dotfiles/system-modules/hsmw.nix

{ pkgs, ... }@all: with all;
{
  environment.systemPackages = with pkgs; [
    strongswanNM
  ];
  
  environment.etc = {

  #   # Easyroam 
  #   "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
  #   "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
  #   "ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
  #   "NetworkManager/system-connections/eduroam.nmconnection" = {
  #     text = secrets.easyroamHSMW.nmconfig; 
  #     mode = "0600";
  #   };

    # "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.un}@hs-mittweida.de : EAP "megasecret"'';
  #   "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
  #   "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
  };


  sops.secrets = {
    "USERTrust/ECC" = { path = "/etc/ipsec.d/USERTrust-ECC.pem"; };
    "USERTrust/RSA" = { path = "/etc/ipsec.d/USERTrust-RSA.pem"; };
    "hsmw-vpn-secret" = { path = "/etc/ipsec.d/hsmw.secret"; mode = "600"; };
  };
  
  networking.networkmanager.enableStrongSwan = true;

  services.strongswan = {
    enable = true;
    setup = {
      cachecrls = "yes";
      strictcrlpolicy = "yes";
    };
    connections = {
      hsmw = {
        keyexchange = "ikev2";
        left = "%defaultroute";
        leftid = "%any";
        leftauth = "eap";
        eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
        leftsourceip = "%config";
        leftdns = "%config4";  # Ensure that DNS resolution works as expected
        leftfirewall = "no";  # Keep firewall disabled, but manually check rules
        right = "141.55.128.84";
        rightid = "@vpn4.hs-mittweida.de";
        rightsubnet = "141.55.128.0/16";  # Split tunneling: Only route traffic for the VPN subnet
        rightauth = "pubkey";
        auto = "add";
      };
    };
    managePlugins = true;
    enabledPlugins = [ 
      "curl"
      "aes"
      "des"
      "sha1"
      "sha2"
      "md5"
      "pem"
      "pkcs1"
      "gmp"
      "random"
      "nonce"
      "x509"
      "revocation"
      "hmac"
      "xcbc"
      "stroke"
      "kernel-netlink"
      "socket-default"
      "fips-prf"
      "eap-mschapv2"
      "eap-identity"
      "updown"
      "openssl"
      "resolve"
    ];
    secrets = [ "/etc/ipsec.d/hsmw.secret" ];
    ca = {
      hsmw = {
        auto = "add";
        cacert = "/etc/ipsec.d/USERTrust-RSA.pem";
      };
    };
  };
}