diff --git a/flake.lock b/flake.lock index e8d01f1..54b95bc 100644 --- a/flake.lock +++ b/flake.lock @@ -8,14 +8,15 @@ ], "nixpkgs": [ "nixpkgs" - ] + ], + "systems": "systems" }, "locked": { - "lastModified": 1703260116, - "narHash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU=", + "lastModified": 1703433843, + "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=", "owner": "ryantm", "repo": "agenix", - "rev": "d0d4ad5be611da43da04321f49684ad72d705c7e", + "rev": "417caa847f9383e111d1397039c9d4337d024bf0", "type": "github" }, "original": { @@ -242,11 +243,11 @@ ] }, "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "type": "github" }, "original": { @@ -262,7 +263,7 @@ "agenix-rekey", "nixpkgs" ], - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1695195896, @@ -307,7 +308,7 @@ "nixos-extra-modules", "nixpkgs" ], - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1701787589, @@ -330,11 +331,11 @@ ] }, "locked": { - "lastModified": 1703162528, - "narHash": "sha256-pQ41wN6JlStkZOhRTIHEpuwVywLdh+xzZQW1+FzdjVs=", + "lastModified": 1703532766, + "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=", "owner": "nix-community", "repo": "disko", - "rev": "a050895e4eb06e0738680021a701ea05dc8dbfc9", + "rev": "1b191113874dee97796749bb21eac3d84735c70a", "type": "github" }, "original": { @@ -519,7 +520,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1681202837, @@ -537,7 +538,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1701680307, 
@@ -555,7 +556,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1701680307, @@ -573,7 +574,7 @@ }, "flake-utils_5": { "inputs": { - "systems": "systems_6" + "systems": "systems_7" }, "locked": { "lastModified": 1685518550, @@ -591,7 +592,7 @@ }, "flake-utils_6": { "inputs": { - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1701680307, @@ -609,7 +610,7 @@ }, "flake-utils_7": { "inputs": { - "systems": "systems_8" + "systems": "systems_9" }, "locked": { "lastModified": 1685518550, @@ -627,7 +628,7 @@ }, "flake-utils_8": { "inputs": { - "systems": "systems_9" + "systems": "systems_10" }, "locked": { "lastModified": 1685518550, @@ -791,11 +792,11 @@ ] }, "locked": { - "lastModified": 1703178811, - "narHash": "sha256-Orbqa8DvszYZ38XGWAs43hVs++czt2N6/Y0sFRLhJms=", + "lastModified": 1703527373, + "narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=", "owner": "nix-community", "repo": "home-manager", - "rev": "fb5ac0c870a1b3ffea70e02ab1720d991ce812ae", + "rev": "80679ea5074ab7190c4cce478c600057cfb5edae", "type": "github" }, "original": { @@ -827,11 +828,11 @@ }, "impermanence": { "locked": { - "lastModified": 1702984171, - "narHash": "sha256-reIUBrUXibohXmvXRsgpvtlCE0QQSvWSA+qQCKohgR0=", + "lastModified": 1703562375, + "narHash": "sha256-T46GgRVnSUo0DrCVAHreLNMgeCYmFvo469qj1Z6dYDQ=", "owner": "nix-community", "repo": "impermanence", - "rev": "123e94200f63952639492796b8878e588a4a2851", + "rev": "8d16ac97980b3641078dd7c11337bfaa77b45789", "type": "github" }, "original": { 
@@ -873,11 +874,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1702814943, - "narHash": "sha256-tNKSDbtoEDfCTs30dyW0Fcj4KJpjzTRASL6f2BbuSKE=", + "lastModified": 1703419730, + "narHash": "sha256-ZRqj/irxTzRoGne2eWmuNaSO1/rz22S1EGj+MJXINeo=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "ac8b1c4cfb2f9111e709aaf503511df354e86733", + "rev": "7deb8249793fd2e9244c4e652c18d95351eb1111", "type": "github" }, "original": { @@ -894,11 +895,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1702815315, - "narHash": "sha256-LEpv7kvB7KPj/6BoNYWMcVjRezTJe6FNmg5kCKZQxMk=", + "lastModified": 1703466376, + "narHash": "sha256-Wy8iF8u5KSzrTxg1hStTBmUjzzKdKyCyMOg8b/eTvVQ=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "3c6e1234af3aa26fc60d0969619cf6806ec51639", + "rev": "64104a3c55593c903af78af86a4c9d2e5487a2d7", "type": "github" }, "original": { @@ -936,11 +937,11 @@ ] }, "locked": { - "lastModified": 1702864432, - "narHash": "sha256-xR5Igg2hnm979W3YgMDrSjErHFhHo4rbMboF6DC0mbc=", + "lastModified": 1703387252, + "narHash": "sha256-XKJqGj0BaEn/zyctEnkgVIh6Ba1rgTRc+UBi9EU8Y54=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "4605ccd764fac78b9e4b5b058698cb9f04430b91", + "rev": "f4340c1a42c38d79293ba69bfd839fbd6268a538", "type": "github" }, "original": { @@ -1010,11 +1011,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1702453208, - "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=", + "lastModified": 1703545041, + "narHash": "sha256-nvQA+k1rSszrf4kA4eK2i/SGbzoXyoKHzzyzq/Jca1w=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6", + "rev": "a15b6e525f5737a47b4ce28445c836996fb2ea8c", "type": "github" }, "original": { 
@@ -1025,11 +1026,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "lastModified": 1703255338, + "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", "type": "github" }, "original": { @@ -1041,11 +1042,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1702774034, - "narHash": "sha256-M0IsUA89EKHL8IDx9bf+e2W2l1kMRpaZ4h08navMXig=", + "lastModified": 1703378839, + "narHash": "sha256-wJDrJji9XNMgAsO+Ah34BaraG8bAw9GF7poJQPE0TqU=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "9b4f1493009b8d2f55a525a01de10addc9a0a752", + "rev": "9b3a550ca7d42f5ceb3acc13f95dae1a69e6de56", "type": "github" }, "original": { @@ -1144,11 +1145,11 @@ ] }, "locked": { - "lastModified": 1703261986, - "narHash": "sha256-+OPGb6fOF1wpiCNnpnDHvLkwnhbcAx6785FyNdYupkI=", + "lastModified": 1703502790, + "narHash": "sha256-BMwU2OD7PB0ikWABs58c6kRkzxznIF/G8tacr9pENmE=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "e977dcdee6b4c944b6309cd7973fd27f73efa842", + "rev": "95c67444c1886ed3cddd54da947237682c211c39", "type": "github" }, "original": { @@ -1159,11 +1160,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1702539185, - "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=", + "lastModified": 1703134684, + "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447", + "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", "type": "github" }, "original": { 
@@ -1249,11 +1250,11 @@ "pre-commit-hooks": "pre-commit-hooks_3" }, "locked": { - "lastModified": 1703260550, - "narHash": "sha256-wPe+0oCgzvf9Ixscme+NUS4iRX0n/alJvt3msnu9vPA=", + "lastModified": 1703435563, + "narHash": "sha256-BDnoVc9Kvc9wo9lt8GC0kkqwLedP7lnBBdh1UHl4cPw=", "owner": "nix-community", "repo": "nixvim", - "rev": "e0521dde87825e4ed16e1ac5b6df9f1b7e60af05", + "rev": "c11158c73e9a488d803356127a54af8101fc0051", "type": "github" }, "original": { @@ -1387,11 +1388,11 @@ "nixpkgs-stable": "nixpkgs-stable_5" }, "locked": { - "lastModified": 1702456155, - "narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=", + "lastModified": 1703426812, + "narHash": "sha256-aODSOH8Og8ne4JylPJn+hZ6lyv6K7vE5jFo4KAGIebM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc", + "rev": "7f35ec30d16b38fe0eed8005933f418d1a4693ee", "type": "github" }, "original": { @@ -1421,7 +1422,7 @@ "pre-commit-hooks": "pre-commit-hooks_4", "spicetify-nix": "spicetify-nix", "stylix": "stylix", - "systems": "systems_10", + "systems": "systems_11", "templates": "templates", "wired-notify": "wired-notify" } @@ -1485,11 +1486,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1703004037, - "narHash": "sha256-ceYPl/ML0kQBCUaOw0gG2TxHHEl4k9xivFpsdlKidIQ=", + "lastModified": 1703528325, + "narHash": "sha256-ajoMmEPbLhp9xsReDDQFaY7xX+ayIqwfMlZNg8YxHnw=", "owner": "danth", "repo": "stylix", - "rev": "d14ac4912a9ab02f8b49b761e9e4b9ae836171af", + "rev": "7ccd1293a48f01eace7d0ce8d82af51919105b76", "type": "github" }, "original": { 
@@ -1528,6 +1529,21 @@ "type": "github" } }, + "systems_11": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "systems_2": { "locked": { "lastModified": 1681028828, @@ -1672,11 +1688,11 @@ ] }, "locked": { - "lastModified": 1702461037, - "narHash": "sha256-ssyGxfGHRuuLHuMex+vV6RMOt7nAo07nwufg9L5GkLg=", + "lastModified": 1702979157, + "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "d06b70e5163a903f19009c3f97770014787a080f", + "rev": "2961375283668d867e64129c22af532de8e77734", "type": "github" }, "original": { diff --git a/hosts/patricknix/net.nix b/hosts/patricknix/net.nix index 796bd1e..fe57a13 100644 --- a/hosts/patricknix/net.nix +++ b/hosts/patricknix/net.nix 
@@ -1,7 +1,33 @@
 {config, ...}: {
+ age.secrets.eduroam = {
+ rekeyFile = ./secrets/iwd/eduroam.8021x.age;
+ path = "/var/lib/iwd/eduroam.8021x";
+ };
+ age.secrets.simonWlan = {
+ rekeyFile = ./. + "/secrets/iwd/=467269747a21426f78373539302048616e7373656e.psk.age";
+ path = "/var/lib/=467269747a21426f78373539302048616e7373656e.psk";
+ };
+ age.secrets = {
+ devoloog-psk.rekeyFile = ./secrets/iwd/devoloog-psk.age;
+ devoloog-pass.rekeyFile = ./secrets/iwd/devoloog-pass.age;
+ devoloog-sae19.rekeyFile = ./secrets/iwd/devoloog-sae19.age;
+ devoloog-sae20.rekeyFile = ./secrets/iwd/devoloog-sae20.age;
+ };
 networking = {
 inherit (config.secrets.secrets.local.networking) hostId;
- wireless.iwd.enable = true;
+ wireless.iwd = {
+ enable = true;
+ networks = {
+ devoloog.settings = {
+ Security = {
+ PreSharedKey = config.age.secrets.devoloog-psk.path;
+ Passphrase = config.age.secrets.devoloog-pass.path;
+ SAE-PT-Group19 = config.age.secrets.devoloog-sae19.path;
+ SAE-PT-Group20 = config.age.secrets.devoloog-sae20.path;
+ };
+ };
+ };
+ };
 # Add the VPN based route to my paperless instance to
 # etc/hosts
 extraHosts = ''
@@ -45,16 +71,4 @@
 dhcpV6Config.RouteMetric = 40;
 };
 };
- age.secrets.eduroam = {
- rekeyFile = ./secrets/iwd/eduroam.8021x.age;
- path = "/var/lib/iwd/eduroam.8021x";
- };
- age.secrets.devoloog = {
- rekeyFile = ./secrets/iwd/devolo-og.psk.age;
- path = "/var/lib/iwd/devolo-og.psk";
- };
- age.secrets.simonWlan = {
- rekeyFile = ./. + "/secrets/iwd/=467269747a21426f78373539302048616e7373656e.psk.age";
- path = "/var/lib/=467269747a21426f78373539302048616e7373656e.psk";
- };
 }
diff --git a/hosts/patricknix/secrets/iwd/devolo-og.psk.age b/hosts/patricknix/secrets/iwd/devolo-og.psk.age
deleted file mode 100644
index 279b538..0000000
Binary files a/hosts/patricknix/secrets/iwd/devolo-og.psk.age and /dev/null differ
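Review bot: The relocated `age.secrets.simonWlan` block still decrypts to `/var/lib/=467269747a21426f78373539302048616e7373656e.psk`, without the `iwd/` component that `eduroam` uses. The decrypted PSK therefore lands directly in `/var/lib` rather than in iwd's state directory, where iwd presumably never reads it. Since the block is being moved anyway, change it to `path = "/var/lib/iwd/=467269747a21426f78373539302048616e7373656e.psk";`. Separately, the four `Security` values under `devoloog.settings` are decrypted-file paths, not key material, and only work because the module's `settings` option documents that an existing file is read at service start. A short comment such as `# values are agenix paths; the iwd module reads them at preStart so the secrets stay out of the Nix store` would make that dependency explicit. The `networking` attribute set continues outside this hunk.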
diff --git a/hosts/patricknix/secrets/iwd/devoloog-pass.age b/hosts/patricknix/secrets/iwd/devoloog-pass.age new file mode 100644 index 0000000..d0cada9 --- /dev/null +++ b/hosts/patricknix/secrets/iwd/devoloog-pass.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> X25519 Yu9I8MMeSOj0o/GgDHavd/h+nFBLg+HgynBS4CwPu2E +c4ZFdXhiZteLlJ2p5bwqYqxert3Tu77G4k+7wVskkDY +-> piv-p256 XTQkUA ApCLcyq6V/ViY/CPEv/xNE94dr4rMacDYQaVbm3XiRh0 +sy28bqGANVFogK167Ug6UxlhCtu7VduqJRNf2JJy+3s +-> piv-p256 ZFgiIw A7MTWlpv3dxm3RqSvEYHolVR0Q9JVP+dlkf3PqwjtniY +jduMm3dHT/OZuvMTQ9mprd7mWU9cyiTkM557gOE6fz4 +-> piv-p256 ZFgiIw AyNVo9CHra3CEkgHvzv4AfoAWgVXcoU4KmTYoc9XCydE +by2yKqbQ4VQl074EXRJsntYDc+pTF3s/aZjTHUxcOc8 +-> 3h.^Qx$-grease [u;j} P` +02iOKQ +--- SxO9fHMpuwq7OtQW9oHce6yHT2HYz1dFb51IdfAirsE +v^k,Z5YL?&˻Đm-va#hi \ No newline at end of file diff --git a/hosts/patricknix/secrets/iwd/devoloog-psk.age b/hosts/patricknix/secrets/iwd/devoloog-psk.age new file mode 100644 index 0000000..0bcbaa9 Binary files /dev/null and b/hosts/patricknix/secrets/iwd/devoloog-psk.age differ diff --git a/hosts/patricknix/secrets/iwd/devoloog-sae19.age b/hosts/patricknix/secrets/iwd/devoloog-sae19.age new file mode 100644 index 0000000..74b7bd9 --- /dev/null +++ b/hosts/patricknix/secrets/iwd/devoloog-sae19.age 
@@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> X25519 wtUBa6q5pJMUovFqGuAc1DgpxNNRcgPthhZVk/bJACY +TMyIvn5VGVxkTZYlxC6THUx2Yt88O1RxA/PVLrLEYmg +-> piv-p256 XTQkUA A5OxSdYZQqYkmarOpN6+lMA5z0thAwm5i1meR4baWVCg +ElbvdOqrb/gBlT/GRu7S8W1oIc3gHjbg8qh4aYCafkk +-> piv-p256 ZFgiIw AiaHGpxO8gsff4IIivHv6DsVQttjo1xAXu5DPv7ySTmM +cwiyq2nldnuyjv8RCu0LdK6CozWJhKyT3KOYZdNOX2o +-> piv-p256 ZFgiIw A+jEsJv/aasqc0pS9/YQVD8r9r7zE7TN1RQ4x3O9MGRH +muRbzTO5YKPV3SNxWlJmaYM/zaJ4Vibrw2rll9nhzcQ +-> `8G"-grease ^~S m9}+NyN! 0gUY%;m- ++C2Dt3GcIaS/w1u7wT0i2ImeFHLFuPZ8MLB2MIEWF0sMQauWc2XFN+dXxeUPCYl1 +ZSbY0u9KYqom9YsB5g +--- 661TNgwiETit9dGIYNyOJv/4FQzpMOZ5WFrkz79TvcI +T_$AXáHzkwx'[z/*yԤ~T4ėd7!v5\AΞ0OSµij+ԣ&yҨGE/j12MC?щ+P)< BMp:6| X25519 Ro0Os6I8MZwpIM1Od486oz5tlrCuXB8GGcIrPV8S1CQ +jVaINyZ0hZBoJn5iSpThaCH5SPLK5c2xL2pr4KXXrmM +-> piv-p256 XTQkUA AxMy20+EpCAgIyS6vp+qKDOju69nv3oua4swBnias6Jl +JRjc0UM3RdZ/VTj5lD5yIfGpVfiXKrIRAPJMghshHFk +-> piv-p256 ZFgiIw A35QGD5lRwczOKg2K/ZdgTRvyLdtNH57HKw6AoODkU8C +MBMOrxxWsL8xpUPskSCZkesB7htVexF1yGAUDDn0pK8 +-> piv-p256 ZFgiIw ApYHmHpIDyTgem54u7WRU35tJNgGZjA8aFd0UtMpkmXE +K7XdZit5Gkz2/D6UzMFUpobfnZXh1JWbV+/D0tNNrGw +-> jY-grease JDpeU' .3$h +lxaZZDyTUPhkis3ib33jT5GSOZa+EaheyHb7 +--- kL8WcOpKnQnZmww5ruBhlnHkryfirjgP7D3970gC3kQ +& ~hU- qx-|{zGɶy4@<t +y䁦xZ XJ^4{PhŨ"COR7! oi"WttITAno B{k瑞$hI IctX? j \ No newline at end of file diff --git a/hosts/patricknix/secrets/iwd/kaist.8021x.age b/hosts/patricknix/secrets/iwd/kaist.8021x.age deleted file mode 100644 index 189fba4..0000000 Binary files a/hosts/patricknix/secrets/iwd/kaist.8021x.age and /dev/null differ diff --git a/modules/config/default.nix b/modules/config/default.nix index ad8da21..fb59239 100644 --- a/modules/config/default.nix +++ b/modules/config/default.nix @@ -22,6 +22,7 @@ ../meta.nix ../smb-mounts.nix ../deterministic-ids.nix + ../optional/iwd.nix ./impermanence inputs.home-manager.nixosModules.default 
diff --git a/modules/optional/iwd.nix b/modules/optional/iwd.nix
new file mode 100644
index 0000000..fed85ad
--- /dev/null
+++ b/modules/optional/iwd.nix
@@ -0,0 +1,110 @@ +{ + lib, + pkgs, + config, + ... +}: { + options.networking.wireless.iwd = let + inherit + (lib) + mkOption + literalExample + types + hasAttrByPath + ; + in { + networks = mkOption { + default = {}; + example = literalExample '' + { "karlsruhe.freifunk.net" = {}; + }; + ''; + + description = '' + Declarative configuration of wifi networks for + iwd8. + + All networks will be stored in + /var/lib/iwd/<name>.<type>. + + Since each network is stored in its own file, declarative networks can be used in an + environment with imperatively added networks via + iwctl1. + ''; + + type = types.attrsOf (types.submodule ({config, ...}: { + config.kind = + if (hasAttrByPath ["Security" "Passphrase"] config.settings) + then "psk" + else if !(hasAttrByPath ["Security"] config.settings) + then "open" + else "8021x"; + + options = { + kind = mkOption { + type = types.enum ["open" "psk" "8021x"]; + description = "The type of network. This will determine the file ending. The module will try to determine this automatically so this should only be set when the heuristics fail."; + }; + settings = mkOption { + type = with types; (attrsOf (attrsOf str)); + description = '' + Contents of the iwd config file for this network + If a file named like this exists the content will be read from file, else the raw string will be used. + ''; + default = {}; + }; + }; + })); + }; + }; + + config = let + inherit + (lib) + mkIf + flip + mapAttrsToList + concatStringsSep + hasPrefix + ; + cfg = config.networking.wireless.iwd; + + encoder = pkgs.writeScriptBin "encoder" '' + #! 
${pkgs.runtimeShell} -e + + # Extract file-ext from network names + ext="$(sed -re 's/.*\.(8021x|open|psk)$/\1/' <<< "$*")" + to_enc="$(sed -re "s/(.*)\.$ext/\1/g" <<< "$*")" + + # Encode ssid (excluding file-extensio) as base64 if needed + [[ "$to_enc" =~ ^[[:alnum:]]+$ ]] && { echo "$to_enc.$ext"; exit 0; } + echo "=$(printf "$to_enc" | ${pkgs.unixtools.xxd}/bin/xxd -pu).$ext" + ''; + in + mkIf cfg.enable { + systemd.services.iwd = mkIf (cfg.networks != {}) { + path = [encoder]; + preStart = let + dataDir = "/var/lib/iwd"; + in '' + # Create config files for declaratively defined networks in the NixOS config. + ${concatStringsSep "\n" (flip mapAttrsToList cfg.networks (network: config: '' + filename=${dataDir}/"$(encoder '${network}.${config.kind}')" + touch "$filename" + cat >$filename <