NixOS: Declarative WiFi connections with agenix and NetworkManager

Here I'll show you how to declare WiFi connections for NetworkManager in NixOS, using agenix to store encrypted pre-shared keys. Thanks to @TLATER for the answer!

The agenix part

Here I'll assume you got agenix working. If not, follow this wiki article.

Create an age-encrypted environment file holding the pre-shared key, so that decrypting it shows:

  $ agenix -d crypto/nm-secrets.age
  STARLINK_PSK=MyPSKHere

Tell your NixOS config to import it:

  age.secrets.nm-secrets = {
    file = ../../crypto/nm-secrets.age;
    owner = "root";
    group = "root";
  };

Importing the secrets into NixOS

Now tell NetworkManager to ensure your profile is installed. To achieve this we'll use networking.networkmanager.ensureProfiles.profiles together with networking.networkmanager.ensureProfiles.environmentFiles:

  networking.networkmanager.ensureProfiles = {
    environmentFiles = [
      config.age.secrets.nm-secrets.path
    ];

    profiles = {
      Starlink = {
        connection = {
          id = "Starlink";
          type = "wifi";
        };
        ipv4 = {
          method = "auto";
        };
        ipv6 = {
          addr-gen-mode = "stable-privacy";
          method = "auto";
        };
        wifi = {
          mode = "infrastructure";
          ssid = "Starlink";
        };
        wifi-security = {
          key-mgmt = "wpa-psk";
          psk = "$STARLINK_PSK";
        };
      };
    };
  };

networking.networkmanager.ensureProfiles.profiles first builds a connection file NetworkManager can understand from the attribute set we pass it, and networking.networkmanager.ensureProfiles.environmentFiles tells NixOS to substitute the variable identifiers in that file (here $STARLINK_PSK) with the values stored in the decrypted nm-secrets.age file.
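As an added illustration (not code from this page or from the NixOS module), here is a small Python model of the two steps just described: rendering the attribute set into a NetworkManager keyfile that still contains the $STARLINK_PSK placeholder, then substituting the placeholder from the decrypted environment file. The profile and environment file contents are constructed from the example above; the $VAR / ${VAR} syntax and the undefined-variable check are assumptions of this model, not a description of how the NixOS module itself performs the substitution.

```python
import re

# Constructed sample: the Starlink profile from the page, as a nested dict
PROFILE = {
    "connection": {"id": "Starlink", "type": "wifi"},
    "ipv4": {"method": "auto"},
    "ipv6": {"addr-gen-mode": "stable-privacy", "method": "auto"},
    "wifi": {"mode": "infrastructure", "ssid": "Starlink"},
    "wifi-security": {"key-mgmt": "wpa-psk", "psk": "$STARLINK_PSK"},
}
# Constructed sample of the decrypted nm-secrets environment file
ENV_FILE = "STARLINK_PSK=MyPSKHere\n"

_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

def render_keyfile(profile):
    """Build NetworkManager keyfile (INI) text from the attribute set. This is
    the store-side artefact: it carries the $VAR placeholder, never the PSK."""
    lines = []
    for section, keys in profile.items():
        lines.append(f"[{section}]")
        lines.extend(f"{k}={v}" for k, v in keys.items())
        lines.append("")
    return "\n".join(lines)

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def substitute(keyfile, env):
    """Replace $VAR / ${VAR} with values from the environment file. An undefined
    name raises instead of silently installing a profile with psk='$TYPO'."""
    missing = set()
    def repl(match):
        name = match.group(1)
        if name in env:
            return env[name]
        missing.add(name)
        return match.group(0)
    rendered = _VAR.sub(repl, keyfile)
    if missing:
        raise KeyError(f"undefined in environment file: {sorted(missing)}")
    return rendered
```

The useful check for a defender is the split this makes visible: the rendered store-side text must never contain the PSK value, while only the substituted runtime text (the one that belongs on a root-only tmpfs) does.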

Adjust this configuration as needed using this documentation. Rebuild and everything should just work!

Security considerations

DISCLAIMER: I'm pretty sure what I'm saying here is accurate, but I do not have the time nor skills to check this in depth. Take what I'm saying here with a grain of salt. If I'm wrong, please send me an email containing a minimum of 3 insults.

agenix stores your secrets in encrypted form in the world-readable Nix store (/nix/store/*-nm-secrets.age) and exposes them in plaintext at /run/agenix.d/*/nm-secrets, readable by root only. After decryption, the password is stored in plaintext as part of the connection configuration at /run/NetworkManager/system-connections/'Starlink'.nmconnection, on a tmpfs available only to root. Additionally, NetworkManager exposes the PSK to all members of the networkmanager group.

To me this looks like a reasonably secure way to store WiFi credentials.

copyright notice: This website's source code and built webpages, when shared in their entirety, are provided under the GPL-3.0 license. All blog posts, articles and Markdown files contained within the git repository are shared under the CC BY-NC-SA 4.0 license. If you want to use my content for commercial purposes, feel free to contact me.
Last update: 2024-10-13