nixos: Make yubikey work on boot

nixos-config/default.nix

@@ -11,6 +11,7 @@
     ./greeter
     ./sway.nix
     ./wireguard.nix
+    ./yubikey.nix
     ../modules
   ];
 
@@ -239,12 +240,9 @@
       pulse.enable = true;
     };
 
-    udev.packages = [pkgs.yubikey-personalization];
-
     nscd.enableNsncd = true;
     blueman.enable = true;
     chrony.enable = true;
-    pcscd.enable = true;
     flatpak.enable = true;
     fstrim.enable = true;
     fwupd.enable = true;

nixos-config/yubikey.nix

@@ -0,0 +1,19 @@
+{pkgs, ...}: {
+  services = {
+    udev.packages = [pkgs.yubikey-personalization];
+    pcscd.enable = true;
+  };
+
+  hardware.gpgSmartcards.enable = true;
+
+  # sops-nix will launch an scdaemon instance on boot, which will stay
+  # alive and prevent the yubikey from working with any users that log
+  # in later.
+  systemd.services.shutdownSopsGpg = {
+    path = [pkgs.gnupg];
+    script = ''
+      gpgconf --homedir /var/lib/sops --kill gpg-agent
+    '';
+    wantedBy = ["multi-user.target"];
+  };
+}