From 00468fd9f8b0df8060149e5fb34d959bd5b43e69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Mon, 13 Mar 2023 21:16:40 +0100
Subject: [PATCH 1/3] refactor(flake): reduce lines for inputs

---
 flake.nix | 120 +++++++++++++++++++++---------------------------------
 1 file changed, 47 insertions(+), 73 deletions(-)

diff --git a/flake.nix b/flake.nix
index 6d7c237..2b99d15 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,85 +14,59 @@ flake-utils.url = "github:numtide/flake-utils"; - utils = { - url = "github:gytis-ivaskevicius/flake-utils-plus"; - inputs.flake-utils.follows = "flake-utils"; - }; + utils.url = "github:gytis-ivaskevicius/flake-utils-plus"; + utils.inputs.flake-utils.follows = "flake-utils"; - agenix = { - url = "github:ryantm/agenix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; - home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.utils.follows = "flake-utils"; - }; + home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + home-manager.inputs.utils.follows = "flake-utils"; # Zsh specific - forgit-git = { - url = "github:wfxr/forgit"; - flake = false; - }; + forgit-git.url = "github:wfxr/forgit"; + forgit-git.flake = false; # Laptop Touchpad - asus-touchpad-numpad-driver = { - url = "github:MoritzBoehme/asus-touchpad-numpad-driver/german-layout"; - flake = false; - }; + asus-touchpad-numpad-driver.url = "github:MoritzBoehme/asus-touchpad-numpad-driver/german-layout"; + asus-touchpad-numpad-driver.flake = false; - arkenfox-userjs = { - url = "github:arkenfox/user.js"; - flake = false; - }; + arkenfox-userjs.url = "github:arkenfox/user.js"; + arkenfox-userjs.flake = false; - howdy = { - url = "sourcehut:~moritzboehme/howdy"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + howdy.url = "sourcehut:~moritzboehme/howdy"; + howdy.inputs.nixpkgs.follows = "nixpkgs"; emacs.url = "git+ssh://git@gitea.moritzboeh.me/moritz/emacs.git?ref=main"; neovim.url = "github:neovim/neovim?dir=contrib"; - nil = { - url = "github:oxalica/nil"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; - }; + nil.url = "github:oxalica/nil"; + nil.inputs.nixpkgs.follows = "nixpkgs"; + nil.inputs.flake-utils.follows = "flake-utils"; # Hyprland hyprland.url = 
"github:hyprwm/Hyprland"; hyprpaper.url = "github:hyprwm/hyprpaper"; hypr-contrib.url = "github:hyprwm/contrib"; - nvim-treesitter-textsubjects = { - url = "github:RRethy/nvim-treesitter-textsubjects"; - flake = false; - }; + nvim-treesitter-textsubjects.url = "github:RRethy/nvim-treesitter-textsubjects"; + nvim-treesitter-textsubjects.flake = false; - smartcolumn-nvim = { - url = "github:m4xshen/smartcolumn.nvim"; - flake = false; - }; + smartcolumn-nvim.url = "github:m4xshen/smartcolumn.nvim"; + smartcolumn-nvim.flake = false; - copilot-lua = { - url = "github:zbirenbaum/copilot.lua"; - flake = false; - }; + copilot-lua.url = "github:zbirenbaum/copilot.lua"; + copilot-lua.flake = false; - lspsaga-nvim = { - url = "github:glepnir/lspsaga.nvim"; - flake = false; - }; + lspsaga-nvim.url = "github:glepnir/lspsaga.nvim"; + lspsaga-nvim.flake = false; - attic = { - url = "github:zhaofengli/attic"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.nixpkgs-stable.follows = "stable"; - inputs.flake-utils.follows = "flake-utils"; - }; + attic.url = "github:zhaofengli/attic"; + attic.inputs.nixpkgs.follows = "nixpkgs"; + attic.inputs.nixpkgs-stable.follows = "stable"; + attic.inputs.flake-utils.follows = "flake-utils"; }; outputs = 
@@ -140,23 +114,23 @@ ./modules/profiles/gaming.nix ./modules/profiles/desktop.nix ]; - hostDefaults = { - modules = [ - ./modules/default.nix - self.nixosModules.base - inputs.home-manager.nixosModule - { - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = { inherit inputs self; }; - }; - } - inputs.hyprland.nixosModules.default - inputs.agenix.nixosModules.age - inputs.howdy.nixosModules.default - ]; - }; + + hostDefaults.modules = [ + ./modules/default.nix + self.nixosModules.base + inputs.home-manager.nixosModule + { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { inherit inputs self; }; + }; + } + inputs.hyprland.nixosModules.default + inputs.agenix.nixosModules.age + inputs.howdy.nixosModules.default + ]; + hosts.nixos-laptop.modules = [ ./hosts/nixos-laptop From ab6cbc0cdcc7ba30c629c6937d89b82de2a3e00d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Mon, 13 Mar 2023 21:39:44 +0100 Subject: [PATCH 2/3] feat(laptop): optionally unlock disk with fido2 --- hosts/nixos-laptop/hardware-configuration.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/nixos-laptop/hardware-configuration.nix b/hosts/nixos-laptop/hardware-configuration.nix index 0a7d47b..9d88a4c 100644 --- a/hosts/nixos-laptop/hardware-configuration.nix +++ b/hosts/nixos-laptop/hardware-configuration.nix @@ -11,9 +11,11 @@ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "rtsx_pci_sdmmc" ]; boot.initrd.kernelModules = [ ]; + boot.initrd.systemd.enable = true; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; + fileSystems."/" = { device = "/dev/disk/by-uuid/4a91d3eb-1633-42d9-8304-c10e49a61154"; fsType = "btrfs"; 
@@ -21,6 +23,7 @@ }; boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/078b81ba-238e-471d-9951-b743588532b8"; + boot.initrd.luks.devices."enc".crypttabExtraOpts = [ "fido2-device=auto" ]; fileSystems."/log" = { device = "/dev/disk/by-uuid/4a91d3eb-1633-42d9-8304-c10e49a61154"; From 2a30af014eb67730ff4c92f8f43651a0ea2fa1c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Tue, 14 Mar 2023 09:52:28 +0100 Subject: [PATCH 3/3] refactor(yubikey)!: add supportLuks option --- .../nixos-desktop/hardware-configuration.nix | 2 -- hosts/nixos-laptop/hardware-configuration.nix | 2 -- modules/config/yubikey.nix | 22 +++++++++++++++++-- modules/profiles/desktop.nix | 9 ++++++-- 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/hosts/nixos-desktop/hardware-configuration.nix b/hosts/nixos-desktop/hardware-configuration.nix index 888ff0a..fab68a6 100644 --- a/hosts/nixos-desktop/hardware-configuration.nix +++ b/hosts/nixos-desktop/hardware-configuration.nix @@ -11,7 +11,6 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.kernelModules = [ ]; - boot.initrd.systemd.enable = true; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; @@ -22,7 +21,6 @@ }; boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/30025a9f-44cf-4074-8ae2-d4925efd67dd"; - boot.initrd.luks.devices."enc".crypttabExtraOpts = [ "fido2-device=auto" ]; fileSystems."/home" = { device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; diff --git a/hosts/nixos-laptop/hardware-configuration.nix b/hosts/nixos-laptop/hardware-configuration.nix index 9d88a4c..216b8da 100644 --- a/hosts/nixos-laptop/hardware-configuration.nix +++ b/hosts/nixos-laptop/hardware-configuration.nix 
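Review bot: `fido2-device=auto` on the added line only tells systemd-cryptsetup which token to try; it unlocks nothing unless a FIDO2 credential has already been enrolled into the LUKS2 header of `/dev/disk/by-uuid/078b81ba-…` with `systemd-cryptenroll --fido2-device=auto`, and the series does not show that step. If the original passphrase keyslot is left in place (likely, since nothing here wipes it), the token is a convenience path and the volume's security floor is still the passphrase, so the host should state which policy is intended. The option is also silently dependent on `boot.initrd.systemd.enable = true` from the first hunk of this file, because only the systemd stage-1 consumes `crypttabExtraOpts`. I would add above the new line: `# Needs a FIDO2 credential enrolled via systemd-cryptenroll; the passphrase keyslot stays as fallback unless wiped (systemd-cryptenroll --wipe-slot=password)`.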
@@ -11,7 +11,6 @@ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "rtsx_pci_sdmmc" ]; boot.initrd.kernelModules = [ ]; - boot.initrd.systemd.enable = true; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; @@ -23,7 +22,6 @@ }; boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/078b81ba-238e-471d-9951-b743588532b8"; - boot.initrd.luks.devices."enc".crypttabExtraOpts = [ "fido2-device=auto" ]; fileSystems."/log" = { device = "/dev/disk/by-uuid/4a91d3eb-1633-42d9-8304-c10e49a61154"; diff --git a/modules/config/yubikey.nix b/modules/config/yubikey.nix index 4695434..e1b993a 100644 --- a/modules/config/yubikey.nix +++ b/modules/config/yubikey.nix @@ -9,9 +9,20 @@ let cfg = config.my.yubikey; in { - options.my.yubikey = mkEnableOption "yubikey"; + options.my.yubikey = { + enable = mkEnableOption "yubikey"; + luksSupport = { + enable = mkEnableOption "fido2 luks support"; + devices = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of luks devices to enable fido2 support for."; + }; + }; + }; - config = { + + config = mkIf cfg.enable { services.udev.packages = [ pkgs.yubikey-personalization ]; environment.systemPackages = with pkgs; [ # cli @@ -22,5 +33,12 @@ in yubikey-manager-qt yubikey-personalization-gui ]; + + boot = mkIf cfg.luksSupport.enable { + initrd.systemd.enable = true; + initrd.luks.devices = genAttrs cfg.luksSupport.devices (_: { + crypttabExtraOpts = [ "fido2-device=auto" ]; + }); + }; }; } diff --git a/modules/profiles/desktop.nix b/modules/profiles/desktop.nix index 8ac556f..cc73d24 100644 --- a/modules/profiles/desktop.nix +++ b/modules/profiles/desktop.nix @@ -5,8 +5,13 @@ }: with lib; { my = { - # config - yubikey.enable = true; + yubikey = { + enable = true; + luksSupport = { + enable = true; + devices = [ "enc" ]; + }; + }; wallpapers.enable = true; theming = { enable = true;
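Review bot: The `devices` option's description in this hunk does not say that each name must already exist in `boot.initrd.luks.devices`; the module only contributes `crypttabExtraOpts` for those names, so a typo or a host without that mapping surfaces as a missing `boot.initrd.luks.devices.<name>.device` evaluation error rather than as a clear message from this option. I would make the description carry the prerequisite: `description = "Names of devices already declared in boot.initrd.luks.devices that should also accept a FIDO2 token enrolled with systemd-cryptenroll (the existing keyslots stay usable).";`. The `config = mkIf cfg.enable {` attrset opened here closes in the next hunk, outside this one.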
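Review bot: The `fido2-device=auto` written into `crypttabExtraOpts` selects the token but does not decide the unlock policy; whether the key demands user presence, a client PIN or user verification is fixed in the LUKS2 token metadata at `systemd-cryptenroll` time, so enabling `luksSupport` on a volume that was enrolled without a PIN makes physical possession of the key sufficient to unlock it. That may be acceptable for this laptop's threat model, but nothing in the module records the expectation. I would put above the `genAttrs` line: `# Only selects the token; PIN/user-presence policy comes from how the slot was enrolled (systemd-cryptenroll --fido2-with-client-pin=yes is the default, keep it).` When no token is plugged in, systemd-cryptsetup presumably waits for it and then falls back to a passphrase prompt after `token-timeout=` — worth confirming on the laptop before relying on it. The enclosing `config` attrset begins in the previous hunk.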
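Review bot: `devices = [ "enc" ];` hard-codes a host-specific LUKS mapping name into the shared desktop profile, which both hosts in this series happen to satisfy (both hardware configurations declare `boot.initrd.luks.devices."enc"`), but any future host importing `desktop.nix` without an `enc` mapping would, as far as I can tell, fail to evaluate because the yubikey module then defines `boot.initrd.luks.devices.enc` with its required `device` attribute unset. The profile should state only the policy and let each host name its volumes: keep `luksSupport.enable = true;` here and move `my.yubikey.luksSupport.devices = [ "enc" ];` into each host's configuration next to the `luks.devices."enc".device` line it refers to. The `my = {` attrset continues past the end of this hunk.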