nixos/ausweisapp: init module with firewall option

Optional functionality of AusweisApp2 requires an UDP port to be opened. The module allows for convenient configuration and serves as documentation. See also https://github.com/NixOS/nixpkgs/issues/136269
2021-09-04 23:03:26 +02:00 · 2021-09-04 23:03:26 +02:00 · b20df24e2c
parent d68d3438fc
commit b20df24e2c
4 changed files with 36 additions and 0 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -265,6 +265,14 @@
          <link linkend="opt-services.tempo.enable">services.tempo</link>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.ausweisapp.bund.de/">AusweisApp2</link>,
+          the authentication software for the German ID card. Available
+          as
+          <link linkend="opt-programs.ausweisapp.enable">programs.ausweisapp</link>.
+        </para>
+      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/zalando/patroni">Patroni</link>,
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -94,6 +94,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).

+- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
+
 - [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
 Available as [services.patroni](options.html#opt-services.patroni.enable).

--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -128,6 +128,7 @@
  ./programs/adb.nix
  ./programs/appgate-sdp.nix
  ./programs/atop.nix
+  ./programs/ausweisapp.nix
  ./programs/autojump.nix
  ./programs/bandwhich.nix
  ./programs/bash/bash.nix
--- a/nixos/modules/programs/ausweisapp.nix
+++ b/nixos/modules/programs/ausweisapp.nix
@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg  = config.programs.ausweisapp;
+in
+{
+  options.programs.ausweisapp = {
+    enable = mkEnableOption (lib.mdDoc "AusweisApp2");
+
+    openFirewall = mkOption {
+      description = lib.mdDoc ''
+        Whether to open the required firewall ports for the Smartphone as Card Reader (SaC) functionality of AusweisApp2.
+      '';
+      default = false;
+      type = lib.types.bool;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ AusweisApp2 ];
+    networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 24727 ];
+  };
+}