Setting up easyroam under NixOS is kind of a pain in the ass. The official app only supports NetworkManager and x86, so if you configure your networks declaratively with Nix or have a non-x86 laptop you're kind of screwed. The PKCS12 file you can download also needs to be extracted into multiple certificates.

This module aims to fix these issues by automatically extracting the PKCS12 file at startup using a systemd service (similar to sops). You'll still need to redownload it every few months, but it's much less tedious.
It can also automatically set up the wpa_supplicant or NetworkManager connection for you.

The extracted Common Name, Root Certificate, Client Certificate and Private Key end up in /run/easyroam/, so you can use them externally.
Go to easyroam.de, select your university and log in. Under Manual Options select PKCS12 and generate the profile.
If you don't encrypt the file, it will be copied to the nix store and will be world-readable. You also cannot safely put it into a git repo or similar.
```sh
# copy the file into your secrets folder
cp file.p12 secrets/easyroam
# sops encrypt it in place
sops encrypt -i secrets/easyroam
# now set up the sops secret as usual
# I recommend setting the secret's restartUnits to [ "easyroam-install.service" ]
```
Do something like this in your flake:

```nix
{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nix-easyroam.url = "github:0x5a4/nix-easyroam";
  };
  outputs = {nixpkgs, nix-easyroam, ...}: {
    nixosConfigurations.mysystem = nixpkgs.lib.nixosSystem {
      modules = [
        # ...
        nix-easyroam.nixosModules.nix-easyroam
        # ...
      ];
    };
  };
}
```
Somewhere in your NixOS config put:

```nix
services.easyroam = {
  enable = true;
  pkcsFile = "/path/to/the/file.p12"; # or e.g. config.sops.secrets.easyroam.path

  # automatically configure wpa_supplicant (use this if you configure your networking via networking.wireless)
  wpa-supplicant = {
    enable = true;
    # optional, extra config to write into the wpa_supplicant network block
    extraConfig = ''
      priority=5
    '';
  };

  # automatically configure NetworkManager
  networkmanager = {
    enable = true;
    # optional, extra config to write into the NetworkManager config
    extraConfig = {
      ipv6.addr-gen-mode = "default";
    };
  };

  # optional, if you want to override the passphrase for the private key file.
  # this doesn't need to be secret, since it's useless without the private key file
  privateKeyPassPhrase = "";

  # optional, if you want to override where the extracted files end up
  # the defaults are:
  #   /run/easyroam/common-name/
  #   /run/easyroam/root-certificate.pem
  #   /run/easyroam/client-certificate.pem
  #   /run/easyroam/private-key.pem
  #
  # you can also read these from within your nix config using
  # `config.services.easyroam.paths`
  paths = {
    rootCert = "";
    clientCert = "";
    privateKey = "";
    commonName = "";
  };

  # optional, permission bits the files are stored with (default is 0400, i.e. -r--------)
  mode = "";

  # optional, owner and group of the files (default is root)
  owner = "";
  group = "";
};
```
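What the install service does at startup, as an added shell example that is not the module's own script: it splits a PKCS12 bundle into the four files listed under `paths`, created with the default 0400 permissions so the private key never ends up world-readable. The `extract_easyroam` and `make_sample_p12` functions, the temporary output directory and the sample CN and passwords are assumptions; `openssl` must be on PATH.

```sh
# Hypothetical stand-in for what an easyroam-install style service does: split the
# PKCS#12 bundle into root cert / client cert / private key / common name, readable
# only by root, so the key never lands in the world-readable nix store.
set -eu

# extract_easyroam <p12> <p12 password> <out dir> <key passphrase, may be empty>
extract_easyroam() {
  p12=$1; p12pass=$2; out=$3; keypass=$4
  umask 077   # nothing created below is ever group- or world-readable
  mkdir -p "$out"
  # client (leaf) certificate only, normalised to bare PEM
  openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -clcerts -nokeys \
    | openssl x509 -out "$out/client-certificate.pem"
  # CA certificate(s) only
  openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -cacerts -nokeys \
    -out "$out/root-certificate.pem"
  # private key: re-encrypt under our own passphrase, or leave plain if empty
  if [ -n "$keypass" ]; then
    openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -nocerts \
      -passout "pass:$keypass" -out "$out/private-key.pem"
  else
    openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -nocerts -nodes \
      -out "$out/private-key.pem"
  fi
  # the client cert's CN is the EAP identity wpa_supplicant/NetworkManager need
  openssl x509 -in "$out/client-certificate.pem" -noout -subject \
    -nameopt sep_multiline | sed -n 's/^ *CN=//p' > "$out/common-name"
  chmod 0400 "$out"/*
}

# Constructed fixture: throwaway CA + client cert bundled as .p12, standing in for
# the profile downloaded from easyroam.de (CN and password are made up).
make_sample_p12() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Sample easyroam CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=12345@example.edu" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/client.pem" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
    -certfile "$d/ca.pem" -passout pass:p12secret -out "$d/easyroam.p12"
}

# demo: extract into a temp dir instead of /run/easyroam and show what came out
tmp=$(mktemp -d)
make_sample_p12 "$tmp"
extract_easyroam "$tmp/easyroam.p12" p12secret "$tmp/out" ""
ls -l "$tmp/out"; cat "$tmp/out/common-name"
```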
Because easyroam is so much easier, you need to redo this every once in a while. Fun fact: I've been told this has no technical reason, but is merely so users don't forget how to set it up (and they'll get fewer support tickets).
Do you still have your old eduroam connection set up? Remove it and run `sudo systemctl restart easyroam-install.service`.
This is most likely because you copy-pasted the certificate for encryption and your editor appended a newline. Prefer using `sops encrypt -i` for encrypting the file. This encrypts the file in place.