From 9953f8231b7cba5b0ceeca33dbda1807a51dcc83 Mon Sep 17 00:00:00 2001 From: nx2 Date: Fri, 22 Mar 2024 16:17:03 +0100 Subject: [PATCH] HSMW VPN Certificate Missing --- secrets/passwords-and-certificates.nix | Bin 1580 -> 1633 bytes system-modules/hsmw.nix | 70 ++++++++++++++++++++++--- 2 files changed, 63 insertions(+), 7 deletions(-) 
diff --git a/secrets/passwords-and-certificates.nix b/secrets/passwords-and-certificates.nix index 51e8171bc248089d032e8dad19bca8077cddb865..6575e9f7343bbb5a8ecca7390b12d42c276e89a7 100644 GIT binary patch literal 1633 zcmZQ@_Y83kiVO&0@SPp-C4A#z$J~u)dqo;r3nOd_FUm^JTBN2I)OD{awzs#YIIXPP zSaUm@<}AINPgHKI8w+2o6+7v?Sv>O43&-P`QD+<~SkDPh{INEZ@!~8^IbOHjo7^54 zh^(v^|HySGQZ-<*cluvtQ~u?tSyxYMe}mM?#uiwoOAmB z+N!Qj%`b1}Dm4br`@TW3#pz>a@W#Vmcdj1y(OrvnOg)!ubn8cf zdgSr8leIe6I=$T9H#Q5GU+q7+=?_clvHc3a4^0hs`pq9=w#7iJ^=)%3%d!>QCj2bP z|2@%j={Dn*{YUpl9JWij5zP|&YER(WbMLq9(Khth{iU)a&NM(nG}7QMtIp z=bv-sye&HC7uoIp?R_O)Tra$lEvw+#yYGEfax1e_BEEmV+3Hjv9X7|5>DE$VFZ0Y} z>z3Ya7rk)DEF?1eRq2lN8)PTjP5iRI=xc~d5TB{gfs5XcYG)l5ja_rFhWSL9s^>{Kx{o)wojHz$0mpC8a+*zx$nRjo)_ceJ3cf4O>?K!vlv1he*X^-yIFCo8fFt;kE z{9Iz*!xZpQDxs}1tX^V?!H?ce_UEm%@&p8RgI{gU5M2LD_2e$AjZde%PRq{xzN>!g zYtgIT9O~aVr!zdf%%v0l^xP|#DUHvj2Q7PK{hVXV)hAKA%2w4e-SJQinVrwv_3aRM zib{*>Rldz1qwhZNE;%-1e$Nhzrf2mU1~WOdEb5lYUR+)1aEgQV`n)H5kMH`u>_uj* z?d{1g&TUHkb-3h$hSay7XRQC@N|opQo;S%{!oqar^+&Uq?*5Twy&wHS#n?*V^wShc zq4(QdPIH~(bhMwmule`VijT1!$rFBW+{d85^?*=N;`&1^%Ab5L>8vhXseji**ZQaD z93TDdVvBqeqVCswU%tJ!kAo+2@5PusQw751jVd?{Gt%DOUNrTPq@Y-=!wSbMW_s<5 zwh8WylND;r4A~Iz%-ZET=U$nh3qI0ntc}N-zdnrVP^^_I;@cGcG9=>6vmUR~z0clE z{ACoT8))zKetN{gz^zQY3HMh0478v9>hcxeg*m&uLmD0{h|2|S-?PYG=IFCS($kI| z;yc0p+&(?Qq`cnE=JFG%$ybK2Ku%P&ns=Oz7ewnbvQKOB&A1vNQj*y?E1% z`Xbq#^S@TzY5o>8mKe9=&37-H zooQl{x9jCH_p9&r^Gd(C)~$EXDqLsvU3T5a%7XVD-|%uvp0GctEwbueq_H1U$8ove zOgFFHS@Fi?{PJBlJE|A534LNqz54GX-|CFJ%hx@=W*ioCz1)KT%m&$=DIZv*mIcVg zs!s@Bvt)k#y*m=sm#-Bo`aKk=;p9DizoRm~b@o+}Gwxj5W47(^{JCEzap%8BT}K(d zT~6}d$@jiNY>Hi<TK2tVIGTQU$9eg5se+mB&4lhb&a5(0+QH=`_RP%sXy~=y zuuS-!LEGGE(%+<`Z!2HkVyCI5`|{bZoc}gklC~)?7Cz@+q1|(4mc|-|^+*0&XZ(KY zUD?6;WKT;+d{x+y+3hRmXW#07thMp#NpG89(<^4A919Sred2vlVz))u$&A1hXY+~x z87If9iI3B@qVp;_y%U`o8adM+M*4hi&U05?xJWXjGT{o&COF;h~vo!^*Od2keKho@)Ijk-UGN z*pK0h~ivjj{&ko>XP3vX zSWx&b{Rxjg>w#VG1lP*0b6E9w52u~_X3tk?H*fLm{XCsD&Q)^x)Pu5*QXX|RUA~zx 
zEyK_Cl9t|$!V8?#%5O!_O);9ir}XCiA05-)-D0^dGw04- zHb%GGH%(6J{|Sm*`(W0bz{`xb6|Gi#pR%M+dtUyULAB^#dwfFaCy9`Xb)lygzAQdh ze2gXL&5fI`ZyaC!;TNCS_WgWJ!~PoatiHs&+CS^tcdvWKeSf>~M9;56>Cso_oU}Z+ z=)*vT%IKU^h zH=g_7&aF$7_O23Jd~2(^%~F@W(q79ZTiVm} zhjbH7>KCgg_;2su&zr(36knLNX|Hp4(Zq{h%uNmE+vlxba`+~1;Fq-mYJTTr7IJM0 zI`h9@b-Ld43nusFx5)_CYoFe;bK$D4EvseSZcZ0TKeXIdFxc3me3Fop<&FCc-7%K$ zguI_GTRw%^BR7Ky zUGlkPR22AU%Z2Jm5+#)vl-Rnz`)&wHP1RpnG0oO|!P!M(m2W@E&M+wX*c5WYzva$0 zqm!?1%vvHM+qq0d;GW!k>%|#HO~MM2mNOce?2js6dn93ePQ!VHWTTQ>S7x=sih7Po z?xG+5->tbH`?$M%rug>vokwSq-{+mK54;gu zV({{=Ubq(TUfxBbIdYEY4&1Wa(ZlB*`Q38zoHgmMr}3SgF!|GuN0;_LlGd#M_c!a@ zb;g~s=l2KSiIYDN%(>Ba{W}}YCtP^ZIe%7&eeRWY-V( zuBQ*UxhcH!necy|+%(4z>cQcxj3vy{E4nuaF{Z7xDbp3_5b|cvvgVfw{E)MMVNlHR z7@6tizUP)-=u*0;BmArHykzZ_Uz3j49o$o}>f>Y;u0@Xf&lYL1)$hG>Y%ae}({N=X)urq6=d0!55o!I9# zF}uDa>QSn6yy_gGlo@@3jIVZaNiG&q?%_UV)A`=1c;>Wwb~!Qp77_pJj!H#vtUT^` zqb)A^op{KWmlF!_7Os>08`^V#KfUZ#mYeD%$Gew%1i#HU&wlgl;^YN;VlSoneMvr+ z#ID%Pk~42%bcX4!t?^v>Ugxg!zgv;#f9js|*Y#y3OPg#Keo0vs_P@-h;g@nx%A9}C zXNQWbm`nfM_I-Va^zP32*FR63E}+|RpinaC_pHMq^UM9zPUo_{c6#%ybH%Dn#)j8U z+NUJW>8bc2v+E$AiVlCk>QFz`O|nVq!LN*NKlc59>4$cUlmGS3EmJp_O-R|c<%Y3B z;@dw_jsF*J_E4?fBBpG3o8iT_T#XN}bT2%Zx1#02{f{>_`p+0W+8Ft8joYPN=WdpV zztQ4)>~6dC^z!tL=YHKg=*N*5Q?@oyh405xr)9Br$7XU&RQ$f);NtJ;PYjg4m?oS! L7Wb}E^tC?#VMY}U diff --git a/system-modules/hsmw.nix b/system-modules/hsmw.nix index a61ae5e..66ee729 100644 --- a/system-modules/hsmw.nix +++ b/system-modules/hsmw.nix 
@@ -7,22 +7,78 @@
 environment.etc = {
- # easyroam HSMW
+ # Easyroam
 "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
 "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
 "ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
-
-
- # VPN
 "NetworkManager/system-connections/eduroam.nmconnection" = {
 text = secrets.easyroamHSMW.nmconfig;
 mode = "0600";
 };
+ # VPN
+ # "strongswan.conf".text = ''
+ # charon {
+ # load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown openssl resolve
+ # }
+ # '';
+ "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
 };
-
+ services.strongswan = {
+ enable = true;
+ setup = {
+ cachecrls = "yes";
+ strictcrlpolicy = "yes";
+ };
+ connections = {
+ hsmw = {
+ keyexchange = "ikev2";
+ left = "%defaultroute";
+ leftid = "%any";
+ leftauth = "eap";
+ eap_identity = secrets.email.hsmw.mail;
+ leftsourceip = "%config";
+ leftdns = "%config4";
+ leftfirewall = "no";
+ right = "141.55.128.84";
+ rightid = "@vpn4.hs-mittweida.de";
+ rightsubnet = "0.0.0.0/0";
+ rightauth = "pubkey";
+ auto = "add";
+ };
+ };
+ managePlugins = true;
+ enabledPlugins = [
+ "curl"
+ "aes"
+ "des"
+ "sha1"
+ "sha2"
+ "md5"
+ "pem"
+ "pkcs1"
+ "gmp"
+ "random"
+ "nonce"
+ "x509"
+ "revocation"
+ "hmac"
+ "xcbc"
+ "stroke"
+ "kernel-netlink"
+ "socket-default"
+ "fips-prf"
+ "eap-mschapv2"
+ "eap-identity"
+ "updown"
+ "openssl"
+ "resolve"
+ ];
+ secrets = [ "/etc/ipsec.d/hsmw.secrets" ];
+ # ca = {
+ # ??? # https://mynixos.com/nixpkgs/option/services.strongswan.ca
+ # }
+ };
 }
-
-
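Review bot: The EAP password on the added `"ipsec.d/hsmw.secrets".text = …` line is interpolated at evaluation time, so (as with any `environment.etc` `text`) it is written to a world-readable /nix/store path and only linked into /etc, whereas the neighbouring nmconnection entry at least sets `mode = "0600";`. Changing it to `"ipsec.d/hsmw.secrets" = { text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"''; mode = "0600"; };` makes the /etc copy root-only, but the store copy stays readable by every local user, so the file should be produced by a runtime secrets mechanism outside the store rather than through `environment.etc`. A password containing `"` or `\` would presumably also break the `EAP "…"` quoting that ipsec.secrets expects — worth confirming against the actual value. Separately, `rightauth = "pubkey"` with `strictcrlpolicy = "yes"` requires the gateway certificate to chain to a configured CA, which the commented-out `# ca = { ??? }` block leaves open, so the peer cannot be authenticated until that is filled in; the commented strongswan.conf `charon { load = … }` block above the secrets line duplicates `enabledPlugins` and can be dropped. The enclosing module attrset begins before this hunk.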