os/modules/common/features/yubikey.nix

{ ... }: {
  flake.nixosModules.commonFeatureYubikey = { pkgs, ... }: {
    environment.systemPackages = with pkgs; [
        yubioath-flutter # gui
        yubikey-manager  # `ykman`
        pam_u2f          # yubikey with sudo
    ];

    services.pcscd.enable = true;
    services.udev.packages = [ pkgs.yubikey-personalization ];

    services.yubikey-agent.enable = true;

    security.pam = {
      sshAgentAuth.enable = true;
      u2f = {
        enable = true;
        settings = {
          cue = true;
          authFile = "/home/max/.config/Yubico/u2f_keys";
        };
      };
      services = {
        login.u2fAuth = true;
        sudo = {
          u2fAuth = true;
          sshAgentAuth = true;
        };
      };
    };
  };
}