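# Network configuration for the "thinkpad" host: 802.1X credentials for the
# wired and wireless supplicants, openconnect VPN profiles, and a systemd unit
# for the AG DSN Fortinet VPN.
#
# Every credential comes from agenix (`age.secrets`).  The wpa_supplicant
# configs only ever reference secrets through the `ext:` password backend and
# the VPN units through `passwordFile` / `LoadCredential`, so no password is
# written into the world-readable Nix store.
{ config, pkgs, lib, ... }:
{
  # Encrypted secrets; `config.age.secrets.<name>.path` is the decrypted file
  # that exists at runtime.
  age.secrets = {
    tud.file = ../../../../secrets/thinkpad/tud.age;
    agdsn.file = ../../../../secrets/thinkpad/agdsn.age;
    dyport-auth.file = ../../../../secrets/thinkpad/dyport-auth.age;
  };

  programs.openvpn3.enable = true;

  networking = {
    # Wired 802.1X supplicant.  Both network blocks are `disabled=1`, so
    # nothing authenticates until one is enabled by hand; `userControlled`
    # exposes the control socket for exactly that.
    supplicant."LAN" = {
      userControlled.enable = true;
      driver = "wired";
      # Only the *path* to the secret file is interpolated into this store
      # file.  The `password=ext:NAME` entries are resolved at runtime from
      # `ext_password_backend`, so the store copy holds no credential.
      # `ap_scan=0` is the no-scan mode used with the wired driver.
      configFile.path = pkgs.writeText "supplicant-lan.conf" ''
        ctrl_interface=/run/wpa_supplicant
        ap_scan=0
        network={
          ssid="apb-ifsr"
          key_mgmt=IEEE8021X
          eap=TTLS
          anonymous_identity="rose159e@apb-ifsr"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-tud.zih.tu-dresden.de"
          identity="rose159e@apb-ifsr"
          password=ext:TUD_AUTH
          phase2="auth=PAP"
          disabled=1
        }
        network={
          ssid="zih-ma"
          key_mgmt=IEEE8021X
          eap=TTLS
          anonymous_identity="rose159e@zih-ma"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-tud.zih.tu-dresden.de"
          identity="rose159e@zih-ma"
          password=ext:TUD_AUTH
          phase2="auth=PAP"
          disabled=1
        }
        ext_password_backend=file:${config.age.secrets.dyport-auth.path}
      '';
      # Alternative kept for reference: point the supplicant directly at the
      # decrypted secret file instead of generating a config in the store.
      # configFile.path = config.age.secrets.dyport-auth.path;
    };

    # Wireless networks.  Every EAP network pins the RADIUS server with
    # `domain_suffix_match` on top of the system CA bundle, and every
    # password/PSK is an `ext:` lookup rather than a literal.
    wireless.networks = {
      eduroam = {
        auth = ''
          eap=TTLS
          anonymous_identity="anonymous@tu-dresden.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
          identity="rose159e@tu-dresden.de"
          password=ext:EDUROAM_AUTH
          phase2="auth=PAP"
          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b 82:5a:1c:02:3d:8b
        '';
        extraConfig = ''
          scan_ssid=1
        '';
        authProtocols = [ "WPA-EAP" ];
      };

      agdsn = {
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          password=ext:AGDSN_WIFI_AUTH
          phase2="auth=PAP"
          bssid_ignore=b8:3a:5a:8b:96:c2
        '';
        authProtocols = [ "WPA-EAP" ];
      };

      # Preferred over `agdsn` when enabled (priority 5), but shipped disabled.
      agdsn-office = {
        priority = 5;
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          proto=WPA2
          password=ext:AGDSN_AUTH
          phase2="auth=PAP"
        '';
        extraConfig = "disabled=1";
        authProtocols = [ "WPA-EAP" ];
      };

      agdsn_fritzbox = {
        psk = "ext:AGDSN_FRITZBOX_PSK";
        authProtocols = [ "WPA-PSK" ];
      };

      FSR = {
        psk = "ext:FSR_PSK";
        authProtocols = [ "WPA-PSK" ];
        extraConfig = "disabled=1";
      };
    };

    # openconnect (AnyConnect protocol) profiles against the TU Dresden VPN.
    # All of them are manual-start and share the `tud` secret as password file.
    openconnect.interfaces = {
      # apparently device names have a character limit
      TUD-A-Tunnel = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
          compression = "stateless";
        };
      };

      TUD-C-Tunnel = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "C-Tunnel-All-Networks";
          compression = "stateless";
        };
      };

      ZIH = {
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@zih-ma-vpn";
        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
          compression = "stateless";
        };
      };
    };
  };

  systemd.services = {
    openfortivpn-agdsn = {
      description = "AG DSN Fortinet VPN";
      # The password is read from the credentials directory that systemd
      # populates from `LoadCredential`.  The command substitution and the
      # path are quoted so a password containing whitespace or glob
      # characters is passed intact (unquoted, it would be word-split).
      # `--trusted-cert` pins the gateway certificate digest.
      # NOTE(review): `-p` still places the password in this process's argv,
      # where it is readable through the process list; openfortivpn's `-c`
      # config file (written under a private RuntimeDirectory) would avoid
      # that.
      script = ''
        ${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 \
          --realm admin-vpn \
          -u r5 \
          -p "$(cat "$CREDENTIALS_DIRECTORY/password")" \
          --trusted-cert 2edda9c8797e09af039bbefeb083a9238c353cbc913210ad8a4f737820c35a91
      '';
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      serviceConfig = {
        Type = "simple";
        # Exposes the decrypted secret as $CREDENTIALS_DIRECTORY/password,
        # readable only by this unit.
        LoadCredential = [
          "password:${config.age.secrets.agdsn.path}"
        ];
        # Sandboxing: read-only system paths, no kernel tunables/modules/log
        # access, no home directories, private /tmp, fixed clock and
        # personality.  The unit still runs as root because it needs to
        # create the tunnel device.
        ProtectSystem = true;
        ProtectKernelLogs = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;

        ProtectHome = true;
        ProtectClock = true;
        PrivateTmp = true;

        LockPersonality = true;
      };
    };

    # fix systemd dependencies for supplicant services: the generated
    # supplicant-lan@ template must not be pulled in automatically.
    "supplicant-lan@" = {
      wantedBy = lib.mkForce [ ];
    };
  };
}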