nixos-config/hosts/thinkpad/modules/networks/uni.nix

{ config, pkgs, lib, ... }:
{
  age.secrets = {
    tud.file = ../../../../secrets/thinkpad/tud.age;
    agdsn.file = ../../../../secrets/thinkpad/agdsn.age;
    dyport-auth = {
      file = ../../../../secrets/thinkpad/dyport-auth.age;
    };
  };
  networking = {
    supplicant = {
      "LAN" = {
        userControlled.enable = true;
        driver = "wired";
        configFile.path = pkgs.writeText "supplicant-lan.conf" ''
          ctrl_interface=/run/wpa_supplicant
          ap_scan=0
          network={
            ssid="apb-ifsr"
          	key_mgmt=IEEE8021X
          	eap=TTLS
          	anonymous_identity="rose159e@apb-ifsr"
          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
          	identity="rose159e@apb-ifsr"
          	password=ext:TUD_AUTH
          	phase2="auth=PAP"
          	disabled=1
          }
          network={
          	ssid="zih-ma"
          	key_mgmt=IEEE8021X
          	eap=TTLS
          	anonymous_identity="rose159e@zih-ma"
          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
          	identity="rose159e@zih-ma"
          	password=ext:TUD_AUTH
          	phase2="auth=PAP"
          	disabled=1
          }
          ext_password_backend=file:${config.age.secrets.dyport-auth.path}
        '';
        # configFile.path = config.age.secrets.dyport-auth.path;
      };
    };
    wireless.networks = {
      eduroam = {
        auth = ''
          eap=TTLS
          anonymous_identity="anonymous@tu-dresden.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
          identity="rose159e@tu-dresden.de"
          password=ext:EDUROAM_AUTH
          phase2="auth=PAP"
          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b 82:5a:1c:02:3d:8b
        '';
        extraConfig = ''
          scan_ssid=1
        '';
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn = {
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          password=ext:AGDSN_WIFI_AUTH
          phase2="auth=PAP"
          bssid_ignore=b8:3a:5a:8b:96:c2
        '';
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn-office = {
        priority = 5;
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          proto=WPA2
          password=ext:AGDSN_AUTH
          phase2="auth=PAP"
        '';
        extraConfig = "disabled=1";
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn_fritzbox = {
        psk = "ext:AGDSN_FRITZBOX_PSK";
        authProtocols = [ "WPA-PSK" ];
      };
      FSR = {
        psk = "ext:FSR_PSK";
        authProtocols = [ "WPA-PSK" ];
      };
    };
    openconnect.interfaces = {
      TUD-A-Tunnel = {
        # apparently device names have a character limit
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
          compression = "stateless";
        };
      };
      TUD-C-Tunnel = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "C-Tunnel-All-Networks";
          compression = "stateless";
        };
      };
      ZIH = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@zih-ma-vpn";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
          compression = "stateless";
        };
      };
    };
  };
  systemd.services = {
    openfortivpn-agdsn = {
      description = "AG DSN Fortinet VPN";
      script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert 249db14f96c8ea6174d80a3b964868bfbe8c56bc27bf031bf0afb9aeca8eb978";
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      serviceConfig = {
        Type = "simple";
        LoadCredential = [
          "password:${config.age.secrets.agdsn.path}"
        ];
        ProtectSystem = true;
        ProtectKernelLogs = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;

        ProtectHome = true;
        ProtectClock = true;
        PrivateTmp = true;

