Diffstat (limited to 'trivionomicon/modules/athena-bccr/sys.nix')
| -rw-r--r-- | trivionomicon/modules/athena-bccr/sys.nix | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/trivionomicon/modules/athena-bccr/sys.nix b/trivionomicon/modules/athena-bccr/sys.nix
new file mode 100644
index 0000000..ce63b01
--- /dev/null
+++ b/trivionomicon/modules/athena-bccr/sys.nix
@@ -0,0 +1,57 @@
+{
+ pkgs,
+ lib,
+ cfg,
+ doctrine,
+ ...
+}: let
+ athena = pkgs.${doctrine.prefix}.athena-bccr.${cfg.release};
+ inherit (athena) vendor;
+in {
+ environment = {
+ etc =
+ {
+ "pkcs11/modules/${vendor}".text = ''
+ module: ${athena.pkcs11-module}
+ '';
+ }
+ // lib.optionalAttrs (vendor == "athena") {
+ "Athena".source = "${athena.card-driver.lib}/etc/Athena";
+ }
+ // lib.optionalAttrs (vendor == "idopte") {
+ "idoss.conf".source = "${athena.card-driver.lib}/etc/idoss.conf";
+ "idoss.lic".source = "${athena.card-driver.lib}/etc/idoss.lic";
+ };
+
+ systemPackages = [athena.card-driver];
+ };
+
+ security = {
+ #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar polĂtica nacional de root CA
+ pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];
+
+ polkit = {
+ enable = lib.mkDefault true;
+
+ extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
+ subject.isInGroup("users")) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ };
+ };
+
+ services = {
+ pcscd.enable = true;
+
+ udev.extraRules = ''
+ # Athena Smartcard Solutions, Inc. ASEDrive V3CR
+ ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
+ '';
+ };
+
+ users.groups.${cfg.group} = {};
+} |
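Review bot: The polkit rule in `security.polkit.extraConfig` gates PC/SC access on the hard-coded group `users`, while the udev rule and `users.groups.${cfg.group}` in the same hunk set up a dedicated group, so the module's own group option does not control who may talk to the card through pcscd. On a typical NixOS system `users` likely holds every normal account, and the rule returns `polkit.Result.YES` without checking that the session is local or active, so access to the token is presumably wider than the udev `MODE="660"` line suggests. I would change the condition to `subject.isInGroup("${cfg.group}")) {` and consider also requiring `subject.local && subject.active` in it. Separately, the FIXME above `pki.certificateFiles` would be clearer as an English comment stating that the BCCR root becomes trusted system-wide for every TLS consumer, not only for validating card signatures.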
