From a81f667f946b6d91bf212d91ed1e9fa491340f5b Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Fri, 29 May 2026 15:44:32 -0400
Subject: [PATCH 1/2] add: yubilock nix package
---
 pkgs/default.nix | 10 ++++++----
 pkgs/linux/yubilock/default.nix | 21 +++++++++++++++++++++
 pkgs/linux/yubilock/yubilock.sh | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 pkgs/linux/yubilock/default.nix
 create mode 100644 pkgs/linux/yubilock/yubilock.sh
diff --git a/pkgs/default.nix b/pkgs/default.nix
index a9051c0..0002e38 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,6 +1,8 @@
-{ pkgs }: {
+{ pkgs }:
+{
 # sable-web = pkgs.callPackage ./common/sable.nix {};
- swaytreesave = pkgs.callPackage ./linux/swaytreesave.nix {};
- musicpresence = pkgs.callPackage ./linux/musicpresence.nix {};
- vintage-story = pkgs.callPackage ./linux/vintage-story.nix {};
+ swaytreesave = pkgs.callPackage ./linux/swaytreesave.nix { };
+ musicpresence = pkgs.callPackage ./linux/musicpresence.nix { };
+ vintage-story = pkgs.callPackage ./linux/vintage-story.nix { };
+ yubilock = pkgs.callPackage ./linux/yubilock/default.nix { };
 }
diff --git a/pkgs/linux/yubilock/default.nix b/pkgs/linux/yubilock/default.nix
new file mode 100644
index 0000000..078456e
--- /dev/null
+++ b/pkgs/linux/yubilock/default.nix
@@ -0,0 +1,21 @@
+{ pkgs }:
+let
+ name = "yubilock";
+ runtimeInputs = with pkgs; [
+ systemd
+ coreutils
+ yubikey-manager
+ gawk
+ getent
+ logger
+ ];
+ yubilock = (pkgs.writeScriptBin name (builtins.readFile ./yubilock.sh)).overrideAttrs (old: {
+ buildCommand = "${old.buildCommand}\n patchShebangs $out";
+ });
+in
+pkgs.symlinkJoin {
+ inherit name;
+ paths = [ yubilock ] ++ runtimeInputs;
+ buildInputs = [ pkgs.makeWrapper ];
+ postBuild = "wrapProgram $out/bin/${name} --prefix PATH : $out/bin";
+}
diff --git a/pkgs/linux/yubilock/yubilock.sh b/pkgs/linux/yubilock/yubilock.sh
new file mode 100644
index 0000000..6c7ce17
--- /dev/null
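Review bot: In pkgs/linux/yubilock/default.nix, `paths = [ yubilock ] ++ runtimeInputs` makes `symlinkJoin` link the full trees of systemd, coreutils, yubikey-manager and the other inputs into the yubilock output, so installing the package also exposes all of their tools from `$out/bin`. Keeping the output to the one script and pinning the wrapper's search path to the store paths is tighter: `paths = [ yubilock ];` together with `postBuild = "wrapProgram $out/bin/${name} --prefix PATH : ${pkgs.lib.makeBinPath runtimeInputs}";`. `pkgs.writeShellApplication` would express the same thing in one call, but it also turns on `errexit`/`nounset`/`pipefail` and a shellcheck pass, which the script as written would probably not pass unchanged.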
+++ b/pkgs/linux/yubilock/yubilock.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+SESSIONS=($(loginctl list-sessions --no-legend | awk '{ print $1 }'))
+
+for SESSION_ID in "${SESSIONS[@]}"
+do
+ USERNAME=$(loginctl show-session ${SESSION_ID} -p Name --value)
+ SESSION_TYPE=$(loginctl show-session ${SESSION_ID} -p Type --value) # should be x11 or wayland
+ SESSION_LOCKED=$(loginctl show-session ${SESSION_ID} -p LockedHint --value) # yes/no
+ USER_DIR=$(getent passwd "$USERNAME" | cut -d: -f6)
+ KEY_FILE="$USER_DIR/.yubikeys"
+
+ if ! [[ "$SESSION_TYPE" == "x11" || "$SESSION_TYPE" == "wayland" ]]; then
+ continue
+ fi
+ if ! [ -e "$KEY_FILE" ]; then
+ continue
+ fi
+
+ MATCHING_KEYS=$(comm -12 <(ykman list --serials | sort) <(sort $KEY_FILE))
+
+ if [[ $MATCHING_KEYS == "" ]]; then
+ if [[ $SESSION_LOCKED == "no" ]]; then
+ logger "All YubiKeys Removed ($USERNAME)"
+ loginctl lock-session ${SESSION_ID}
+ fi
+ else
+ if [[ $SESSION_LOCKED == "yes" ]]; then
+ logger "YubiKey Found, Unlocking ($USERNAME)"
+ loginctl activate ${SESSION_ID}
+ loginctl unlock-session ${SESSION_ID}
+ fi
+ fi
+done
--
2.49.1
From 0f78716e90d8d17807861695cdbad3d3d73aaafd Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Fri, 29 May 2026 16:38:58 -0400
Subject: [PATCH 2/2] add: readme addition
---
 pkgs/linux/yubilock/README.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 pkgs/linux/yubilock/README.md
diff --git a/pkgs/linux/yubilock/README.md b/pkgs/linux/yubilock/README.md
new file mode 100644
index 0000000..5134204
--- /dev/null
+++ b/pkgs/linux/yubilock/README.md
@@ -0,0 +1,3 @@
+# Yubilock
+
+A Yubikey unlocking script that allows unlocking of sessions when attached.
--
2.49.1
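Review bot: The `else` branch in pkgs/linux/yubilock/yubilock.sh calls `loginctl unlock-session` as soon as any serial listed in the user's `~/.yubikeys` appears in `ykman list --serials`, so a locked session is opened on a device identifier alone; no PIN, touch or challenge-response is involved, and the serial is not a secret. Consider keeping only the lock-on-removal half here and leaving unlock to the screen locker's PAM stack (for example pam_u2f), or at least making the unlock branch opt-in. The key file is also user-writable input read by what is presumably a privileged job (how the script is launched is not shown): `-e` accepts symlinks and FIFOs and `sort $KEY_FILE` is unquoted, so `[ -f "$KEY_FILE" ] && ! [ -L "$KEY_FILE" ]` and `sort -- "$KEY_FILE"` would be safer. An empty `USER_DIR` from a failed `getent` lookup turns the path into `/.yubikeys`, which `[ -n "$USER_DIR" ] || continue` would rule out.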