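{ config, pkgs, lib, ... }:

# Network profile for the "thinkpad" host: wired 802.1X, Wi-Fi (EAP-TTLS and
# PSK), AnyConnect tunnels and one Fortinet VPN unit. Credentials live in
# agenix-encrypted files; only their decrypted paths are referenced here, so no
# plaintext secret ends up in the Nix store via this module.
{
  age.secrets = {
    tud.file = ../../../../secrets/thinkpad/tud.age;
    agdsn.file = ../../../../secrets/thinkpad/agdsn.age;
    dyport-auth = {
      file = ../../../../secrets/thinkpad/dyport-auth.age;
    };
  };

  networking = {
    # Wired 802.1X: the complete wpa_supplicant config (including the
    # credentials) is the decrypted agenix file, nothing sensitive is inline.
    supplicant = {
      "LAN" = {
        userControlled.enable = true;
        driver = "wired";
        configFile.path = config.age.secrets.dyport-auth.path;
      };
    };

    # Wi-Fi profiles.
    #
    # The @NAME@ tokens are placeholders that NixOS substitutes at runtime from
    # networking.wireless.environmentFile. That option is not set in this
    # module (presumably elsewhere in the host config -- verify; without it the
    # literal placeholder text is used as the password).
    #
    # Security note on the EAP-TTLS/PAP profiles: PAP transmits the inner
    # password in clear text inside the TLS tunnel, so server-certificate
    # validation is the only defence against a rogue AP harvesting it.
    # ca_cert points at the full system bundle (every public CA is trusted);
    # domain_suffix_match narrows that to certificates issued for the expected
    # RADIUS host name. Pinning the actual issuing CA instead of the whole
    # bundle would be stricter if that CA is known.
    wireless.networks = {
      eduroam = {
        auth = ''
          eap=TTLS
          anonymous_identity="anonymous@tu-dresden.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
          identity="rose159e@tu-dresden.de"
          password="@EDUROAM_AUTH@"
          phase2="auth=PAP"
          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b
        '';
        extraConfig = ''
          scan_ssid=1
        '';
        authProtocols = [ "WPA-EAP" ];
      };

      agdsn = {
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          password="@AGDSN_WIFI_AUTH@"
          phase2="auth=PAP"
          bssid_ignore=b8:3a:5a:8b:96:c2
        '';
        authProtocols = [ "WPA-EAP" ];
      };

      # Currently disabled (disabled=1). Note this profile reads @AGDSN_AUTH@
      # while "agdsn" above reads @AGDSN_WIFI_AUTH@ -- check that the two
      # distinct placeholders are intentional.
      agdsn-office = {
        priority = 5;
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          proto=WPA2
          password="@AGDSN_AUTH@"
          phase2="auth=PAP"
        '';
        extraConfig = "disabled=1";
        authProtocols = [ "WPA-EAP" ];
      };

      agdsn_fritzbox = {
        psk = "@AGDSN_FRITZBOX_PSK@";
        authProtocols = [ "WPA-PSK" ];
      };

      FSR = {
        psk = "@FSR_PSK@";
        authProtocols = [ "WPA-PSK" ];
      };
    };

    # AnyConnect tunnels via the TU Dresden gateway. All are manual-start
    # (autoStart = false) and read the password from the agenix file, so it is
    # never placed on a command line.
    openconnect.interfaces = {
      TUD-A-Tunnel = {
        # apparently device names have a character limit
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
          compression = "stateless";
        };
      };

      TUD-C-Tunnel = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "C-Tunnel-All-Networks";
          compression = "stateless";
        };
      };

      ZIH = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@zih-ma-vpn";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
          compression = "stateless";
        };
      };

      iFSR = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@apb-ifsr-vpn";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
          compression = "stateless";
        };
      };
    };
  };

  systemd.services = {
    openfortivpn-agdsn = {
      description = "AG DSN Fortinet VPN";

      # The password is handed to the unit by systemd's LoadCredential below.
      # Passing it with `-p $(cat ...)` would put the secret into argv, where
      # it is readable by every local user through `ps` / /proc/<pid>/cmdline
      # for the lifetime of the tunnel. openfortivpn also accepts the password
      # from a config file (`-c`, key `password = ...`), so write a 0600 file
      # (mktemp's default mode) into this unit's PrivateTmp and pass that
      # instead. `cat`/`mktemp` come from coreutils on the service PATH, as the
      # previous `cat` did. `exec` lets systemd supervise openfortivpn directly
      # rather than the wrapper shell.
      script = ''
        cfg="$(mktemp)"
        printf 'password = %s\n' "$(cat "$CREDENTIALS_DIRECTORY/password")" > "$cfg"
        exec ${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 \
          --realm admin-vpn \
          -u r5 \
          -c "$cfg" \
          --trusted-cert f49ac8a174c758737c3e27d93bc2f5de37e634e2f04029a85bdb629c0ebeed31
      '';
      # --trusted-cert pins the gateway certificate by digest; openfortivpn
      # refuses to connect on mismatch, so this value must be updated when the
      # gateway's certificate is rotated.

      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];

      serviceConfig = {
        Type = "simple";
        # Decrypted agenix file is exposed read-only to the unit as
        # $CREDENTIALS_DIRECTORY/password.
        LoadCredential = [ "password:${config.age.secrets.agdsn.path}" ];
        # `true` is ProtectSystem=yes (only /usr and /boot read-only). The
        # stricter "strict" level was not used; openfortivpn may need to
        # write system files such as resolv.conf -- confirm before tightening.
        ProtectSystem = true;
        ProtectKernelLogs = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectHome = true;
        ProtectClock = true;
        # Also gives the config file written by `script` a private /tmp.
        PrivateTmp = true;
        LockPersonality = true;
      };
    };

    # fix systemd dependencies for supplicant services
    "supplicant-lan@" = {
      wantedBy = lib.mkForce [ ];
    };
  };
}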