nixos/pcscd: allow use without polkit

The polkit support in pcsclite is entirely optional but package enables it unconditionally and this breaks connecting to the pcscd daemon on systems without polkit. The fix is making this configurable and automatically disabling `polkitSupport` when the polkit service is disabled.
2022-09-04 11:36:39 +02:00 · 2022-09-04 11:36:39 +02:00 · c90b6a859b
commit c90b6a859b
parent f3a270008f
3 changed files with 22 additions and 12 deletions
--- a/nixos/modules/services/hardware/pcscd.nix
+++ b/nixos/modules/services/hardware/pcscd.nix
@ -5,6 +5,10 @@ with lib;
 let
  cfgFile = pkgs.writeText "reader.conf" config.services.pcscd.readerConfig;

+  package = if config.security.polkit.enable
+              then pkgs.pcscliteWithPolkit
+              else pkgs.pcsclite;
+
  pluginEnv = pkgs.buildEnv {
    name = "pcscd-plugins";
    paths = map (p: "${p}/pcsc/drivers") config.services.pcscd.plugins;
@ -49,8 +53,8 @@ in

    environment.etc."reader.conf".source = cfgFile;

-    environment.systemPackages = [ pkgs.pcsclite ];
-    systemd.packages = [ (getBin pkgs.pcsclite) ];
+    environment.systemPackages = [ package ];
+    systemd.packages = [ (getBin package) ];

    systemd.sockets.pcscd.wantedBy = [ "sockets.target" ];

@ -66,7 +70,7 @@ in
      # around it, we force the path to the cfgFile.
      #
      # https://github.com/NixOS/nixpkgs/issues/121088
-      serviceConfig.ExecStart = [ "" "${getBin pkgs.pcsclite}/bin/pcscd -f -x -c ${cfgFile}" ];
+      serviceConfig.ExecStart = [ "" "${getBin package}/bin/pcscd -f -x -c ${cfgFile}" ];
    };
  };
 }
--- a/pkgs/tools/security/pcsclite/default.nix
+++ b/pkgs/tools/security/pcsclite/default.nix
@ -10,10 +10,12 @@
 , polkit
 , systemdMinimal
 , IOKit
+, pname ? "pcsclite"
+, polkitSupport ? false
 }:

 stdenv.mkDerivation rec {
-  pname = "pcsclite";
+  inherit pname;
  version = "1.9.5";

  outputs = [ "bin" "out" "dev" "doc" "man" ];
@ -34,14 +36,12 @@ stdenv.mkDerivation rec {
    "--enable-confdir=/etc"
    # The OS should care on preparing the drivers into this location
    "--enable-usbdropdir=/var/lib/pcsc/drivers"
-  ]
-  ++ (if stdenv.isLinux then [
+    (lib.enableFeature stdenv.isLinux "systemd")
+    (lib.enableFeature polkitSupport "polkit")
+  ] ++ lib.optionals stdenv.isLinux [
    "--enable-ipcdir=/run/pcscd"
-    "--enable-polkit"
    "--with-systemdsystemunitdir=${placeholder "bin"}/lib/systemd/system"
-  ] else [
-    "--disable-libsystemd"
-  ]);
+  ];

  postConfigure = ''
    sed -i -re '/^#define *PCSCLITE_HP_DROPDIR */ {
@ -59,8 +59,9 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ autoreconfHook autoconf-archive pkg-config perl ];

  buildInputs = [ python3 ]
-    ++ lib.optionals stdenv.isLinux [ dbus polkit systemdMinimal ]
-    ++ lib.optionals stdenv.isDarwin [ IOKit ];
+    ++ lib.optionals stdenv.isLinux [ systemdMinimal ]
+    ++ lib.optionals stdenv.isDarwin [ IOKit ]
+    ++ lib.optionals polkitSupport [ dbus polkit ];

  meta = with lib; {
    description = "Middleware to access a smart card using SCard API (PC/SC)";
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -10154,6 +10154,11 @@ with pkgs;
    inherit (darwin.apple_sdk.frameworks) IOKit;
  };

+  pcscliteWithPolkit = pcsclite.override {
+    pname = "pcsclite-with-polkit";
+    polkitSupport = true;
+  };
+
  pcsctools = callPackage ../tools/security/pcsctools { };

  pcsc-cyberjack = callPackage ../tools/security/pcsc-cyberjack { };