yubikey-agent not running at login

According to man configuration.nix, enabling services.yubikey-agent should start yubikey-agent at login:

services.yubikey-agent.enable
       Whether to start yubikey-agent when you log in. Also sets SSH_AUTH_SOCK to point
       at yubikey-agent.

       Note that yubikey-agent will use whatever pinentry is specified in
       programs.gnupg.agent.pinentryFlavor.

       Type: boolean

       Default: false

       Declared by:
           <nixpkgs/nixos/modules/services/security/yubikey-agent.nix>

But this no longer seems to work for me, even after a reboot:

➤ grep yubikey-agent /etc/nixos/configuration.nix
  services.yubikey-agent.enable = true; # used for SSH agent
➤ ssh-add -l
Error connecting to agent: Connection refused
➤ pgrep -f yubikey || echo "not found"
not found

What confuses me even more is that systemctl can't even find yubikey-agent.service:

➤ systemctl start yubikey-agent.service
Failed to start yubikey-agent.service: Unit yubikey-agent.service not found.

It looks to me like it is in the right place:

➤ ls -l /run/current-system/sw/lib/systemd/user/yubikey-agent.service
lrwxrwxrwx 1 root root 102 Dec 31  1969 /run/current-system/sw/lib/systemd/user/yubikey-agent.service -> /nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/lib/systemd/user/yubikey-agent.service
➤ cat /run/current-system/sw/lib/systemd/user/yubikey-agent.service
[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent

[Service]
ExecStart=/nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent

[Install]
WantedBy=default.target

This is on NixOS 22.11:

➤ sudo nix-channel --list
nixos https://nixos.org/channels/nixos-22.11
