diff options
Diffstat (limited to 'trivionomicon/modules/athena-bccr')
| -rw-r--r-- | trivionomicon/modules/athena-bccr/default.nix | 14 | ||||
| -rw-r--r-- | trivionomicon/modules/athena-bccr/hm.nix | 19 | ||||
| -rw-r--r-- | trivionomicon/modules/athena-bccr/options.nix | 42 | ||||
| -rw-r--r-- | trivionomicon/modules/athena-bccr/sys.nix | 100 |
4 files changed, 175 insertions, 0 deletions
diff --git a/trivionomicon/modules/athena-bccr/default.nix b/trivionomicon/modules/athena-bccr/default.nix new file mode 100644 index 0000000..93c5660 --- /dev/null +++ b/trivionomicon/modules/athena-bccr/default.nix @@ -0,0 +1,14 @@ +{ + config, + lib, + pkgs, + doctrine, + ... +}: +doctrine.lib.mkModule { + inherit config; + name = "athena-bccr"; + hm = ./hm.nix; + sys = ./sys.nix; + options = ./options.nix; +} diff --git a/trivionomicon/modules/athena-bccr/hm.nix b/trivionomicon/modules/athena-bccr/hm.nix new file mode 100644 index 0000000..df41f12 --- /dev/null +++ b/trivionomicon/modules/athena-bccr/hm.nix @@ -0,0 +1,19 @@ +{ + pkgs, + lib, + cfg, + doctrine, + ... +}: let + athena = + (pkgs.${doctrine.prefix}.athena-bccr.override { + inherit (cfg) mirror; + }).${ + cfg.release + }; +in { + home.packages = [ + athena.firmador + (athena.gaudi.override {inherit (cfg) gaudiHash;}) + ]; +} diff --git a/trivionomicon/modules/athena-bccr/options.nix b/trivionomicon/modules/athena-bccr/options.nix new file mode 100644 index 0000000..7b6cf93 --- /dev/null +++ b/trivionomicon/modules/athena-bccr/options.nix @@ -0,0 +1,42 @@ +{lib, ...}: +with lib.types; { + hm = { + gaudiHash = lib.mkOption { + type = nullOr str; + default = null; + description = "hash of the Gaudi client"; + }; + + mirror = lib.mkOption { + type = nullOr str; + default = null; + description = "release zip mirror base URL, if null then the release zip must be manually added to the Nix store"; + }; + + release = lib.mkOption { + type = str; + default = "latest"; + description = "pinned athena-bccr release tag"; + }; + }; + + sys = { + group = lib.mkOption { + type = str; + default = "users"; + description = "user group with full access to the smartcard reader"; + }; + + mirror = lib.mkOption { + type = nullOr str; + default = null; + description = "release zip mirror base URL, if null then the release zip must be manually added to the Nix store"; + }; + + release = lib.mkOption { + type = str; + default = "latest"; + description = "pinned athena-bccr release tag"; + }; + }; +} diff --git a/trivionomicon/modules/athena-bccr/sys.nix b/trivionomicon/modules/athena-bccr/sys.nix new file mode 100644 index 0000000..bd7d758 --- /dev/null +++ b/trivionomicon/modules/athena-bccr/sys.nix @@ -0,0 +1,100 @@ +{ + config, + pkgs, + lib, + cfg, + doctrine, + ... +}: let + athena = + (pkgs.${doctrine.prefix}.athena-bccr.override { + inherit (cfg) mirror; + }).${ + cfg.release + }; + + inherit (athena) vendor; + + driver = athena.card-driver.lib; + scmiddleware = "${driver}/lib/SCMiddleware"; +in { + environment = { + etc = + { + "pkcs11/modules/${vendor}".text = '' + module: ${athena.pkcs11-module} + ''; + } + // lib.optionalAttrs (vendor == "athena") { + "Athena".source = "${driver}/etc/Athena"; + } + // lib.optionalAttrs (vendor == "idopte") { + "idoss.conf".source = "${driver}/etc/idoss.conf"; + "idoss.lic".source = "${driver}/etc/idoss.lic"; + "SCMiddleware".source = scmiddleware; + }; + + systemPackages = [athena.card-driver]; + }; + + security = { + #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar polĂtica nacional de root CA + pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"]; + + polkit = { + enable = lib.mkDefault true; + + extraConfig = '' + polkit.addRule(function(action, subject) { + if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && + subject.isInGroup("users")) { + return polkit.Result.YES; + } + }); + ''; + }; + }; + + services = { + pcscd.enable = true; + + udev.extraRules = + lib.optionalString (vendor == "athena") '' + # Athena Smartcard Solutions, Inc. ASEDrive V3CR + ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess" + '' + + lib.optionalString (vendor == "idopte") '' + # Bit4id Srl miniLector-s + ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl start --no-block idopte-reader.target" + ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl stop --no-block idopte-reader.target" + ''; + }; + + systemd = lib.mkIf (vendor == "idopte") { + #TODO: make this run as a non-root user + services.idopte-cache = { + description = "Idopte cache server"; + + after = ["smartcard.target"]; + bindsTo = ["idopte-reader.target"]; + wantedBy = ["idopte-reader.target"]; + + serviceConfig = { + Type = "forking"; + PIDFile = "/run/idoCacheSrv.pid"; + RuntimeDirectory = "idoss"; + + ExecStart = "${scmiddleware}/idocachesrv"; + }; + }; + + targets.idopte-reader = { + description = "Idopte USB reader inserted"; + + wants = ["smartcard.target"]; + before = ["smartcard.target"]; + }; + }; + + users.groups.${cfg.group} = {}; +} |