fix(ap01/radius-secret): Use environment variable for radius secret

This is a hack, please fix it in the next iteration of the project
2025-01-30 02:03:02 +01:00 · 2025-01-30 02:03:02 +01:00 · 966e1ed038
commit 966e1ed038
parent 8b25a202c1
4 changed files with 59 additions and 32 deletions
--- a/default.nix
+++ b/default.nix
@ -187,6 +187,8 @@ in
        }))
        pkgs.npins

+        pkgs.rage
+
        # SSO testing
        pkgs.kanidm
        pkgs.freeradius
--- a/machines/liminix/ap01/wlan.nix
+++ b/machines/liminix/ap01/wlan.nix
@ -2,7 +2,12 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
  svc = config.system.service;
  secrets-1 = {
@ -64,7 +69,14 @@ let
    # No DNS here, hostapd do not support this mode.
    auth_server_addr = "129.199.195.129";
    auth_server_port = 1812;
-    auth_server_shared_secret = builtins.getEnv "RADIUS_SECRET";
+    auth_server_shared_secret =
+      let
+        secret = builtins.getEnv "RADIUS_SECRET";
+      in
+      if secret == "" then
+        lib.warn "Using a dummy RADIUS secret. Please do not use in production" "DUMMYSECRET"
+      else
+        secret;
  };

