age secrets wifi

2024-08-07 16:33:11 +02:00 · 2024-08-07 16:33:11 +02:00 · 04bea76120
parent 13f2eb2628
commit 04bea76120
5 changed files with 82 additions and 6 deletions
--- a/common/components/networking.nix
+++ b/common/components/networking.nix
@ -1,4 +1,10 @@
-{
+{config, ...}: {
+  age.secrets.nm-secrets = {
+    file = ../../crypto/nm-secrets.age;
+    owner = "root";
+    group = "root";
+  };
+
  networking = {
    networkmanager = {
      enable = true;
@ -12,6 +18,36 @@
        # unique DUID per connection
        "ipv6.dhcp-duid" = "stable-uuid";
      };
+
+      ensureProfiles = {
+        environmentFiles = [
+          config.age.secrets.nm-secrets.path
+        ];
+
+        profiles = {
+          Starlink = {
+            connection = {
+              id = "Starlink";
+              type = "wifi";
+            };
+            ipv4 = {
+              method = "auto";
+            };
+            ipv6 = {
+              addr-gen-mode = "stable-privacy";
+              method = "auto";
+            };
+            wifi = {
+              mode = "infrastructure";
+              ssid = "Starlink";
+            };
+            wifi-security = {
+              key-mgmt = "wpa-psk";
+              psk = "$STARLINK_PSK";
+            };
+          };
+        };
+      };
    };

    firewall = {
--- a/crypto/nm-secrets.age
+++ b/crypto/nm-secrets.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 KiRjUQ 9wLMoxLXCO2BS4zXIQmxtJSQg5dR4HmkC29vvD7hyUs
+2Hn6HUUu8lTib5b/JYrNkU0/GGq7x4nAqtUMrYTNiVs
+-> ssh-ed25519 wZ5Prg WHHhw9N4vWmEXA3foMhueKcf2dcOCkF+mGNrG+WviQ8
+sH/F8N+00hmaUUHPgVmquZFQS2qjx891dftJe1H3oEo
+-> ssh-ed25519 VZzOpg rJR1x3ZPl+Y7SWpHDaxHNL4V7Tri+pzoN+WLQzBcmyg
+/hwwkcmvasPRSOo5axKuUTUgpEX82uqSmICrPdqwQdM
+-> ssh-ed25519 0bzV9g bB44z3/Wh+RmL8zQZPgpvaHAptLGIeiSDUlOgx4Y3z4
+J/+Kf9EilkLF4ifw4y6eybl9zrQTqUwfb7EYHo/vj2Y
+-> ssh-ed25519 hV3Kug OQsWDFIABnMppRP5TEmmxJpiTu4bVilp2L8BCPfd11g
+7ht5x3yChyKCmgI6fMAEnFLd1PseaTJoA0/Fft7MQvQ
+--- uiAthSODq6CzwGnuZ7SiDUhDIvPqhBWRn4k2ZU0c3Mc
+låžÅl¯Yv×†š¢ØW¡Åh$¦({@Ã˜F‰Tê,HnÌànSzë—zBåÊ¯4â“lþõ[ü' ÈQ
--- a/crypto/secrets.nix
+++ b/crypto/secrets.nix
@ -0,0 +1,12 @@
+let
+  sshKeys = import ./ssh-keys.nix;
+in {
+  "wifi.age".publicKeys = [sshKeys.host.yaseen sshKeys.tasia.yaseen];
+  "nm-secrets.age".publicKeys = [
+    sshKeys.tasia.yaseen
+    sshKeys.host.enry
+    sshKeys.host.phoenix
+    sshKeys.host.stuff
+    sshKeys.host.yaseen
+  ];
+}
--- a/hosts/yaseen/configuration.nix
+++ b/hosts/yaseen/configuration.nix
@ -179,6 +179,26 @@ in {
    relayIP = "100.91.88.2";
  };

+  # users.users.lol = {
+  #   isNormalUser = true;
+  #   description = "lol";
+  #   extraGroups = [
+  #     "networkmanager"
+  #     # "wheel"
+  #     # "syncthing"
+  #     # "tss"
+  #     # "dialout"
+  #     # "vboxusers"
+  #     # "adbusers"
+  #   ];
+  #   initialPassword = "password123";
+  # };
+
+  # netwobking
+  # ipvx dns-search = "";
+  # wifi mac-address-blacklist = "";
+  # wifisec auth-alg = "open";
+
  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
  system.stateVersion = "23.11";
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -1,5 +0,0 @@
-let
-  sshKeys = import ./crypto/ssh-keys.nix;
-in {
-  "crypto/wifi.age".publicKeys = [sshKeys.host.yaseen sshKeys.tasia.yaseen];
-}