1.1.2

2024-08-07 16:03:11 +02:00 · 2024-08-07 16:03:11 +02:00 · b76ffc648d
parent d88606a2bc
commit b76ffc648d
7 changed files with 97 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,7 @@
 node_modules
 site
 NOTES.md
+*.ods*

 theme/*.html
 theme/*.min.*
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -1,5 +1,5 @@
 default: true

 MD013: false
-MD007: 
-  indent: 4
+MD007:
+  indent: 4
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -13,6 +13,10 @@ unlisted: true
 -->
 <!-- - put advertisement behind a `details` block -->

+## v1.1.2 (2024-08-07)
+
+- new post: [NixOS: Declarative WiFi connections with agenix and NetworkManager](/~tasiaiso/docs/posts/nixos-wifi-agenix.md)
+
 ## v1.1.0, v1.1.1 (2024-08-03)

 - new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md)
--- a/docs/index.md
+++ b/docs/index.md
@ -72,6 +72,10 @@ If you like my posts, please consider supporting me on [Liberapay](https://liber

 See the whole [changelog](changelog.md).

+## v1.1.2 (2024-08-07)
+
+- new post: [NixOS: Declarative WiFi connections with agenix and NetworkManager](/~tasiaiso/docs/posts/nixos-wifi-agenix.md)
+
 ### v1.1.0, v1.1.1 (2024-08-03)

 - new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md)
--- a/docs/posts/nixos-wifi-agenix.md
+++ b/docs/posts/nixos-wifi-agenix.md
@ -0,0 +1,83 @@
+---
+date: 2024-08-07
+unlisted: false
+---
+
+# NixOS: Declarative WiFi connections with agenix and NetworkManager
+
+Here I'll show you how to declare WiFi connections for NetworkManager in NixOS, using agenix to store encrypted pre-shared keys.
+Thanks to [@TLATER](https://discourse.nixos.org/u/TLATER) for the [answer](https://discourse.nixos.org/t/storing-wifi-passwords-with-agenix-using-networkmanager/50215/2)!
+
+## The agenix part
+
+Here I'll assume you got agenix working. If not, follow [this wiki article](https://nixos.wiki/wiki/Agenix).
+  
+Create an age-encrypted [environment file](https://www.baeldung.com/linux/environment-variables-file) so that:  
+  
+```bash
+  $ agenix -d crypto/nm-secrets.age
+  STARLINK_PSK=MyPSKHere
+```
+
+Tell your NixOS config to import it:
+
+```nix
+  age.secrets.nm-secrets = {
+    file = ../../crypto/nm-secrets.age;
+    owner = "root";
+    group = "root";
+  };
+```
+
+## Import the secrets into NixOS
+
+Now tell NetworkManager to ensure your profile is installed.
+To achieve this we'll be using `networking.networkmanager.ensureProfiles.profiles` and `networking.networkmanager.ensureProfiles.environmentFiles`:
+
+```nix
+  networking.networkmanager.ensureProfiles = {
+    environmentFiles = [
+      config.age.secrets.nm-secrets.path
+    ];
+  
+    profiles = {
+      Starlink = {
+        connection = {
+          id = "Starlink";
+          type = "wifi";
+        };
+        ipv4 = {
+          method = "auto";
+        };
+        ipv6 = {
+          addr-gen-mode = "stable-privacy";
+          method = "auto";
+        };
+        wifi = {
+          mode = "infrastructure";
+          ssid = "Starlink";
+        };
+        wifi-security = {
+          key-mgmt = "wpa-psk";
+          psk = "$STARLINK_PSK";
+        };
+      };
+    };
+  };
+```
+
+`networking.networkmanager.ensureProfiles.profiles` first builds a configuration file NetworkManager can understand from the attribute set we pass it, and `networking.networkmanager.ensureProfiles.environmentFiles` tells NixOS to take the configuration and to substitute variable identifiers by their value stored in the `nm-secrets.age` file.
+
+Adjust this configuration as needed using [this documentation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_networkmanager-connection-profiles-in-keyfile-format_configuring-and-managing-networking).
+Rebuild and everything should just work!
+
+## Security considerations
+
+**DISCLAIMER**: I'm pretty sure what I'm saying here is accurate, but I do not have the time nor skills to check this in depth.
+Take what I'm saying here with a grain of salt. If I'm wrong, please send me an email containing a minimum of 3 insults.
+
+agenix stores your secrets in an encrypted format in the publicly-available Nix store (`/nix/store/*-nm-secrets.age`) and exposes them in plaintext at `/run/agenix.d/*/nm-secrets` to `root` only.
+After decryption, the password is stored in plaintext as part of the connection configuration at `/run/NetworkManager/system-connections/'Starlink'.nmconnection` in a tmpfs only available to `root`.
+Additionnally, NetworkManager exposes the PSK to all members of the `networkmanager` group.
+
+To me this looks like a reasonably secure way to store WiFi credentials.
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "tilde",
-  "version": "1.1.1",
+  "version": "1.1.2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "tilde",
-      "version": "1.1.1",
+      "version": "1.1.2",
      "license": "GPL-3.0-only",
      "devDependencies": {
        "markdownlint-cli": "0.40.0",
--- a/package.json
+++ b/package.json
@ -1,7 +1,7 @@
 {
  "name": "tilde",
  "description": "My personal website",
-  "version": "1.1.1",
+  "version": "1.1.2",
  "author": "tasiaiso",
  "license": "GPL-3.0-only",
  "devDependencies": {