calcite: add ssh-tpm-agent

2024-03-25 16:26:48 +08:00 · 2024-03-25 16:26:48 +08:00 · aa230d639f
commit aa230d639f
parent 26a11e0df0
10 changed files with 136 additions and 29 deletions
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -7,5 +7,6 @@
    ./hedgedoc.nix
    ./sing-box.nix
    ./kanidm-client.nix
+    ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
  ];
 }
--- a/modules/nixos/ssh-tpm-agent.nix
+++ b/modules/nixos/ssh-tpm-agent.nix
@ -0,0 +1,48 @@
+# Temporary workaround
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.ssh-tpm-agent;
+in
+{
+  options = {
+    services.ssh-tpm-agent.enable = lib.mkEnableOption "TPM supported ssh agent in go";
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.user.services.ssh-tpm-agent = {
+      enable = true;
+      unitConfig = {
+        Description = "SSH TPM agent service";
+        Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)";
+        Requires = "ssh-tpm-agent.socket";
+        ConditionEnvironment = "!SSH_AGENT_PID";
+      };
+      serviceConfig = {
+        Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket";
+        ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent";
+        PassEnvironment = "SSH_AGENT_PID";
+        SuccessExitStatus = 2;
+        Type = "simple";
+      };
+      wants = [ "ssh-tpm-agent.socket" ];
+    };
+
+    systemd.user.sockets.ssh-tpm-agent = {
+      enable = true;
+      description = "SSH TPM agent socket";
+      socketConfig = {
+        ListenStream = "%t/ssh-tpm-agent.sock";
+        SocketMode = "0600";
+        Service = "ssh-tpm-agent.service";
+      };
+
+      wantedBy = [ "sockets.target" ];
+    };
+
+    environment = {
+      systemPackages = [ pkgs.ssh-tpm-agent ];
+      extraInit = ''
+        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-tpm-agent.sock"
+      '';
+    };
+  };
+}