tvl-depot/ops/modules/open_eid.nix

# NixOS module to configure the Estonian e-ID software.
{ pkgs, ... }:

{
  services.pcscd.enable = true;

  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
  # (PIN1 for authentication/decryption, PIN2 for signing).
  environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
    module: ${pkgs.opensc}/lib/opensc-pkcs11.so
  '';

  # Configure Firefox (in case users set `programs.firefox.enable = true;`)
  programs.firefox = {
    # Allow a possibly installed "Web eID" extension to do native messaging with
    # the "web-eid-app" native component.
    # Users not using `programs.firefox.enable` can override their firefox
    # derivation, by setting `extraNativeMessagingHosts = [ pkgs.web-eid-app ]`.
    nativeMessagingHosts.euwebid = true;
    # Configure Firefox to load smartcards via p11kit-proxy.
    # Users not using `programs.firefox.enable` can override their firefox
    # derivation, by setting
    # `extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so"`.
    policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
  };

  # Chromium users need a symlink to their (slightly different) .json file
  # in the native messaging hosts' manifest file location.
  environment.etc."chromium/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
  environment.etc."opt/chrome/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";

  environment.systemPackages = with pkgs; [
    libdigidocpp.bin # provides digidoc-tool(1)
    qdigidoc

    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
    # security devices, so they can be used for TLS client auth.
    # Each user needs to run this themselves, it does not work on a system level
    # due to a bug in Chromium:
    #
    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
    #
    # Firefox users can just set
    # extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
    # when overriding the firefox derivation.
    (pkgs.writeShellScriptBin "setup-browser-eid" ''
      NSSDB="''${HOME}/.pki/nssdb"
      mkdir -p ''${NSSDB}

      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
    '')
  ];
}
feat(ops/modules): Add module for using Estonian e-residency card Someone already packaged the required software, so I didn't have to do that. Change-Id: Ifc6a68fd4cd89f4718368a05acb6c6f536e01aab Reviewed-on: https://cl.tvl.fyi/c/depot/+/5431 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: tazjin <tazjin@tvl.su> 2022-04-03 20:46:56 +02:00			`# NixOS module to configure the Estonian e-ID software.`
			`{ pkgs, ... }:`

			`{`
			`services.pcscd.enable = true;`

feat(ops/modules/open_eid.nix): Access all key slots `onepin-opensc-pkcs11.so` only enables PIN1, but PIN2 is also required. Change-Id: Ic1c34ca58a46c2978c7e27e7a9b7e6a4d335ac0c Reviewed-on: https://cl.tvl.fyi/c/depot/+/5648 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: kn <klemens@posteo.de> Reviewed-by: tazjin <tazjin@tvl.su> 2022-05-23 01:52:51 +02:00			`# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots`
			`# (PIN1 for authentication/decryption, PIN2 for signing).`
			`environment.etc."pkcs11/modules/opensc-pkcs11".text = ''`
			`module: ${pkgs.opensc}/lib/opensc-pkcs11.so`
feat(ops/modules/open_eid.nix): use p11-kit-proxy … instead of onepin-opensc-pkcs11. This acts as a glue to multiple PKCS#11 modules, and reads configuration files from /etc/pkcs11/modules. p11-kit is also used to propagate the system trust store to NSS: https://p11-glue.github.io/p11-glue/sharing-trust-policy.html See-Also: https://p11-glue.github.io/p11-glue/p11-kit.html Change-Id: I135c3a80a4eea0bd06f6b00089dc197c82476746 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5533 Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI 2022-05-07 21:02:48 +02:00			`'';`

