stuff

2024-06-29 14:33:24 -07:00
parent 0b63217f7b
commit b45f539fb1
1 changed files with 24 additions and 0 deletions
--- a/fw/apex.nix
+++ b/fw/apex.nix
@@ -13,4 +13,28 @@
  services.pcscd.enable = true;
  # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
  boot.blacklistedKernelModules = [ "pn533_usb" "pn533" "nfc" ];
+
+  # bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
+  
+  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
+  # (PIN1 for authentication/decryption, PIN2 for signing).
+  environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+    module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+  '';
+
+  environment.systemPackages = with pkgs; [
+    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
+    # security devices, so they can be used for TLS client auth.
+    # Each user needs to run this themselves, it does not work on a system level
+    # due to a bug in Chromium:
+    #
+    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
+    (pkgs.writeShellScriptBin "setup-browser-eid" ''
+      NSSDB="''${HOME}/.pki/nssdb"
+      mkdir -p ''${NSSDB}
+
+      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
+        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
+    '')
+  ];
 }