Allow choosing between iwd and wpa_supplicant

2024-08-31 18:38:31 +02:00 · 2024-08-31 18:38:31 +02:00 · c0a5d1f8cc
commit c0a5d1f8cc
parent 0a2f22b0af
19 changed files with 384 additions and 199 deletions
--- a/hosts/nixos/common/optional/services/iwd.nix
+++ b/hosts/nixos/common/optional/services/iwd.nix
@ -0,0 +1,12 @@
+{
+  networking.wireless.iwd = {
+    enable = true;
+
+    settings = {
+      IPv6.Enabled = true;
+      Settings.AutoConnect = true;
+    };
+  };
+
+  environment.persistence."/persist/state".directories = [ "/var/lib/iwd" ];
+}
--- a/hosts/nixos/common/optional/services/wpa_supplicant.nix
+++ b/hosts/nixos/common/optional/services/wpa_supplicant.nix
@ -0,0 +1,57 @@
+{ config, ... }:
+{
+  sops.secrets.wireless.sopsFile = ../../secrets.yaml;
+
+  # https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/networking/wpa_supplicant.nix
+  networking.wireless = {
+    enable = true;
+    fallbackToWPA2 = false;
+
+    # Declarative
+    environmentFile = config.sops.secrets.wireless.path;
+    networks = {
+      "Neptune".psk = "@ENCELADUS_HOTSPOT_PASS@";
+
+      "Familia-Matei-PRO".psk = "@TG_HOTSPOT_HOME_PASS@";
+      "Familia-Matei".psk = "@TG_HOTSPOT_HOME_PASS@";
+
+      "R15-5365 5g".psk = "@TG_WIFI_HOME_PASS@";
+      "R15-5365".psk = "@TG_WIFI_HOME_PASS@";
+
+      "Sailhorse".psk = "@NL_PLACE_0_PASS@";
+      "Ziggo1721699".psk = "@NL_PLACE_1_PASS@";
+      "Konijntjes".psk = "@NL_PLACE_1_PODS_PASS@";
+      "InfoEdu12".psk = "@INFOEDU_PASS@";
+      "CNU19".psk = "@INFOEDU_PASS@";
+      "ZTE_F7A321".psk = "@MADALINA_PASS@";
+
+      # [Working solution](https://bbs.archlinux.org/viewtopic.php?id=271336)
+      # [Other interesting link](https://help.itc.rwth-aachen.de/en/service/b3d9a2c8ae5345b8b8f5128143ef4e3c/article/eaf6d69389a74a5a839c1f383c508df7/)
+      # [Uni link](https://lwpwiki.webhosting.rug.nl/index.php/Configure_your_wifi_for_Eduroam)
+      "eduroam" = {
+        authProtocols = [ "WPA-EAP" ];
+        auth = ''
+          eap=PEAP
+          identity="s5260329@rug.nl"
+          password="@EDUROAM_PASS@"
+        '';
+        extraConfig = ''
+          phase2="auth=MSCHAPV2"
+        '';
+      };
+    };
+
+    # Imperative
+    allowAuxiliaryImperativeNetworks = true;
+    userControlled = {
+      enable = true;
+      group = "network";
+    };
+  };
+
+  # Ensure group exists
+  users.groups.network = { };
+
+  # The service seems to fail if this file does not exist
+  systemd.tmpfiles.rules = [ "f /etc/wpa_supplicant.conf" ];
+}
--- a/hosts/nixos/common/optional/users/common.nix
+++ b/hosts/nixos/common/optional/users/common.nix
@ -0,0 +1,4 @@
+{
+  authorizedKeys = { outputs, lib }:
+
+}
--- a/hosts/nixos/common/optional/users/guest.nix
+++ b/hosts/nixos/common/optional/users/guest.nix
@ -0,0 +1,23 @@
+# For more comments check out [pilot](./pilot.nix)
+{
+  pkgs,
+  outputs,
+  lib,
+  ...
+}:
+{
+  users.mutableUsers = false;
+  users.users.guest = {
+    isNormalUser = true;
+    shell = pkgs.fish;
+    extraGroups = [
+      "wheel"
+      "audio"
+      "video"
+      "network"
+      "tty"
+    ];
+    password = "heyo";
+    openssh.authorizedKeys.keyFiles = (import ./common.nix).authorizedKeys { inherit outputs lib; };
+  };
+}
--- a/hosts/nixos/common/optional/users/pilot.nix
+++ b/hosts/nixos/common/optional/users/pilot.nix
@ -0,0 +1,90 @@
+{
+  pkgs,
+  outputs,
+  config,
+  lib,
+  ...
+}:
+{
+  # This is it's own attribute in order to prevent infinite recursion
+  # in certain places.
+  satellite.pilot.name = lib.mkDefault "adrielus";
+
+  # {{{ Password handling
+  sops.secrets.pilot_password = {
+    sopsFile = ../secrets.yaml;
+    neededForUsers = true;
+  };
+  # }}}
+
+  users = {
+    # Configure users through nix only
+    mutableUsers = false;
+
+    # {{{ Create pilot user
+    users.pilot = {
+      inherit (config.satellite.pilot) name;
+
+      # This gets referenced in other parts of the config
+      uid = 1000;
+
+      # Adds me to some default groups, and creates the home dir
+      isNormalUser = true;
+
+      # Picked up by our persistence module
+      homeMode = "700";
+
+      # Add user to the following groups
+      extraGroups = [
+        "wheel" # Access to sudo
+        "lp" # Printers
+        "audio" # Audio devices
+        "video" # Webcam and the like
+        "network" # wpa_supplicant
+        "syncthing" # syncthing!
+      ];
+
+      hashedPasswordFile = config.sops.secrets.pilot_password.path;
+      shell = pkgs.fish;
+
+      # {{{ Authorize ssh keys
+      openssh.authorizedKeys.keyFiles =
+        let
+          # Record containing all the hosts
+          hosts = outputs.nixosConfigurations;
+
+          # Function from hostname to relative path to public ssh key
+          idKey = host: ../../${host}/keys/id_ed25519.pub;
+        in
+        lib.pipe hosts [
+          # attrsetof host -> attrsetof path
+          (builtins.mapAttrs (name: _: idKey name)) # string -> host -> path
+
+          # attrsetof path -> path[]
+          builtins.attrValues
+
+          # path[] -> path[]
+          (builtins.filter builtins.pathExists)
+        ];
+      # }}}
+    };
+    # }}}
+  };
+
+  # {{{ Set user-specific ssh permissions
+  # This is mainly useful because home-manager can often fail if the perms on
+  # `~/.ssh` are incorrect.
+  systemd.tmpfiles.rules =
+    let
+      user = config.users.users.pilot;
+      root = "/persist/state/${user.home}/ssh";
+    in
+    [
+      "d ${root}                 0755 ${user.name} ${user.group}"
+      "d ${root}/.ssh            0755 ${user.name} ${user.group}"
+      "z ${root}/.ssh/id_*.pub   0755 ${user.name} ${user.group}"
+      "z ${root}/.ssh/id_rsa     0700 ${user.name} ${user.group}"
+      "z ${root}/.ssh/id_ed25519 0700 ${user.name} ${user.group}"
+    ];
+  # }}}
+}