From b76ffc648d076b29ac897cfd22aad3d9cc7fc232 Mon Sep 17 00:00:00 2001
From: Tasia Iso
Date: Wed, 7 Aug 2024 16:03:11 +0200
Subject: [PATCH] 1.1.2

---
 .gitignore | 1 +
 .markdownlint.yaml | 4 +-
 docs/changelog.md | 4 ++
 docs/index.md | 4 ++
 docs/posts/nixos-wifi-agenix.md | 83 +++++++++++++++++++++++++++++++++
 package-lock.json | 4 +-
 package.json | 2 +-
 7 files changed, 97 insertions(+), 5 deletions(-)
 create mode 100644 docs/posts/nixos-wifi-agenix.md

diff --git a/.gitignore b/.gitignore
index 9891f15..482ce4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@ node_modules site NOTES.md +*.ods* theme/*.html theme/*.min.*
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
index c8ba000..75bb336 100644
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@@ -1,5 +1,5 @@ default: true MD013: false -MD007: - indent: 4 \ No newline at end of file +MD007: + indent: 4
diff --git a/docs/changelog.md b/docs/changelog.md
index 95f1569..838f5d5 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -13,6 +13,10 @@ unlisted: true --> +## v1.1.2 (2024-08-07) + +- new post: [NixOS: Declarative WiFi connections with agenix and NetworkManager](/~tasiaiso/docs/posts/nixos-wifi-agenix.md) + ## v1.1.0, v1.1.1 (2024-08-03) - new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md)
diff --git a/docs/index.md b/docs/index.md
index 4bdd508..f6b6956 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -72,6 +72,10 @@ If you like my posts, please consider supporting me on [Liberapay](https://liber See the whole [changelog](changelog.md). +## v1.1.2 (2024-08-07) + +- new post: [NixOS: Declarative WiFi connections with agenix and NetworkManager](/~tasiaiso/docs/posts/nixos-wifi-agenix.md) + ### v1.1.0, v1.1.1 (2024-08-03) - new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md)
diff --git a/docs/posts/nixos-wifi-agenix.md b/docs/posts/nixos-wifi-agenix.md
new file mode 100644
index 0000000..b5554b7
--- /dev/null
+++ b/docs/posts/nixos-wifi-agenix.md 
@@ -0,0 +1,83 @@
+---
+date: 2024-08-07
+unlisted: false
+---
+
+# NixOS: Declarative WiFi connections with agenix and NetworkManager
+
+Here I'll show you how to declare WiFi connections for NetworkManager in NixOS, using agenix to store encrypted pre-shared keys.
+Thanks to [@TLATER](https://discourse.nixos.org/u/TLATER) for the [answer](https://discourse.nixos.org/t/storing-wifi-passwords-with-agenix-using-networkmanager/50215/2)!
+
+## The agenix part
+
+Here I'll assume you got agenix working. If not, follow [this wiki article](https://nixos.wiki/wiki/Agenix).
+
+Create an age-encrypted [environment file](https://www.baeldung.com/linux/environment-variables-file) so that:
+
+```bash
+ $ agenix -d crypto/nm-secrets.age
+ STARLINK_PSK=MyPSKHere
+```
+
+Tell your NixOS config to import it:
+
+```nix
+ age.secrets.nm-secrets = {
+ file = ../../crypto/nm-secrets.age;
+ owner = "root";
+ group = "root";
+ };
+```
+
+## Import the secrets into NixOS
+
+Now tell NetworkManager to ensure your profile is installed.
+To achieve this we'll be using `networking.networkmanager.ensureProfiles.profiles` and `networking.networkmanager.ensureProfiles.environmentFiles`:
+
+```nix
+ networking.networkmanager.ensureProfiles = {
+ environmentFiles = [
+ config.age.secrets.nm-secrets.path
+ ];
+
+ profiles = {
+ Starlink = {
+ connection = {
+ id = "Starlink";
+ type = "wifi";
+ };
+ ipv4 = {
+ method = "auto";
+ };
+ ipv6 = {
+ addr-gen-mode = "stable-privacy";
+ method = "auto";
+ };
+ wifi = {
+ mode = "infrastructure";
+ ssid = "Starlink";
+ };
+ wifi-security = {
+ key-mgmt = "wpa-psk";
+ psk = "$STARLINK_PSK";
+ };
+ };
+ };
+ };
+```
+
+`networking.networkmanager.ensureProfiles.profiles` first builds a configuration file NetworkManager can understand from the attribute set we pass it, and `networking.networkmanager.ensureProfiles.environmentFiles` tells NixOS to take the configuration and to substitute variable identifiers by their value stored in the `nm-secrets.age` file.
+
+Adjust this configuration as needed using [this documentation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_networkmanager-connection-profiles-in-keyfile-format_configuring-and-managing-networking).
+Rebuild and everything should just work!
+
+## Security considerations
+
+**DISCLAIMER**: I'm pretty sure what I'm saying here is accurate, but I do not have the time nor skills to check this in depth.
+Take what I'm saying here with a grain of salt. If I'm wrong, please send me an email containing a minimum of 3 insults.
+
+agenix stores your secrets in an encrypted format in the publicly-available Nix store (`/nix/store/*-nm-secrets.age`) and exposes them in plaintext at `/run/agenix.d/*/nm-secrets` to `root` only.
+After decryption, the password is stored in plaintext as part of the connection configuration at `/run/NetworkManager/system-connections/'Starlink'.nmconnection` in a tmpfs only available to `root`.
+Additionnally, NetworkManager exposes the PSK to all members of the `networkmanager` group.
+
+To me this looks like a reasonably secure way to store WiFi credentials.
diff --git a/package-lock.json b/package-lock.json
index 1096102..a58d73f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "tilde", - "version": "1.1.1", + "version": "1.1.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "tilde", - "version": "1.1.1", + "version": "1.1.2", "license": "GPL-3.0-only", "devDependencies": { "markdownlint-cli": "0.40.0",
diff --git a/package.json b/package.json
index 04d7277..ca1843b 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@ { "name": "tilde", "description": "My personal website", - "version": "1.1.1", + "version": "1.1.2", "author": "tasiaiso", "license": "GPL-3.0-only", "devDependencies": {