nixos-config/hosts/thinkpad/modules/networks/uni.nix
2024-08-13 11:38:01 +02:00

148 lines
4.4 KiB
Nix

{ config, pkgs, ... }:
{
age.secrets = {
tud.file = ../../../../secrets/thinkpad/tud.age;
agdsn.file = ../../../../secrets/thinkpad/agdsn.age;
dyport-auth = {
file = ../../../../secrets/thinkpad/dyport-auth.age;
};
};
networking = {
supplicant = rec {
enp0s31f6 = {
userControlled.enable = true;
driver = "wired";
configFile.path = config.age.secrets.dyport-auth.path;
};
# ugly way to add more interfaces
# "enp0s13f0u2u1" = enp0s31f6;
# "enp0s13f0u3u1" = enp0s31f6;
};
wireless.networks = {
eduroam = {
auth = ''
eap=TTLS
anonymous_identity="anonymous@tu-dresden.de"
ca_cert="/etc/ssl/certs/ca-certificates.crt"
domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
identity="rose159e@tu-dresden.de"
password="@EDUROAM_AUTH@"
phase2="auth=PAP"
bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b
'';
extraConfig = ''
scan_ssid=1
'';
authProtocols = [ "WPA-EAP" ];
};
agdsn = {
auth = ''
eap=TTLS
anonymous_identity="wifi@agdsn.de"
ca_cert="/etc/ssl/certs/ca-certificates.crt"
domain_suffix_match="radius.agdsn.de"
identity="r5"
password="@AGDSN_WIFI_AUTH@"
phase2="auth=PAP"
bssid_ignore=b8:3a:5a:8b:96:c2
'';
authProtocols = [ "WPA-EAP" ];
};
agdsn-office = {
priority = 5;
auth = ''
eap=TTLS
anonymous_identity="wifi@agdsn.de"
ca_cert="/etc/ssl/certs/ca-certificates.crt"
domain_suffix_match="radius.agdsn.de"
identity="r5"
proto=WPA2
password="@AGDSN_AUTH@"
phase2="auth=PAP"
'';
extraConfig = "disabled=1";
authProtocols = [ "WPA-EAP" ];
};
agdsn_fritzbox = {
psk = "@AGDSN_FRITZBOX_PSK@";
authProtocols = [ "WPA-PSK" ];
};
FSR = {
psk = "@FSR_PSK@";
authProtocols = [ "WPA-PSK" ];
};
};
openconnect.interfaces = {
TUD-A-Tunnel = {
# apparently device names have a character limit
protocol = "anyconnect";
gateway = "vpn2.zih.tu-dresden.de";
user = "rose159e@tu-dresden.de";
passwordFile = config.age.secrets.tud.path;
autoStart = false;
extraOptions = {
authgroup = "A-Tunnel-TU-Networks";
compression = "stateless";
};
};
TUD-C-Tunnel = {
protocol = "anyconnect";
gateway = "vpn2.zih.tu-dresden.de";
user = "rose159e@tu-dresden.de";
passwordFile = config.age.secrets.tud.path;
autoStart = false;
extraOptions = {
authgroup = "C-Tunnel-All-Networks";
compression = "stateless";
};
};
ZIH = {
protocol = "anyconnect";
gateway = "vpn2.zih.tu-dresden.de";
user = "rose159e@zih-ma-vpn";
passwordFile = config.age.secrets.tud.path;
autoStart = false;
extraOptions = {
authgroup = "A-Tunnel-TU-Networks";
compression = "stateless";
};
};
iFSR = {
protocol = "anyconnect";
gateway = "vpn2.zih.tu-dresden.de";
user = "rose159e@apb-ifsr-vpn";
passwordFile = config.age.secrets.tud.path;
autoStart = false;
extraOptions = {
authgroup = "A-Tunnel-TU-Networks";
compression = "stateless";
};
};
};
};
systemd.services = {
openfortivpn-agdsn = {
description = "AG DSN Fortinet VPN";
script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert f49ac8a174c758737c3e27d93bc2f5de37e634e2f04029a85bdb629c0ebeed31";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
serviceConfig = {
Type = "simple";
LoadCredential = [
"password:${config.age.secrets.agdsn.path}"
];
ProtectSystem = true;
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectHome = true;
ProtectClock = true;
PrivateTmp = true;
LockPersonality = true;
};
};
};
}