Skip to content

Commit

Permalink
Move tpm to its own folder
Browse files Browse the repository at this point in the history
  • Loading branch information
arunoruto committed Nov 2, 2024
1 parent f5478de commit 807eba6
Show file tree
Hide file tree
Showing 3 changed files with 46 additions and 32 deletions.
2 changes: 1 addition & 1 deletion modules/nixos/security/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
./fingerprint.nix
./rssh.nix
./secrets.nix
./tpm.nix
./tpm
./yubikey
];

Expand Down
22 changes: 0 additions & 22 deletions modules/nixos/security/tpm.nix

This file was deleted.

54 changes: 45 additions & 9 deletions modules/nixos/security/tpm/ssh-tpm-agent.nix
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
...
}:
let
cfg = config.services.ssh-tpm.agent;
cfg = config.services.ssh-tpm-agent;
# socket = "/run/ssh-tpm-agent/socket";
socket = "/var/tmp/ssh-tpm-agent.sock";
in
Expand All @@ -23,18 +23,17 @@ in
};

config = lib.mkIf cfg.enable {
# security.tpm2 = {
# enable = true;
# pkcs11.enable = true;
# abrmd.enable = true;
# # tctiEnvironment.enable = true;
# };
security.tpm2 = {
enable = lib.mkDefault true;
pkcs11.enable = lib.mkDefault true;
};

environment.systemPackages = [ cfg.package ];

systemd = {
packages = [ cfg.package ];

# System services
services = {
ssh-tpm-genkeys = rec {
description = "SSH TPM Key Generation";
Expand Down Expand Up @@ -69,7 +68,7 @@ in
};

serviceConfig = {
ExecStart = "${cfg.package}/bin/ssh-tpm-agent --key-dir /etc/ssh";
ExecStart = "${cfg.package}/bin/ssh-tpm-agent -d -l ${socket} --key-dir /etc/ssh";
PassEnvironment = "SSH_AGENT_PID";
KillMode = "process";
Restart = "always";
Expand All @@ -87,7 +86,44 @@ in

socketConfig = {
ListenStream = socket;
SocketMode = "0666";
SocketMode = "0600";
Service = "ssh-tpm-agent.service";
};

wantedBy = [ "sockets.target" ];
};
};

# User services
user = {
services.ssh-tpm-agent = {
unitConfig = {
ConditionEnvironment = "!SSH_AGENT_PID";
Description = "ssh-tpm-agent service";
Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)";
Requires = "ssh-tpm-agent.socket";
};

serviceConfig = {
Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.sock";
ExecStart = "${cfg.package}/bin/ssh-tpm-agent -d";
PassEnvironment = "SSH_AGENT_PID";
SuccessExitStatus = "2";
Type = "simple";
};

wantedBy = [ "default.target" ];
};

sockets.ssh-tpm-agent = {
unitConfig = {
Description = "SSH TPM agent socket";
Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)";
};

socketConfig = {
ListenStream = "%t/ssh-tpm-agent.sock";
SocketMode = "0600";
Service = "ssh-tpm-agent.service";
};

Expand Down

0 comments on commit 807eba6

Please sign in to comment.