From c01f195d59eeab96525f9edaf842202467720d85 Mon Sep 17 00:00:00 2001 From: Fabian Montero Date: Fri, 13 Feb 2026 00:08:14 -0600 Subject: [PATCH 1/4] update config to new 25.11 options --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 2b53ebd..151c3d3 100644 --- a/flake.nix +++ b/flake.nix @@ -210,7 +210,7 @@ }: flakes.nixpkgs.lib.makeOverridable flakes.nixpkgs.lib.nixosSystem { inherit pkgs; - inherit (pkgs) system; + inherit (pkgs.stdenv.hostPlatform) system; modules = [self.nixosModules.default] ++ modules; From f133a894d89bbedfc17e56189d3ef77005b6b877 Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Wed, 18 Feb 2026 18:56:39 -0600 Subject: [PATCH 2/4] trivionomicon: athena-bccr: fix Polkit authentication failures --- modules/athena-bccr/sys.nix | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/modules/athena-bccr/sys.nix b/modules/athena-bccr/sys.nix index 631185d..9532358 100644 --- a/modules/athena-bccr/sys.nix +++ b/modules/athena-bccr/sys.nix @@ -19,8 +19,22 @@ in { systemPackages = [athena.ase-pkcs11]; }; - #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA - security.pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"]; + security = { + #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA + pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"]; + + polkit = { + enable = lib.mkDefault true; + + extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.isInGroup("users")) { + return polkit.Result.YES; + } + }); + ''; + }; + }; services = { pcscd.enable = true; From cbc0180d60888b0eaf005e9042f7bccbc4afbc7d Mon Sep 17 00:00:00 2001 
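Review bot: The rule added under `security.polkit.extraConfig` in modules/athena-bccr/sys.nix returns `polkit.Result.YES` for `org.debian.pcsc-lite.access_pcsc` to every subject in the `users` group without checking `subject.local` or `subject.active`, so it also covers remote and background sessions of those accounts. On NixOS, normal users typically have `users` as their primary group, so in practice this is close to every human account on the machine. If the failures being fixed come from a local session that logind does not mark as active, consider narrowing the condition to `subject.local && subject.isInGroup("users")` or to a dedicated group, and add a Nix comment above `extraConfig` stating why the pcsc-lite default policy is overridden. PATCH 3/4 extends the same condition to `org.debian.pcsc-lite.access_card`, so the same point applies to that hunk.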
From: Alejandro Soto Date: Wed, 18 Feb 2026 19:06:23 -0600 Subject: [PATCH 3/4] trivionomicon: athena-bccr: allow the 'users' group to access any card --- modules/athena-bccr/sys.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/athena-bccr/sys.nix b/modules/athena-bccr/sys.nix index 9532358..2dd56e2 100644 --- a/modules/athena-bccr/sys.nix +++ b/modules/athena-bccr/sys.nix @@ -28,7 +28,8 @@ in { extraConfig = '' polkit.addRule(function(action, subject) { - if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.isInGroup("users")) { + if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && + subject.isInGroup("users")) { return polkit.Result.YES; } }); From d835588135cdac30b5bf0fe0479636b85a0240cc Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Wed, 18 Feb 2026 19:25:49 -0600 Subject: [PATCH 4/4] trivionomicon: athena-bccr: update 1.9.8 -> latest master --- ...01-Remove-CheckUpdatePlugin-from-default-list.patch | 10 +++++----- pkgs/athena-bccr/firmador.nix | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch b/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch index e7fc5d5..a15896a 100644 --- a/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch +++ b/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch @@ -8,18 +8,18 @@ Subject: [PATCH] Remove CheckUpdatePlugin from default list 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/cr/libre/firmador/Settings.java b/src/main/java/cr/libre/firmador/Settings.java -index e5ddf01..a028d6e 100644 +index e392a82..c2ab5e4 100644 --- a/src/main/java/cr/libre/firmador/Settings.java 
+++ b/src/main/java/cr/libre/firmador/Settings.java -@@ -81,7 +81,7 @@ public class Settings { - +@@ -160,7 +160,7 @@ public class Settings { + @SuppressWarnings("this-escape") public Settings() { activePlugins.add("cr.libre.firmador.plugins.DummyPlugin"); - activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin"); + // activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin"); + // activePlugins.add("cr.libre.firmador.plugins.DocumentSignLogs"); availablePlugins.add("cr.libre.firmador.plugins.DummyPlugin"); availablePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin"); - } -- -2.49.0 +2.51.2 diff --git a/pkgs/athena-bccr/firmador.nix b/pkgs/athena-bccr/firmador.nix index 8ae8750..e07235b 100644 --- a/pkgs/athena-bccr/firmador.nix +++ b/pkgs/athena-bccr/firmador.nix @@ -11,7 +11,7 @@ enableJavaFX = true; }; - version = "1.9.8"; + version = "1.9.8+master"; in maven.buildMavenPackage { pname = "firmador"; @@ -19,15 +19,15 @@ in src = fetchgit { url = "https://codeberg.org/firmador/firmador"; - rev = version; - hash = "sha256-xdiVPjihRADPK4nG+WQHWsDzVYLCeN6ouQ6SDtjf1qQ="; + rev = "676b0e3c0dc5adb0628d4d98efcfccfca3daa8a7"; + hash = "sha256-f/EKll1csvUCRSt4G1SeDB4gVW+ZtUgJjlmM7PlafyQ="; }; patches = [ ./0001-Remove-CheckUpdatePlugin-from-default-list.patch ]; - mvnHash = "sha256-m3UaOLNyIlVAOI5tzxMlxg4KZ1N5gT2O2WSka+jBat4="; + mvnHash = "sha256-0vwJ1f+0UXxrXRaJ1BHqfOXDU/pxrSPdYYEQ71m4jJQ="; nativeBuildInputs = [ makeWrapper @@ -35,7 +35,7 @@ in ]; postPatch = lib.optionalString (libasep11 != null) '' - sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/CRSigner.java + sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/signers/CRSigner.java ''; installPhase = ''
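Review bot: `version = "1.9.8+master"` in the first firmador.nix hunk does not say which commit is built, and `rev` in the next hunk is now a bare hash, so neither the store path nor the version shows how old the snapshot is. The nixpkgs convention for untagged snapshots is `version = "1.9.8-unstable-<YYYY-MM-DD>";`, using the date of the pinned commit (a placeholder here, because the page does not give it). Pinning a full commit hash together with `hash` and `mvnHash` is the right shape for reproducibility. A short comment naming the upstream change that required leaving the 1.9.8 tag would help whoever next bumps this signing tool.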
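Review bot: The `sed -i` in `postPatch` exits successfully when the literal `/usr/lib/x64-athena/libASEP11.so` is not found, so if upstream rewrites that string the build still passes and the packaged signer keeps pointing at a PKCS#11 module path outside the Nix store. This commit already had to follow the file from `firmador/CRSigner.java` to `firmador/signers/CRSigner.java`, which shows the source layout does move. `substituteInPlace src/main/java/cr/libre/firmador/signers/CRSigner.java --replace-fail /usr/lib/x64-athena/libASEP11.so ${libasep11}` would fail the build on a silent miss. The `postPatch` string is closed inside the hunk, but the surrounding derivation continues outside it.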