HSMW-VPN Working

2024-03-27 11:05:57 +01:00
parent 9953f8231b
commit 4e3b643d20
4 changed files with 82 additions and 14 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -22,10 +22,73 @@
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub = {
    enable = true;
+    configurationLimit = 30;
 #    device = "/dev/nvme0n1p1";
    device = "nodev";
    # useOSProber = true;
    efiSupport = true;
+    # theme = "${(pkgs.fetchFromGitea {
+    #     domain = "git.nx2.site";
+    #     owner = "nx2";
+    #     repo = "grub-theme-ascii-diana";
+    #     rev = "0.1.0";
+    #     hash = "sha256-uqhj77CX6EaqF9SBDRKS8dfwSVyR9wb9xG9St4gJmFA=";
+    #   })
+    #   }/out/
+    # ";
+
+    extraEntries = ''
+      menuentry 'Windows Boot Manager (on /dev/nvme0n1p1)' --class windows --class os $menuentry_id_option 'osprober-efi-0A97-7A2D' {
+        insmod part_gpt
+        insmod fat
+        search --no-floppy --fs-uuid --set=root 0A97-7A2D
+        chainloader /EFI/Microsoft/Boot/bootmgfw.efi
+      }
+      menuentry 'Arch Linux (on /dev/nvme0n1p5)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-simple-0c11547f-0294-419b-93d0-45c6d1f1c546' {
+        insmod part_gpt
+        insmod ext2
+        search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546
+        linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0
+        initrd /boot/intel-ucode.img /boot/initramfs-linux-lts.img
+      }
+      submenu 'Advanced options for Arch Linux (on /dev/nvme0n1p5)' $menuentry_id_option 'osprober-gnulinux-advanced-0c11547f-0294-419b-93d0-45c6d1f1c546' {
+        menuentry 'Arch Linux (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux-lts--0c11547f-0294-419b-93d0-45c6d1f1c546' {
+          insmod part_gpt
+          insmod ext2
+          search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546
+          linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0
+          initrd /boot/intel-ucode.img /boot/initramfs-linux-lts.img
+        }
+        menuentry 'Arch Linux, with Linux linux-lts (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux-lts--0c11547f-0294-419b-93d0-45c6d1f1c546' {
+          insmod part_gpt
+          insmod ext2
+          search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546
+          linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0
+          initrd /boot/intel-ucode.img /boot/initramfs-linux-lts.img
+        }
+        menuentry 'Arch Linux, with Linux linux-lts (fallback initramfs) (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux-lts--0c11547f-0294-419b-93d0-45c6d1f1c546' {
+          insmod part_gpt
+          insmod ext2
+          search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546
+          linux /boot/vmlinuz-linux-lts root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0
+          initrd /boot/intel-ucode.img /boot/initramfs-linux-lts-fallback.img
+        }
+        menuentry 'Arch Linux, with Linux linux (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux--0c11547f-0294-419b-93d0-45c6d1f1c546' {
+          insmod part_gpt
+          insmod ext2
+          search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546
+          linux /boot/vmlinuz-linux root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0
+          initrd /boot/intel-ucode.img /boot/initramfs-linux.img
+        }
+        menuentry 'Arch Linux, with Linux linux (fallback initramfs) (on /dev/nvme0n1p5)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-linux--0c11547f-0294-419b-93d0-45c6d1f1c546' {
+          insmod part_gpt
+          insmod ext2
+          search --no-floppy --fs-uuid --set=root 0c11547f-0294-419b-93d0-45c6d1f1c546
+          linux /boot/vmlinuz-linux root=UUID=0c11547f-0294-419b-93d0-45c6d1f1c546 rw loglevel=3 quiet splash snd_hda_intel.dmic_detect=0
+          initrd /boot/intel-ucode.img /boot/initramfs-linux-fallback.img
+        }
+      }
+    '';
  };
  

--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1706981411,
-        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
+        "lastModified": 1710888565,
+        "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
+        "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce",
        "type": "github"
      },
      "original": {
@@ -23,11 +23,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1710838473,
-        "narHash": "sha256-RLvwdQSENKOaLdKhNie8XqHmTXzNm00/M/THj6zplQo=",
+        "lastModified": 1711124224,
+        "narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fa9f817df522ac294016af3d40ccff82f5fd3a63",
+        "rev": "56528ee42526794d413d6f244648aaee4a7b56c0",
        "type": "github"
      },
      "original": {
@@ -38,11 +38,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1710806803,
-        "narHash": "sha256-qrxvLS888pNJFwJdK+hf1wpRCSQcqA6W5+Ox202NDa0=",
+        "lastModified": 1711163522,
+        "narHash": "sha256-YN/Ciidm+A0fmJPWlHBGvVkcarYWSC+s3NTPk/P+q3c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b06025f1533a1e07b6db3e75151caa155d1c7eb3",
+        "rev": "44d0940ea560dee511026a53f0e2e2cde489b4d4",
        "type": "github"
      },
      "original": {
--- a/system-modules/health_reminder.nix
+++ b/system-modules/health_reminder.nix
@@ -5,8 +5,8 @@
    enable = true;
    wantedBy = [ "timers.target" ];
      timerConfig = {
-        OnBootSec = "10m";
-        OnUnitActiveSec = "10m";
+        OnBootSec = "5m";
+        OnUnitActiveSec = "5m";
        Unit = "health_reminder.service";
      };
  };
--- a/system-modules/hsmw.nix
+++ b/system-modules/hsmw.nix
@@ -24,6 +24,8 @@
    # '';

    "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
+    "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
+    "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
  };

  services.strongswan = {
@@ -77,8 +79,11 @@
      "resolve"
    ];
    secrets = [ "/etc/ipsec.d/hsmw.secrets" ];
-    # ca = {
-      # ??? # https://mynixos.com/nixpkgs/option/services.strongswan.ca
-    # }
+    ca = {
+      hsmw = {
+        auto = "add";
+        cacert = "/etc/ipsec.d/USERTrust-RSA.pem";
+      };
+    };
  };
 }