modules/athena-bccr: initial commit

2025-08-06 14:59:33 -06:00 · 2025-08-06 14:59:33 -06:00 · c651b8c470
commit c651b8c470
parent e72efe6b59
4 changed files with 93 additions and 0 deletions
--- a/modules/athena-bccr/default.nix
+++ b/modules/athena-bccr/default.nix
@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "athena-bccr";
+  hm = ./hm.nix;
+  sys = ./sys.nix;
+  options = ./options.nix;
+}
--- a/modules/athena-bccr/hm.nix
+++ b/modules/athena-bccr/hm.nix
@ -0,0 +1,14 @@
+{
+  pkgs,
+  lib,
+  cfg,
+  doctrine,
+  ...
+}: let
+  athena = pkgs.${doctrine.prefix}.athena-bccr.${cfg.release};
+in {
+  home.packages = [
+    athena.firmador
+    (athena.gaudi.override {inherit (cfg) gaudiHash;})
+  ];
+}
--- a/modules/athena-bccr/options.nix
+++ b/modules/athena-bccr/options.nix
@ -0,0 +1,30 @@
+{lib, ...}:
+with lib.types; {
+  hm = {
+    gaudiHash = lib.mkOption {
+      type = nullOr str;
+      default = null;
+      description = "hash of the Gaudi client";
+    };
+
+    release = lib.mkOption {
+      type = str;
+      default = "latest";
+      description = "pinned athena-bccr release tag";
+    };
+  };
+
+  sys = {
+    group = lib.mkOption {
+      type = str;
+      default = "users";
+      description = "user group with full access to the smartcard reader";
+    };
+
+    release = lib.mkOption {
+      type = str;
+      default = "latest";
+      description = "pinned athena-bccr release tag";
+    };
+  };
+}
--- a/modules/athena-bccr/sys.nix
+++ b/modules/athena-bccr/sys.nix
@ -0,0 +1,35 @@
+{
+  pkgs,
+  lib,
+  cfg,
+  doctrine,
+  ...
+}: let
+  athena = pkgs.${doctrine.prefix}.athena-bccr.${cfg.release};
+in {
+  environment = {
+    etc = {
+      "Athena".source = "${athena.ase-pkcs11}/etc/Athena";
+
+      "pkcs11/modules/asep11".text = ''
+        module: ${athena.libasep11}
+      '';
+    };
+
+    systemPackages = [athena.ase-pkcs11];
+  };
+
+  #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA
+  security.pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];
+
+  services = {
+    pcscd.enable = true;
+
+    udev.extraRules = ''
+      # Athena Smartcard Solutions, Inc. ASEDrive V3CR
+      ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
+    '';
+  };
+
+  users.groups.${cfg.group} = {};
+}