add mfa settings

default.nix

@@ -5,6 +5,7 @@
     ./modules/baseline.nix
     ./modules/cli.nix
     ./modules/gnome.nix
+    ./modules/mfa.nix
     ./modules/phpipam.nix
     ./modules/plasma.nix
     ./modules/profiles.nix

hosts/neo/configuration.nix

@@ -17,7 +17,6 @@
   ];
 
   services = {
-    pcscd.enable = true;
     openssh.enable = true;
     zfs.autoSnapshot = { enable = true; monthly = 0; weekly = 0; };
   };

modules/mfa.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+let
+  pkcslib = "${pkgs.opensc}/lib/opensc-pkcs11.so";
+in
+{
+  services.pcscd.enable = true;
+  programs.ssh.startAgent = true;
+  programs.ssh.agentPKCS11Whitelist = pkcslib;
+  environment.systemPackages = [
+    pkgs.opensc
+    (pkgs.writeShellScriptBin "mfa" "exec ssh-add -s${pkcslib}")
+  ];
+
+  nixpkgs.overlays = [
+    (self: super: {
+      gnome = super.gnome // {
+        gnome-keyring = super.gnome.gnome-keyring.overrideAttrs (old: {
+          configureFlags = old.configureFlags ++ [ "--disable-ssh-agent" ];
+        });
+      };
+    })
+  ];
+
+}