# NixOS module: host networking (NetworkManager, fixed DNS resolvers, IPv6
# disabled, firewall openings) plus the eduroam Wi-Fi profile for
# tu-darmstadt.de, whose credentials are delivered through sops-nix.
{ pkgs, lib, host, secrets, ... }:
let
  # Single root CA taken from the unbundled cacert output; it is exposed under
  # a stable /etc path below so the 802.1X profile can reference it as ca-cert.
  eduroamRootCa = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";
in
{
  # Disabled secret declaration, kept for reference:
  #   sops.secrets = {
  #     "wireless-networking.env" = {};
  #   };

  networking.hostName = host;
  networking.networkmanager.enable = true;

  # Public resolvers (Cloudflare, Google) configured statically.
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
  networking.enableIPv6 = false;

  # allowedTCPPorts is not scoped to an interface, so 80/443 are reachable on
  # every network this host joins, eduroam included.
  # NOTE(review): confirm a web server is meant to be exposed there; otherwise
  # restrict the ports to a specific interface.
  networking.firewall = {
    allowedTCPPorts = [ 80 443 ];
  };

  # Eduroam
  environment.etc."ssl/certs/tuda-eduroam-root.crt".source = eduroamRootCa;

  # The commented profile below is only here for people reading this config.
  # The real file is placed by sops-nix (see sops.secrets at the end).
  # identity and password are replaced with "<...>"; the "email" and the
  # password from the IDM portal of the HRZ go there.
  # Note the tuda-eduroam-root.crt it references (defined above).
  #
  # Security notes:
  #  - Writing the profile with environment.etc `text` and real credentials
  #    would put the password into the world-readable Nix store; delivering
  #    the file through sops-nix avoids that.
  #  - With the sops-nix method the password is still accessible locally as
  #    the root user. An even more secure way is, for example,
  #    https://wiki.archlinux.org/title/NetworkManager#Encrypted_Wi-Fi_passwords
  #  - ca-cert limits which CA the RADIUS server certificate may chain to.
  #    NOTE(review): NetworkManager documents domain-suffix-match /
  #    domain-match for pinning the server name; confirm that `domain=` is
  #    honoured. If it is ignored, any certificate issued under this public
  #    root would be accepted for the PEAP/MSCHAPv2 exchange.
  #
  #   "NetworkManager/system-connections/eduroam.nmconnection" = {
  #     text = ''
  #       [connection]
  #       id=eduroam
  #       uuid=09ce7f02-0c1d-4e11-9f69-e91031176d9d
  #       type=wifi
  #       permissions=user:nx2:;
  #
  #       [wifi]
  #       mode=infrastructure
  #       ssid=eduroam
  #
  #       [wifi-security]
  #       key-mgmt=wpa-eap
  #
  #       [802-1x]
  #       anonymous-identity=eduroam@tu-darmstadt.de
  #       ca-cert=/etc/ssl/certs/tuda-eduroam-root.crt
  #       domain=radius.hrz.tu-darmstadt.de
  #       eap=peap;
  #       identity=<...>@tu-darmstadt.de
  #       password=<...>
  #       phase2-auth=mschapv2
  #
  #       [ipv4]
  #       method=auto
  #
  #       [ipv6]
  #       addr-gen-mode=stable-privacy
  #       ip6-privacy=2
  #       method=auto
  #     '';
  #     mode = "0600";
  #   };

  # Decrypted eduroam profile, placed where NetworkManager looks for system
  # connections. Root-owned and 0600 so no other local user can read the
  # password; NetworkManager also expects keyfiles to be root-only.
  sops.secrets."eduroam/tuda_nmconnection" = {
    owner = "root";
    mode = "0600";
    path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
  };
}