  mkWifiSta =
--- a/machines/nixos/vault01/secrets/radius-ap-radius-secret_file
+++ b/machines/nixos/vault01/secrets/radius-ap-radius-secret_file
@ -1,32 +1,32 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA 2nFaxyP7O4GWU7U3wmET5sNrnFq72b9DEhiKEgWVrFk
-l8uXfCBkTHogzVoUY0WOYhA99fodoT+N0HunacULydI
-> ssh-ed25519 QlRB9Q qDalihZE404oPOVHYQR5GIvozXNh4wNxhUa5Zwfz2DU
-X8qvWf7qprbh0xu/uOHGsNLTQc8efYsgveH9R9kZZZw
-> ssh-ed25519 r+nK/Q mksHDhPoKKxQpk4sQPHapdq87EaJmgdmoVxMYjsAang
-FTYHyxLp4nGOWJu1135yN/lQkGgAD9Jy4JJpMKFktrk
+-> ssh-ed25519 jIXfPA TdfYeqsPJBf26CO1Bh74K8qxqR1MX3VUvZ/e73+oDXQ
+KoA/I5kVXxryQ86qjfzq67Aiar+qDZF9OoF4MsNDqe4
+-> ssh-ed25519 QlRB9Q ZaPziTdzqf0vCkCiLWAUJbnROaZ7Mz+Xgw1viEMWM2s
+I0peAEQPbaXL9eHQ/OraNuqJPCxIwjpxIxhvgAifATY
+-> ssh-ed25519 r+nK/Q kgmK60IgdW4QFdKqBQ6S9JmQVoRvpmffVaoNWzfV5Bc
+ru8etu+7QOmnAoJv8BLtEK0SuDfhB75l525ORrDirvM
 -> ssh-rsa krWCLQ
-jEPt5eWP6NmpOikLhs1uPVo7kxHgg1y7WwdOPyR0z2vpFD2BWGlIi/BvnlE3OO5n
-jtvDjAauWU0X2JarfdY9mY8MoPjT9qQ/ukxuVAHi5CoL/I1JCqcbuftssYY0B7Ab
-SMfbyxjK8aIT1/4EQhMoWm0tuIylvgTBagL03Lw5mbyRqDkbpI/6YC9401YjT7Ts
-dCDGIFAYM2BA7TuJiZr881ypUdU9rlm5rss1ZLMj90jyJPJC4SDYbzE0BoBat9l0
-dYUrYGhGgZ1cDd6D6mPf6H95muiGHIhxaE8c+LdK/rKCSH9Rf6mfn/Ab/xvnaDNn
-GW/WD0EpmdzpWVPby68+KA
-> ssh-ed25519 /vwQcQ 5DoMxdoK+KiHXKwwOpb7/1FZIEzAa/2/1l8yyxey6iw
-RzmUkqZQLM5/jDXG9fxhZmfAywgVMjH9Y3O66BnhCSQ
-> ssh-ed25519 0R97PA g+uW/jfwHB3m0AdWxb9vPRjeaowhEx1Uoc2R0CVStlA
-m5XvSEVQ8DiA7BSTsxVn6S1zv92CpbyZxSgUI3ObE4c
-> ssh-ed25519 JGx7Ng BtdJpskbfPyywYeFbmQw3HGPTLv5ri6x4bFocr9l6H8
-88aFw+MCJLqMU/W/ikYDUZEAi0ImaPVbSc7cAZPbs/I
-> ssh-ed25519 5SY7Kg +JUMQfaxl7Orym43LVeqUyno0JfUbVnB+xv7smpdRhE
-6K+Ewq1FhrXB2eYdljlsYpIfmVv49E4jSBsphgDpRJk
-> ssh-ed25519 p/Mg4Q AITnEN+Q41fEA2tkvVOKGCDZiuCXanG+qaiF5X4ukiA
-NvP/HXOliNvi8tngH9PU90E616CPlh/QgkZ052H8wtk
-> ssh-ed25519 +mFdtQ RuaXIQNZ3s9C27XtpVTExJlAhYDYXRQni+Hwot0wrzU
-WctqqoGS2hVfOZSU3ihCg5eI7PnxM7dkOJKM9DJ90Wk
-> ssh-ed25519 5rrg4g cAqJQ8z6T46YwzahtcTJxXZHklCGrupVCja5U/g+ZmM
-wERu5T6rOi5/0qPSXeOnfA0Szg7/pbYFTW0Ys1yWq40
-> ssh-ed25519 oRtTqQ NF73c0d1qM4nVt2bEdWTEDjDcz/ZMCObn/7cDZfkVGA
-Mivm+WWVqAfNs5pLwGmINIsmxlEZi7m7bQIRxGkf3/Q
--- 8R1h+xsovrLq+5QI1CoTXc9TBTQugnROZpOAHWBwG1w
-G“Þ"û¤‡ã8ƒÈî‚&NF}x£ksyÖ\£.i§<69>×§F¢‹¯}ê-ÍÁÓšLbì;{
+QsgW7OvOB3cOz9MZI1PQ6Fe208WS+Sv/TWcucjD9i28U6Bty1KYeSwMH/zyzLuSe
+51TqJTnkb+xGcqw3RvKiM58HMFcl6INmOI8otGxfCQSX7p3/QxiGQBbIgRblxtWB
+8Jf55hgfh+1+vwTcM+BlBRWz4K581MeQiF2jj6ihfJNwTZ7Q9jNvgzF42znEyZyE
+QTHoR9ROA/HqLgcrui1L7QnBlP1Y9Bt/oMCh4jFwHfcc6NeHF+I6AEeQNAHH9iNX
+2+1RsJnQrTM+H204GrpVK78e1B5uCjvq/LeoWSQ3pFD9PwdM6JW2WfkB4FSCriAI
+7ZAg64qNahyjX+J+KDlrwQ
+-> ssh-ed25519 /vwQcQ MBPiBQdz65VVKMxJDlTCFUfG084K0ZcGpPJc5RKKND4
+jH9fRJ/tcGQpZQ+pGNw9lXcRbPS8LLsuwe4EUsaFGDM
+-> ssh-ed25519 0R97PA bvY5a3GO1CfVmCPJwBfFGJcS+Zkr2QRENa0WyzqspGc
+YgxthAE4TIPlweuH8cWaOmVGqomc2yfLdzjO8G8bytw
+-> ssh-ed25519 JGx7Ng 11We2girRvmkDm8eWkTZnazm7Ly0tmECFTdSFnBKIQQ
+VQ+jlP1sk+SPkHARgAly9U7W0HVbpvZvxLN4V5l6JwE
+-> ssh-ed25519 bUjjig Zt2Br6ls9INAJ5aQZ/az+6+rIpDCf/NCJP2zusdggms
+3k0NOSVDpbQFEflEvyTzKv1/zXUBVN5ub9jjOe4EybM
+-> ssh-ed25519 +mFdtQ inTgQzJVaYt8JZjtrjVzZzW9PscvBnZWkXIpEQYtdFI
+O/Z7ccZam386C6r2UVJS+OMwG8nZ57RmUy+VJEgWJEY
+-> ssh-ed25519 5rrg4g ApGMepP+32epekSxCfLGJs6uI38WPjWxtdk+q1Lvx0I
+huEBiiNzTcz5hPUs+INfDyfeqKtl+mYE38PUizHktyI
+-> ssh-ed25519 oRtTqQ QBBeZ0kLMPuDmO0hT7LvMs31WuVZATUSyxtCxgMzHgQ
+HooCKv78+xzYnOwaYXbRNVH1XpG1e8tY0PB246nkFU8
+-> G8<-grease
+58RFQqg54Xu8pavoh6wbEnJl7J8XJ5rgaVq1bxokhQ
+--- +gYhV/IjEqBw3YKDEeSbepgAIIO6A/BcpsYrwCy+Ezs
+萠%Ｃ7図殤ﾁx盟~YﾖﾜZﾁ{儖情ﾘM<EFBE98>Hﾊ<48>欷ｿXｾ<58>ﾅk@ﾓ9<EFBE93>
--- a/scripts/export_secret.sh
+++ b/scripts/export_secret.sh
@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+DECRYPT=()
+if [ -f "$HOME/.ssh/id_rsa" ]; then
+  DECRYPT+=(-i "$HOME/.ssh/id_rsa")
+fi
+if [ -f "$HOME/.ssh/id_ed25519" ]; then
+  DECRYPT+=(-i "$HOME/.ssh/id_ed25519")
+fi
+
+export RADIUS_SECRET=$(rage "${DECRYPT[@]}" -d ./machines/nixos/vault01/secrets/radius-ap-radius-secret_file)