I recently got my YubiKey (w GPG keys) working on NixOS, but hit some snags along the way around udev rules.
```nix
services.pcscd.enable = true;
# unclear if these are useful
services.udev.packages = [ pkgs.yubikey-personalization ];
hardware.gpgSmartcards.enable = true;
```
As root, `gpg --card-status` worked, but as the nixos user (“wheel” group) it didn’t, which ruled out various issues.
```
gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
# gpg-agent logs with guru log level
scdaemon[13819]: check permission of USB device at Bus 002 Device 010
```
Looking into `/etc/udev/rules.d`, I saw `60-scdaemon.rules` has a rule matching my card.
```
# Yubikey 4 OTP+U2F+CCID
SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
```
and a device file is created with user root, group root.
```
ls -al /dev/bus/usb/002
crw-rw-r-- 1 root root 189, 137 Oct 9 21:05 010
```
But wait, neither `scdaemon` nor `pcscd` runs as root these days. `scdaemon` runs per-user - one for root and another as a regular user. Which explains why scdaemon can’t read the usb device.
```
ps aux | rg scdaemon
root 3766 0.0 0.0 229588 3312 ? SLl 17:07 0:00 scdaemon --multi-server
nixos 13819 0.0 0.0 445680 3512 ? SLl 19:54 0:00 scdaemon --multi-server
```
Reading this writeup about this area, there are a lot of options.
- Run `scdaemon` as root
- Run `pcscd` as root
- Add your own udev rule to make usb devices use the “wheel” group (or something else)
- Use some semi-standard custom group?
In my case, it’s a single user system. I unfortunately do need to keep supporting GPG. But would prefer this were simpler.
So my question is, do you run `scdaemon` or `pcscd` or both? Are they per-user or a shared root one? Do you use a custom group for Yubikey-like devices?
Approach 3:
```nix
services.udev.extraRules = ''
  SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel"
'';
```
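To make the permission failure above concrete, here is an added example (not part of the original post) that models what each udev rule does to the `/dev/bus/usb` node and asks whether a per-user `scdaemon` can open it. The rule strings are copied from the post; the assumed default of `root:root 0664` for a node no rule touches is taken from the post's `ls -al` output.

```python
"""Model udev GROUP/MODE/OWNER assignments for the YubiKey node and check
whether a given user can read *and* write it (scdaemon needs both).
Added example, not the post's own code; sample rules copied from the post."""
import re

# Stock rule from 60-scdaemon.rules: matches the card but sets no GROUP.
STOCK_RULE = ('SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", '
              'ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"')
# "Approach 3" rule: same match, but hands the node to the wheel group.
WHEEL_RULE = ('SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", '
              'ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel"')

# KEY{attr}OP"value" tokens; order of the OP alternatives matters (== before =).
TOKEN = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"')


def parse_rule(rule):
    """Split a one-line udev rule into match conditions and assignments."""
    matches, assigns = {}, {}
    for key, attr, op, val in TOKEN.findall(rule):
        name = f"{key}{{{attr}}}" if attr else key
        (matches if op in ("==", "!=") else assigns)[name] = val
    return matches, assigns


def rule_applies(rule, vendor="1050", product="0407"):
    """True if the rule's idVendor/idProduct conditions match this device."""
    matches, _ = parse_rule(rule)
    return (matches.get("ATTR{idVendor}") == vendor
            and matches.get("ATTR{idProduct}") == product)


def node_owner(rule, default_mode="0664"):
    """Predict (owner, group, mode) of the node after the rule runs.
    Assumption: untouched nodes are root:root 0664, as in the post's ls -al."""
    _, assigns = parse_rule(rule)
    return (assigns.get("OWNER", "root"), assigns.get("GROUP", "root"),
            int(assigns.get("MODE", default_mode), 8))


def can_use(rule, user, groups):
    """Can `user` (member of `groups`) open the node read/write?"""
    if not rule_applies(rule):
        return False
    owner, group, mode = node_owner(rule)
    if user == "root" or user == owner:
        bits = (mode >> 6) & 0o7          # owner triplet (root gets rw- here)
    elif group in groups:
        bits = (mode >> 3) & 0o7          # group triplet
    else:
        bits = mode & 0o7                 # other triplet: r-- only
    return bits & 0o6 == 0o6              # need both read and write
```

With the stock rule the nixos user lands in the "other" triplet and gets read-only access, which is exactly the `No such device` failure; the wheel rule moves the node into a group the user belongs to.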