root
pages
Here I'll show you how to declare WiFi connections for NetworkManager in NixOS, using agenix to store encrypted pre-shared keys. Thanks to @TLATER for the answer!
Here I'll assume you got agenix working. If not, follow this wiki article.
Create an age-encrypted environment file so that:
$ agenix -d crypto/nm-secrets.age
STARLINK_PSK=MyPSKHere
Tell your NixOS config to import it:
age.secrets.nm-secrets = {
file = ../../crypto/nm-secrets.age;
owner = "root";
group = "root";
};
Now tell NetworkManager to ensure your profile is installed. To achieve this we'll be using networking.networkmanager.ensureProfiles.profiles
and networking.networkmanager.ensureProfiles.environmentFiles
:
networking.networkmanager.ensureProfiles = {
environmentFiles = [
config.age.secrets.nm-secrets.path
];
profiles = {
Starlink = {
connection = {
id = "Starlink";
type = "wifi";
};
ipv4 = {
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "Starlink";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$STARLINK_PSK";
};
};
};
};
networking.networkmanager.ensureProfiles.profiles
first builds a configuration file NetworkManager can understand from the attribute set we pass it, and networking.networkmanager.ensureProfiles.environmentFiles
tells NixOS to take the configuration and to substitute variable identifiers by their value stored in the nm-secrets.age
file.
Adjust this configuration as needed using this documentation. Rebuild and everything should just work!
DISCLAIMER: I'm pretty sure what I'm saying here is accurate, but I do not have the time nor skills to check this in depth. Take what I'm saying here with a grain of salt. If I'm wrong, please send me an email containing a minimum of 3 insults.
agenix stores your secrets in an encrypted format in the publicly-available Nix store (/nix/store/*-nm-secrets.age
) and exposes them in plaintext at /run/agenix.d/*/nm-secrets
to root
only. After decryption, the password is stored in plaintext as part of the connection configuration at /run/NetworkManager/system-connections/'Starlink'.nmconnection
in a tmpfs only available to root
. Additionnally, NetworkManager exposes the PSK to all members of the networkmanager
group.
To me this looks like a reasonably secure way to store WiFi credentials.
memetic apiopage | buttons credits | warrant canary
copyright notice: This webite's source code and built webpages when shared in their entirety are provided under the GPL-3.0 license. All blog posts, articles and Markdown files contained within the git repository are shared under the CC BY-NC-SA 4.0 license. If you want to use my content for commercial purposes, feel free to contact me.
This is an actual website. Read the web0 manifesto.
This page is cleaner than 0% of all web pages globally according to websitecarbon.com.
Built by mkdocs and served by tilde.club.
rss feed: todo - email me if you want to subscribe !
Last update: 2024-10-13