From efe00fc184a2fd38d4e80ad427b6fbbfce47bd93 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 7 Aug 2024 13:40:02 +0200
Subject: [PATCH] updates
---
 flake.lock | 32 ++++++++++----------
 flake.nix | 1 -
 hosts/thinkpad/modules/networks/uni.nix | 27 +++++++++++++----
 hosts/thinkpad/modules/security/default.nix | 14 ++++-----
 secrets.nix | 2 +-
 secrets/thinkpad/dyport-auth.age | Bin 0 -> 1088 bytes
 secrets/thinkpad/ifsr-apb-auth.age | Bin 711 -> 0 bytes
 users/rouven/fixes.nix | 2 +-
 users/rouven/modules/ssh/default.nix | 16 +++++-----
 9 files changed, 55 insertions(+), 39 deletions(-)
 create mode 100644 secrets/thinkpad/dyport-auth.age
 delete mode 100644 secrets/thinkpad/ifsr-apb-auth.age
diff --git a/flake.lock b/flake.lock
index 2f96b6b..1480148 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,11 +38,11 @@
 "poetry2nix": "poetry2nix"
 },
 "locked": {
- "lastModified": 1720784813,
- "narHash": "sha256-8/6yU/wbf6lsUFOLisLVADD6QHHmMDUM85c7hPnPBZA=",
+ "lastModified": 1722879849,
+ "narHash": "sha256-Hg1I6vmrxWz6RrVROXn1RDCPniOJx93QQg99x/wSkjY=",
 "owner": "nix-community",
 "repo": "authentik-nix",
- "rev": "89cfaf2eb197a39d12422e773f867d1a7c99b048",
+ "rev": "80fc87361809f78b8a8cd7e57a14b66a726379ef",
 "type": "github"
 },
 "original": {
@@ -54,16 +54,16 @@
 "authentik-src": {
 "flake": false,
 "locked": {
- "lastModified": 1720727154,
- "narHash": "sha256-SMupiJGJbkBn33JP4WLF3IsBdt3SN3JvZg/EYlz443g=",
+ "lastModified": 1722875733,
+ "narHash": "sha256-LPNcvKiVrwPwc3G/j0a7KoMKAMScbzui0C3IgWXP+g4=",
 "owner": "goauthentik",
 "repo": "authentik",
- "rev": "9075270b01e784d25f2ec08b82e73f1ce3086184",
+ "rev": "8f207c75046d722c17dee2bcf65fa386b06f5b9a",
 "type": "github"
 },
 "original": {
 "owner": "goauthentik",
- "ref": "version/2024.6.1",
+ "ref": "version/2024.6.3",
 "repo": "authentik",
 "type": "github"
 }
@@ -299,11 +299,11 @@
 ]
 },
 "locked": {
- "lastModified": 1722407237,
- "narHash": "sha256-wcpVHUc2nBSSgOM7UJSpcRbyus4duREF31xlzHV5T+A=",
+ "lastModified": 1723015306,
+ "narHash": "sha256-jQnFEtH20/OsDPpx71ntZzGdRlpXhUENSQCGTjn//NA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "58cef3796271aaeabaed98884d4abaab5d9d162d",
+ "rev": "b3d5ea65d88d67d4ec578ed11d4d2d51e3de525e",
 "type": "github"
 },
 "original": {
@@ -447,11 +447,11 @@
 ]
 },
 "locked": {
- "lastModified": 1722136042,
- "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=",
+ "lastModified": 1722740924,
+ "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "c0ca47e8523b578464014961059999d8eddd4aae",
+ "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
 "type": "github"
 },
 "original": {
@@ -462,11 +462,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1722185531,
- "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
+ "lastModified": 1722813957,
+ "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
+ "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index e72336b..ec3a775 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,6 @@
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.home-manager.follows = "home-manager";
- };
 impermanence.url = "github:nix-community/impermanence";
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index 68f9af6..4de970c 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -3,15 +3,19 @@
 age.secrets = {
 tud.file = ../../../../secrets/thinkpad/tud.age;
 agdsn.file = ../../../../secrets/thinkpad/agdsn.age;
- ifsr-apb-auth = {
- file = ../../../../secrets/thinkpad/ifsr-apb-auth.age;
+ dyport-auth = {
+ file = ../../../../secrets/thinkpad/dyport-auth.age;
 };
 };
 networking = {
- supplicant."enp0s31f6" = {
- userControlled.enable = true;
- driver = "wired";
- configFile.path = config.age.secrets.ifsr-apb-auth.path;
+ supplicant = rec {
+ enp0s31f6 = {
+ userControlled.enable = true;
+ driver = "wired";
+ configFile.path = config.age.secrets.dyport-auth.path;
+ };
+ # ugly way to add more interfaces
+ "enp0s13f0u2u1" = enp0s31f6;
 };
 wireless.networks = {
 eduroam = {
@@ -90,6 +94,17 @@
 compression = "stateless";
 };
 };
+ ZIH = {
+ protocol = "anyconnect";
+ gateway = "vpn2.zih.tu-dresden.de";
+ user = "rose159e@zih-ma-vpn";
+ passwordFile = config.age.secrets.tud.path;
+ autoStart = false;
+ extraOptions = {
+ authgroup = "A-Tunnel-TU-Networks";
+ compression = "stateless";
+ };
+ };
 };
 };
 systemd.services = {
diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix
index 3812ff2..546985d 100644
--- a/hosts/thinkpad/modules/security/default.nix
+++ b/hosts/thinkpad/modules/security/default.nix
@@ -14,10 +14,9 @@
 pam = {
 u2f = {
 enable = true;
- cue = true;
- # settings = {
- # cue = true;
- # };
+ settings = {
+ cue = true;
+ };
 };
 };
 krb5 = {
@@ -45,9 +44,10 @@
 };
 };
 };
- services = {
- fprintd.enable = true; # log in using fingerprint
- };
+ # broken again
+ # services = {
+ # fprintd.enable = true; # log in using fingerprint
+ # };
 environment.systemPackages = with pkgs; [
 agenix.packages.x86_64-linux.default
 tpm2-tools
diff --git a/secrets.nix b/secrets.nix
index 8c188cb..f84d30d 100644
--- a/secrets.nix
+++ b/secrets.nix
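Review bot: The `rec` self-reference flagged by `# ugly way to add more interfaces` can be replaced with `lib.genAttrs` over the interface list, which keeps the shared wired-802.1X supplicant config in one place and makes the next dock NIC a one-token addition; this assumes `lib` is among the module's arguments, which sit outside the hunk. Note that `userControlled.enable = true` is now applied to both interfaces: on NixOS that hands the wpa_supplicant control socket to a group (`wheel` by default unless `userControlled.group` is set), so any member of that group can reconfigure or tear down the authenticated wired session — acceptable on a single-user laptop, but worth a one-line comment so it is not copied to a shared host. The enclosing `networking` attrset closes outside the hunk.
```nix
      # same wired-802.1X supplicant for the built-in NIC and the dock NIC
      supplicant = lib.genAttrs [ "enp0s31f6" "enp0s13f0u2u1" ] (_: {
        userControlled.enable = true;
        driver = "wired";
        configFile.path = config.age.secrets.dyport-auth.path;
      });
```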
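Review bot: Fingerprint login is switched off by commenting the block out with only `# broken again` as rationale, while the same commit drops the matching `pam_fprintd.so` line from the swaylock PAM stack in users/rouven/fixes.nix; the two must be restored together, and nothing here says so. Prefer an explicit `services.fprintd.enable = false;` with a comment naming what broke and where the other half lives, e.g. `# fingerprint login disabled: <what broke>; re-enable together with pam_fprintd in users/rouven/fixes.nix`. An explicit `false` also pins the decision independently of the upstream module default, whereas a commented-out block silently inherits whatever that default becomes.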
@@ -9,7 +9,7 @@ in "secrets/thinkpad/wireless.age".publicKeys = [ rouven thinkpad ]; "secrets/thinkpad/tud.age".publicKeys = [ rouven thinkpad ]; "secrets/thinkpad/agdsn.age".publicKeys = [ rouven thinkpad ]; - "secrets/thinkpad/ifsr-apb-auth.age".publicKeys = [ rouven thinkpad ]; + "secrets/thinkpad/dyport-auth.age".publicKeys = [ rouven thinkpad ]; "secrets/thinkpad/wireguard/dorm/private.age".publicKeys = [ rouven thinkpad ]; "secrets/thinkpad/wireguard/dorm/preshared.age".publicKeys = [ rouven thinkpad ]; "secrets/thinkpad/borg/passphrase.age".publicKeys = [ rouven thinkpad ]; diff --git a/secrets/thinkpad/dyport-auth.age b/secrets/thinkpad/dyport-auth.age new file mode 100644 index 0000000000000000000000000000000000000000..6edb4ff03af0806c85af8689460392757951b32a GIT binary patch literal 1088 zcmV-G1i$-XXJsvAZewzJaCB*JZZ2NMN(Q$S94A{GdX2xQbuvQvMQdnka#K-PczQ`yS8a4|MrdVG3N0-yAZ0dDPBw6C zXft;>W;0QFMOs29xx%^JtHMA#-&NV&E z*hSPU(#g7MKiWSzTVxd* z=Sy7mrzJ_OxKVrtze+XxO0rq(4RkFxstcY|U9&WD?}M!;8AeTxT+(k;kb?%(0I`x~G;$xuHh=zo&v zq><3K5t!}0T-~G*lab=-qnI<%=|md5xE+tWMex`3E>O5H-N(TF+Mp^rlN4G}iZhYm z1weNOI`CDB6^#miRSEB@OnH+JX;L$@H&a1vqH3MFA_Pz&p&eXRbzcO zXf`yUb8IPCh_M3Hx{2`j)p#AXQCGH_wwfqmjr(~6g6A~H3bt8EiuYLa6**%*SvKye z<0i`D6zwe=WUbSNlwNRAtB_s7Rs{%Xt=BHyKcC1yoi7DC>^z^Zz0 zy&;8j7#HRGjgaf>3MmRA16fkKmT?*?CeoC5NjgR_-zoR;4d3>+0wLs;74=k>R}|go z+@S)qoi}`teSeqQ!?LTJOjjo}dYejexauG-6DtlGv^#zB-O+HLW>Uo{JsM%g&FFIy z$z|q!L?y5^n<=G2gfq9<5^MQYbwK?2glbRWSFq97j(AA}+0@%j6-&Ll@lcC|*iY1~ z9j}}s7J_Ourhr+I%057HQejfD@uKx@-`qMw7(kNI@K_>MnkC<8IqlF1dKoJ6 zDt*W}_q^JLS5^h4gfc1oyUDNyqa+SGcaXO8Cd4zp>W=={CIChc0sw7$J^c>mw(%B$ z^(f$JOTSAP_~bSF=PoYda6+Lp_y)j8Hy=%& zdwl(HJro9o$PHV)&Ow|iiLr7wQ?v*Z`dK)2M?e9tR&4?Gy7{~%mmX7icm8{hYFCza Gr1$V7^5jMU literal 0 HcmV?d00001 
diff --git a/secrets/thinkpad/ifsr-apb-auth.age b/secrets/thinkpad/ifsr-apb-auth.age deleted file mode 100644 index d372fd2fe9fb026e927095ce5813032b77170623..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 711 zcmV;&0yzC)XJsvAZewzJaCB*JZZ2aT2L=dSXM+YPHb96b7@&@XmbioMQ&|OL|7|C zW^F`IVM=IZV|6f6G(~TAOJ`A4Rb@dpZ82pscujJ2Q9%kVJ|J^*Xf0)AGBq_ZIUq$= zdUQEaAZbBYI7V+|Mnp$6WqCw$RZm4_MR`qbHF0clYg0{ba#nC_GP;xU(RZe+l3N0-yAWmmaGi+o? zQc6x~VrnosYGzVYYgtHkIBH}!I9fwPb#qQ@Wo~vdYi(Ld3gHBx59vnAs}e*;o>)VQ zii8lLDg`lLnsM5TmJ2fwjsIllF3$RFf`m`lO3YA+09Eb|aHknL@s-MdQb#|y9f z%-?*&`L7s38u8dT!*suZC@P^8!QWPS?WcO#eIn_bj$PBND$Y~Iuc0Ir`h=QT zhLyNh)$a!CmQJ-!)4v8R?*(cHtpgH>(hcNMzai1C#oUHg%-k@W4JBe5(~~@Z7iRgo(lp0UaLgtH=B84O3yI>OeUdLV!iP&ageo-jYyH9 z6ZS t6IQGQ__fA7hn+{%95B3e)hL?}q>bpiZ&v%6Lp$eZEo8p-0|hegg^Tz^C#C=Z diff --git a/users/rouven/fixes.nix b/users/rouven/fixes.nix index ba07825..9699a26 100644 --- a/users/rouven/fixes.nix +++ b/users/rouven/fixes.nix @@ -37,6 +37,7 @@ # home manager needs dconf programs.dconf.enable = true; # fixes pam entries for swaylock + # auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so security.pam.services.swaylock.text = '' # Account management. account required pam_unix.so @@ -45,7 +46,6 @@ auth sufficient pam_unix.so nullok likeauth try_first_pass auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so - auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so auth required pam_deny.so # Password management. diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix index 496cd42..bb97aab 100644 --- a/users/rouven/modules/ssh/default.nix +++ b/users/rouven/modules/ssh/default.nix 
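Review bot: The added `# auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so` is a dead PAM line parked as a Nix comment between `# fixes pam entries for swaylock` and the option it explains, with no reason given; the reason (`# broken again`) lives in hosts/thinkpad/modules/security/default.nix in the same commit. Replace it with a why-comment that couples the two, e.g. `# pam_fprintd deliberately absent while services.fprintd is disabled (see hosts/thinkpad/modules/security/default.nix)`, so the line is not re-added to the stack without the daemon behind it. While here: the resulting stack is `pam_unix.so nullok likeauth try_first_pass` followed by `pam_u2f.so`, both `sufficient`; the pre-existing `nullok` lets an account with an empty password unlock the screen locker without the security key, which deserves either removal or a comment stating it is intended. The `swaylock.text` string continues past the end of the hunk.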
@@ -36,13 +36,15 @@ in
 hostname = "login.zih.tu-dresden.de";
 user = "rose159e";
 };
- "mininet" = {
- hostname = "internet.netd.cs.tu-dresden.de";
- user = "root";
- port = 2133;
- extraOptions = {
- ProxyJump = "tud";
- };
+ "*.zih.tu-dresden.de" = {
+ user = "rose159e";
+ };
+ "*.net.tu-dresden.de" = {
+ user = "rose159e";
+ };
+ "git@gitlab.hrz.tu-chemnitz.de" = {
+ match = "Host gitlab.hrz.tu-chemnitz.de User git";
+ identityFile = git;
 };
 # iFSR
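Review bot: `identityFile = git;` on the new gitlab block selects a key but does not set `identitiesOnly = true;`, so ssh will still offer the other identities loaded in the agent (ahead of the file if that key is not itself in the agent); GitLab maps the first accepted key to an account, so a stray agent key can authenticate you as the wrong user, and the server learns every public key you carry. Add `identitiesOnly = true;` next to `identityFile = git;`. The `match = "Host gitlab.hrz.tu-chemnitz.de User git"` form turns the attribute name `"git@gitlab.hrz.tu-chemnitz.de"` into a label only, which is presumably intended; also note that home-manager orders matchBlocks by its DAG sort rather than by position in the file, so if either `*.tu-dresden.de` wildcard ever needs to precede a more specific entry, pin it with `lib.hm.dag.entryBefore`. The enclosing `matchBlocks` attrset continues outside the hunk.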