From dd997624a97a01c1a470fe3a1260629bdb68c327 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sun, 17 Dec 2023 17:22:12 +0100
Subject: [PATCH] network: add openfortivpn and wifi@db

---
 hosts/thinkpad/modules/networks/default.nix | 3 ++
 hosts/thinkpad/modules/networks/uni.nix | 31 +++++++++++++++++++--
 secrets.nix | 1 +
 secrets/thinkpad/agdsn.age | 10 +++++++
 4 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 secrets/thinkpad/agdsn.age

diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index 4a22e70..5a51b68 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -66,6 +66,9 @@
 psk = "@PIXEL_PSK@";
 authProtocols = [ "WPA-PSK" ];
 };
+ "WIFI@DB" = {
+ authProtocols = [ "NONE" ];
+ };
 };
 };
 };
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index 29d9e3f..e739add 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -1,7 +1,8 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 {
- age.secrets.tud = {
- file = ../../../../secrets/thinkpad/tud.age;
+ age.secrets = {
+ tud.file = ../../../../secrets/thinkpad/tud.age;
+ agdsn.file = ../../../../secrets/thinkpad/agdsn.age;
 };
 networking = {
 wireless.networks = {
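Review bot: `authProtocols = [ "NONE" ]` declares WIFI@DB as an open network, so wpa_supplicant will associate with any access point that advertises that SSID and nothing on the link is authenticated or encrypted, yet the hunk gives no hint that this is deliberate. Presumably this is the Deutsche Bahn train Wi-Fi, which only offers open access, so the entry itself is fine, but it deserves a comment next to it, e.g. `# Open network: any AP can impersonate this SSID and link traffic is cleartext - keep the WireGuard/VPN tunnel up while on it.` The PSK entries above it are the ones whose secrets get substituted; this one has no secret, which is worth stating so nobody later "fixes" it by adding a placeholder.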
@@ -82,4 +83,28 @@
 };
 };
 };
+ systemd.services = {
+ openfortivpn-agdsn = {
+ description = "AG DSN Fortinet VPN";
+ script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert bbbe0df79764c5f1bd4b332e449e43a40e43eec57c983a1e75a1896e6eae4da5";
+ requires = [ "network-online.target" ];
+ after = [ "network.target" "network-online.target" ];
+ serviceConfig = {
+ Type = "simple";
+ LoadCredential = [
+ "password:${config.age.secrets.agdsn.path}"
+ ];
+ ProtectSystem = true;
+ ProtectKernelLogs = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+
+ ProtectHome = true;
+ ProtectClock = true;
+ PrivateTmp = true;
+
+ LockPersonality = true;
+ };
+ };
+ };
 }
diff --git a/secrets.nix b/secrets.nix
index 57f7b82..2ea2b0d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,6 +8,7 @@ in
 # thinkpad
 "secrets/thinkpad/wireless.age".publicKeys = [ rouven thinkpad ];
 "secrets/thinkpad/tud.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/agdsn.age".publicKeys = [ rouven thinkpad ];
 "secrets/thinkpad/wireguard/dorm/private.age".publicKeys = [ rouven thinkpad ];
 "secrets/thinkpad/wireguard/dorm/preshared.age".publicKeys = [ rouven thinkpad ];
 "secrets/thinkpad/borg/passphrase.age".publicKeys = [ rouven thinkpad ];
diff --git a/secrets/thinkpad/agdsn.age b/secrets/thinkpad/agdsn.age
new file mode 100644
index 0000000..d1ad2e5
--- /dev/null
+++ b/secrets/thinkpad/agdsn.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 uWbAHQ EGfkKwo45AWNHNFi67C9S4qBuk7/vUcux6p9zwV9nxM
+JdpzKDYUdDyzCUsaNnWxBf3HCFoPOgPT02/gcG7gtyc
+-> ssh-ed25519 EVzt9Q IE+sr7AE1LaPwej6vo1N6i6cSda0hetTiEfJtaodPh0
+ttrgi/C8BIcV20D9tF3rd8TcByzczbqo4Ez4qbpgQ5A
+-> e-grease -d 5#8HBk F~8O
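Review bot: The `script` line passes the VPN password on the command line through `-p $(cat $CREDENTIALS_DIRECTORY/password)`, so for the lifetime of the tunnel it is readable by every local user in `/proc/<pid>/cmdline` and `ps`, which defeats the `LoadCredential` indirection added a few lines below. openfortivpn reads credentials from a config file with `-c`: if `agdsn.age` holds a config fragment (`password = …`) rather than a bare password, the option becomes `-c "$CREDENTIALS_DIRECTORY/password"`; if `-p` is kept anyway, the unquoted expansion word-splits a password containing spaces or glob characters and should at least be `"$(cat "$CREDENTIALS_DIRECTORY/password")"`. The unit runs as root with the full capability set, so next to the Protect* options it is worth adding `NoNewPrivileges = true;` and a `CapabilityBoundingSet` limited to what openfortivpn and pppd actually need (start from `CAP_NET_ADMIN` and widen only if the tunnel fails to come up). `--trusted-cert` trusts the gateway certificate by its SHA-256 fingerprint, so the unit will silently stop connecting when AG DSN renews that certificate; a comment recording how the fingerprint was obtained and when it expires would save the next debugging session. The module's enclosing attribute set opens outside this hunk.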