chore: routine maintenance

system/modules/security.nix

@@ -1,12 +1,34 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 
 {
   services.udev.packages = [ pkgs.yubikey-personalization ];
 
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  security.sudo-rs = {
+    enable = true;
+    execWheelOnly = true;
+    extraConfig = ''
+      Defaults timestamp_timeout=0
+    '';
+  };
+
+  security.sudo.enable = !config.security.sudo-rs.enable;
+
+  # ==== PAM u2f ===== #
+  # $ nix shell nixpkgs#pam_u2f
+  # $ mkdir -p ~/.config/Yubico
+  # $ pamu2fcfg > ~/.config/Yubico/u2f_keys
   security.pam = {
-    services.hyprlock = { };
+    services.hyprlock = {
+      u2fAuth = false;
+    };
     services = {
       sudo.u2fAuth = true;
+      login.u2fAuth = true;
     };
 
     u2f = {
@@ -16,7 +38,5 @@
     };
   };
 
-  environment.systemPackages = with pkgs; [
-    yubikey-manager
-  ];
+  programs.yubikey-manager.enable = true;
 }