From 4e3b643d2029910db6711a4dee738be42a65f51d Mon Sep 17 00:00:00 2001
From: nx2
Date: Wed, 27 Mar 2024 11:05:57 +0100
Subject: [PATCH] HSMW-VPN Working

---
 configuration.nix | 63 ++++++++++++++++++++++++++++++
 flake.lock | 18 ++++-----
 system-modules/health_reminder.nix | 4 +-
 system-modules/hsmw.nix | 11 ++++--
 4 files changed, 82 insertions(+), 14 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 687ae67..06b317e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -22,10 +22,73 @@ boot.loader.efi.canTouchEfiVariables = true; boot.loader.grub = { enable = true; + configurationLimit = 30; # device = "/dev/nvme0n1p1"; device = "nodev"; # useOSProber = true; efiSupport = true; + # theme = "${(pkgs.fetchFromGitea { + # domain = "git.nx2.site"; + # owner = "nx2"; + # repo = "grub-theme-ascii-diana"; + # rev = "0.1.0"; + # hash = "sha256-uqhj77CX6EaqF9SBDRKS8dfwSVyR9wb9xG9St4gJmFA="; + # }) + # }/out/ + # "; + + extraEntries = '' + menuentry 'Windows Boot Manager (on /dev/nvme0n1p1)' --class windows --class os $menuentry_id_option 'osprober-efi-0A97-7A2D' { + insmod part_gpt + insmod fat + search --no-floppy --fs-uuid --set=root 0A97-7A2D + chainloader /EFI/Microsoft/Boot/bootmgfw.efi + } + menuentry 'Arch Linux (on /dev/nvme0n1p5)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-simple-0c11547f-0294-419b-93d0-45c6d1f1c546' { + insmod part_gpt + insmod ext2 + search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546 + linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0 + initrd /boot/intel-ucode.img /boot/initramfs-linux-lts.img + } + submenu 'Advanced options for Arch Linux (on /dev/nvme0n1p5)' $menuentry_id_option 'osprober-gnulinux-advanced-0c11547f-0294-419b-93d0-45c6d1f1c546' { + menuentry 'Arch Linux (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux-lts--0c11547f-0294-419b-93d0-45c6d1f1c546' { + insmod part_gpt + insmod ext2 + search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546 + linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0 + initrd /boot/intel-ucode.img /boot/initramfs-linux-lts.img + } + menuentry 'Arch Linux, with Linux linux-lts (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os 
$menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux-lts--0c11547f-0294-419b-93d0-45c6d1f1c546' { + insmod part_gpt + insmod ext2 + search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546 + linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0 + initrd /boot/intel-ucode.img /boot/initramfs-linux-lts.img + } + menuentry 'Arch Linux, with Linux linux-lts (fallback initramfs) (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux-lts--0c11547f-0294-419b-93d0-45c6d1f1c546' { + insmod part_gpt + insmod ext2 + search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546 + linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0 + initrd /boot/intel-ucode.img /boot/initramfs-linux-lts-fallback.img + } + menuentry 'Arch Linux, with Linux linux (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux--0c11547f-0294-419b-93d0-45c6d1f1c546' { + insmod part_gpt + insmod ext2 + search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546 + linux /boot/vmlinuz-linux root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0 + initrd /boot/intel-ucode.img /boot/initramfs-linux.img + } + menuentry 'Arch Linux, with Linux linux (fallback initramfs) (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux--0c11547f-0294-419b-93d0-45c6d1f1c546' { + insmod part_gpt + insmod ext2 + search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546 + linux /boot/vmlinuz-linux root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0 + initrd /boot/intel-ucode.img 
/boot/initramfs-linux-fallback.img
+ }
+ }
+ '';
 };
diff --git a/flake.lock b/flake.lock
index 5529acd..9210709 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1706981411,
- "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
+ "lastModified": 1710888565,
+ "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
+ "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce",
 "type": "github"
 },
 "original": {
@@ -23,11 +23,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1710838473,
- "narHash": "sha256-RLvwdQSENKOaLdKhNie8XqHmTXzNm00/M/THj6zplQo=",
+ "lastModified": 1711124224,
+ "narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "fa9f817df522ac294016af3d40ccff82f5fd3a63",
+ "rev": "56528ee42526794d413d6f244648aaee4a7b56c0",
 "type": "github"
 },
 "original": {
@@ -38,11 +38,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1710806803,
- "narHash": "sha256-qrxvLS888pNJFwJdK+hf1wpRCSQcqA6W5+Ox202NDa0=",
+ "lastModified": 1711163522,
+ "narHash": "sha256-YN/Ciidm+A0fmJPWlHBGvVkcarYWSC+s3NTPk/P+q3c=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b06025f1533a1e07b6db3e75151caa155d1c7eb3",
+ "rev": "44d0940ea560dee511026a53f0e2e2cde489b4d4",
 "type": "github"
 },
 "original": {
diff --git a/system-modules/health_reminder.nix b/system-modules/health_reminder.nix
index c986b75..c14c7de 100644
--- a/system-modules/health_reminder.nix
+++ b/system-modules/health_reminder.nix
@@ -5,8 +5,8 @@
 enable = true;
 wantedBy = [ "timers.target" ];
 timerConfig = {
- OnBootSec = "10m";
- OnUnitActiveSec = "10m";
+ OnBootSec = "5m";
+ OnUnitActiveSec = "5m";
 Unit = "health_reminder.service";
 };
 };
diff --git a/system-modules/hsmw.nix b/system-modules/hsmw.nix
index 66ee729..4b5cee1 100644
--- a/system-modules/hsmw.nix
+++ b/system-modules/hsmw.nix
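Review bot: The five Arch entries inside `extraEntries` are verbatim copies of the os-prober output that differ only in title, kernel image, initrd and menu id, and the root UUID `0c11547f-0294-419b-93d0-45c6d1f1c546` is repeated in every one of them; generating them from a list with a small `let` helper keeps the partition identity in one place and makes the next kernel-flavour change a one-line edit. The sketch below is meant to reproduce the current text (it assumes `lib` is among the module arguments); diff the generated `grub.cfg` against the present one before switching, because the `$menuentry_id_option` ids must stay identical if anything references them as a saved default. Independently of the refactor, `useOSProber` stays commented out while its output is frozen here, so a reinstall of the Arch partition silently breaks these entries — a comment above `extraEntries` such as `# hand-frozen os-prober output for nvme0n1p5; regenerate when that partition changes` would tell the next reader why the UUID is hard-coded. The hunk starts on the line with `boot.loader.grub = {` earlier in this patch.
```nix
extraEntries =
  let
    archRoot = "0c11547f-0294-419b-93d0-45c6d1f1c546";
    # One GRUB menuentry for the Arch partition; id defaults to the os-prober naming scheme.
    archEntry = { title, kernel, initrd
                , id ? "osprober-gnulinux-/boot/${kernel}--${archRoot}"
                , classes ? "--class gnu-linux --class gnu --class os" }: ''
      menuentry '${title} (on /dev/nvme0n1p5)' ${classes} $menuentry_id_option '${id}' {
        insmod part_gpt
        insmod ext2
        search --no-floppy --fs-uuid --set=root ${archRoot}
        linux /boot/${kernel} root=UUID=${archRoot} rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0
        initrd /boot/intel-ucode.img /boot/${initrd}
      }
    '';
    # Entries of the "Advanced options" submenu, in the order os-prober emitted them.
    archVariants = [
      { title = "Arch Linux"; kernel = "vmlinuz-linux-lts"; initrd = "initramfs-linux-lts.img"; }
      { title = "Arch Linux, with Linux linux-lts"; kernel = "vmlinuz-linux-lts"; initrd = "initramfs-linux-lts.img"; }
      { title = "Arch Linux, with Linux linux-lts (fallback initramfs)"; kernel = "vmlinuz-linux-lts"; initrd = "initramfs-linux-lts-fallback.img"; }
      { title = "Arch Linux, with Linux linux"; kernel = "vmlinuz-linux"; initrd = "initramfs-linux.img"; }
      { title = "Arch Linux, with Linux linux (fallback initramfs)"; kernel = "vmlinuz-linux"; initrd = "initramfs-linux-fallback.img"; }
    ];
  in ''
    # … unchanged: Windows Boot Manager entry …
    ${archEntry { title = "Arch Linux"; kernel = "vmlinuz-linux-lts"; initrd = "initramfs-linux-lts.img";
                  id = "osprober-gnulinux-simple-${archRoot}";
                  classes = "--class arch --class gnu-linux --class gnu --class os"; }}
    submenu 'Advanced options for Arch Linux (on /dev/nvme0n1p5)' $menuentry_id_option 'osprober-gnulinux-advanced-${archRoot}' {
      ${lib.concatMapStrings archEntry archVariants}
    }
  '';
```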
@@ -24,6 +24,8 @@
 # '';
 "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
+ "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
+ "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
 };
 services.strongswan = {
@@ -77,8 +79,11 @@
 "resolve"
 ];
 secrets = [ "/etc/ipsec.d/hsmw.secrets" ];
- # ca = {
- # ??? # https://mynixos.com/nixpkgs/option/services.strongswan.ca
- # }
+ ca = {
+ hsmw = {
+ auto = "add";
+ cacert = "/etc/ipsec.d/USERTrust-RSA.pem";
+ };
+ };
 };
 }
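Review bot: The ECC certificate is installed as `/etc/ipsec.d/USERTrust-ECC.pem` but nothing in this commit references it — the `ca` section added in the second hunk of this file names only the RSA file — so it is either dead configuration or a missing trust anchor, depending on which chain the gateway actually presents. Either drop that line or add a sibling entry next to `hsmw`, `hsmwEcc = { auto = "add"; cacert = "/etc/ipsec.d/USERTrust-ECC.pem"; };`, and say in a comment which one the gateway was observed to use. Both files are public CA certificates rather than secrets, and `environment.etc` copies them into the world-readable Nix store anyway, so storing them under `../secrets/vpn-hsmw/` blurs what in that directory genuinely needs protecting; the neighbouring `hsmw.secrets` entry, which embeds the EAP password via `.text`, lands in that same world-readable store, and if that is accepted a one-line comment saying so would save the next reader the question. The enclosing `environment.etc` attrset starts outside the hunk.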
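Review bot: `cacert = "/etc/ipsec.d/USERTrust-RSA.pem"` makes a public CA the trust anchor for this tunnel, so any server certificate issued under that CA would be accepted as the gateway unless the `conn` section, which lies outside this hunk, binds the peer identity with `rightid` (and ideally `rightca`); please confirm it does, since the CA entry alone does not. A comment on the new `ca.hsmw` block along the lines of `# trust anchor only; the gateway identity is pinned by rightid in the conn section` would make that dependency explicit. `auto = "add"` here only loads the certificate at startup, which is the right setting for a `ca` section. The enclosing `services.strongswan` attrset starts outside the hunk.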