tasiaiso/tasiaiso.vulpecula.zone
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

1.1.2

Browse source
This commit is contained in:
Tasia Iso 2024-08-07 16:03:11 +02:00
parent d88606a2bc
commit b76ffc648d
Signed by: tasiaiso
SSH key fingerprint: SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw
7 changed files with 97 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,6 +1,7 @@
node_modules node_modules
site site
NOTES.md NOTES.md
*.ods*
theme/*.html theme/*.html
theme/*.min.* theme/*.min.*

4
.markdownlint.yaml
View file

@ -1,5 +1,5 @@
default: true default: true
MD013: false MD013: false
MD007: MD007:
indent: 4 indent: 4

4
docs/changelog.md
View file

@ -13,6 +13,10 @@ unlisted: true
--> -->
<!-- - put advertisement behind a `details` block --> <!-- - put advertisement behind a `details` block -->
## v1.1.2 (2024-08-07)
- new post: [NixOS: Declarative WiFi connections with agenix and NetworkManager](/~tasiaiso/docs/posts/nixos-wifi-agenix.md)
## v1.1.0, v1.1.1 (2024-08-03) ## v1.1.0, v1.1.1 (2024-08-03)
- new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md) - new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md)

4
docs/index.md
View file

@ -72,6 +72,10 @@ If you like my posts, please consider supporting me on [Liberapay](https://liber
See the whole [changelog](changelog.md). See the whole [changelog](changelog.md).
## v1.1.2 (2024-08-07)
- new post: [NixOS: Declarative WiFi connections with agenix and NetworkManager](/~tasiaiso/docs/posts/nixos-wifi-agenix.md)
### v1.1.0, v1.1.1 (2024-08-03) ### v1.1.0, v1.1.1 (2024-08-03)
- new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md) - new post: [My review of the Piscine at 42](/~tasiaiso/docs/posts/42-piscine.md)

83
docs/posts/nixos-wifi-agenix.md Normal file
View file

@ -0,0 +1,83 @@
---
date: 2024-08-07
unlisted: false
---
# NixOS: Declarative WiFi connections with agenix and NetworkManager
Here I'll show you how to declare WiFi connections for NetworkManager in NixOS, using agenix to store encrypted pre-shared keys.
Thanks to [@TLATER](https://discourse.nixos.org/u/TLATER) for the [answer](https://discourse.nixos.org/t/storing-wifi-passwords-with-agenix-using-networkmanager/50215/2)!
## The agenix part
Here I'll assume you got agenix working. If not, follow [this wiki article](https://nixos.wiki/wiki/Agenix).
Create an age-encrypted [environment file](https://www.baeldung.com/linux/environment-variables-file) so that:
```bash
$ agenix -d crypto/nm-secrets.age
STARLINK_PSK=MyPSKHere
```
Tell your NixOS config to import it:
```nix
age.secrets.nm-secrets = {
file = ../../crypto/nm-secrets.age;
owner = "root";
group = "root";
};
```
## Import the secrets into NixOS
Now tell NetworkManager to ensure your profile is installed.
To achieve this we'll be using `networking.networkmanager.ensureProfiles.profiles` and `networking.networkmanager.ensureProfiles.environmentFiles`:
```nix
networking.networkmanager.ensureProfiles = {
environmentFiles = [
config.age.secrets.nm-secrets.path
];
profiles = {
Starlink = {
connection = {
id = "Starlink";
type = "wifi";
};
ipv4 = {
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "Starlink";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$STARLINK_PSK";
};
};
};
};
```
`networking.networkmanager.ensureProfiles.profiles` first builds a configuration file NetworkManager can understand from the attribute set we pass it, and `networking.networkmanager.ensureProfiles.environmentFiles` tells NixOS to take the configuration and to substitute variable identifiers by their value stored in the `nm-secrets.age` file.
Adjust this configuration as needed using [this documentation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_networkmanager-connection-profiles-in-keyfile-format_configuring-and-managing-networking).
Rebuild and everything should just work!
## Security considerations
**DISCLAIMER**: I'm pretty sure what I'm saying here is accurate, but I do not have the time nor skills to check this in depth.
Take what I'm saying here with a grain of salt. If I'm wrong, please send me an email containing a minimum of 3 insults.
agenix stores your secrets in an encrypted format in the publicly-available Nix store (`/nix/store/*-nm-secrets.age`) and exposes them in plaintext at `/run/agenix.d/*/nm-secrets` to `root` only.
After decryption, the password is stored in plaintext as part of the connection configuration at `/run/NetworkManager/system-connections/'Starlink'.nmconnection` in a tmpfs only available to `root`.
Additionnally, NetworkManager exposes the PSK to all members of the `networkmanager` group.
To me this looks like a reasonably secure way to store WiFi credentials.

4
package-lock.json generated
View file

@ -1,12 +1,12 @@
{ {
"name": "tilde", "name": "tilde",
"version": "1.1.1", "version": "1.1.2",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "tilde", "name": "tilde",
"version": "1.1.1", "version": "1.1.2",
"license": "GPL-3.0-only", "license": "GPL-3.0-only",
"devDependencies": { "devDependencies": {
"markdownlint-cli": "0.40.0", "markdownlint-cli": "0.40.0",

2
package.json
View file

@ -1,7 +1,7 @@
{ {
"name": "tilde", "name": "tilde",
"description": "My personal website", "description": "My personal website",
"version": "1.1.1", "version": "1.1.2",
"author": "tasiaiso", "author": "tasiaiso",
"license": "GPL-3.0-only", "license": "GPL-3.0-only",
"devDependencies": { "devDependencies": {