deepState/trivionomicon
3
0
Fork 1
Code Issues Pull requests Releases Wiki Activity Actions
trivionomicon/modules/athena-bccr/sys.nix
Alejandro Soto f7ec31843d trivionomicon: athena-bccr: add idopte cache server
2026-03-09 12:55:19 -06:00

94 lines
2.6 KiB
Nix
Raw Blame History

{
config,
pkgs,
lib,
cfg,
doctrine,
...
}: let
athena = pkgs.${doctrine.prefix}.athena-bccr.${cfg.release};
inherit (athena) vendor;
driver = athena.card-driver.lib;
scmiddleware = "${driver}/lib/SCMiddleware";
in {
environment = {
etc =
{
"pkcs11/modules/${vendor}".text = ''
module: ${athena.pkcs11-module}
'';
}
// lib.optionalAttrs (vendor == "athena") {
"Athena".source = "${driver}/etc/Athena";
}
// lib.optionalAttrs (vendor == "idopte") {
"idoss.conf".source = "${driver}/etc/idoss.conf";
"idoss.lic".source = "${driver}/etc/idoss.lic";
"SCMiddleware".source = scmiddleware;
};
systemPackages = [athena.card-driver];
};
security = {
#FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA
pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];
polkit = {
enable = lib.mkDefault true;
extraConfig = ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
subject.isInGroup("users")) {
return polkit.Result.YES;
}
});
'';
};
};
services = {
pcscd.enable = true;
udev.extraRules =
lib.optionalString (vendor == "athena") ''
# Athena Smartcard Solutions, Inc. ASEDrive V3CR
ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
''
+ lib.optionalString (vendor == "idopte") ''
# Bit4id Srl miniLector-s
ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl start --no-block idopte-reader.target"
ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl stop --no-block idopte-reader.target"
'';
};
systemd = lib.mkIf (vendor == "idopte") {
#TODO: make this run as a non-root user
services.idopte-cache = {
description = "Idopte cache server";
after = ["smartcard.target"];
bindsTo = ["idopte-reader.target"];
wantedBy = ["idopte-reader.target"];
serviceConfig = {
Type = "forking";
PIDFile = "/run/idoCacheSrv.pid";
RuntimeDirectory = "idoss";
ExecStart = "${scmiddleware}/idocachesrv";
};
};
targets.idopte-reader = {
description = "Idopte USB reader inserted";
wants = ["smartcard.target"];
before = ["smartcard.target"];
};
};
users.groups.${cfg.group} = {};
}
Reference in a new issue View git blame Copy permalink