nixos/hardware: add udev rules for Ledger Nano S #49106

Closed
wants to merge 1 commit into from

Contributor

@abrenk abrenk commented Oct 25, 2018

They are enabled using the option

hardware.ledger-nano-s.enabled = true;

Motivation for this change

In order to use a Ledger Nano S the user needs access to the corresponding /dev/hidraw* devices. This change adds a config option to create a corresponding udev rule.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@GrahamcOfBorg GrahamcOfBorg added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 25, 2018
type = types.bool;
default = false;
description = ''
Enables udev rules for Ledger Nano S devices (https://www.ledger.com/products/ledger-nano-s).
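
Review bot: the `type = types.bool;` and `default = false;` lines, together with an "Enables ..." description, hand-write what `mkEnableOption` already generates, so the declaration could be a single `mkEnableOption` call. The PR description also names the option `hardware.ledger-nano-s.enabled`, while the comparable options cited in this thread (`hardware.onlykey.enable`, `hardware.nitrokey.enable`, `services.trezord.enable`) end in `enable`; renaming it would keep the module consistent with them.
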
Member


Would be nice for the link to be a real link:

Suggested change
Enables udev rules for Ledger Nano S devices (https://www.ledger.com/products/ledger-nano-s).
Enables udev rules for Ledger Nano S devices
(<link xlink:href="https://www.ledger.com/products/ledger-nano-s"/>).

@symphorien
Member

Creating the udev rule is not much longer than setting the option; maybe it would be better to "just" document this in the wiki (for example) and let people copy the udev rule from the wiki to their conf if they have this hardware.
By "better" I mean that, for example, each option makes the evaluation time longer for everyone.

@abrenk
Contributor Author

abrenk commented Oct 26, 2018

There are already options for similar devices:

  • hardware.onlykey.enable (defunct at the moment, uses 'builtin' instead of 'builtins' and requires a non-existing plugdev group, I have a pull request to fix this in progress)
  • hardware.nitrokey.enable (plus hardware.nitrokey.group, which is not needed if the udev rule uses the uaccess tag to add an ACL entry for the current console user)
  • services.trezord.enable (has similar udev rules, but also adds a systemd unit for a custom daemon)

The YubiKey (or any other security token) also needs udev rules to allow the console user to access the corresponding hidraw device, which is why systemd/udev introduced the ENV{ID_SECURITY_TOKEN} variable in lib/udev/rules.d/70-uaccess.rules to declaratively add the uaccess tag.

Using services.udev.extraRules in configuration.nix is not possible, because those rules end up in 99-local.rules after the 70-uaccess.rules that enable ENV{ID_SECURITY_TOKEN} and the uaccess tag.

Maybe a single option to enable support for all known security tokens would be the best solution.
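
The ordering problem described in the comment above, as an added configuration example that is not part of the original comment or of the PR: the same rule placed via `services.udev.extraRules` (too late) and via a packaged rules file that sorts before `70-uaccess.rules`. The vendor ID `2c97`, the package name and the file name `69-ledger.rules` are assumptions made for illustration.

```nix
{ pkgs, ... }:
let
  # Assumption: 2c97 is the USB vendor ID the device reports; confirm with `lsusb`.
  # The rule only marks the hidraw node as a security token. It sets no MODE or
  # GROUP, so access is granted solely through the uaccess ACL for the user
  # logged in on the local seat, not to every account on the machine.
  ledgerRule = ''
    SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2c97", ENV{ID_SECURITY_TOKEN}="1"
  '';
in
{
  # Too late: extraRules is written to 99-local.rules, which udev reads after
  # 70-uaccess.rules has already tested ENV{ID_SECURITY_TOKEN}, so the uaccess
  # tag is never added.
  # services.udev.extraRules = ledgerRule;

  # Ordered correctly: ship the rule as its own file whose name sorts before
  # 70-uaccess.rules, so the variable is set by the time that file runs.
  services.udev.packages = [
    (pkgs.writeTextFile {
      name = "ledger-udev-rules";                          # hypothetical name
      destination = "/etc/udev/rules.d/69-ledger.rules";   # hypothetical name
      text = ledgerRule;
    })
  ];
}
```

After a rebuild, `udevadm info /dev/hidrawN` on the device node should list `ID_SECURITY_TOKEN=1`, and `getfacl /dev/hidrawN` should show an ACL entry for the console user.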

@asymmetric
Contributor

This has been done in #55741.

@abrenk what functionality would not work without ENV{ID_SECURITY_TOKEN}?

@rycee
Member

rycee commented Sep 29, 2019

I'll close this since hardware.ledger exists now as @asymmetric highlighted. I think the ENV{ID_SECURITY_TOKEN} issue that @abrenk mentioned belongs in its own issue, if it still is applicable.

@rycee rycee closed this Sep 29, 2019
@Janik-Haag Janik-Haag added the 12. first-time contribution This PR is the author's first one; please be gentle! label Jun 12, 2023