root

pages

NixOS: Declarative WiFi connections with agenix and NetworkManager

Here I'll show you how to declare WiFi connections for NetworkManager in NixOS, using agenix to store encrypted pre-shared keys. Thanks to @TLATER for the answer!

The agenix part

Here I'll assume you got agenix working. If not, follow this wiki article.

Create an age-encrypted environment file so that: 

  $ agenix -d crypto/nm-secrets.age
  STARLINK_PSK=MyPSKHere

Tell your NixOS config to import it:

  age.secrets.nm-secrets = {
    file = ../../crypto/nm-secrets.age;
    owner = "root";
    group = "root";
  };

Importing the secrets into NixOS

Now tell NetworkManager to ensure your profile is installed. To achieve this we'll be using networking.networkmanager.ensureProfiles.profiles and networking.networkmanager.ensureProfiles.environmentFiles:

  networking.networkmanager.ensureProfiles = {
    environmentFiles = [
      config.age.secrets.nm-secrets.path
    ];

    profiles = {
      Starlink = {
        connection = {
          id = "Starlink";
          type = "wifi";
        };
        ipv4 = {
          method = "auto";
        };
        ipv6 = {
          addr-gen-mode = "stable-privacy";
          method = "auto";
        };
        wifi = {
          mode = "infrastructure";
          ssid = "Starlink";
        };
        wifi-security = {
          key-mgmt = "wpa-psk";
          psk = "$STARLINK_PSK";
        };
      };
    };
  };

networking.networkmanager.ensureProfiles.profiles first builds a configuration file NetworkManager can understand from the attribute set we pass it, and networking.networkmanager.ensureProfiles.environmentFiles tells NixOS to take the configuration and to substitute variable identifiers by their value stored in the nm-secrets.age file.

Adjust this configuration as needed using this documentation. Rebuild and everything should just work!

Security considerations

DISCLAIMER: I'm pretty sure what I'm saying here is accurate, but I do not have the time nor skills to check this in depth. Take what I'm saying here with a grain of salt. If I'm wrong, please send me an email containing a minimum of 3 insults.

agenix stores your secrets in an encrypted format in the publicly-available Nix store (/nix/store/*-nm-secrets.age) and exposes them in plaintext at /run/agenix.d/*/nm-secrets to root only. After decryption, the password is stored in plaintext as part of the connection configuration at /run/NetworkManager/system-connections/'Starlink'.nmconnection in a tmpfs only available to root. Additionnally, NetworkManager exposes the PSK to all members of the networkmanager group.

To me this looks like a reasonably secure way to store WiFi credentials.

Fediring

tilde.club webring

the no ai webring

Floof Company Webring

my badge

if you want to add it to your website, please do not hotlink it. thanks!
made by the amazing nelson !
tasiaiso badge

cool people and creatures
xeiaso badge tea badge maia badge vulpinecitrus badge elke badge byte badge rail badge sammy badge soatok badge freeplay badge xaselgio badge cyrneko badge neil badge guigui badge houl badge invotek badge 440729 badge
misc
fediring badge kitsulife badge nixos badge tilde.club badge linux badge enby badge iso8601 badge no fkn thanks badge made with my own two paws badge creativecommons badge fof badge

memetic apiopage | buttons credits | warrant canary

copyright notice: this webite's source code and built webpages when shared in their entirety are provided under the GPL-3.0 license. all blog posts, articles, images and Markdown files contained within the git repository are shared under the CC BY-NC-SA 4.0 license. if you want to use my content for commercial purposes, feel free to contact me.

this is an actual website. read the web0 manifesto.

this page is cleaner than 85% of all web pages globally according to websitecarbon.com.

built by mkdocs.

rss feed: TODO - email me if you want to subscribe!

privacy policy: nginx stores your ip address (somewhere idk) and i use plausible for basic analytics.

please watch these ads for soul harvesting purposes