        LockPersonality = true;
      };
    };
    # fix systemd dependencies for supplicant services
    "supplicant-lan@" = {
      wantedBy = lib.mkForce [ ];
    };
  };
}
network: rework wpa supplicant 2024-08-22 11:39:42 +02:00			`{ config, pkgs, lib, ... }:`
configured networks vpn isn't configured yet, for cable I don't know 2022-12-29 15:05:26 +01:00			`{`
network: add openfortivpn and wifi@db 2023-12-17 17:22:12 +01:00			`age.secrets = {`
			`tud.file = ../../../../secrets/thinkpad/tud.age;`
			`agdsn.file = ../../../../secrets/thinkpad/agdsn.age;`
updates 2024-08-07 13:40:02 +02:00			`dyport-auth = {`
			`file = ../../../../secrets/thinkpad/dyport-auth.age;`
networking: fix ifsr-apb password 2023-12-24 23:40:01 +01:00			`};`
start replacing sops with agenix 2023-11-16 13:29:18 +01:00			`};`
added tu vpn 2022-12-29 20:25:07 +01:00			`networking = {`
network: rework wpa supplicant 2024-08-22 11:39:42 +02:00			`supplicant = {`
			`"LAN" = {`
updates 2024-08-07 13:40:02 +02:00			`userControlled.enable = true;`
			`driver = "wired";`
rework wpa supplicants 2024-09-26 17:48:59 +02:00			`configFile.path = pkgs.writeText "supplicant-lan.conf" ''`
			`ctrl_interface=/run/wpa_supplicant`
			`ap_scan=0`
			`network={`
			`ssid="apb-ifsr"`
			`key_mgmt=IEEE8021X`
			`eap=TTLS`
			`anonymous_identity="rose159e@apb-ifsr"`
			`ca_cert="/etc/ssl/certs/ca-certificates.crt"`
			`domain_suffix_match="radius-tud.zih.tu-dresden.de"`
			`identity="rose159e@apb-ifsr"`
			`password=ext:TUD_AUTH`
			`phase2="auth=PAP"`
			`disabled=1`
			`}`
			`network={`
			`ssid="zih-ma"`
			`key_mgmt=IEEE8021X`
			`eap=TTLS`
			`anonymous_identity="rose159e@zih-ma"`
			`ca_cert="/etc/ssl/certs/ca-certificates.crt"`
			`domain_suffix_match="radius-tud.zih.tu-dresden.de"`
			`identity="rose159e@zih-ma"`
			`password=ext:TUD_AUTH`
			`phase2="auth=PAP"`
			`disabled=1`
			`}`
			`ext_password_backend=file:${config.age.secrets.dyport-auth.path}`
			`'';`
			`# configFile.path = config.age.secrets.dyport-auth.path;`
updates 2024-08-07 13:40:02 +02:00			`};`
networking: fix ifsr-apb password 2023-12-24 23:40:01 +01:00			`};`
added tu vpn 2022-12-29 20:25:07 +01:00			`wireless.networks = {`
formatting 2022-12-29 20:50:01 +01:00			`eduroam = {`
added tu vpn 2022-12-29 20:25:07 +01:00			`auth = ''`
eduroam is kinda broken, fixing with pxl hotspot 2023-04-14 11:14:53 +02:00			`eap=TTLS`
added tu vpn 2022-12-29 20:25:07 +01:00			`anonymous_identity="anonymous@tu-dresden.de"`
			`ca_cert="/etc/ssl/certs/ca-certificates.crt"`
			`domain_suffix_match="radius-eduroam.zih.tu-dresden.de"`
			`identity="rose159e@tu-dresden.de"`
rework wpa supplicants 2024-09-26 17:48:59 +02:00			`password=ext:EDUROAM_AUTH`
eduroam is kinda broken, fixing with pxl hotspot 2023-04-14 11:14:53 +02:00			`phase2="auth=PAP"`
misc fixes 2024-11-05 16:01:36 +01:00			`bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b 82:5a:1c:02:3d:8b`
eduroam is kinda broken, fixing with pxl hotspot 2023-04-14 11:14:53 +02:00			`'';`
			`extraConfig = ''`
			`scan_ssid=1`
added tu vpn 2022-12-29 20:25:07 +01:00			`'';`
			`authProtocols = [ "WPA-EAP" ];`
			`};`
formatting 2022-12-29 20:50:01 +01:00			`agdsn = {`
added tu vpn 2022-12-29 20:25:07 +01:00			`auth = ''`
			`eap=TTLS`
some agdsn related changes 2023-10-08 14:22:52 +02:00			`anonymous_identity="wifi@agdsn.de"`
added tu vpn 2022-12-29 20:25:07 +01:00			`ca_cert="/etc/ssl/certs/ca-certificates.crt"`
			`domain_suffix_match="radius.agdsn.de"`
			`identity="r5"`
rework wpa supplicants 2024-09-26 17:48:59 +02:00			`password=ext:AGDSN_WIFI_AUTH`
wireguard and fail2ban 2023-10-22 15:45:30 +02:00			`phase2="auth=PAP"`
thinkpad: blacklist unwanted APs 2024-04-19 11:34:01 +02:00			`bssid_ignore=b8:3a:5a:8b:96:c2`
wireguard and fail2ban 2023-10-22 15:45:30 +02:00			`'';`
			`authProtocols = [ "WPA-EAP" ];`
			`};`
			`agdsn-office = {`
falkenstein-1 -> falkenstein 2023-11-20 22:46:51 +01:00			`priority = 5;`
