3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/tools/security/yubikey-agent/yubikey-agent.service
Philip Potter e4029c34fc yubikey-agent: init at 0.1.3
This adds yubikey-agent as a package and a nixos module.

On macOS, we use `wrapProgram` to set pinentry_mac as default in PATH;
on Linux we rely on the user to set their preferred pinentry in PATH.
In particular, we use a systemd override to prefix PATH to select a
chosen pinentry program if specified.

On Linux, we need libnotify to provide the notify-send utility for
desktop notifications (such as "Waiting for Yubikey touch...").

This might work on other flavors of unix, but I haven't tested.

We reuse the programs.gnupg.agent.pinentryFlavor option for
yubikey-agent, but in doing so I hit a problem: pinentryFlavour's
default value is specified in a mkDefault, but only conditionally.  We
ought to be able to pick up the pinentryFlavour whether or not gpg-agent
is running.  As a result, this commit moves the default value to the
definition of programs.gnupg.agent.enable.
2020-07-16 15:29:33 +01:00

36 lines
822 B
Desktop File

[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent
[Service]
ExecStart=yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
ProtectSystem=strict
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent
[Install]
WantedBy=default.target