rework wpa supplicants

2024-11-15 05:13:10 +01:00 · 2024-09-26 17:48:59 +02:00 · 2024-09-26 17:48:59 +02:00 · 8b786bdc42
parent 43af3e872c
commit 8b786bdc42
5 changed files with 89 additions and 60 deletions
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -53,56 +53,56 @@
  console.keyMap = "dvorak";


-  services.openldap = {
-    enable = true;
-    urlList = [ "ldap:///" ];
-    settings = {
-      attrs = {
-        olcLogLevel = "conns config";
-      };
-      children = {
-        "cn=schema".includes = [
-          "${pkgs.openldap}/etc/schema/core.ldif"
-          # attributetype ( 9999.1.1 NAME 'isMemberOf'
-          # DESC 'back-reference to groups this user is a member of'
-          # SUP distinguishedName )
-          "${pkgs.openldap}/etc/schema/cosine.ldif"
-          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-          "${pkgs.openldap}/etc/schema/nis.ldif"
-          # "${pkgs.writeText "openssh.schema" ''
-          # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
-          # 		DESC 'SSH public key used by this user'
-          # 		SUP name )
-          # ''}"
-        ];
+  # services.openldap = {
+  #   enable = true;
+  #   urlList = [ "ldap:///" ];
+  #   settings = {
+  #     attrs = {
+  #       olcLogLevel = "conns config";
+  #     };
+  #     children = {
+  #       "cn=schema".includes = [
+  #         "${pkgs.openldap}/etc/schema/core.ldif"
+  #         # attributetype ( 9999.1.1 NAME 'isMemberOf'
+  #         # DESC 'back-reference to groups this user is a member of'
+  #         # SUP distinguishedName )
+  #         "${pkgs.openldap}/etc/schema/cosine.ldif"
+  #         "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+  #         "${pkgs.openldap}/etc/schema/nis.ldif"
+  #         # "${pkgs.writeText "openssh.schema" ''
+  #         # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
+  #         # 		DESC 'SSH public key used by this user'
+  #         # 		SUP name )
+  #         # ''}"
+  #       ];

-        "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+  #       "olcDatabase={1}mdb".attrs = {
+  #         objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];

-          olcDatabase = "{1}mdb";
-          olcDbDirectory = "/var/lib/openldap/data";
+  #         olcDatabase = "{1}mdb";
+  #         olcDbDirectory = "/var/lib/openldap/data";

-          olcSuffix = "dc=ifsr,dc=de";
+  #         olcSuffix = "dc=ifsr,dc=de";

-          /* your admin account, do not use writeText on a production system */
-          olcRootDN = "cn=portunus,dc=ifsr,dc=de";
-          olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
+  #         /* your admin account, do not use writeText on a production system */
+  #         olcRootDN = "cn=portunus,dc=ifsr,dc=de";
+  #         olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";

-          olcAccess = [
-            /* custom access rules for userPassword attributes */
-            ''{0}to attrs=userPassword
-                by self write
-                by anonymous auth
-                by * none''
+  #         olcAccess = [
+  #           /* custom access rules for userPassword attributes */
+  #           ''{0}to attrs=userPassword
+  #               by self write
+  #               by anonymous auth
+  #               by * none''

-            /* allow read on anything else */
-            ''{1}to *
-                by * read''
-          ];
-        };
-      };
-    };
-  };
+  #           /* allow read on anything else */
+  #           ''{1}to *
+  #               by * read''
+  #         ];
+  #       };
+  #     };
+  #   };
+  # };


  services = {
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@ -49,29 +49,29 @@
      userControlled.enable = true;
      # sadly broken on my machine
      scanOnLowSignal = false;
-      environmentFile = config.age.secrets.wireless.path;
+      secretsFile = config.age.secrets.wireless.path;
      networks = {
-        "@HOME_SSID@" = {
-          psk = "@HOME_PSK@";
+        "Smoerrebroed" = {
+          pskRaw = "ext:HOME_PSK";
          authProtocols = [ "WPA-PSK" ];
        };
-        "@DORM_SSID@" = {
-          psk = "@DORM_PSK@";
+        "Cudy-6140" = {
+          pskRaw = "ext:DORM_PSK";
          authProtocols = [ "SAE" ];
          extraConfig = "disabled=1";
        };
-        "@DORM5_SSID@" = {
+        "Cudy-6150" = {
          priority = 5;
-          psk = "@DORM_PSK@";
+          pskRaw = "ext:DORM_PSK";
          authProtocols = [ "SAE" ];
          extraConfig = "disabled=1";
        };
        "LKG-Gast" = {
-          psk = "@LKGDD_GUEST_PSK@";
+          pskRaw = "ext:LKGDD_GUEST_PSK";
          authProtocols = [ "WPA-PSK" ];
        };
-        "@PIXEL_SSID@" = {
-          psk = "@PIXEL_PSK@";
+        "Pxl" = {
+          pskRaw = "ext:PIXEL_PSK";
          authProtocols = [ "WPA-PSK" ];
        };
        "WIFI@DB" = {
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@ -12,7 +12,36 @@
      "LAN" = {
        userControlled.enable = true;
        driver = "wired";
-        configFile.path = config.age.secrets.dyport-auth.path;
+        configFile.path = pkgs.writeText "supplicant-lan.conf" ''
+          ctrl_interface=/run/wpa_supplicant
+          ap_scan=0
+          network={
+            ssid="apb-ifsr"
+          	key_mgmt=IEEE8021X
+          	eap=TTLS
+          	anonymous_identity="rose159e@apb-ifsr"
+          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
+          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
+          	identity="rose159e@apb-ifsr"
+          	password=ext:TUD_AUTH
+          	phase2="auth=PAP"
+          	disabled=1
+          }
+          network={
+          	ssid="zih-ma"
+          	key_mgmt=IEEE8021X
+          	eap=TTLS
+          	anonymous_identity="rose159e@zih-ma"
+          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
+          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
+          	identity="rose159e@zih-ma"
+          	password=ext:TUD_AUTH
+          	phase2="auth=PAP"
+          	disabled=1
+          }
+          ext_password_backend=file:${config.age.secrets.dyport-auth.path}
+        '';
+        # configFile.path = config.age.secrets.dyport-auth.path;
      };
    };
    wireless.networks = {
@ -23,7 +52,7 @@
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
          identity="rose159e@tu-dresden.de"
-          password="@EDUROAM_AUTH@"
+          password=ext:EDUROAM_AUTH
          phase2="auth=PAP"
          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b
        '';
@ -39,7 +68,7 @@
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
-          password="@AGDSN_WIFI_AUTH@"
+          password=ext:AGDSN_WIFI_AUTH
          phase2="auth=PAP"
          bssid_ignore=b8:3a:5a:8b:96:c2
        '';
@ -54,18 +83,18 @@
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          proto=WPA2
-          password="@AGDSN_AUTH@"
+          password=ext:AGDSN_AUTH
          phase2="auth=PAP"
        '';
        extraConfig = "disabled=1";
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn_fritzbox = {
-        psk = "@AGDSN_FRITZBOX_PSK@";
+        psk = "ext:AGDSN_FRITZBOX_PSK";
        authProtocols = [ "WPA-PSK" ];
      };
      FSR = {
-        psk = "@FSR_PSK@";
+        psk = "ext:FSR_PSK";
        authProtocols = [ "WPA-PSK" ];
      };
    };
--- a/secrets/thinkpad/dyport-auth.age
+++ b/secrets/thinkpad/dyport-auth.age
--- a/secrets/thinkpad/wireless.age
+++ b/secrets/thinkpad/wireless.age