diff options
Diffstat (limited to 'trivionomicon/modules/athena-bccr/sys.nix')
| -rw-r--r-- | trivionomicon/modules/athena-bccr/sys.nix | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/trivionomicon/modules/athena-bccr/sys.nix b/trivionomicon/modules/athena-bccr/sys.nix new file mode 100644 index 0000000..bd7d758 --- /dev/null +++ b/trivionomicon/modules/athena-bccr/sys.nix @@ -0,0 +1,100 @@ +{ + config, + pkgs, + lib, + cfg, + doctrine, + ... +}: let + athena = + (pkgs.${doctrine.prefix}.athena-bccr.override { + inherit (cfg) mirror; + }).${ + cfg.release + }; + + inherit (athena) vendor; + + driver = athena.card-driver.lib; + scmiddleware = "${driver}/lib/SCMiddleware"; +in { + environment = { + etc = + { + "pkcs11/modules/${vendor}".text = '' + module: ${athena.pkcs11-module} + ''; + } + // lib.optionalAttrs (vendor == "athena") { + "Athena".source = "${driver}/etc/Athena"; + } + // lib.optionalAttrs (vendor == "idopte") { + "idoss.conf".source = "${driver}/etc/idoss.conf"; + "idoss.lic".source = "${driver}/etc/idoss.lic"; + "SCMiddleware".source = scmiddleware; + }; + + systemPackages = [athena.card-driver]; + }; + + security = { + #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar polĂtica nacional de root CA + pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"]; + + polkit = { + enable = lib.mkDefault true; + + extraConfig = '' + polkit.addRule(function(action, subject) { + if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && + subject.isInGroup("users")) { + return polkit.Result.YES; + } + }); + ''; + }; + }; + + services = { + pcscd.enable = true; + + udev.extraRules = + lib.optionalString (vendor == "athena") '' + # Athena Smartcard Solutions, Inc. ASEDrive V3CR + ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess" + '' + + lib.optionalString (vendor == "idopte") '' + # Bit4id Srl miniLector-s + ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl start --no-block idopte-reader.target" + ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl stop --no-block idopte-reader.target" + ''; + }; + + systemd = lib.mkIf (vendor == "idopte") { + #TODO: make this run as a non-root user + services.idopte-cache = { + description = "Idopte cache server"; + + after = ["smartcard.target"]; + bindsTo = ["idopte-reader.target"]; + wantedBy = ["idopte-reader.target"]; + + serviceConfig = { + Type = "forking"; + PIDFile = "/run/idoCacheSrv.pid"; + RuntimeDirectory = "idoss"; + + ExecStart = "${scmiddleware}/idocachesrv"; + }; + }; + + targets.idopte-reader = { + description = "Idopte USB reader inserted"; + + wants = ["smartcard.target"]; + before = ["smartcard.target"]; + }; + }; + + users.groups.${cfg.group} = {}; +} |