From 8b786bdc42d7a2b5d759c7b66b06ef5b5b1fa5c7 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 26 Sep 2024 17:48:59 +0200 Subject: [PATCH] rework wpa supplicants
---
 hosts/thinkpad/default.nix | 88 ++++++++++---------- hosts/thinkpad/modules/networks/default.nix | 20 ++--- hosts/thinkpad/modules/networks/uni.nix | 41 +++++++-- secrets/thinkpad/dyport-auth.age | Bin 966 -> 354 bytes secrets/thinkpad/wireless.age | Bin 692 -> 692 bytes 5 files changed, 89 insertions(+), 60 deletions(-)
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index ddc413d..c9bee3f 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -53,56 +53,56 @@ console.keyMap = "dvorak"; - services.openldap = { - enable = true; - urlList = [ "ldap:///" ]; - settings = { - attrs = { - olcLogLevel = "conns config"; - }; - children = { - "cn=schema".includes = [ - "${pkgs.openldap}/etc/schema/core.ldif" - # attributetype ( 9999.1.1 NAME 'isMemberOf' - # DESC 'back-reference to groups this user is a member of' - # SUP distinguishedName ) - "${pkgs.openldap}/etc/schema/cosine.ldif" - "${pkgs.openldap}/etc/schema/inetorgperson.ldif" - "${pkgs.openldap}/etc/schema/nis.ldif" - # "${pkgs.writeText "openssh.schema" '' - # attributetype ( 9999.1.2 NAME 'sshPublicKey' - # DESC 'SSH public key used by this user' - # SUP name ) - # ''}" - ]; + # services.openldap = { + # enable = true; + # urlList = [ "ldap:///" ]; + # settings = { + # attrs = { + # olcLogLevel = "conns config"; + # }; + # children = { + # "cn=schema".includes = [ + # "${pkgs.openldap}/etc/schema/core.ldif" + # # attributetype ( 9999.1.1 NAME 'isMemberOf' + # # DESC 'back-reference to groups this user is a member of' + # # SUP distinguishedName ) + # "${pkgs.openldap}/etc/schema/cosine.ldif" + # "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + # "${pkgs.openldap}/etc/schema/nis.ldif" + # # "${pkgs.writeText "openssh.schema" '' + # # attributetype ( 9999.1.2 NAME 'sshPublicKey' + # # DESC 'SSH public key used by this user' + # # SUP name ) + # # ''}" + # ]; - "olcDatabase={1}mdb".attrs = { - objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + # "olcDatabase={1}mdb".attrs = { + # objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; - olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/lib/openldap/data"; + # olcDatabase = "{1}mdb"; + # olcDbDirectory = "/var/lib/openldap/data"; - olcSuffix = "dc=ifsr,dc=de"; + # olcSuffix = "dc=ifsr,dc=de"; - /* your admin account, do not use writeText on a production system */ - olcRootDN = "cn=portunus,dc=ifsr,dc=de"; - olcRootPW = 
"{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32"; + # /* your admin account, do not use writeText on a production system */ + # olcRootDN = "cn=portunus,dc=ifsr,dc=de"; + # olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32"; - olcAccess = [ - /* custom access rules for userPassword attributes */ - ''{0}to attrs=userPassword - by self write - by anonymous auth - by * none'' + # olcAccess = [ + # /* custom access rules for userPassword attributes */ + # ''{0}to attrs=userPassword + # by self write + # by anonymous auth + # by * none'' - /* allow read on anything else */ - ''{1}to * - by * read'' - ]; - }; - }; - }; - }; + # /* allow read on anything else */ + # ''{1}to * + # by * read'' + # ]; + # }; + # }; + # }; + # }; services = { diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix index 58f1953..c1fbc64 100644 --- a/hosts/thinkpad/modules/networks/default.nix +++ b/hosts/thinkpad/modules/networks/default.nix @@ -49,29 +49,29 @@ userControlled.enable = true; # sadly broken on my machine scanOnLowSignal = false; - environmentFile = config.age.secrets.wireless.path; + secretsFile = config.age.secrets.wireless.path; networks = { - "@HOME_SSID@" = { - psk = "@HOME_PSK@"; + "Smoerrebroed" = { + pskRaw = "ext:HOME_PSK"; authProtocols = [ "WPA-PSK" ]; }; - "@DORM_SSID@" = { - psk = "@DORM_PSK@"; + "Cudy-6140" = { + pskRaw = "ext:DORM_PSK"; authProtocols = [ "SAE" ]; extraConfig = "disabled=1"; }; - "@DORM5_SSID@" = { + "Cudy-6150" = { priority = 5; - psk = "@DORM_PSK@"; + pskRaw = "ext:DORM_PSK"; authProtocols = [ "SAE" ]; extraConfig = "disabled=1"; }; "LKG-Gast" = { - psk = "@LKGDD_GUEST_PSK@"; + pskRaw = "ext:LKGDD_GUEST_PSK"; authProtocols = [ "WPA-PSK" ]; }; - "@PIXEL_SSID@" = { - psk = "@PIXEL_PSK@"; + "Pxl" = { + pskRaw = "ext:PIXEL_PSK"; authProtocols = [ "WPA-PSK" ]; }; "WIFI@DB" = { 
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index d4e3f2b..7db4fbd 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -12,7 +12,36 @@
 "LAN" = {
 userControlled.enable = true;
 driver = "wired";
- configFile.path = config.age.secrets.dyport-auth.path;
+ configFile.path = pkgs.writeText "supplicant-lan.conf" ''
+ ctrl_interface=/run/wpa_supplicant
+ ap_scan=0
+ network={
+ ssid="apb-ifsr"
+ key_mgmt=IEEE8021X
+ eap=TTLS
+ anonymous_identity="rose159e@apb-ifsr"
+ ca_cert="/etc/ssl/certs/ca-certificates.crt"
+ domain_suffix_match="radius-tud.zih.tu-dresden.de"
+ identity="rose159e@apb-ifsr"
+ password=ext:TUD_AUTH
+ phase2="auth=PAP"
+ disabled=1
+ }
+ network={
+ ssid="zih-ma"
+ key_mgmt=IEEE8021X
+ eap=TTLS
+ anonymous_identity="rose159e@zih-ma"
+ ca_cert="/etc/ssl/certs/ca-certificates.crt"
+ domain_suffix_match="radius-tud.zih.tu-dresden.de"
+ identity="rose159e@zih-ma"
+ password=ext:TUD_AUTH
+ phase2="auth=PAP"
+ disabled=1
+ }
+ ext_password_backend=file:${config.age.secrets.dyport-auth.path}
+ '';
+ # configFile.path = config.age.secrets.dyport-auth.path;
 };
 };
 wireless.networks = {
@@ -23,7 +52,7 @@
 ca_cert="/etc/ssl/certs/ca-certificates.crt"
 domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
 identity="rose159e@tu-dresden.de"
- password="@EDUROAM_AUTH@"
+ password=ext:EDUROAM_AUTH
 phase2="auth=PAP"
 bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b
 '';
@@ -39,7 +68,7 @@
 ca_cert="/etc/ssl/certs/ca-certificates.crt"
 domain_suffix_match="radius.agdsn.de"
 identity="r5"
- password="@AGDSN_WIFI_AUTH@"
+ password=ext:AGDSN_WIFI_AUTH
 phase2="auth=PAP"
 bssid_ignore=b8:3a:5a:8b:96:c2
 '';
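Review bot: `anonymous_identity="rose159e@apb-ifsr"` (and its `zih-ma` twin in the same `writeText` string) puts the real username into the outer EAP-TTLS identity, which is transmitted before the TLS tunnel exists, so it gives up the identity privacy the anonymous identity is there to provide; unless the RADIUS server is known to require it, `anonymous_identity="anonymous@apb-ifsr"` is the conventional value, with the real `identity=` staying inside phase 2. Separately, `pkgs.writeText` places this supplicant config in the world-readable Nix store, which is acceptable only because the credential is resolved at runtime through `ext_password_backend=file:…`; a comment above the `configFile.path = pkgs.writeText …` line such as `# world-readable store path: keep credentials behind ext: references only` would stop a later edit from inlining a password here. The leftover `# configFile.path = config.age.secrets.dyport-auth.path;` on the new side can be dropped rather than kept as dead configuration.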
@@ -54,18 +83,18 @@ domain_suffix_match="radius.agdsn.de" identity="r5" proto=WPA2 - password="@AGDSN_AUTH@" + password=ext:AGDSN_AUTH phase2="auth=PAP" ''; extraConfig = "disabled=1"; authProtocols = [ "WPA-EAP" ]; }; agdsn_fritzbox = { - psk = "@AGDSN_FRITZBOX_PSK@"; + psk = "ext:AGDSN_FRITZBOX_PSK"; authProtocols = [ "WPA-PSK" ]; }; FSR = { - psk = "@FSR_PSK@"; + psk = "ext:FSR_PSK"; authProtocols = [ "WPA-PSK" ]; }; }; diff --git a/secrets/thinkpad/dyport-auth.age b/secrets/thinkpad/dyport-auth.age index 4fba776a6fa02d14e91db4bb2299ed07713f19db..3ce1f2edafba96cd3129d9b245ec1842a00fead0 100644 GIT binary patch delta 319 zcmV-F0l@yo2jT*dEPp{(W@K|jX-7suHfmvYdU7;oPex{1Pc~0Cb5l}LXJu$BRXI#h zY)4U7FbZu_F-|d9FE?U2O;$BAH*IZpM0hbWS1)>FaCS#iS8GRaT3Ah0d1OgLMG7rG zAaiqQEoEdfH8n9gAVpSsbU9HVWnwo@b8|;AWqK=dQC4Y9SAR))b~G|XtvOh{pFM0sLDWot!gZF6EYHcC)bcvM+T zPEAH{3N0-yAZA%McX&i*WpX)kb#h~FPC-RycsVzDHhO1Sa#1UJNI`CGZ&OlIOj1fX z3iC1TtYJ-QV>nxuIcIP`wv1|W(2PFkf2h)^Z-JkiE R#NN9qR_AU%fBEPq5sXjExJcxOjBVpl>mVRtfUNoPe)LV8wFF-2xYP*_P&Ra8b+ zPh~?@Zwg^oM>0ZCVn#PsMR`?5MS4;&M_E~HdQmiUWOGDCT2?VaZ+KEjM|CteMG7rG zAaiqQEoEdfH8n9gAVpSsbU9HVYI;s?aCkINHd<##GiYT_VSiOcP(^lHMQu1lT5(fM zZ%cMqMoe#RFE&wU3Nlf8H7jXGHAGovO-g2LL3dPZYEDf~G-O9`T5&6NR%CWDZDKch zbV^}G3N0-yAZs^FNHuXtF=uLQQfg6AP+==ja7j6DFgIpwZ%=wSS}$TubXG-8Xfb3( z3Ku(YZmjEVp?{%IWcM;4tGw}>1FsG%;fjR*|BFdq4_b~}$DkU<9O94(0e=aGGJKtbc1Yb0BqUT;Mh{~?a0jH!QM z?X85OSXjyS5}LDXi2ws>P}6t49|x*$i4mO#Q-95jFL&r^-v2x8DA#H#`rf@*i$EXO zsqiK_Cycmq*`j%IJyvDQe(@6cKimA#o63lBZ3!sRb4#Y+t3woFd9=;@_D@5^q!fd=|HZ&$&~a9JOq;|`N}Xgc58YD|H}^-N>9n3YIp06((3wS z|K=O3x#%dr@9)k!$lxHeP71bA@%4_(f_9lXNTf=D74G}t!Uk?VBqgN*0PXY;g3zmt z{mH1DQD8z^g6H6rSNw-t>D})jXuubU*dg2d0S4f42;}n(-VIxu;P*Ta1lKzStv-Hq K3~Fe52c72L# 
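Review bot: `psk = "ext:AGDSN_FRITZBOX_PSK"` and `psk = "ext:FSR_PSK"` will not be resolved through `secretsFile`: the NixOS wireless module writes the `psk` option out quoted as a literal passphrase, so wpa_supplicant would try to join these two networks with the string `ext:…` itself and fail. The external-reference form is `pskRaw`, exactly as this same commit uses it in networks/default.nix, so the lines should read `pskRaw = "ext:AGDSN_FRITZBOX_PSK";` and `pskRaw = "ext:FSR_PSK";`. The `password=ext:AGDSN_AUTH` change inside the `auth` string above is fine, since that text is emitted into the supplicant config verbatim.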
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age index 36d09c9ba88635a307c90c4dc7f16e7caa7b15f2..89bc53aea88af047e37b4c6a4804418a9e26b16c 100644 GIT binary patch delta 660 zcmV;F0&D%W1+)c_EPq9MPhv`VdQnJLOKmkTZ%a{ecXC%RHEBmVaAah5XLB-XLP#`q zPGo9$MGALsMR7TJbV*8cbyRINFE?d3a7#mQH9>7@dTUQ`P)l}DFVRBbCO=?tYMRiAR zV{%1F3N0-yAW1MuHbP7}aYth?F?DoTOm}y4Ggfa=cy}~NId5q*D^6B0Qf6*yXG}6t z3Q&D13%XGgOn-ddyFS!k?HNk=P$>hB6pynx6LB7ZAv%fJR!Eia>*x$2_i8RYLy$eviX99D|tOcU}mwwrNPf2}RM&Bb^5&u`tB z&nA!%=LY6MV%MPu-%4_^pd@ByV4F>Y~zR0s=k=n0O<>+?l`wg3Tq^BI_uEW`#obb?B3maGf delta 660 zcmV;F0&D%W1+)c_EProiNn<%>Vp&!D|caTb8u5MT532mW`8$OX>M&VH)caGXI6M_ zZfQ<%V{B7yMsaCL3Peyi7M}I2i&Um2%(NRfhh1}8DRMvs!9k%uJ)9=1+RZdOLd56VgFM8jd^%rr2 zJ=^vuW{8+@on{!`xV34R*?7+Jt*fRd&NXY;=EX1jU&#hB`tD&3p%cxyt-wNIw$~a=BvG z=lQ%(uyUbMwmzQ%fIdgyyrE+(%}YXc!`^-MVGVsOnk~XenZ1YXHJ)6)t2y2 z!VaINTohnHa>$HMfDEuzB1tgHuf1JbOalAAQ_QaS3E>T7Rw(dBSaik$PKPQQ`t`c` zU-CPaQGd|0KWYmep}s2; z#^hyoTekEDK_LjjAz>tgtjJni{H0Ms9){Hf{52DAy^S<}3`6Mk%0mTk#%J|xn8=Hn u$xQ~&{H&EW-)buGQg)fW`zzU<1d~!{fOKWM!43Hrz;ahjZpN_uJp^r9UmYC)