diff --git a/flake.lock b/flake.lock
index 2f96b6b..1480148 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,11 +38,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1720784813,
-        "narHash": "sha256-8/6yU/wbf6lsUFOLisLVADD6QHHmMDUM85c7hPnPBZA=",
+        "lastModified": 1722879849,
+        "narHash": "sha256-Hg1I6vmrxWz6RrVROXn1RDCPniOJx93QQg99x/wSkjY=",
         "owner": "nix-community",
         "repo": "authentik-nix",
-        "rev": "89cfaf2eb197a39d12422e773f867d1a7c99b048",
+        "rev": "80fc87361809f78b8a8cd7e57a14b66a726379ef",
         "type": "github"
       },
       "original": {
@@ -54,16 +54,16 @@
     "authentik-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1720727154,
-        "narHash": "sha256-SMupiJGJbkBn33JP4WLF3IsBdt3SN3JvZg/EYlz443g=",
+        "lastModified": 1722875733,
+        "narHash": "sha256-LPNcvKiVrwPwc3G/j0a7KoMKAMScbzui0C3IgWXP+g4=",
         "owner": "goauthentik",
         "repo": "authentik",
-        "rev": "9075270b01e784d25f2ec08b82e73f1ce3086184",
+        "rev": "8f207c75046d722c17dee2bcf65fa386b06f5b9a",
         "type": "github"
       },
       "original": {
         "owner": "goauthentik",
-        "ref": "version/2024.6.1",
+        "ref": "version/2024.6.3",
         "repo": "authentik",
         "type": "github"
       }
@@ -299,11 +299,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722407237,
-        "narHash": "sha256-wcpVHUc2nBSSgOM7UJSpcRbyus4duREF31xlzHV5T+A=",
+        "lastModified": 1723015306,
+        "narHash": "sha256-jQnFEtH20/OsDPpx71ntZzGdRlpXhUENSQCGTjn//NA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "58cef3796271aaeabaed98884d4abaab5d9d162d",
+        "rev": "b3d5ea65d88d67d4ec578ed11d4d2d51e3de525e",
         "type": "github"
       },
       "original": {
@@ -447,11 +447,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722136042,
-        "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=",
+        "lastModified": 1722740924,
+        "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "c0ca47e8523b578464014961059999d8eddd4aae",
+        "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
         "type": "github"
       },
       "original": {
@@ -462,11 +462,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722185531, - "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", + "lastModified": 1722813957, + "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", + "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e72336b..ec3a775 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,6 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; inputs.home-manager.follows = "home-manager"; - }; impermanence.url = "github:nix-community/impermanence"; diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index 68f9af6..4de970c 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix @@ -3,15 +3,19 @@ age.secrets = { tud.file = ../../../../secrets/thinkpad/tud.age; agdsn.file = ../../../../secrets/thinkpad/agdsn.age; - ifsr-apb-auth = { - file = ../../../../secrets/thinkpad/ifsr-apb-auth.age; + dyport-auth = { + file = ../../../../secrets/thinkpad/dyport-auth.age; }; }; networking = { - supplicant."enp0s31f6" = { - userControlled.enable = true; - driver = "wired"; - configFile.path = config.age.secrets.ifsr-apb-auth.path; + supplicant = rec { + enp0s31f6 = { + userControlled.enable = true; + driver = "wired"; + configFile.path = config.age.secrets.dyport-auth.path; + }; + # ugly way to add more interfaces + "enp0s13f0u2u1" = enp0s31f6; }; wireless.networks = { eduroam = { @@ -90,6 +94,17 @@ compression = "stateless"; }; }; + ZIH = { + protocol = "anyconnect"; + gateway = "vpn2.zih.tu-dresden.de"; + user = "rose159e@zih-ma-vpn"; + passwordFile = config.age.secrets.tud.path; + autoStart = false; + extraOptions = { + authgroup = "A-Tunnel-TU-Networks"; + compression = "stateless"; + }; + }; }; }; systemd.services = { 
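Review bot: The `rec` set that aliases `"enp0s13f0u2u1" = enp0s31f6;` ties the second interface to the attribute name of the first and, as the `# ugly way to add more interfaces` comment concedes, hides that both interfaces are meant to share one wired 802.1X supplicant configuration. A `let` binding states that intent directly, keeps `networking.supplicant` a plain attribute set, and means a later rename of `enp0s31f6` cannot silently break the alias. Both entries keep pointing at `config.age.secrets.dyport-auth.path`, so the secret wiring in the first half of the hunk is unchanged; the enclosing `networking` block continues past the hunk.
```nix
    supplicant =
      let
        wired = {
          userControlled.enable = true;
          driver = "wired";
          configFile.path = config.age.secrets.dyport-auth.path;
        };
      in
      {
        enp0s31f6 = wired;
        "enp0s13f0u2u1" = wired;
      };
    # … unchanged: wireless.networks …
```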
diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix
index 3812ff2..546985d 100644
--- a/hosts/thinkpad/modules/security/default.nix
+++ b/hosts/thinkpad/modules/security/default.nix
@@ -14,10 +14,9 @@
     pam = {
       u2f = {
         enable = true;
-        cue = true;
-        # settings = {
-        # cue = true;
-        # };
+        settings = {
+          cue = true;
+        };
       };
     };
     krb5 = {
@@ -45,9 +44,10 @@
       };
     };
   };
-  services = {
-    fprintd.enable = true; # log in using fingerprint
-  };
+  # broken again
+  # services = {
+  # fprintd.enable = true; # log in using fingerprint
+  # };
   environment.systemPackages = with pkgs; [
     agenix.packages.x86_64-linux.default
     tpm2-tools
diff --git a/secrets.nix b/secrets.nix
index 8c188cb..f84d30d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -9,7 +9,7 @@ in
   "secrets/thinkpad/wireless.age".publicKeys = [ rouven thinkpad ];
   "secrets/thinkpad/tud.age".publicKeys = [ rouven thinkpad ];
   "secrets/thinkpad/agdsn.age".publicKeys = [ rouven thinkpad ];
-  "secrets/thinkpad/ifsr-apb-auth.age".publicKeys = [ rouven thinkpad ];
+  "secrets/thinkpad/dyport-auth.age".publicKeys = [ rouven thinkpad ];
   "secrets/thinkpad/wireguard/dorm/private.age".publicKeys = [ rouven thinkpad ];
   "secrets/thinkpad/wireguard/dorm/preshared.age".publicKeys = [ rouven thinkpad ];
   "secrets/thinkpad/borg/passphrase.age".publicKeys = [ rouven thinkpad ];
diff --git a/secrets/thinkpad/dyport-auth.age b/secrets/thinkpad/dyport-auth.age
new file mode 100644
index 0000000..6edb4ff
Binary files /dev/null and b/secrets/thinkpad/dyport-auth.age differ
diff --git a/secrets/thinkpad/ifsr-apb-auth.age b/secrets/thinkpad/ifsr-apb-auth.age
deleted file mode 100644
index d372fd2..0000000
Binary files a/secrets/thinkpad/ifsr-apb-auth.age and /dev/null differ
diff --git a/users/rouven/fixes.nix b/users/rouven/fixes.nix
index ba07825..9699a26 100644
--- a/users/rouven/fixes.nix
+++ b/users/rouven/fixes.nix
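Review bot: Commenting out the whole `services` block in the second hunk (`@@ -45,9 +44,10 @@`) leaves `services.fprintd.enable` at its default instead of recording the decision, and `# broken again` says neither what breaks nor when it can come back. Prefer an explicit setting that survives the next cleanup, e.g. `services.fprintd.enable = false; # fingerprint login disabled: <describe the breakage>, see <issue/link placeholder>`. The same commit drops the matching `pam_fprintd.so` entry from the swaylock PAM stack in users/rouven/fixes.nix, so the comment should name that file, since both must be re-enabled together for fingerprint unlock to work end to end. The first hunk's move of `cue = true` under `settings` is the right shape for the renamed option and needs no change.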
@@ -37,6 +37,7 @@ # home manager needs dconf programs.dconf.enable = true; # fixes pam entries for swaylock + # auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so security.pam.services.swaylock.text = '' # Account management. account required pam_unix.so @@ -45,7 +46,6 @@ auth sufficient pam_unix.so nullok likeauth try_first_pass auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so - auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so auth required pam_deny.so # Password management. diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix index 496cd42..bb97aab 100644 --- a/users/rouven/modules/ssh/default.nix +++ b/users/rouven/modules/ssh/default.nix @@ -36,13 +36,15 @@ in hostname = "login.zih.tu-dresden.de"; user = "rose159e"; }; - "mininet" = { - hostname = "internet.netd.cs.tu-dresden.de"; - user = "root"; - port = 2133; - extraOptions = { - ProxyJump = "tud"; - }; + "*.zih.tu-dresden.de" = { + user = "rose159e"; + }; + "*.net.tu-dresden.de" = { + user = "rose159e"; + }; + "git@gitlab.hrz.tu-chemnitz.de" = { + match = "Host gitlab.hrz.tu-chemnitz.de User git"; + identityFile = git; }; # iFSR
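Review bot: The new comment `# auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so` placed above `security.pam.services.swaylock.text` is a stranded copy of the line removed in the second hunk (`@@ -45,7 +46,6 @@`) and gives no reason, so a reader cannot tell whether it is a reminder, a leftover or a deliberate removal. Say why it is parked and where it goes back, e.g. `# fprintd is currently disabled (see hosts/thinkpad/modules/security/default.nix); re-add this line after pam_u2f.so in the auth stack below once it works again`. Because this file sets the swaylock stack wholesale through `.text`, disabling `services.fprintd` elsewhere would not have removed the module from this stack by itself, which is presumably why the line had to be pulled here and is worth stating so the two files stay in step. Keeping `${pkgs.fprintd}` in a Nix comment is harmless, as comments are not interpolated.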