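{ config, pkgs, lib, system, user, allowed, secrets, ... }:

# NixOS module for HS Mittweida connectivity: the eduroam/easyroam Wi-Fi
# profile (NetworkManager) and the campus IKEv2 VPN (strongSwan, EAP with a
# USERTrust CA on the gateway side).
#
# NOTE(review): every `environment.etc.*.source` / `.text` value below is
# materialised in the Nix store first, and the store is world-readable on the
# host no matter which `mode` is set here. `mode = "0600"` only protects the
# copy under /etc; the easyroam client key and the EAP password embedded in
# `hsmw.secrets` stay readable from /nix/store (and from any binary cache this
# configuration is pushed to). A secrets tool that deploys to a non-store path
# (agenix, sops-nix, ...) would remove that exposure; `services.strongswan.secrets`
# can then point at that path.
{
  environment.systemPackages = [ pkgs.strongswan ];

  environment.etc = {
    # Easyroam (eduroam) client certificate and trust anchor for NetworkManager.
    "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
    "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;

    # Private key: copied into /etc as a root-only file instead of the default
    # world-readable symlink into the store, so other local users cannot read
    # it from /etc. Presumes the Wi-Fi supplicant reads it as root (the NixOS
    # default) -- verify if the supplicant is ever run unprivileged.
    "ssl/certs/easyroam_client_key.pem" = {
      source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
      mode = "0600";
    };

    # NetworkManager expects connection profiles to be root-only.
    "NetworkManager/system-connections/eduroam.nmconnection" = {
      text = secrets.easyroamHSMW.nmconfig;
      mode = "0600";
    };

    # strongSwan EAP credentials in ipsec.secrets syntax:
    #   <identity> : EAP "<password>"
    # Root-only like the nmconnection above; charon presumably reads this as
    # root (NixOS runs the strongswan service as root by default).
    "ipsec.d/hsmw.secrets" = {
      text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
      mode = "0600";
    };

    # Public CA certificates used to verify the VPN gateway; a store symlink is
    # fine for these. Only the RSA root is registered under `ca.hsmw` below --
    # the ECC file is installed but not referenced, which looks intentional
    # (the gateway chain is RSA) but is worth confirming.
    "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
    "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
  };

  services.strongswan = {
    enable = true;

    setup = {
      # Cache fetched CRLs locally and refuse the connection when revocation
      # status cannot be established.
      cachecrls = "yes";
      strictcrlpolicy = "yes";
    };

    connections.hsmw = {
      keyexchange = "ikev2";

      # Local side: authenticate with EAP (MSCHAPv2 via the plugins below),
      # using the mail address as EAP identity. Address, DNS and the
      # full-tunnel route are assigned by the gateway.
      left = "%defaultroute";
      leftid = "%any";
      leftauth = "eap";
      eap_identity = secrets.email.hsmw.mail;
      leftsourceip = "%config";
      leftdns = "%config4";
      leftfirewall = "no";

      # Remote side: the gateway authenticates with a certificate that must
      # chain to the CA registered under `ca.hsmw`; rightid pins the identity
      # that certificate has to carry.
      right = "141.55.128.84";
      rightid = "@vpn4.hs-mittweida.de";
      rightsubnet = "0.0.0.0/0";
      rightauth = "pubkey";
      auto = "add";
    };

    managePlugins = true;

    # NOTE(review): `des`, `md5` and `sha1` are loaded here. The connection
    # above sets no `ike`/`esp` proposal, so charon appears to negotiate from
    # its built-in defaults and whether a legacy algorithm is actually chosen
    # depends on what the gateway offers. If the gateway supports it, pin the
    # proposals in the connection and drop the legacy plugins; left as-is here
    # because removing them could break the tunnel.
    enabledPlugins = [
      "curl"
      "aes"
      "des"
      "sha1"
      "sha2"
      "md5"
      "pem"
      "pkcs1"
      "gmp"
      "random"
      "nonce"
      "x509"
      "revocation"
      "hmac"
      "xcbc"
      "stroke"
      "kernel-netlink"
      "socket-default"
      "fips-prf"
      "eap-mschapv2"
      "eap-identity"
      "updown"
      "openssl"
      "resolve"
    ];

    # Credentials file written by environment.etc above.
    secrets = [ "/etc/ipsec.d/hsmw.secrets" ];

    # Trust anchor for the gateway certificate; `strictcrlpolicy` above makes
    # a reachable CRL for this chain mandatory.
    ca.hsmw = {
      auto = "add";
      cacert = "/etc/ipsec.d/USERTrust-RSA.pem";
    };
  };
}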