From efae851a9aad00fa511d66710fabc289e9d10a39 Mon Sep 17 00:00:00 2001 From: Val Packett Date: Thu, 17 Jul 2025 23:16:39 -0300 Subject: [PATCH] agent: use socket activation, port credential + provide nixos module --- Cargo.lock | 103 +++++++++++++++++++++++++++++++++++++- flake.nix | 18 +++++++ sidebus-agent/Cargo.toml | 2 +- sidebus-agent/src/main.rs | 25 ++++----- 4 files changed, 134 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c7e3ef5..202dcef 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -134,6 +134,12 @@ version = "2.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967" +[[package]] +name = "bumpalo" +version = "3.19.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43" + [[package]] name = "busd" version = "0.4.0" @@ -484,6 +490,16 @@ version = "1.70.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" +[[package]] +name = "js-sys" +version = "0.3.77" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f" +dependencies = [ + "once_cell", + "wasm-bindgen", +] + [[package]] name = "lazy_static" version = "1.5.0" @@ -502,6 +518,17 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12" +[[package]] +name = "listenfd" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b87bc54a4629b4294d0b3ef041b64c40c611097a677d9dc07b2c67739fe39dba" +dependencies = [ + "libc", + "uuid", + "winapi", +] + [[package]] name = "lock_api" version = "0.4.13" 
@@ -776,6 +803,12 @@ dependencies = [ "windows-sys 0.59.0", ] +[[package]] +name = "rustversion" +version = "1.0.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d" + [[package]] name = "scopeguard" version = "1.2.0" @@ -826,8 +859,8 @@ dependencies = [ name = "sidebus-agent" version = "0.1.0" dependencies = [ - "clap", "eyre", + "listenfd", "sidebus-common", "tokio", "tokio-stream", @@ -1086,6 +1119,16 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" +[[package]] +name = "uuid" +version = "1.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3cf4199d1e5d15ddd86a694e4d0dffa9c323ce759fea589f00fef9d81cc1931d" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "valuable" version = "0.1.1" 
@@ -1117,6 +1160,64 @@ dependencies = [ "wit-bindgen-rt", ] +[[package]] +name = "wasm-bindgen" +version = "0.2.100" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5" +dependencies = [ + "cfg-if", + "once_cell", + "rustversion", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.100" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6" +dependencies = [ + "bumpalo", + "log", + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.100" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.100" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-backend", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.100" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d" +dependencies = [ + "unicode-ident", +] + [[package]] name = "winapi" version = "0.3.9" diff --git a/flake.nix b/flake.nix index 8fd62a0..7b0e010 100644 --- a/flake.nix +++ b/flake.nix 
@@ -41,6 +41,24 @@ packages.sidebus-agent = rustPackage "sidebus-agent"; packages.sidebus-broker = rustPackage "sidebus-broker"; + + nixosModules.sidebus-vm = { ... }: { + environment.sessionVariables.DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/sidebus.sock"; + systemd.sockets.sidebus-agent = { + # SocketMode= is 0666 by default + listenStreams = [ "/run/sidebus.sock" ]; + wantedBy = [ "sockets.target" ]; + documentation = [ "https://git.clan.lol/valpackett/sidebus" ]; + }; + systemd.services.sidebus-agent = { + # TODO: confinement (can do a lot) + serviceConfig = { + ExecStart = "${rustPackage "sidebus-agent"}/bin/sidebus-agent"; + ImportCredential = "sidebus.*"; + }; + documentation = [ "https://git.clan.lol/valpackett/sidebus" ]; + }; + }; } ); } diff --git a/sidebus-agent/Cargo.toml b/sidebus-agent/Cargo.toml index a0e1650..254d37b 100644 --- a/sidebus-agent/Cargo.toml +++ b/sidebus-agent/Cargo.toml @@ -5,7 +5,6 @@ edition = "2024" [dependencies] sidebus-common = { workspace = true } -clap = { version = "4.5.40", features = ["derive"] } eyre = "0.6.12" tokio = { version = "1.46.0", features = ["full"] } tokio-stream = "0.1.17" @@ -13,3 +12,4 @@ tokio-vsock = "0.7.1" tracing = "0.1.41" tracing-subscriber = "0.3.19" zbus = { workspace = true } +listenfd = "1.0.2" diff --git a/sidebus-agent/src/main.rs b/sidebus-agent/src/main.rs index 2d687f3..984a59f 100644 --- a/sidebus-agent/src/main.rs +++ b/sidebus-agent/src/main.rs 
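Review bot: The `sidebus-agent` service is left unconfined (`# TODO: confinement`), so with no `User=` set it runs as root while serving a socket that, per the comment above `listenStreams`, any local user can open. From what main.rs in this patch shows, the agent only needs the inherited unix listener, its credential file and an outbound vsock connection. A first step could therefore be `DynamicUser = true;` and `RestrictAddressFamilies = "AF_UNIX AF_VSOCK";` in `serviceConfig`, after testing that the credential directory and the vsock connect still work under them. If only one session user is meant to reach the bus, `socketConfig.SocketMode = "0660";` together with a `SocketGroup` would narrow the 0666 default; if world access is intended, the comment could say so explicitly.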
@@ -1,27 +1,28 @@ -use clap::Parser; +use eyre::OptionExt; use tokio::net::UnixListener; use tracing::info; -#[derive(Parser)] -#[command(version, about, long_about = None)] -struct AgentCli { - listen_path: String, -} - #[tokio::main] async fn main() -> eyre::Result<()> { tracing_subscriber::fmt::init(); - let cli = AgentCli::parse(); + let creds_dir = std::path::PathBuf::try_from(std::env::var("CREDENTIALS_DIRECTORY")?)?; + let vsock_port = std::fs::read_to_string(creds_dir.join("sidebus.port"))? + .trim() + .parse::()?; + + let unix_listener = UnixListener::from_std( + listenfd::ListenFd::from_env() + .take_unix_listener(0)? + .ok_or_eyre("no unix listener provided")?, + )?; + info!("listening for unix clients"); - let unix_addr = cli.listen_path; - let unix_listener = UnixListener::bind(unix_addr.clone())?; - info!(%unix_addr, "listening for unix clients"); while let Ok((unix_client, client_addr)) = unix_listener.accept().await { info!(?client_addr, "new unix client"); tokio::spawn(async move { let vsock_addr = zbus::Address::from(zbus::address::Transport::Vsock( - zbus::address::transport::Vsock::new(2, 4269), + zbus::address::transport::Vsock::new(2, vsock_port), )); let vsock_conn = zbus::connection::Builder::address(vsock_addr) .unwrap()
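Review bot: The listener taken from `listenfd` is handed to `UnixListener::from_std` without being switched to non-blocking mode, which tokio documents as the caller's responsibility. systemd passes activation sockets in blocking mode unless the service sets `NonBlocking=`, and the unit added in flake.nix does not, so `accept().await` can block a runtime worker thread instead of yielding. Either bind the std listener to a local and call `std_listener.set_nonblocking(true)?;` before `from_std`, or add `NonBlocking = true;` to the unit's `serviceConfig`. Separately, the bare `?` on `std::env::var("CREDENTIALS_DIRECTORY")` and on the `sidebus.port` read produces errors that name neither the variable nor the file; eyre's `.wrap_err("CREDENTIALS_DIRECTORY is not set")` and a similar message for the port file would make a misconfigured unit easier to diagnose. The body of `main` continues past the end of the hunk.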