yubikey-agent: init at 0.1.3

This adds yubikey-agent as a package and a nixos module.

On macOS, we use `wrapProgram` to set pinentry_mac as default in PATH;
on Linux we rely on the user to set their preferred pinentry in PATH.
In particular, we use a systemd override to prefix PATH to select a
chosen pinentry program if specified.

On Linux, we need libnotify to provide the notify-send utility for
desktop notifications (such as "Waiting for Yubikey touch...").

This might work on other flavors of unix, but I haven't tested.

We reuse the programs.gnupg.agent.pinentryFlavor option for
yubikey-agent, but in doing so I hit a problem: pinentryFlavour's
default value is specified in a mkDefault, but only conditionally.  We
ought to be able to pick up the pinentryFlavour whether or not gpg-agent
is running.  As a result, this commit moves the default value to the
definition of programs.gnupg.agent.enable.

nixos/modules/programs/gnupg.nix

@@ -70,6 +70,7 @@ in
     agent.pinentryFlavor = mkOption {
       type = types.nullOr (types.enum pkgs.pinentry.flavors);
       example = "gnome3";
+      default = defaultPinentryFlavor;
       description = ''
         Which pinentry interface to use. If not null, the path to the
         pinentry binary will be passed to gpg-agent via commandline and
@@ -91,8 +92,6 @@ in
   };
 
   config = mkIf cfg.agent.enable {
-    programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor;
-
     # This overrides the systemd user unit shipped with the gnupg package
     systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {
       serviceConfig.ExecStart = [ "" ''