tuda eduroam

2024-10-17 17:18:07 +02:00
parent 8f3b04c191
commit d93ae4a78b
2 changed files with 61 additions and 21 deletions
--- a/system-modules/networking.nix
+++ b/system-modules/networking.nix
@@ -1,4 +1,4 @@
-{ config, lib, host, secrets, ... }:
+{ pkgs, lib, host, secrets, ... }:
 {
  # sops.secrets = {
  #   "wireless-networking.env" = {};
@@ -18,24 +18,63 @@
      80
      443
    ];
-    # wireless = {
-    #   enable = true;
-    #   environmentFile = config.sops.secrets."wireless-networking.env";
-    #   networks = {
-    #     eduroam = lib.mkIf (host == "NxXPS") {
-    #       auth = ''
-    #         ssid="eduroam"
-    #         key_mgmt=WPA-EAP
-    #         eap=PEAP
-    #         identity=${secrets.email.tuda.tuid}lan01@tu-darmstadt.de
-    #         password="@NXXPSEDUROAMPW@"
-    #         domain_suffix_match="radius.hrz.tu-darmstadt.de"
-    #         anonymous_identity="eduroam@tu-darmstadt.de"
-    #         phase2="auth=MSCHAPV2"
-    #         ca_cert="/etc/ssl/certs/ca-bundle.crt"
-    #       '';
-    #     };
-    #   };
+  };
+
+
+  # Eduroam
+
+  environment.etc = {
+    "ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";
+
+    # this comment blow is just for people reading my config
+    # I use sops-nix to place the actual file there (read below). 
+    # identity and password have been replaced with "<...>" in the comment
+    # There the "email" and the password from the IDM portal of the HRZ should go
+    # Notice the toda-eduroam-root.crt that I am using (specified above)
+    # The method im using means that the password for the network is accessable locally as root user
+    # an even more secure way is for example using something like this https://wiki.archlinux.org/title/NetworkManager#Encrypted_Wi-Fi_passwords
+    
+    # "NetworkManager/system-connections/eduroam.nmconnection" = {
+    #   text = ''
+    #     [connection]
+    #     id=eduroam
+    #     uuid=09ce7f02-0c1d-4e11-9f69-e91031176d9d
+    #     type=wifi
+    #     permissions=user:nx2:;
+
+    #     [wifi]
+    #     mode=infrastructure
+    #     ssid=eduroam
+
+    #     [wifi-security]
+    #     key-mgmt=wpa-eap
+
+    #     [802-1x]
+    #     anonymous-identity=eduroam@tu-darmstadt.de
+    #     ca-cert=/etc/ssl/certs/tuda-eduroam-root.crt
+    #     domain=radius.hrz.tu-darmstadt.de
+    #     eap=peap;
+    #     identity=<...>@tu-darmstadt.de
+    #     password=<...>
+    #     phase2-auth=mschapv2
+
+    #     [ipv4]
+    #     method=auto
+
+    #     [ipv6]
+    #     addr-gen-mode=stable-privacy
+    #     ip6-privacy=2
+    #     method=auto
+    #   ''; 
+    #   mode = "0600";
    # };
  };
+
+  sops.secrets = {
+    "eduroam/tuda_nmconnection" = {
+      mode = "0600";
+      owner = "root";
+      path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
+    };
+  };
 }