diff --git a/default.nix b/default.nix index 55017dd..a56e937 100644 --- a/default.nix +++ b/default.nix @@ -187,6 +187,8 @@ in })) pkgs.npins + pkgs.rage + # SSO testing pkgs.kanidm pkgs.freeradius diff --git a/machines/liminix/ap01/wlan.nix b/machines/liminix/ap01/wlan.nix index 6cf4acb..f6d4dfe 100644 --- a/machines/liminix/ap01/wlan.nix +++ b/machines/liminix/ap01/wlan.nix @@ -2,7 +2,12 @@ # # SPDX-License-Identifier: EUPL-1.2 -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: let svc = config.system.service; secrets-1 = { @@ -64,7 +69,14 @@ let # No DNS here, hostapd do not support this mode. auth_server_addr = "129.199.195.129"; auth_server_port = 1812; - auth_server_shared_secret = builtins.getEnv "RADIUS_SECRET"; + auth_server_shared_secret = + let + secret = builtins.getEnv "RADIUS_SECRET"; + in + if secret == "" then + lib.warn "Using a dummy RADIUS secret. Please do not use in production" "DUMMYSECRET" + else + secret; }; mkWifiSta = diff --git a/machines/nixos/vault01/secrets/radius-ap-radius-secret_file b/machines/nixos/vault01/secrets/radius-ap-radius-secret_file index 0bb33d8..256cf6a 100644 --- a/machines/nixos/vault01/secrets/radius-ap-radius-secret_file +++ b/machines/nixos/vault01/secrets/radius-ap-radius-secret_file 
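Review bot: In the second hunk of `machines/liminix/ap01/wlan.nix`, the fallback for `auth_server_shared_secret` turns a missing `RADIUS_SECRET` into the fixed string `"DUMMYSECRET"` with only a `lib.warn`. A build where the variable is unset therefore still succeeds, and the access point is configured with a shared secret that is published in this repository. `builtins.getEnv` also returns an empty string under pure evaluation, so the same branch is taken there whatever the caller's environment holds. I would make the empty case fail, e.g. `if secret == "" then throw "RADIUS_SECRET is not set; source scripts/export_secret.sh first" else secret`, and keep a dummy value only behind an explicit test-only switch. The enclosing attribute set starts outside the hunk.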
@@ -1,32 +1,32 @@ age-encryption.org/v1 --> ssh-ed25519 jIXfPA 2nFaxyP7O4GWU7U3wmET5sNrnFq72b9DEhiKEgWVrFk -l8uXfCBkTHogzVoUY0WOYhA99fodoT+N0HunacULydI --> ssh-ed25519 QlRB9Q qDalihZE404oPOVHYQR5GIvozXNh4wNxhUa5Zwfz2DU -X8qvWf7qprbh0xu/uOHGsNLTQc8efYsgveH9R9kZZZw --> ssh-ed25519 r+nK/Q mksHDhPoKKxQpk4sQPHapdq87EaJmgdmoVxMYjsAang -FTYHyxLp4nGOWJu1135yN/lQkGgAD9Jy4JJpMKFktrk +-> ssh-ed25519 jIXfPA TdfYeqsPJBf26CO1Bh74K8qxqR1MX3VUvZ/e73+oDXQ +KoA/I5kVXxryQ86qjfzq67Aiar+qDZF9OoF4MsNDqe4 +-> ssh-ed25519 QlRB9Q ZaPziTdzqf0vCkCiLWAUJbnROaZ7Mz+Xgw1viEMWM2s +I0peAEQPbaXL9eHQ/OraNuqJPCxIwjpxIxhvgAifATY +-> ssh-ed25519 r+nK/Q kgmK60IgdW4QFdKqBQ6S9JmQVoRvpmffVaoNWzfV5Bc +ru8etu+7QOmnAoJv8BLtEK0SuDfhB75l525ORrDirvM -> ssh-rsa krWCLQ -jEPt5eWP6NmpOikLhs1uPVo7kxHgg1y7WwdOPyR0z2vpFD2BWGlIi/BvnlE3OO5n -jtvDjAauWU0X2JarfdY9mY8MoPjT9qQ/ukxuVAHi5CoL/I1JCqcbuftssYY0B7Ab -SMfbyxjK8aIT1/4EQhMoWm0tuIylvgTBagL03Lw5mbyRqDkbpI/6YC9401YjT7Ts -dCDGIFAYM2BA7TuJiZr881ypUdU9rlm5rss1ZLMj90jyJPJC4SDYbzE0BoBat9l0 -dYUrYGhGgZ1cDd6D6mPf6H95muiGHIhxaE8c+LdK/rKCSH9Rf6mfn/Ab/xvnaDNn -GW/WD0EpmdzpWVPby68+KA --> ssh-ed25519 /vwQcQ 5DoMxdoK+KiHXKwwOpb7/1FZIEzAa/2/1l8yyxey6iw -RzmUkqZQLM5/jDXG9fxhZmfAywgVMjH9Y3O66BnhCSQ --> ssh-ed25519 0R97PA g+uW/jfwHB3m0AdWxb9vPRjeaowhEx1Uoc2R0CVStlA -m5XvSEVQ8DiA7BSTsxVn6S1zv92CpbyZxSgUI3ObE4c --> ssh-ed25519 JGx7Ng BtdJpskbfPyywYeFbmQw3HGPTLv5ri6x4bFocr9l6H8 -88aFw+MCJLqMU/W/ikYDUZEAi0ImaPVbSc7cAZPbs/I --> ssh-ed25519 5SY7Kg +JUMQfaxl7Orym43LVeqUyno0JfUbVnB+xv7smpdRhE -6K+Ewq1FhrXB2eYdljlsYpIfmVv49E4jSBsphgDpRJk --> ssh-ed25519 p/Mg4Q AITnEN+Q41fEA2tkvVOKGCDZiuCXanG+qaiF5X4ukiA -NvP/HXOliNvi8tngH9PU90E616CPlh/QgkZ052H8wtk --> ssh-ed25519 +mFdtQ RuaXIQNZ3s9C27XtpVTExJlAhYDYXRQni+Hwot0wrzU -WctqqoGS2hVfOZSU3ihCg5eI7PnxM7dkOJKM9DJ90Wk --> ssh-ed25519 5rrg4g cAqJQ8z6T46YwzahtcTJxXZHklCGrupVCja5U/g+ZmM -wERu5T6rOi5/0qPSXeOnfA0Szg7/pbYFTW0Ys1yWq40 --> ssh-ed25519 oRtTqQ NF73c0d1qM4nVt2bEdWTEDjDcz/ZMCObn/7cDZfkVGA -Mivm+WWVqAfNs5pLwGmINIsmxlEZi7m7bQIRxGkf3/Q ---- 
8R1h+xsovrLq+5QI1CoTXc9TBTQugnROZpOAHWBwG1w -G"8&NF}xksy\.iקF}-ӚLb;{ \ No newline at end of file +QsgW7OvOB3cOz9MZI1PQ6Fe208WS+Sv/TWcucjD9i28U6Bty1KYeSwMH/zyzLuSe +51TqJTnkb+xGcqw3RvKiM58HMFcl6INmOI8otGxfCQSX7p3/QxiGQBbIgRblxtWB +8Jf55hgfh+1+vwTcM+BlBRWz4K581MeQiF2jj6ihfJNwTZ7Q9jNvgzF42znEyZyE +QTHoR9ROA/HqLgcrui1L7QnBlP1Y9Bt/oMCh4jFwHfcc6NeHF+I6AEeQNAHH9iNX +2+1RsJnQrTM+H204GrpVK78e1B5uCjvq/LeoWSQ3pFD9PwdM6JW2WfkB4FSCriAI +7ZAg64qNahyjX+J+KDlrwQ +-> ssh-ed25519 /vwQcQ MBPiBQdz65VVKMxJDlTCFUfG084K0ZcGpPJc5RKKND4 +jH9fRJ/tcGQpZQ+pGNw9lXcRbPS8LLsuwe4EUsaFGDM +-> ssh-ed25519 0R97PA bvY5a3GO1CfVmCPJwBfFGJcS+Zkr2QRENa0WyzqspGc +YgxthAE4TIPlweuH8cWaOmVGqomc2yfLdzjO8G8bytw +-> ssh-ed25519 JGx7Ng 11We2girRvmkDm8eWkTZnazm7Ly0tmECFTdSFnBKIQQ +VQ+jlP1sk+SPkHARgAly9U7W0HVbpvZvxLN4V5l6JwE +-> ssh-ed25519 bUjjig Zt2Br6ls9INAJ5aQZ/az+6+rIpDCf/NCJP2zusdggms +3k0NOSVDpbQFEflEvyTzKv1/zXUBVN5ub9jjOe4EybM +-> ssh-ed25519 +mFdtQ inTgQzJVaYt8JZjtrjVzZzW9PscvBnZWkXIpEQYtdFI +O/Z7ccZam386C6r2UVJS+OMwG8nZ57RmUy+VJEgWJEY +-> ssh-ed25519 5rrg4g ApGMepP+32epekSxCfLGJs6uI38WPjWxtdk+q1Lvx0I +huEBiiNzTcz5hPUs+INfDyfeqKtl+mYE38PUizHktyI +-> ssh-ed25519 oRtTqQ QBBeZ0kLMPuDmO0hT7LvMs31WuVZATUSyxtCxgMzHgQ +HooCKv78+xzYnOwaYXbRNVH1XpG1e8tY0PB246nkFU8 +-> G8<-grease +58RFQqg54Xu8pavoh6wbEnJl7J8XJ5rgaVq1bxokhQ +--- +gYhV/IjEqBw3YKDEeSbepgAIIO6A/BcpsYrwCy+Ezs +%b7}nx~YZ{OMlHW Xk@9 \ No newline at end of file diff --git a/scripts/export_secret.sh b/scripts/export_secret.sh new file mode 100755 index 0000000..e14ce9c --- /dev/null +++ b/scripts/export_secret.sh @@ -0,0 +1,13 @@ +# SPDX-FileCopyrightText: 2024 Maurice Debray +# +# SPDX-License-Identifier: EUPL-1.2 + +DECRYPT=() +if [ -f "$HOME/.ssh/id_rsa" ]; then + DECRYPT+=(-i "$HOME/.ssh/id_rsa") +fi +if [ -f "$HOME/.ssh/id_ed25519" ]; then + DECRYPT+=(-i "$HOME/.ssh/id_ed25519") +fi + +export RADIUS_SECRET=$(rage "${DECRYPT[@]}" -d ./machines/nixos/vault01/secrets/radius-ap-radius-secret_file)
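Review bot: The recipient stanzas of `radius-ap-radius-secret_file` change in this hunk (`5SY7Kg` and `p/Mg4Q` disappear, `bUjjig` is added), and re-encrypting does not withdraw access to the previous ciphertext, which the old keys can still decrypt from the repository history. Whether the plaintext was also changed cannot be told from the diff. If those two keys were dropped because they should no longer have access, the RADIUS shared secret itself needs to be rotated on the server and the access points, and the commit message should say so.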
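Review bot: On the last line of `scripts/export_secret.sh`, `export RADIUS_SECRET=$(rage …)` discards rage's exit status. A failed decryption (no matching identity, or neither key file present so that `DECRYPT` is empty) then exports an empty `RADIUS_SECRET`, and the build falls back to the dummy secret in `wlan.nix`. Assign and export separately and stop on failure: `RADIUS_SECRET=$(rage "${DECRYPT[@]}" -d ./machines/nixos/vault01/secrets/radius-ap-radius-secret_file) || return 1` followed by `export RADIUS_SECRET`. The file has no shebang although it is mode 100755 and uses bash arrays, and an `export` only reaches the caller when the script is sourced. A header comment such as `# Source from the repository root with bash: . scripts/export_secret.sh` would state both requirements, including that the relative path depends on the working directory.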