# Configuration fragment for the Athena smart-card stack: installs the card
# driver, registers its PKCS#11 module, adds the BCCR root CA to the system
# trust store, and opens PC/SC and USB reader access to local users.
{
  pkgs,
  lib,
  cfg,
  doctrine,
  ...
}: let
  # Package set for the selected release; prefix and release come from the caller.
  athena = pkgs.${doctrine.prefix}.athena-bccr.${cfg.release};
  driver = athena.card-driver;
in {
  environment.systemPackages = [driver];

  # These /etc entries are generated only when the driver reports vendor "athena".
  environment.etc = lib.optionalAttrs (driver.vendor == "athena") {
    Athena = {source = "${driver}/etc/Athena";};
    # Registers the vendor PKCS#11 module under /etc/pkcs11/modules.
    # NOTE(review): this looks like a p11-kit module file; p11-kit conventionally
    # expects a ".module" suffix — confirm this entry is actually picked up.
    "pkcs11/modules/asep11" = {
      text = ''
        module: ${athena.pkcs11-module}
      '';
    };
  };

  # FIXME: Extremely dangerous if BCCR or MICITT fall (e.g. are compromised);
  # investigate the national root CA policy.
  # certificateFiles feeds the system-wide CA bundle, so this root is trusted
  # by everything that uses that bundle (TLS included), not only for
  # validating card signatures.
  security.pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];

  security.polkit.enable = lib.mkDefault true;
  # Lets every member of "users" talk to pcscd and to cards without a prompt.
  # NOTE(review): the rule checks group membership only, not subject.local or
  # subject.active, so it also applies to remote and inactive sessions.
  # NOTE(review): the group is hard-coded as "users" while the udev rule below
  # uses cfg.group — confirm the difference is intended.
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
    subject.isInGroup("users")) {
    return polkit.Result.YES;
    }
    });
  '';

  services.pcscd.enable = true;
  # Reader device node: read/write for owner and cfg.group, nothing for others;
  # the uaccess tag additionally marks the device for per-session user access.
  services.udev.extraRules = ''
    # Athena Smartcard Solutions, Inc. ASEDrive V3CR
    ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
  '';

  # Make sure the group named in the udev rule exists.
  users.groups.${cfg.group} = {};
}