feat(ops/modules/open_eid): add support for Web eID extension Most likely due to bad UX in browsers for hardware-backed TLS client cert auth, most websites have switched from client-side TLS to the "Web eID" extension. Once installed, the extension uses [Native Messaging] to talk to a `web-eid-app` application, which handles the communication with the smart card itself. This can be tested on https://web-eid.eu/ . The commit needs nixpkgs to be bumped past https://github.com/NixOS/nixpkgs/pull/227354 . [Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI 2023-04-21 00:04:23 +02:00			# Configure Firefox (in case users set `programs.firefox.enable = true;`)
			`programs.firefox = {`
			`# Allow a possibly installed "Web eID" extension to do native messaging with`
			`# the "web-eid-app" native component.`
			# Users not using `programs.firefox.enable` can override their firefox
			# derivation, by setting `extraNativeMessagingHosts = [ pkgs.web-eid-app ]`.
			`nativeMessagingHosts.euwebid = true;`
			`# Configure Firefox to load smartcards via p11kit-proxy.`
			# Users not using `programs.firefox.enable` can override their firefox
			`# derivation, by setting`
			# `extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so"`.
			`policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";`
			`};`

			`# Chromium users need a symlink to their (slightly different) .json file`
			`# in the native messaging hosts' manifest file location.`
			`environment.etc."chromium/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";`
			`environment.etc."opt/chrome/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";`

feat(ops/modules): Add module for using Estonian e-residency card Someone already packaged the required software, so I didn't have to do that. Change-Id: Ifc6a68fd4cd89f4718368a05acb6c6f536e01aab Reviewed-on: https://cl.tvl.fyi/c/depot/+/5431 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: tazjin <tazjin@tvl.su> 2022-04-03 20:46:56 +02:00			`environment.systemPackages = with pkgs; [`
fix(ops/modules/open_eid): use libdigidocpp.bin nixpkgs commit 134036f642a7f3ba9efeab509727c0989458b02b moved the digidoc-tool binary to the `bin` output, so this wasn't actually providing the digidoc-tool binary anymore. Change-Id: Id5f7cc69d55b7cc058a6361512cc74de0e7bc1b2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8487 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de> 2023-04-19 01:02:58 +02:00			`libdigidocpp.bin # provides digidoc-tool(1)`
feat(ops/modules): Add module for using Estonian e-residency card Someone already packaged the required software, so I didn't have to do that. Change-Id: Ifc6a68fd4cd89f4718368a05acb6c6f536e01aab Reviewed-on: https://cl.tvl.fyi/c/depot/+/5431 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: tazjin <tazjin@tvl.su> 2022-04-03 20:46:56 +02:00			`qdigidoc`
feat(ops/modules/open_eid): add support for Web eID extension Most likely due to bad UX in browsers for hardware-backed TLS client cert auth, most websites have switched from client-side TLS to the "Web eID" extension. Once installed, the extension uses [Native Messaging] to talk to a `web-eid-app` application, which handles the communication with the smart card itself. This can be tested on https://web-eid.eu/ . The commit needs nixpkgs to be bumped past https://github.com/NixOS/nixpkgs/pull/227354 . [Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI 2023-04-21 00:04:23 +02:00
			`# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load`
			`# security devices, so they can be used for TLS client auth.`
			`# Each user needs to run this themselves, it does not work on a system level`
			`# due to a bug in Chromium:`
			`#`
			`# https://bugs.chromium.org/p/chromium/issues/detail?id=16387`
			`#`
			`# Firefox users can just set`
			`# extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";`
			`# when overriding the firefox derivation.`
			`(pkgs.writeShellScriptBin "setup-browser-eid" ''`
			`NSSDB="''${HOME}/.pki/nssdb"`
			`mkdir -p ''${NSSDB}`

			`${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \`
			`-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so`
			`'')`
feat(ops/modules): Add module for using Estonian e-residency card Someone already packaged the required software, so I didn't have to do that. Change-Id: Ifc6a68fd4cd89f4718368a05acb6c6f536e01aab Reviewed-on: https://cl.tvl.fyi/c/depot/+/5431 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: tazjin <tazjin@tvl.su> 2022-04-03 20:46:56 +02:00			`];`
			`}`