wireguard and fail2ban 2023-10-22 15:45:30 +02:00			`auth = ''`
			`eap=TTLS`
			`anonymous_identity="wifi@agdsn.de"`
			`ca_cert="/etc/ssl/certs/ca-certificates.crt"`
			`domain_suffix_match="radius.agdsn.de"`
			`identity="r5"`
			`proto=WPA2`
rework wpa supplicants 2024-09-26 17:48:59 +02:00			`password=ext:AGDSN_AUTH`
added tu vpn 2022-12-29 20:25:07 +01:00			`phase2="auth=PAP"`
			`'';`
updates and fixes 2024-08-13 11:38:01 +02:00			`extraConfig = "disabled=1";`
added tu vpn 2022-12-29 20:25:07 +01:00			`authProtocols = [ "WPA-EAP" ];`
			`};`
a lot of updates and misc fixes 2024-07-31 14:16:33 +02:00			`agdsn_fritzbox = {`
rework wpa supplicants 2024-09-26 17:48:59 +02:00			`psk = "ext:AGDSN_FRITZBOX_PSK";`
a lot of updates and misc fixes 2024-07-31 14:16:33 +02:00			`authProtocols = [ "WPA-PSK" ];`
			`};`
added fsr wifi 2022-12-30 22:44:05 +01:00			`FSR = {`
rework wpa supplicants 2024-09-26 17:48:59 +02:00			`psk = "ext:FSR_PSK";`
added fsr wifi 2022-12-30 22:44:05 +01:00			`authProtocols = [ "WPA-PSK" ];`
			`};`
configured networks vpn isn't configured yet, for cable I don't know 2022-12-29 15:05:26 +01:00			`};`
added tu vpn 2022-12-29 20:25:07 +01:00			`openconnect.interfaces = {`
formatting and updates 2023-01-10 11:31:33 +01:00			`TUD-A-Tunnel = {`
			`# apparently device names have a character limit`
added tu vpn 2022-12-29 20:25:07 +01:00			`protocol = "anyconnect";`
			`gateway = "vpn2.zih.tu-dresden.de";`
			`user = "rose159e@tu-dresden.de";`
start replacing sops with agenix 2023-11-16 13:29:18 +01:00			`passwordFile = config.age.secrets.tud.path;`
added tu vpn 2022-12-29 20:25:07 +01:00			`autoStart = false;`
			`extraOptions = {`
			`authgroup = "A-Tunnel-TU-Networks";`
			`compression = "stateless";`
			`};`
			`};`
formatting and updates 2023-01-10 11:31:33 +01:00			`TUD-C-Tunnel = {`
enhanced TUD vpn 2023-01-02 22:46:26 +01:00			`protocol = "anyconnect";`
			`gateway = "vpn2.zih.tu-dresden.de";`
			`user = "rose159e@tu-dresden.de";`
start replacing sops with agenix 2023-11-16 13:29:18 +01:00			`passwordFile = config.age.secrets.tud.path;`
enhanced TUD vpn 2023-01-02 22:46:26 +01:00			`autoStart = false;`
			`extraOptions = {`
			`authgroup = "C-Tunnel-All-Networks";`
			`compression = "stateless";`
			`};`
			`};`
updates 2024-08-07 13:40:02 +02:00			`ZIH = {`
			`protocol = "anyconnect";`
			`gateway = "vpn2.zih.tu-dresden.de";`
			`user = "rose159e@zih-ma-vpn";`
			`passwordFile = config.age.secrets.tud.path;`
updates and fixes 2024-08-13 11:38:01 +02:00			`autoStart = false;`
			`extraOptions = {`
			`authgroup = "A-Tunnel-TU-Networks";`
			`compression = "stateless";`
updates 2024-08-07 13:40:02 +02:00			`};`
			`};`
configured networks vpn isn't configured yet, for cable I don't know 2022-12-29 15:05:26 +01:00			`};`
			`};`
network: add openfortivpn and wifi@db 2023-12-17 17:22:12 +01:00			`systemd.services = {`
			`openfortivpn-agdsn = {`
			`description = "AG DSN Fortinet VPN";`
thinkpad: update certs and passwords 2024-10-30 11:00:28 +01:00			`script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert 249db14f96c8ea6174d80a3b964868bfbe8c56bc27bf031bf0afb9aeca8eb978";`
network: add openfortivpn and wifi@db 2023-12-17 17:22:12 +01:00			`requires = [ "network-online.target" ];`
			`after = [ "network.target" "network-online.target" ];`
			`serviceConfig = {`
			`Type = "simple";`
			`LoadCredential = [`
			`"password:${config.age.secrets.agdsn.path}"`
			`];`
			`ProtectSystem = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`

			`ProtectHome = true;`
			`ProtectClock = true;`
			`PrivateTmp = true;`

			`LockPersonality = true;`
			`};`
			`};`
network: rework wpa supplicant 2024-08-22 11:39:42 +02:00			`# fix systemd dependencies for supplicant services`
			`"supplicant-lan@" = {`
			`wantedBy = lib.mkForce [ ];`
			`};`
network: add openfortivpn and wifi@db 2023-12-17 17:22:12 +01:00			`};`
configured networks vpn isn't configured yet, for cable I don't know 2022-12-29 15:05:26 +01:00			`}`