From 807eba6219bc63b173486e145bedd205e9eb5f75 Mon Sep 17 00:00:00 2001 From: arunoruto Date: Sat, 2 Nov 2024 16:08:05 +0100 Subject: [PATCH] Move tpm to its own folder --- modules/nixos/security/default.nix | 2 +- modules/nixos/security/tpm.nix | 22 -------- modules/nixos/security/tpm/ssh-tpm-agent.nix | 54 ++++++++++++++++---- 3 files changed, 46 insertions(+), 32 deletions(-) delete mode 100644 modules/nixos/security/tpm.nix diff --git a/modules/nixos/security/default.nix b/modules/nixos/security/default.nix index 3b55865..702b4eb 100644 --- a/modules/nixos/security/default.nix +++ b/modules/nixos/security/default.nix @@ -9,7 +9,7 @@ ./fingerprint.nix ./rssh.nix ./secrets.nix - ./tpm.nix + ./tpm ./yubikey ]; diff --git a/modules/nixos/security/tpm.nix b/modules/nixos/security/tpm.nix deleted file mode 100644 index b5c750a..0000000 --- a/modules/nixos/security/tpm.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -{ - options.tpm.enable = lib.mkEnableOption "Enable TPM secuirty options"; - config = lib.mkIf config.tpm.enable { - security.tpm2 = { - enable = true; - pkcs11.enable = true; - abrmd.enable = true; - tctiEnvironment.enable = true; - }; - - environment.systemPackages = with pkgs.unstable; [ - ssh-tpm-agent - tpm2-tools - ]; - }; -} diff --git a/modules/nixos/security/tpm/ssh-tpm-agent.nix b/modules/nixos/security/tpm/ssh-tpm-agent.nix index e63e22e..1355831 100644 --- a/modules/nixos/security/tpm/ssh-tpm-agent.nix +++ b/modules/nixos/security/tpm/ssh-tpm-agent.nix @@ -5,7 +5,7 @@ ... }: let - cfg = config.services.ssh-tpm.agent; + cfg = config.services.ssh-tpm-agent; # socket = "/run/ssh-tpm-agent/socket"; socket = "/var/tmp/ssh-tpm-agent.sock"; in @@ -23,18 +23,17 @@ in }; config = lib.mkIf cfg.enable { - # security.tpm2 = { - # enable = true; - # pkcs11.enable = true; - # abrmd.enable = true; - # # tctiEnvironment.enable = true; - # }; + security.tpm2 = { + enable = lib.mkDefault true; + pkcs11.enable = lib.mkDefault true; + }; environment.systemPackages = [ cfg.package ]; systemd = { packages = [ cfg.package ]; + # System services services = { ssh-tpm-genkeys = rec { description = "SSH TPM Key Generation"; @@ -69,7 +68,7 @@ in }; serviceConfig = { - ExecStart = "${cfg.package}/bin/ssh-tpm-agent --key-dir /etc/ssh"; + ExecStart = "${cfg.package}/bin/ssh-tpm-agent -d -l ${socket} --key-dir /etc/ssh"; PassEnvironment = "SSH_AGENT_PID"; KillMode = "process"; Restart = "always"; @@ -87,7 +86,44 @@ in socketConfig = { ListenStream = socket; - SocketMode = "0666"; + SocketMode = "0600"; + Service = "ssh-tpm-agent.service"; + }; + + wantedBy = [ "sockets.target" ]; + }; + }; + + # User services + user = { + services.ssh-tpm-agent = { + unitConfig = { + ConditionEnvironment = "!SSH_AGENT_PID"; + Description = "ssh-tpm-agent service"; + Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)"; + Requires = "ssh-tpm-agent.socket"; + }; + + serviceConfig = { + Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.sock"; + ExecStart = "${cfg.package}/bin/ssh-tpm-agent -d"; + PassEnvironment = "SSH_AGENT_PID"; + SuccessExitStatus = "2"; + Type = "simple"; + }; + + wantedBy = [ "default.target" ]; + }; + + sockets.ssh-tpm-agent = { + unitConfig = { + Description = "SSH TPM agent socket"; + Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)"; + }; + + socketConfig = { + ListenStream = "%t/ssh-tpm-agent.sock"; + SocketMode = "0600"; Service = "ssh-tpm-agent.service"; };