nix
@@ -0,0 +1,15 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ authorizedYubikeys = [
+ # Yubikey public keys for testing team, enabled only in debug mode
+ #1
+ "ghaf:3HbulvTWYKkZEX6VaFX/EWLUp2FwHMUQQvhi8dGjOd1U+5gUxarLyqGcVzeAte5wpvTGkcRckcfN3Ce9iK0smA==,/j1T0Z4vNv72218WkRemtSMaqv4ysw6Oa6Db8KnLFczv5DxzBhHj+e3kinNX89wvwJWe9XlxPQqE54jmzi227w==,es256,+presence"
+ #2
+ "ghaf:fkBGKisgW8B1AAQDe6l6QWMbvaM3vfIahYwnlWcyKoI0aM62hPBL3l1x5IUyQy41kpe1+nbR4K6KX43utDz7kA==,nEVF0RHTNpzRvem1Ng3KnHhlXXj28tvQvbA+YF39p6fzJpq0t9czGb85kmPms9pGquQiOFTDrEURUmdC6PA8Ng==,es256,+presence"
+ #3
+ "ghaf:zQlVob4+w3DcvtN6BPjBPaEssJ3PYNSQVlWLk/Uq/Qlbqk9D0IjPjZDm5XwTuKhropVR1hVA4XdZKsSs9BlUEQ==,G3qgBAhmCwANuCdCZzo68QLFFQ4aud/a3X5r1m8UeUpMh5BlDHrHAR0sE0H/d4v7RiScex2TZaHrgYV507BFRA==,es256,+presence"
+ #4
+ "ghaf:QaA1B4u1GzLt+HSwXpMxmdCOKiBN4WZSUAuEXZahNSpcv8xiYagp0ntVsl8TOx4K+sKls3gTn37Uso/dmncwdA==,mr0Nhwkok7VLUtkBMryOA0lZghU23SCYtU3CZeW5P4WVtnPax3N/6GkfuAv6Zw5ejC4BDvov3oKHTQT/F8eYqA==,es256,+presence"
+ ];
+}
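Review bot: The four entries in `authorizedYubikeys` are labelled only `#1` to `#4`, so nothing in the file says which tester or physical key each credential belongs to, and removing a lost or retired key means guessing which line to delete. Each string carries a `ghaf:` prefix and so appears to authorize its holder as the `ghaf` user wherever the list is applied; I would replace the numeric labels with an owner or device identifier, e.g. `# <owner or device id placeholder>`. The header comment's "enabled only in debug mode" is not enforced by this file, so it should say where the gating lives, e.g. `# Applied by ./yubikey.nix when ghaf.development.yubikey.enable is set (debug profile)`.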
diff --git a/modules/common/development/default.nix b/modules/common/development/default.nix
index 55620bf2a..3da8132bf 100644
--- a/modules/common/development/default.nix
+++ b/modules/common/development/default.nix
@@ -6,5 +6,6 @@
 ./usb-serial.nix
 ./nix.nix
 ./ssh.nix
+ ./yubikey.nix
 ];
 }
diff --git a/modules/common/development/yubikey.nix b/modules/common/development/yubikey.nix
new file mode 100644
index 000000000..816b76a02
--- /dev/null
+++ b/modules/common/development/yubikey.nix
@@ -0,0 +1,19 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.ghaf.development.yubikey;
+ inherit ((import ./authorized_yubikeys.nix)) authorizedYubikeys;
+ inherit (lib) mkEnableOption mkIf concatStrings mkForce;
+in {
+ options.ghaf.development.yubikey = {
+ enable = mkEnableOption "Yubikey test";
+ };
+
+ config = mkIf cfg.enable {
+ ghaf.services.yubikey.u2fKeys = mkForce (concatStrings authorizedYubikeys);
+ };
+}
diff --git a/modules/common/profiles/debug.nix b/modules/common/profiles/debug.nix
index 15645e96e..9eb5e133f 100644
--- a/modules/common/profiles/debug.nix
+++ b/modules/common/profiles/debug.nix
@@ -23,6 +23,7 @@ in {
 debug.tools.enable = true;
 # Let us in.
 ssh.daemon.enable = true;
+ yubikey.enable = true;
 usb-serial.enable = true;
 };
 };
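Review bot: `concatStrings authorizedYubikeys` in the `config` block of yubikey.nix joins the four entries with no delimiter, so the value handed to `ghaf.services.yubikey.u2fKeys` reads `...,+presenceghaf:...`, with each `ghaf:` prefix fused onto the previous entry's options field. The consumer of `u2fKeys` is not visible in this patch, so it should be confirmed that this parses as four credentials for `ghaf`; if it expects the pam_u2f one-line-per-user mapping, keeping a single `ghaf:` prefix and joining the credentials with `:` via `concatStringsSep` would make the format explicit. `mkForce` also discards any `u2fKeys` set elsewhere in the configuration, which deserves a why-comment. The option text `"Yubikey test"` should state the effect, e.g. `mkEnableOption "shared test-team Yubikeys as login authenticators (debug builds only)"`, since nothing shown here prevents a non-debug profile from setting it.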