merge north master

system-modules/hsmw.nix

@@ -1,24 +1,31 @@
 { pkgs, lib, host, secrets, ... }: 
 lib.mkIf (host != "NxACE") 
 {
-  environment.systemPackages = [
-    pkgs.strongswanNM
+  environment.systemPackages = with pkgs; [
+    strongswanNM
   ];
   
   environment.etc = {
 
-    # Easyroam 
-    "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
-    "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
-    "ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
-    "NetworkManager/system-connections/eduroam.nmconnection" = {
-      text = secrets.easyroamHSMW.nmconfig; 
-      mode = "0600";
-    };
+  #   # Easyroam 
+  #   "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
+  #   "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
+  #   "ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
+  #   "NetworkManager/system-connections/eduroam.nmconnection" = {
+  #     text = secrets.easyroamHSMW.nmconfig; 
+  #     mode = "0600";
+  #   };
 
-    "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
-    "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
-    "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
+    # "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.un}@hs-mittweida.de : EAP "megasecret"'';
+  #   "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
+  #   "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
+  };
+
+
+  sops.secrets = {
+    "USERTrust/ECC" = { path = "/etc/ipsec.d/USERTrust-ECC.pem"; };
+    "USERTrust/RSA" = { path = "/etc/ipsec.d/USERTrust-RSA.pem"; };
+    "hsmw-vpn-secret" = { path = "/etc/ipsec.d/hsmw.secret"; mode = "600"; };
   };
   
   networking.networkmanager.enableStrongSwan = true;
@@ -35,7 +42,7 @@ lib.mkIf (host != "NxACE")
           left = "%defaultroute";
           leftid = "%any";
           leftauth = "eap";
-          eap_identity = secrets.email.hsmw.mail;
+          eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
           leftsourceip = "%config";
           leftdns = "%config4";
           leftfirewall = "no";
@@ -73,7 +80,7 @@ lib.mkIf (host != "NxACE")
       "openssl"
       "resolve"
     ];
-    secrets = [ "/etc/ipsec.d/hsmw.secrets" ];
+    secrets = [ "/etc/ipsec.d/hsmw.secret" ];
     ca = {
       hsmw = {
         auto = "add";

system-modules/ollama.nix

@@ -5,41 +5,6 @@ let p = pkgs-unstable; in
     ollama
   ];
   
-  # services.ollama.environmentVariables = {
-  #   OLLAMA_ORIGINS = "*"; 
-  # };
-
-  # systemd.services.ollama = {
-  #   environment.OLLAMA_ORIGINS = "*";
-  #   description = "Ollama Service";
-  #   after = [ "network-online.target" "ollama-doesnt-respect-xdg-data-home.service" ];
-  #   serviceConfig = {
-  #     Type = "simple";
-  #     # Environment = "\"XDG_DATA_HOME=/run/current-system/sw/share\"";
-  #     ExecStart = "${pkgs.ollama}/bin/ollama serve";
-  #     User = "ollama";
-  #     Group = "ollama";
-  #     Restart = "always";
-  #     RestartSec = "3";
-  #   };
-  #   wantedBy = [ "default.target" ];
-  # };
-
-  # users.users.ollama = {
-  #   isSystemUser = true;
-  #   home = "/usr/share/ollama";
-  #   shell = "/bin/false";
-  #   group = "ollama";
-  # };
-  # users.groups.ollama = {};
-
-  # systemd.services.ollama-doesnt-respect-xdg-data-home = {
-  #   wantedBy = ["multi-user.target"];
-  #   script = ''
-  #     mkdir -p /usr/share/ollama/.ollama
-  #     chown ollama:ollama -R /usr/share/ollama
-  #   '';
-  # };
   services.ollama = {
     package = p.ollama;
     enable = true;