91 lines
2.5 KiB
Nix
Executable File
91 lines
2.5 KiB
Nix
Executable File
{ pkgs, lib, host, secrets, ... }:
|
|
{
|
|
environment.systemPackages = with pkgs; [
|
|
strongswanNM
|
|
];
|
|
|
|
environment.etc = {
|
|
|
|
# # Easyroam
|
|
# "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
|
|
# "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
|
|
# "ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
|
|
# "NetworkManager/system-connections/eduroam.nmconnection" = {
|
|
# text = secrets.easyroamHSMW.nmconfig;
|
|
# mode = "0600";
|
|
# };
|
|
|
|
# "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.un}@hs-mittweida.de : EAP "megasecret"'';
|
|
# "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
|
|
# "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
|
|
};
|
|
|
|
|
|
sops.secrets = {
|
|
"USERTrust/ECC" = { path = "/etc/ipsec.d/USERTrust-ECC.pem"; };
|
|
"USERTrust/RSA" = { path = "/etc/ipsec.d/USERTrust-RSA.pem"; };
|
|
"hsmw-vpn-secret" = { path = "/etc/ipsec.d/hsmw.secret"; mode = "600"; };
|
|
};
|
|
|
|
networking.networkmanager.enableStrongSwan = true;
|
|
|
|
services.strongswan = {
|
|
enable = true;
|
|
setup = {
|
|
cachecrls = "yes";
|
|
strictcrlpolicy = "yes";
|
|
};
|
|
connections = {
|
|
hsmw = {
|
|
keyexchange = "ikev2";
|
|
left = "%defaultroute";
|
|
leftid = "%any";
|
|
leftauth = "eap";
|
|
eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
|
|
leftsourceip = "%config";
|
|
leftdns = "%config4"; # Ensure that DNS resolution works as expected
|
|
leftfirewall = "no"; # Keep firewall disabled, but manually check rules
|
|
right = "141.55.128.84";
|
|
rightid = "@vpn4.hs-mittweida.de";
|
|
rightsubnet = "141.55.128.0/16"; # Split tunneling: Only route traffic for the VPN subnet
|
|
rightauth = "pubkey";
|
|
auto = "add";
|
|
};
|
|
};
|
|
managePlugins = true;
|
|
enabledPlugins = [
|
|
"curl"
|
|
"aes"
|
|
"des"
|
|
"sha1"
|
|
"sha2"
|
|
"md5"
|
|
"pem"
|
|
"pkcs1"
|
|
"gmp"
|
|
"random"
|
|
"nonce"
|
|
"x509"
|
|
"revocation"
|
|
"hmac"
|
|
"xcbc"
|
|
"stroke"
|
|
"kernel-netlink"
|
|
"socket-default"
|
|
"fips-prf"
|
|
"eap-mschapv2"
|
|
"eap-identity"
|
|
"updown"
|
|
"openssl"
|
|
"resolve"
|
|
];
|
|
secrets = [ "/etc/ipsec.d/hsmw.secret" ];
|
|
ca = {
|
|
hsmw = {
|
|
auto = "add";
|
|
cacert = "/etc/ipsec.d/USERTrust-RSA.pem";
|
|
};
|
|
};
|
|
};
|
|
}
|