From a17426d4f0ef2c340659c5eecc30363ee5b2b758 Mon Sep 17 00:00:00 2001 From: Srylax <71783705+srylax@users.noreply.github.com> Date: Thu, 9 Apr 2026 19:23:50 +0200 Subject: [PATCH 1/7] :wip: init step-agent module --- modules/default.nix | 1 + modules/step-agent.nix | 72 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 modules/step-agent.nix diff --git a/modules/default.nix b/modules/default.nix index ff6c7c0..de571f8 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,4 +2,5 @@ # Add your NixOS modules here # # my-module = ./my-module; + step-agent = ./step-agent.nix; } diff --git a/modules/step-agent.nix b/modules/step-agent.nix new file mode 100644 index 0000000..ea3db78 --- /dev/null +++ b/modules/step-agent.nix 
@@ -0,0 +1,72 @@ +{ + lib, + config, + pkgs, + ... +}: +let + cfg = config.services.step-agent; +in +{ + options.services.step-agent = { + enable = lib.mkEnableOption "Smallstep step-agent-plugin service https://github.com/smallstep/step-agent-plugin"; + package = lib.mkPackageOption pkgs "step-agent" { }; + + }; + config = lib.mkIf cfg.enable { + + users = { + users.step-agent = { + isSystemUser = true; + group = "step-agent"; + home = "/var/lib/step-agent"; + }; + groups.step-agent = { }; + }; + + systemd.services.step-agent = { + after = [ + "network-online.target" + ]; + description = "Smallstep Agent"; + documentation = [ + "https://u.step.sm/docs/agent" + ]; + requires = [ + "network-online.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + environment = { + HOME = "/var/lib/step-agent"; + }; + unitConfig = { + conditionPathIsReadWrite = "/etc/step-agent/agent.yaml"; + }; + serviceConfig = { + User = "step-agent"; + Group = "step-agent"; + ConfigurationDirectory = "step-agent"; + RuntimeDirectory = "step-agent"; + StateDirectory = "step-agent"; + Type = "notify"; + WatchdogSec = "60s"; + ProtectSystem = "true"; + ProtectHome = "read-only"; + PrivateTmp = "true"; + SecureBits = "keep-caps"; + AmbientCapabilities = "CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; + CapabilityBoundingSet = "CAP_SYSLOG CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; + ExecStart = "${lib.getExe cfg.package} start"; + ExecReload = "/bin/kill -HUP $MAINPID"; + DeviceAllow = "/dev/tpmrm0 rw"; + ReadWritePaths = "-/dev/tpmrm0"; + LimitNOFILE = "65536"; + LimitMEMLOCK = "infinity"; + Restart = "always"; + RestartSec = "10"; + }; + }; + }; +} From dfbb30874eea2b48d108211fa08bb24fcd90213d Mon Sep 17 00:00:00 2001 From: Srylax <71783705+srylax@users.noreply.github.com> Date: Fri, 10 Apr 2026 06:46:46 +0200 Subject: [PATCH 2/7] module: update to 0.65.0.rc19 --- modules/step-agent.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
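Review bot: `ExecReload = "/bin/kill -HUP $MAINPID"` will fail on NixOS, where `/bin/sh` is the only binary under `/bin`, so `systemctl reload step-agent` errors out at spawn time instead of sending SIGHUP; use a store path, `ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";` (or `${pkgs.coreutils}/bin/kill`). Separately, `AmbientCapabilities = "CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"` combined with `ProtectSystem = "true"` (only `/usr` and the boot partitions read-only) lets the step-agent user bypass file permission checks everywhere else, which largely defeats running under a dedicated `User=`. If the binary genuinely needs those capabilities, pair them with `ProtectSystem = "strict"` and an explicit `ReadWritePaths` allow-list; otherwise drop them and keep only `CAP_IPC_LOCK`. A one-line comment stating why each capability is required would also help the next reader, since nothing in the unit explains them.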
diff --git a/modules/step-agent.nix b/modules/step-agent.nix index ea3db78..302a2de 100644 --- a/modules/step-agent.nix +++ b/modules/step-agent.nix @@ -25,8 +25,10 @@ in }; systemd.services.step-agent = { + after = [ "network-online.target" + "step-agent-swtpm.service" ]; description = "Smallstep Agent"; documentation = [ @@ -38,8 +40,12 @@ in wantedBy = [ "multi-user.target" ]; + wants = [ + "step-agent-swtpm.service" + ]; environment = { HOME = "/var/lib/step-agent"; + RUNTIME_DIRECTORY = "/run/step-agent"; }; unitConfig = { conditionPathIsReadWrite = "/etc/step-agent/agent.yaml"; @@ -48,7 +54,6 @@ in User = "step-agent"; Group = "step-agent"; ConfigurationDirectory = "step-agent"; - RuntimeDirectory = "step-agent"; StateDirectory = "step-agent"; Type = "notify"; WatchdogSec = "60s"; @@ -61,12 +66,13 @@ in ExecStart = "${lib.getExe cfg.package} start"; ExecReload = "/bin/kill -HUP $MAINPID"; DeviceAllow = "/dev/tpmrm0 rw"; - ReadWritePaths = "-/dev/tpmrm0"; + ReadWritePaths = "-/dev/tpmrm0 -/run/step-agent/swtpm.sock"; LimitNOFILE = "65536"; LimitMEMLOCK = "infinity"; Restart = "always"; RestartSec = "10"; }; + }; }; } From 1911bfb766b69d9e19b1a794bd81dbbec5c14cbd Mon Sep 17 00:00:00 2001 From: Srylax <71783705+srylax@users.noreply.github.com> Date: Fri, 10 Apr 2026 07:09:01 +0200 Subject: [PATCH 3/7] module: set default package --- default.nix | 28 +++++++++++++--------------- modules/default.nix | 6 ------ 2 files changed, 13 insertions(+), 21 deletions(-) delete mode 100644 modules/default.nix diff --git a/default.nix b/default.nix index 22d82ea..07a076f 100644 --- a/default.nix +++ b/default.nix 
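Review bot: `wants`/`after` now reference `step-agent-swtpm.service`, but no such unit is defined in this module or anywhere else in this series, so the ordering is a no-op and nothing visible here creates the `/run/step-agent/swtpm.sock` socket the agent is being pointed at; if the unit lives in another module, record that in a comment (`# provided by modules/step-agent-swtpm.nix` or similar), otherwise define it next to this service. Also note that under `ProtectSystem = "true"` the `ReadWritePaths = "-/dev/tpmrm0 -/run/step-agent/swtpm.sock"` line has no effect: `/run` and `/dev` are already writable at that level, and `ReadWritePaths` only carves exceptions out of `ProtectSystem = "strict"` or `ReadOnlyPaths`, so the line documents intent rather than enforcing anything.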
@@ -6,24 +6,22 @@ # commands such as: # nix-build -A mypackage -{ pkgs ? import { } }: - { + pkgs ? import { }, +}: + +rec { # The `lib`, `modules`, and `overlays` names are special lib = import ./lib { inherit pkgs; }; # functions - modules = import ./modules; # NixOS modules overlays = import ./overlays; # nixpkgs overlays - # : DO NOT REMOVE THIS LINE - step-agent_0_65_6 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.6.nix { }; - step-agent_0_65_5-rc2 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.5-rc2.nix { }; - step-agent_0_65_5-rc1 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.5-rc1.nix { }; - step-agent_0_65_4 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.4.nix { }; - step-agent_0_65_2 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.2.nix { }; - step-agent_0_65_1 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.1.nix { }; - step-agent_0_65_0-rc21 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc21.nix { }; - step-agent_0_65_0-rc20 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc20.nix { }; - step-agent_0_65_0-rc19 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc19.nix { }; - step-agent = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc11.nix { }; - step-agent_0_65_0-rc11 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc11.nix { }; + nixosModules.step-agent = { + imports = [ ./modules/step-agent.nix ]; + services.step-agent.package = pkgs.lib.mkDefault packages.step-agent; + }; + + packages = { + step-agent = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.6.nix { }; + }; + } diff --git a/modules/default.nix b/modules/default.nix deleted file mode 100644 index de571f8..0000000 --- a/modules/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - # Add your NixOS modules here - # - # my-module = ./my-module; - step-agent = ./step-agent.nix; -} From 4396b793e90603062156ca22c7fee251050ccf0e Mon Sep 17 00:00:00 2001 
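Review bot: `packages.step-agent` pins the module default to 0.65.6, but the derivations for 0.65.0-rc11, 0.65.0-rc19 and 0.65.4 (still edited in the next commit) are no longer reachable from `default.nix`, so they are dead code that nobody builds or audits while remaining in the tree; either expose them again (e.g. `step-agent_0_65_4 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.4.nix { };`) or delete them so the only binary artifact is the one actually shipped. `pkgs ? import { }` reads like `import <nixpkgs> { }` with the angle brackets lost in rendering; worth confirming the file itself is intact, since as shown it would not evaluate.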
From: Srylax <71783705+srylax@users.noreply.github.com> Date: Fri, 10 Apr 2026 07:25:46 +0200 Subject: [PATCH 4/7] fix: set mainProgram manually --- pkgs/step-agent/step-agent_0.65.0-rc11.nix | 19 +++++++++++++++++-- pkgs/step-agent/step-agent_0.65.0-rc19.nix | 18 ++++++++++++++++-- pkgs/step-agent/step-agent_0.65.4.nix | 19 +++++++++++++++++-- pkgs/step-agent/step-agent_0.65.6.nix | 19 +++++++++++++++++-- 4 files changed, 67 insertions(+), 8 deletions(-) diff --git a/pkgs/step-agent/step-agent_0.65.0-rc11.nix b/pkgs/step-agent/step-agent_0.65.0-rc11.nix index 88dbec1..0588460 100644 --- a/pkgs/step-agent/step-agent_0.65.0-rc11.nix +++ b/pkgs/step-agent/step-agent_0.65.0-rc11.nix @@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation { sourceRoot = "."; - nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; + nativeBuildInputs = [ + installShellFiles + makeWrapper + ] + ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; buildInputs = lib.optionals stdenvNoCC.isLinux [ stdenv.cc.cc.lib @@ -45,10 +49,21 @@ stdenvNoCC.mkDerivation { installPhase = '' mkdir -p $out/bin cp -vr ./step-agent $out/bin/step-agent - wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])} + wrapProgram $out/bin/step-agent --prefix PATH : ${ + lib.makeBinPath ( + lib.optionals stdenvNoCC.isLinux [ + tpm2-tss + tpm2-openssl + desktop-file-utils + polkit + p11-kit + ] + ) + } ''; meta = { + mainProgram = "step-agent"; description = "step-agent-plugin is an automated certificate management agent plugin for step-cli."; homepage = "https://github.com/smallstep/step-agent-plugin/"; diff --git a/pkgs/step-agent/step-agent_0.65.0-rc19.nix b/pkgs/step-agent/step-agent_0.65.0-rc19.nix index b3365f6..c96e45d 100644 --- a/pkgs/step-agent/step-agent_0.65.0-rc19.nix +++ b/pkgs/step-agent/step-agent_0.65.0-rc19.nix 
@@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation { sourceRoot = "."; - nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; + nativeBuildInputs = [ + installShellFiles + makeWrapper + ] + ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; buildInputs = lib.optionals stdenvNoCC.isLinux [ stdenv.cc.cc.lib @@ -45,7 +49,17 @@ stdenvNoCC.mkDerivation { installPhase = '' mkdir -p $out/bin cp -vr ./step-agent $out/bin/step-agent - wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])} + wrapProgram $out/bin/step-agent --prefix PATH : ${ + lib.makeBinPath ( + lib.optionals stdenvNoCC.isLinux [ + tpm2-tss + tpm2-openssl + desktop-file-utils + polkit + p11-kit + ] + ) + } ''; meta = { diff --git a/pkgs/step-agent/step-agent_0.65.4.nix b/pkgs/step-agent/step-agent_0.65.4.nix index 727fb1c..b01ecf2 100644 --- a/pkgs/step-agent/step-agent_0.65.4.nix +++ b/pkgs/step-agent/step-agent_0.65.4.nix @@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation { sourceRoot = "."; - nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; + nativeBuildInputs = [ + installShellFiles + makeWrapper + ] + ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; buildInputs = lib.optionals stdenvNoCC.isLinux [ stdenv.cc.cc.lib 
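Review bot: the `meta.mainProgram = "step-agent";` line this commit adds to the rc11, 0.65.4 and 0.65.6 derivations is missing from `step-agent_0.65.0-rc19.nix` — the diffstat shows 18 lines for it versus 19 for the others, and the `meta = {` context at the end of this hunk has no added line. Since the module resolves the binary with `lib.getExe cfg.package`, selecting the rc19 package falls back to the pname-derived guess (with a warning in recent nixpkgs); whether that guess matches the installed `step-agent` binary depends on `pname`, which is outside this hunk. Add `mainProgram = "step-agent";` to its `meta` block as well so all four files behave the same.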
@@ -45,10 +49,21 @@ stdenvNoCC.mkDerivation { installPhase = '' mkdir -p $out/bin cp -vr ./step-agent $out/bin/step-agent - wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])} + wrapProgram $out/bin/step-agent --prefix PATH : ${ + lib.makeBinPath ( + lib.optionals stdenvNoCC.isLinux [ + tpm2-tss + tpm2-openssl + desktop-file-utils + polkit + p11-kit + ] + ) + } ''; meta = { + mainProgram = "step-agent"; description = "step-agent-plugin is an automated certificate management agent plugin for step-cli."; homepage = "https://github.com/smallstep/step-agent-plugin/"; diff --git a/pkgs/step-agent/step-agent_0.65.6.nix b/pkgs/step-agent/step-agent_0.65.6.nix index c58d95a..e4366d6 100644 --- a/pkgs/step-agent/step-agent_0.65.6.nix +++ b/pkgs/step-agent/step-agent_0.65.6.nix @@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation { sourceRoot = "."; - nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; + nativeBuildInputs = [ + installShellFiles + makeWrapper + ] + ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ]; buildInputs = lib.optionals stdenvNoCC.isLinux [ stdenv.cc.cc.lib @@ -45,10 +49,21 @@ stdenvNoCC.mkDerivation { installPhase = '' mkdir -p $out/bin cp -vr ./step-agent $out/bin/step-agent - wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])} + wrapProgram $out/bin/step-agent --prefix PATH : ${ + lib.makeBinPath ( + lib.optionals stdenvNoCC.isLinux [ + tpm2-tss + tpm2-openssl + desktop-file-utils + polkit + p11-kit + ] + ) + } ''; meta = { + mainProgram = "step-agent"; description = "step-agent-plugin is an automated certificate management agent plugin for step-cli."; homepage = "https://github.com/smallstep/step-agent-plugin/"; 
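Review bot: `wrapProgram $out/bin/step-agent --prefix PATH :` adds `tpm2-openssl` to `PATH`, but tpm2-openssl is an OpenSSL provider (a shared object under `lib/ossl-modules`), not an executable, so a PATH entry cannot make it loadable; if the agent reaches the TPM through OpenSSL it presumably needs something like `--prefix OPENSSL_MODULES : ${tpm2-openssl}/lib/ossl-modules` instead — confirm against the agent's documentation before relying on the current wrapper. The same `installPhase` is now duplicated byte-for-byte across four version files; a shared `pkgs/step-agent/generic.nix` taking `version` and `hash` would keep them from drifting the way rc19 already has. The derivation installs a prebuilt binary (`cp -vr ./step-agent`); the fetch and its hash pin are outside this hunk.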
From 34d5dff1d9deb56fa2f7ab0b37be68b877599b63 Mon Sep 17 00:00:00 2001 From: Srylax <71783705+srylax@users.noreply.github.com> Date: Fri, 10 Apr 2026 07:54:43 +0200 Subject: [PATCH 5/7] module: add start flags as nix options --- modules/step-agent.nix | 334 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 324 insertions(+), 10 deletions(-) diff --git a/modules/step-agent.nix b/modules/step-agent.nix index 302a2de..cb0e4f7 100644 --- a/modules/step-agent.nix +++ b/modules/step-agent.nix 
@@ -10,22 +10,282 @@ in { options.services.step-agent = { enable = lib.mkEnableOption "Smallstep step-agent-plugin service https://github.com/smallstep/step-agent-plugin"; - package = lib.mkPackageOption pkgs "step-agent" { }; + # TODO: make user / group configurable + settings = { + config = lib.mkOption { + type = lib.types.str; + default = "/etc/step-agent/agent.yaml"; + description = "The configuration file to use"; + }; + + kms = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The KMS uri to use"; + }; + + att = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The attester KMS uri to use"; + }; + + certificate = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The certificate to use for bootstrapping"; + }; + + token = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The login token to use"; + }; + + tokenFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = "The path to the login token to use"; + }; + + contact = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The contact email to use in the acme accounts"; + }; + + cloud = lib.mkOption { + type = lib.types.nullOr ( + lib.types.enum [ + "aws" + "gcp" + "azure" + ] + ); + default = null; + description = "Force agent to run as if cloud was detected (aws, gcp, azure)"; + }; + + skipCloud = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Skip cloud detection"; + }; + + team = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The team slug"; + }; + + teamId = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The uuid of the team"; + }; + + hostId = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The uuid of the 
host"; + }; + + caUrl = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The certificate authority 'url' used to get the bootstrap token"; + }; + + fingerprint = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The certificate authority root fingerprint"; + }; + + provisioner = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The certificate authority provisioner to use"; + }; + + password = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The password of a JWK provisioner key"; + }; + + passwordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = "The file containing the password of JWK provisioner key"; + }; + + apiUrl = lib.mkOption { + type = lib.types.str; + default = "https://gateway.smallstep.com"; + description = "The url where the Smallstep API can be found"; + }; + + attestationCaUrl = lib.mkOption { + type = lib.types.str; + default = "https://att.smallstep.com/1.0"; + description = "The url for the Smallstep Attestation CA"; + }; + + attestationCaSlug = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The slug for the Attestation CA to use"; + }; + + tpmDevice = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The name of the TPM device to use"; + }; + + tpmStorageDirectory = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = "The TPM storage directory path"; + }; + + x5cCert = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The uri or file containing the certificate chain to use with an X5C provisioner"; + }; + + x5cKey = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The uri or file containing the key to use with an X5C provisioner"; + 
}; + + permanentIdentifier = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The permanent-identifier value to use"; + }; + + identityToken = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "A one-time-token for accessing the CA during the agent identity signing request"; + }; + + agentPath = lib.mkOption { + type = lib.types.str; + default = "/run/step-agent"; + description = "The path to the directory to write the service certificates"; + }; + + pidfile = lib.mkOption { + type = lib.types.str; + default = "/run/step-agent/step-agent.pid"; + description = "The path to the file to read the process ID from"; + }; + + ipc = lib.mkOption { + type = lib.types.str; + default = "@step-agent-ipc"; + description = "The path to the UNIX socket the IPC service binds on. May be prefixed with an '@' to denote an abstract socket"; + }; + + disableReloader = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Disable endpoint reloader server"; + }; + + reloader = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "The path to the UNIX socket the endpoint reloader service binds on. 
May be prefixed with an '@' to denote an abstract socket"; + }; + + register = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Register this host with the provided login token"; + }; + + ipcBootstrap = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Wait for bootstrapping via IPC"; + }; + + login = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Use the interactive login method"; + }; + + loginDomain = lib.mkOption { + type = lib.types.str; + default = "smallstep.com"; + description = "Specify the login domain"; + }; + + pkcs11 = lib.mkOption { + type = lib.types.str; + default = "/run/step-agent/step-agent-pkcs11.sock"; + description = "The path to the UNIX socket the PKCS11 server binds on"; + }; + + sshAgent = lib.mkOption { + type = lib.types.str; + default = "/run/step-agent/step-agent-ssh.sock"; + description = "The path to the UNIX socket the ssh-agent service binds on"; + }; + + sshKey = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = "The path to the SSH key"; + }; + + logDir = lib.mkOption { + type = lib.types.str; + default = "/var/log/step-agent"; + description = "Directory path for storing agent logs"; + }; + + logLevel = lib.mkOption { + type = lib.types.enum [ + "debug" + "info" + "warn" + "error" + ]; + default = "info"; + description = "Log level: debug, info, warn or error"; + }; + + pprof = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Enable the pprof server for debugging"; + }; + }; + + package = lib.mkPackageOption pkgs "step-agent" { }; }; - config = lib.mkIf cfg.enable { + config = lib.mkIf cfg.enable { users = { users.step-agent = { isSystemUser = true; group = "step-agent"; home = "/var/lib/step-agent"; + createHome = true; }; groups.step-agent = { }; }; systemd.services.step-agent = { - after = [ "network-online.target" "step-agent-swtpm.service" 
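Review bot: `tokenFile`, `passwordFile`, `sshKey` and `tpmStorageDirectory` are typed `lib.types.path`, so a user who writes `tokenFile = ./token;` gets the secret copied into the world-readable Nix store with no warning at all. Either type them `lib.types.str` so only runtime paths such as `/run/secrets/...` are accepted, or say it in the description, e.g. `description = "Path to a file containing the login token. Must be a runtime path (sops/agenix style); a Nix path literal would copy the secret into the world-readable store.";`. The `token`, `password` and `identityToken` options raise the same concern one level up, because their values become part of the unit's command line; their descriptions should state plainly that `tokenFile`/`passwordFile` are the supported way to pass secrets. The `settings` attrset also lacks a `description`/`example` at the top explaining that each option maps 1:1 to a `step-agent start` flag, which is the one thing a reader needs to know to look the rest up.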
@@ -48,7 +308,7 @@ in RUNTIME_DIRECTORY = "/run/step-agent"; }; unitConfig = { - conditionPathIsReadWrite = "/etc/step-agent/agent.yaml"; + ConditionPathIsReadWrite = "/etc/step-agent/agent.yaml"; }; serviceConfig = { User = "step-agent"; 
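Review bot: `ConditionPathIsReadWrite = "/etc/step-agent/agent.yaml"` hard-codes the path while the new `settings.config` option makes it configurable, so a user pointing `config` elsewhere gets a unit that silently never runs (a failed Condition is not a failure; `systemctl start` returns success and the agent simply is not there). Tie it to the option, `ConditionPathIsReadWrite = cfg.settings.config;`, and consider whether `ConditionPathExists` is what you actually mean: `IsReadWrite` only checks that the containing file system is mounted read-write, not that the step-agent user can write to the file.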
@@ -57,22 +317,76 @@ in StateDirectory = "step-agent"; Type = "notify"; WatchdogSec = "60s"; - ProtectSystem = "true"; + ProtectSystem = "strict"; ProtectHome = "read-only"; - PrivateTmp = "true"; + PrivateTmp = true; SecureBits = "keep-caps"; AmbientCapabilities = "CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; CapabilityBoundingSet = "CAP_SYSLOG CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; - ExecStart = "${lib.getExe cfg.package} start"; + ExecStart = + let + flags = lib.cli.toGNUCommandLine { } { + config = cfg.settings.config; + kms = cfg.settings.kms; + att = cfg.settings.att; + certificate = cfg.settings.certificate; + token = cfg.settings.token; + token-file = cfg.settings.tokenFile; + contact = cfg.settings.contact; + cloud = cfg.settings.cloud; + skip-cloud = cfg.settings.skipCloud; + team = cfg.settings.team; + team-id = cfg.settings.teamId; + host-id = cfg.settings.hostId; + ca-url = cfg.settings.caUrl; + fingerprint = cfg.settings.fingerprint; + provisioner = cfg.settings.provisioner; + password = cfg.settings.password; + password-file = cfg.settings.passwordFile; + api-url = cfg.settings.apiUrl; + attestation-ca-url = cfg.settings.attestationCaUrl; + attestation-ca-slug = cfg.settings.attestationCaSlug; + tpm-device = cfg.settings.tpmDevice; + tpm-storage-directory = cfg.settings.tpmStorageDirectory; + x5c-cert = cfg.settings.x5cCert; + x5c-key = cfg.settings.x5cKey; + permanent-identifier = cfg.settings.permanentIdentifier; + identity-token = cfg.settings.identityToken; + agent-path = cfg.settings.agentPath; + pidfile = cfg.settings.pidfile; + ipc = cfg.settings.ipc; + disable-reloader = cfg.settings.disableReloader; + reloader = cfg.settings.reloader; + register = cfg.settings.register; + ipc-bootstrap = cfg.settings.ipcBootstrap; + login = cfg.settings.login; + login-domain = cfg.settings.loginDomain; + pkcs11 = cfg.settings.pkcs11; + ssh-agent = cfg.settings.sshAgent; + ssh-key = cfg.settings.sshKey; + log-dir = cfg.settings.logDir; + 
log-level = cfg.settings.logLevel; + pprof = cfg.settings.pprof; + }; + in + "${lib.getExe cfg.package} start ${lib.escapeShellArgs flags}"; + ExecReload = "/bin/kill -HUP $MAINPID"; DeviceAllow = "/dev/tpmrm0 rw"; - ReadWritePaths = "-/dev/tpmrm0 -/run/step-agent/swtpm.sock"; - LimitNOFILE = "65536"; + ReadWritePaths = [ + "-/dev/tpmrm0" + "-/run/step-agent/swtpm.sock" + cfg.settings.agentPath + ]; + LimitNOFILE = 65536; LimitMEMLOCK = "infinity"; Restart = "always"; - RestartSec = "10"; + RestartSec = 10; }; }; + systemd.tmpfiles.rules = [ + "d /run/step-agent 0750 step-agent step-agent - -" + ]; }; } From a674007f70bce72adf82e2a5561ee67f7f994264 Mon Sep 17 00:00:00 2001 From: Srylax <71783705+srylax@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:42:22 +0200 Subject: [PATCH 6/7] module: make all flags nullable --- modules/step-agent.nix | 54 ++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 26 deletions(-) diff --git a/modules/step-agent.nix b/modules/step-agent.nix index cb0e4f7..3c585ec 100644 --- a/modules/step-agent.nix +++ b/modules/step-agent.nix @@ -14,8 +14,8 @@ in # TODO: make user / group configurable settings = { config = lib.mkOption { - type = lib.types.str; - default = "/etc/step-agent/agent.yaml"; + type = lib.types.nullOr lib.types.str; + default = null; description = "The configuration file to use"; }; @@ -122,14 +122,14 @@ in }; apiUrl = lib.mkOption { - type = lib.types.str; - default = "https://gateway.smallstep.com"; + type = lib.types.nullOr lib.types.str; + default = null; description = "The url where the Smallstep API can be found"; }; attestationCaUrl = lib.mkOption { - type = lib.types.str; - default = "https://att.smallstep.com/1.0"; + type = lib.types.nullOr lib.types.str; + default = null; description = "The url for the Smallstep Attestation CA"; }; 
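Review bot: `settings.token`, `settings.password` and `settings.identityToken` are interpolated into `ExecStart` via `toGNUCommandLine`, so any value lands in the unit file (a symlink into the world-readable Nix store), in `systemctl show -p ExecStart`, and in `ps` output for every local user. The commit already provides `tokenFile`/`passwordFile`; the file variants should be the only supported path for secrets, enforced by an assertion rather than left to documentation, and the longer-term shape is `LoadCredential` with `token-file = "%d/token"` so the secret is readable only by the service. The tmpfiles rule `d /run/step-agent 0750 step-agent step-agent - -` is also a behaviour change from the earlier `RuntimeDirectory=`: the directory now survives stops and restarts, which is presumably wanted for `swtpm.sock` but deserves a comment so nobody "fixes" it back.
```nix
    # Refuse secrets that would otherwise be written into the world-readable unit file.
    assertions = [
      {
        assertion = cfg.settings.token == null
          && cfg.settings.password == null
          && cfg.settings.identityToken == null;
        message = "services.step-agent: settings.token, settings.password and settings.identityToken end up on the command line; use settings.tokenFile / settings.passwordFile instead.";
      }
    ];
    # … unchanged: users, systemd.services.step-agent, systemd.tmpfiles.rules …
```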
@@ -176,8 +176,8 @@ in }; agentPath = lib.mkOption { - type = lib.types.str; - default = "/run/step-agent"; + type = lib.types.nullOr lib.types.str; + default = null; description = "The path to the directory to write the service certificates"; }; @@ -188,8 +188,8 @@ in }; ipc = lib.mkOption { - type = lib.types.str; - default = "@step-agent-ipc"; + type = lib.types.nullOr lib.types.str; + default = null; description = "The path to the UNIX socket the IPC service binds on. May be prefixed with an '@' to denote an abstract socket"; }; @@ -224,20 +224,20 @@ in }; loginDomain = lib.mkOption { - type = lib.types.str; - default = "smallstep.com"; + type = lib.types.nullOr lib.types.str; + default = null; description = "Specify the login domain"; }; pkcs11 = lib.mkOption { - type = lib.types.str; - default = "/run/step-agent/step-agent-pkcs11.sock"; + type = lib.types.nullOr lib.types.str; + default = null; description = "The path to the UNIX socket the PKCS11 server binds on"; }; sshAgent = lib.mkOption { - type = lib.types.str; - default = "/run/step-agent/step-agent-ssh.sock"; + type = lib.types.nullOr lib.types.str; + default = null; description = "The path to the UNIX socket the ssh-agent service binds on"; }; @@ -248,19 +248,21 @@ in }; logDir = lib.mkOption { - type = lib.types.str; - default = "/var/log/step-agent"; + type = lib.types.nullOr lib.types.str; + default = null; description = "Directory path for storing agent logs"; }; logLevel = lib.mkOption { - type = lib.types.enum [ - "debug" - "info" - "warn" - "error" - ]; - default = "info"; + type = lib.types.nullOr ( + lib.types.enum [ + "debug" + "info" + "warn" + "error" + ] + ); + default = null; description = "Log level: debug, info, warn or error"; }; @@ -317,7 +319,7 @@ in StateDirectory = "step-agent"; Type = "notify"; WatchdogSec = "60s"; - ProtectSystem = "strict"; + ProtectSystem = "yes"; # what stops us from using strict ProtectHome = "read-only"; PrivateTmp = true; SecureBits = "keep-caps"; 
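Review bot: making `agentPath` default to `null` breaks the `ReadWritePaths` list in `serviceConfig` (outside this hunk), which still contains `cfg.settings.agentPath` unconditionally. As far as I can tell NixOS serialises a `null` list element as an empty `ReadWritePaths=` line, and systemd treats an empty assignment as a reset of the whole list, so with the new default the `-/dev/tpmrm0` and swtpm entries are silently dropped. Guard it with `++ lib.optional (cfg.settings.agentPath != null) cfg.settings.agentPath`, or keep the `/run/step-agent` default for this one option, since the tmpfiles rule creates exactly that directory anyway.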
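Review bot: `ProtectSystem = "yes"; # what stops us from using strict` downgrades the sandbox without recording what broke, and the answer is almost certainly a write path: `strict` makes everything read-only except `/dev`, `/proc`, `/sys`, the `StateDirectory`/`ConfigurationDirectory`/`RuntimeDirectory=` trees and `ReadWritePaths`. The likely candidates from the options in this file are the log directory (the previous default `/var/log/step-agent` — add `LogsDirectory = "step-agent";`), the pidfile and sockets under `/run/step-agent`, which is no longer a `RuntimeDirectory=` (add it to `ReadWritePaths`), and `tpmStorageDirectory`. Replace the question with the actual failing path once found and restore `strict`; with `CAP_DAC_OVERRIDE` still granted, `yes` leaves the service with write access to essentially the whole system.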
From cc21198a4c8b063a4d862d8479b71bab3697a2b3 Mon Sep 17 00:00:00 2001 From: Srylax <71783705+srylax@users.noreply.github.com> Date: Mon, 13 Apr 2026 13:33:26 +0200 Subject: [PATCH 7/7] wip dbus access --- modules/step-agent.nix | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/step-agent.nix b/modules/step-agent.nix index 3c585ec..a985c18 100644 --- a/modules/step-agent.nix +++ b/modules/step-agent.nix @@ -282,7 +282,7 @@ in isSystemUser = true; group = "step-agent"; home = "/var/lib/step-agent"; - createHome = true; + createHome = false; }; groups.step-agent = { }; }; @@ -319,12 +319,12 @@ in StateDirectory = "step-agent"; Type = "notify"; WatchdogSec = "60s"; - ProtectSystem = "yes"; # what stops us from using strict - ProtectHome = "read-only"; - PrivateTmp = true; - SecureBits = "keep-caps"; - AmbientCapabilities = "CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; - CapabilityBoundingSet = "CAP_SYSLOG CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; + # ProtectSystem = "yes"; # what stops us from using strict + # ProtectHome = "read-only"; + # PrivateTmp = true; + # SecureBits = "keep-caps"; + # AmbientCapabilities = "CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; + # CapabilityBoundingSet = "CAP_SYSLOG CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER"; ExecStart = let flags = lib.cli.toGNUCommandLine { } { @@ -375,11 +375,11 @@ in ExecReload = "/bin/kill -HUP $MAINPID"; DeviceAllow = "/dev/tpmrm0 rw"; - ReadWritePaths = [ - "-/dev/tpmrm0" - "-/run/step-agent/swtpm.sock" - cfg.settings.agentPath - ]; + # ReadWritePaths = [ + # "-/dev/tpmrm0" + # "-/run/step-agent/swtpm.sock" + # cfg.settings.agentPath + # ]; LimitNOFILE = 65536; LimitMEMLOCK = "infinity"; Restart = "always";
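Review bot: commenting out `ProtectSystem`, `ProtectHome`, `PrivateTmp`, `SecureBits`, `AmbientCapabilities` and `CapabilityBoundingSet` to get D-Bus working removes every hardening directive from the unit at once, and none of them is what gates the system bus: reaching `/run/dbus/system_bus_socket` does not by itself require any of these, while what denies a non-root service the right to own or call a bus name is the bus policy. The fix that keeps the sandbox is a policy file installed via `services.dbus.packages` granting `user="step-agent"` the `own`/`send_destination` rules the agent needs (the name it claims is not visible in this series — check the agent's D-Bus documentation). If something else is being debugged, re-enable the directives one at a time and record the culprit in a comment rather than shipping the unit unconfined; as it stands the `# wip` state is what a `nixos-rebuild` from this commit would deploy. `createHome = false` is fine on its own, since `StateDirectory = "step-agent"` creates `/var/lib/step-agent` with the right owner.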