From d93ae4a78ba3e8d2c5fb9011c9d904dd81b587ca Mon Sep 17 00:00:00 2001 From: "Lennart J. Kurzweg (Nx2)" Date: Thu, 17 Oct 2024 17:18:07 +0200 Subject: [PATCH] tuda eduroam --- sops-secrets.yaml | 5 ++- system-modules/networking.nix | 77 ++++++++++++++++++++++++++--------- 2 files changed, 61 insertions(+), 21 deletions(-) diff --git a/sops-secrets.yaml b/sops-secrets.yaml index 3446bc3..b441604 100644 --- a/sops-secrets.yaml +++ b/sops-secrets.yaml @@ -31,6 +31,7 @@ eduroam: client-key: ENC[AES256_GCM,data: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,iv:elOnzTpyIwv49ErwOZRINMSXryBwiwP8Kus83+tAzks=,tag:QN3WdC+TUB01X2p76+ng3w==,type:str] root-ca: ENC[AES256_GCM,data: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,iv:8UyU8fVq8YaSsurOOgsKGIAelaxWR7+AITwwf7ts4qk=,tag:K/zGiCthB6Vyh0ijRDxM6w==,type:str] nxxpspw: ENC[AES256_GCM,data:JANZ4+70xZWr0KrkkQgm+0oN0esZ6xIPBIzJTeF+MA==,iv:zVAQZXN+3QXImHIDPQcKmHnDiQvzQRGwSxFJZZZtfH4=,tag:HfH0J0b4Nu3RrZtrAaJmKQ==,type:str] + tuda_nmconnection: ENC[AES256_GCM,data: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,iv:4iXVSvYMzppxYqCPH84cTfai6BdKRHD4BUF0BI9JYHc=,tag:DgAP7HZ38XgD1SYIMw0tYg==,type:str] hsmw-vpn-secret: ENC[AES256_GCM,data:3bKxRGTQcbhRjzARSpYBW5ekQW/U/ixzNiFmO36gw0NKyDMLlbVbJBqXvi71M0GXgmo/FA==,iv:7bVDA8u9apDNXFY/vEMbz/0HywG5Pyrl5JfZrcNCr8w=,tag:xz4j7cEc5hvLwrItWjkx0Q==,type:str] sops: kms: [] 
@@ -74,8 +75,8 @@ sops: SHJLR3lvdlFiRmJuU25RUHFFTmpjamMKbzycdDvQBAuOiRROTZEQSnaXoPapz73L yVS9EUP25FSx/sGqRqaCefbeaybuM1aso6LDnlomv4Bib7zjugWKSw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-09T21:28:13Z" - mac: ENC[AES256_GCM,data:EGpSDaYbOeupFjAmTgymLIYnEZnvZ9XzbNc+3wZemWYojtlnZX5bWn8aN7KEPactIeKcRg2Qx3FFaz24cLQiS58iM1Ig7QmChLlQFe/4JdGpuNJLcrXwGDjCvOZWEVvNcm51t0Ky+TTXQccluEwr2yPQZkLYbbJJQhmH5KQZ7lM=,iv:w8QF1TkWph2zBFzYBWPxpZDvCXl64aPcpLeTjT5JQNg=,tag:0Vcd0+nfeMo+MB/j1gPOxA==,type:str] + lastmodified: "2024-10-17T14:47:27Z" + mac: ENC[AES256_GCM,data:J3JGkxl3ifg054bvjRsWnAdkpJ/Ne1S1em5oTTM8eJ4vveFTBsmQgZFn9Z9Dj0mCgX1nd8VWebS2ABrZn44O1t+4L1bdYDjUS03JbN6wK/QXmLjuJeHl9qMdnPO8X2aLLS+Ej4PKlTFBDu/OEavhFmiUcW7wdEssl/D+ExV76zs=,iv:CEzRAmvu32vQ3CkyS0w90jEwlFzrKiH219zhTvM7INA=,tag:nYZ3lUGgvgRoPLA/l/4YDQ==,type:str] pgp: - created_at: "2024-06-09T19:44:41Z" enc: |- diff --git a/system-modules/networking.nix b/system-modules/networking.nix index 0248d66..f962e2f 100755 --- a/system-modules/networking.nix +++ b/system-modules/networking.nix @@ -1,4 +1,4 @@ -{ config, lib, host, secrets, ... }: +{ pkgs, lib, host, secrets, ... }: { # sops.secrets = { # "wireless-networking.env" = {}; 
@@ -18,24 +18,63 @@ 80 443 ]; - # wireless = { - # enable = true; - # environmentFile = config.sops.secrets."wireless-networking.env"; - # networks = { - # eduroam = lib.mkIf (host == "NxXPS") { - # auth = '' - # ssid="eduroam" - # key_mgmt=WPA-EAP - # eap=PEAP - # identity=${secrets.email.tuda.tuid}lan01@tu-darmstadt.de - # password="@NXXPSEDUROAMPW@" - # domain_suffix_match="radius.hrz.tu-darmstadt.de" - # anonymous_identity="eduroam@tu-darmstadt.de" - # phase2="auth=MSCHAPV2" - # ca_cert="/etc/ssl/certs/ca-bundle.crt" - # ''; - # }; - # }; + }; + + + # Eduroam + + environment.etc = { + "ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt"; + + # this comment blow is just for people reading my config + # I use sops-nix to place the actual file there (read below). + # identity and password have been replaced with "<...>" in the comment + # There the "email" and the password from the IDM portal of the HRZ should go + # Notice the toda-eduroam-root.crt that I am using (specified above) + # The method im using means that the password for the network is accessable locally as root user + # an even more secure way is for example using something like this https://wiki.archlinux.org/title/NetworkManager#Encrypted_Wi-Fi_passwords + + # "NetworkManager/system-connections/eduroam.nmconnection" = { + # text = '' + # [connection] + # id=eduroam + # uuid=09ce7f02-0c1d-4e11-9f69-e91031176d9d + # type=wifi + # permissions=user:nx2:; + + # [wifi] + # mode=infrastructure + # ssid=eduroam + + # [wifi-security] + # key-mgmt=wpa-eap + + # [802-1x] + # anonymous-identity=eduroam@tu-darmstadt.de + # ca-cert=/etc/ssl/certs/tuda-eduroam-root.crt + # domain=radius.hrz.tu-darmstadt.de + # eap=peap; + # identity=<...>@tu-darmstadt.de + # password=<...> + # phase2-auth=mschapv2 + + # [ipv4] + # method=auto + + # [ipv6] + # addr-gen-mode=stable-privacy + # ip6-privacy=2 + # method=auto + # ''; + # mode = "0600"; # }; }; + + 
sops.secrets = { + "eduroam/tuda_nmconnection" = { + mode = "0600"; + owner = "root"; + path = "/etc/NetworkManager/system-connections/eduroam.nmconnection"; + }; + }; }
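Review bot: The commented-out profile's `[802-1x]` section uses `domain=radius.hrz.tu-darmstadt.de`, but the NetworkManager keyfile property that pins the RADIUS server name is `domain-suffix-match` (or the stricter `domain-match`); as far as I can tell NM warns about and ignores unknown keys rather than refusing the profile, so if the encrypted `tuda_nmconnection` carries the same key the PEAP server certificate would only be checked against T-TeleSec GlobalRoot Class 2 and any host holding a certificate from that CA could impersonate the RADIUS server. The old wpa_supplicant block this replaces had `domain_suffix_match`, so this looks like a rename slip: please confirm the real secret reads `domain-suffix-match=radius.hrz.tu-darmstadt.de` and update the comment to match. Separately, sops-nix realises `path` as a symlink into /run/secrets and NM's keyfile plugin skips profiles that are not root-owned 0600, so it is worth verifying on a rebuild that the symlinked profile is actually loaded and not silently ignored. The closing `}` after `sops.secrets` belongs to the module attrset that opens outside this hunk.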