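{ pkgs, lib, host, secrets, ... }:
# NixOS module: strongSwan IKEv2 client for the HSMW VPN plus the
# easyroam/eduroam NetworkManager profile and its TLS material.
# Applied on every host except "NxACE".
#
# NOTE(review): every file placed through `environment.etc` — both `.text`
# and `.source` entries — is first copied into the Nix store, which is
# world-readable on the machine. The `mode` attributes below therefore only
# protect the copy under /etc; the client key and the EAP password still
# exist as store paths. Confirm this is acceptable for this host, or move
# those two items to a secrets mechanism that writes outside the store.
lib.mkIf (host != "NxACE") {
  environment.systemPackages = [ pkgs.strongswanNM ];

  environment.etc = {
    # Easyroam: client certificate and root CA are public material, so the
    # default (symlink into the store) is fine for them.
    "ssl/certs/easyroam_client_cert.pem".source =
      ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
    "ssl/certs/easyroam_root_ca.pem".source =
      ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
    # Private key: without an explicit mode, environment.etc installs a
    # world-readable symlink. Copy it as 0600 (same as the nmconnection
    # below); NetworkManager reads it as root.
    "ssl/certs/easyroam_client_key.pem" = {
      source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
      mode = "0600";
    };
    "NetworkManager/system-connections/eduroam.nmconnection" = {
      text = secrets.easyroamHSMW.nmconfig;
      mode = "0600";
    };

    # strongSwan EAP credentials in ipsec.secrets syntax:
    #   <identity> : EAP "<password>"
    # The file holds the plaintext password, so restrict it like the
    # nmconnection above; charon reads it as root.
    "ipsec.d/hsmw.secrets" = {
      text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
      mode = "0600";
    };
    # CA certificates used to validate the VPN gateway (public material).
    "ipsec.d/USERTrust-ECC.pem".source =
      ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
    "ipsec.d/USERTrust-RSA.pem".source =
      ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
  };

  networking.networkmanager.enableStrongSwan = true;

  services.strongswan = {
    enable = true;

    # `config setup` section of ipsec.conf: fetch/cache CRLs and refuse
    # peers whose revocation status cannot be determined.
    setup = {
      cachecrls = "yes";
      strictcrlpolicy = "yes";
    };

    connections = {
      hsmw = {
        keyexchange = "ikev2";
        # Local side: default route, EAP (MSCHAPv2 via enabledPlugins) with
        # the mail address as EAP identity; address and DNS come from the
        # gateway via IKEv2 configuration payloads.
        left = "%defaultroute";
        leftid = "%any";
        leftauth = "eap";
        eap_identity = secrets.email.hsmw.mail;
        leftsourceip = "%config";
        leftdns = "%config4";
        leftfirewall = "no";
        # Remote side: gateway authenticated by certificate against the
        # USERTrust RSA CA declared in `ca.hsmw`; full-tunnel.
        right = "141.55.128.84";
        rightid = "@vpn4.hs-mittweida.de";
        rightsubnet = "0.0.0.0/0";
        rightauth = "pubkey";
        # "add": load the connection, connect on demand (not at boot).
        auto = "add";
      };
    };

    # Explicit plugin list instead of the distribution default.
    managePlugins = true;
    enabledPlugins = [
      "curl"
      "aes"
      "des"
      "sha1"
      "sha2"
      "md5"
      "pem"
      "pkcs1"
      "gmp"
      "random"
      "nonce"
      "x509"
      "revocation"
      "hmac"
      "xcbc"
      "stroke"
      "kernel-netlink"
      "socket-default"
      "fips-prf"
      "eap-mschapv2"
      "eap-identity"
      "updown"
      "openssl"
      "resolve"
    ];

    # Additional secrets files included from ipsec.secrets.
    secrets = [ "/etc/ipsec.d/hsmw.secrets" ];

    ca = {
      hsmw = {
        auto = "add";
        cacert = "/etc/ipsec.d/USERTrust-RSA.pem";
      };
    };
  };
}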