dotfiles/system-modules/hsmw.nix
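# NixOS module for the HS Mittweida network access of this machine:
#   * an eduroam (easyroam) NetworkManager profile with its client cert/key, and
#   * a strongSwan IKEv2 client ("hsmw") authenticating with EAP against the
#     university VPN gateway.
#
# NOTE(security): every file declared through `environment.etc` — both the
# `../secrets/...` sources and the rendered `text` — is first copied into
# /nix/store, which is world-readable on any NixOS host. The `mode` settings
# below only protect the copy/symlink target under /etc; the TLS client key
# and the VPN password remain readable by every local user through the store
# path. Closing that gap needs a runtime secret manager (agenix, sops-nix or
# similar) rather than `environment.etc`.
{ config, pkgs, lib, system, user, allowed, secrets, ... }:
{
  environment.systemPackages = [
    pkgs.strongswan
  ];

  environment.etc = {
    # Easyroam: client certificate, issuing root CA and client private key.
    # The paths are referenced from the eduroam NetworkManager profile below,
    # so they must stay where they are.
    "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
    "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
    "ssl/certs/easyroam_client_key.pem" = {
      source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
      # Private key: the environment.etc default (0444) would leave it
      # world-readable under /etc. NetworkManager runs as root, so root-only
      # access is sufficient.
      mode = "0600";
    };
    "NetworkManager/system-connections/eduroam.nmconnection" = {
      text = secrets.easyroamHSMW.nmconfig;
      # Contains the profile's credentials; keep it root-only.
      mode = "0600";
    };

    # VPN
    # Plugin loading is configured declaratively via
    # services.strongswan.enabledPlugins below; this hand-written charon
    # stanza is kept only as a reference for the equivalent strongswan.conf.
    # "strongswan.conf".text = ''
    # charon {
    # load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown openssl resolve
    # }
    # '';
    #
    # ipsec.secrets entry in the form `<identity> : EAP "<password>"`.
    # NOTE(review): the password is interpolated verbatim; a `"` inside it
    # would break the quoted-string syntax of this line — confirm the value
    # never contains one, or escape it before interpolation.
    "ipsec.d/hsmw.secrets" = {
      text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
      # Plaintext EAP password; charon reads it as root, nobody else needs it.
      mode = "0600";
    };
    # Trust anchors for the gateway certificate. Only the RSA CA is registered
    # in `services.strongswan.ca` below; the ECC file is not referenced
    # anywhere in this module.
    "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
    "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
  };

  services.strongswan = {
    enable = true;

    setup = {
      # Cache fetched CRLs locally and refuse to authenticate the peer when no
      # valid CRL can be obtained (the `curl` and `revocation` plugins below
      # are what make fetching possible).
      cachecrls = "yes";
      strictcrlpolicy = "yes";
    };

    connections = {
      hsmw = {
        keyexchange = "ikev2";

        # Local side: route-based source address, no fixed identity; we
        # authenticate with EAP (MSCHAPv2 via the plugins below) using the
        # university mail address as EAP identity. Address and DNS are
        # assigned by the gateway.
        left = "%defaultroute";
        leftid = "%any";
        leftauth = "eap";
        eap_identity = secrets.email.hsmw.mail;
        leftsourceip = "%config";
        leftdns = "%config4";
        # No automatic iptables rules from the updown script.
        leftfirewall = "no";

        # Remote side: the gateway must present a certificate chaining to the
        # CA in `ca.hsmw` whose identity matches the FQDN in rightid. The
        # EAP exchange is only safe against MITM because this server-side
        # public-key check happens first.
        right = "141.55.128.84";
        rightid = "@vpn4.hs-mittweida.de";
        # Full tunnel: all IPv4 traffic goes through the VPN once it is up.
        rightsubnet = "0.0.0.0/0";
        rightauth = "pubkey";

        # Loaded at startup but not brought up automatically (`ipsec up hsmw`).
        auto = "add";
      };
    };

    managePlugins = true;
    # Mirrors the commented charon `load` list above.
    # NOTE(review): `des`, `md5` and `sha1` are legacy algorithms; they are
    # kept here because the connection does not pin `ike`/`esp` proposals
    # and it is unknown which the gateway requires. If the gateway supports
    # it, pin modern proposals and drop these three.
    enabledPlugins = [
      "curl"
      "aes"
      "des"
      "sha1"
      "sha2"
      "md5"
      "pem"
      "pkcs1"
      "gmp"
      "random"
      "nonce"
      "x509"
      "revocation"
      "hmac"
      "xcbc"
      "stroke"
      "kernel-netlink"
      "socket-default"
      "fips-prf"
      "eap-mschapv2"
      "eap-identity"
      "updown"
      "openssl"
      "resolve"
    ];

    secrets = [ "/etc/ipsec.d/hsmw.secrets" ];

    ca = {
      hsmw = {
        auto = "add";
        cacert = "/etc/ipsec.d/USERTrust-RSA.pem";
      };
    };
  };
}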