Wifi: Hide Email/Identity in Eduroam Config

Hi there,
Is it possible to hide my eduroam email/identity in my wifi config? I looked it up on the wiki wpa_supplicant - NixOS Wiki and tried:

networking.wireless.networks.eduroam = {
  auth = ''
    key_mgmt=WPA-EAP
    eap=PWD
    identity=ext:EDUROAM_IDENTITY
    password=ext:EDUROAM_PASSWORD
  '';
};

But I can’t enter a variable for the identity field. The only way is to write the real e-mail into the config:

networking.wireless.networks.eduroam = {
  auth = ''
    key_mgmt=WPA-EAP
    eap=PWD
    identity="my-mail@edu.com"
    password=ext:EDUROAM_PASSWORD
  '';
};

without errors while building. Is there a way to hide my real e-mail address in my public repository?

Edit: I already use sops-nix for encrypting my secrets.

But I can’t enter a variable for the identity field.

Only some fields support this; it’s meant to keep secrets (PSKs, passwords) protected.

If you’re publishing your configuration and want to hide PII (such as usernames, SSIDs, email addresses, etc.), the standard method is to define these in an external .nix file and import them where needed.

You can even make it a NixOS module that exports your constants as an option, so that you can do identity=${config.stuff.myemail}. Then you either don’t share this file, use git-crypt or the method described here to keep it encrypted and decrypt it on the fly from Nix.

Instead, if you really care about local users not being able to access this information, you can try this:

  1. Define your networks using wpa_supplicant.conf syntax in some networks.conf file

    # networks.conf
    network={
      ssid="eduroam"
      key_mgmt=WPA-EAP
      eap=PWD
      identity="my-mail@edu.com"
      password="mypassword"
    }

  2. Set networking.wireless.allowAuxiliaryImperativeNetworks. This makes wpa_supplicant load /etc/wpa_supplicant.conf in addition to the configuration generated by NixOS.

  3. Install networks.conf as /etc/wpa_supplicant.conf with whatever you use to handle secrets. (It should have permissions 400 and ownership root:root.)

2 Likes
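The three steps above, combined into one NixOS snippet as an added example (this is not code from the thread or from sops-nix itself). It assumes the OP's existing sops-nix setup, that the networks.conf from step 1 has been encrypted into a file named secrets/wpa_supplicant.conf in the repository, and that the single-interface wpa_supplicant unit is called wpa_supplicant.service; the sops-nix option names (sopsFile, format, path, mode, owner, group, restartUnits) are real sops-nix options.

```nix
# Added example: keep the eduroam block (identity + password) out of the
# public repo and out of the world-readable Nix store by shipping it as a
# root-only /etc/wpa_supplicant.conf that NixOS loads alongside its own
# generated configuration.
{ config, ... }:

{
  networking.wireless = {
    enable = true;
    # Step 2: make wpa_supplicant read /etc/wpa_supplicant.conf in addition
    # to the NixOS-generated config. Nothing about eduroam appears here.
    allowAuxiliaryImperativeNetworks = true;
  };

  # Step 3: sops-nix decrypts the whole networks.conf at activation time and
  # makes it available at the path wpa_supplicant expects, root-only.
  sops.secrets."wpa_supplicant.conf" = {
    # Assumed file name: the step-1 networks.conf, encrypted with `sops -e`.
    sopsFile = ./secrets/wpa_supplicant.conf;
    format = "binary";                  # opaque file, not key/value pairs
    path = "/etc/wpa_supplicant.conf";  # where allowAuxiliaryImperativeNetworks looks
    mode = "0400";                      # permissions 400, as the answer says
    owner = "root";
    group = "root";
    # Reload the daemon when the secret changes (unit name is an assumption).
    restartUnits = [ "wpa_supplicant.service" ];
  };
}
```

With this layout the public repository only reveals that an auxiliary network file exists; the SSID, identity and password live in the encrypted file and, after decryption, in a file only root can read. A quick check after a rebuild is `ls -l /etc/wpa_supplicant.conf`, which should show mode 0400 and owner root (sops-nix may place a symlink there pointing at its decrypted copy, which wpa_supplicant follows).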

I don’t know what the ext: stuff is about, but it looks to me like entries using environmentFile will substitute all occurrences of @VARNAME@ based on implementation: nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix at 944b2aea7f0a2d7c79f72468106bc5510cbf5101 · NixOS/nixpkgs · GitHub

So… Use that and e.g. sops-nix?

Unrelated, but that’s the unofficial wiki. Try making a conscious effort to switch to wiki.nixos.org.

1 Like

environmentFile has just been removed from NixOS unstable.

2 Likes

I should have added that I already use sops-nix

I see! Yeah, now the question makes sense, should have checked unstable before replying, thanks for your work there :slight_smile:

You can even make it a NixOS module that exports your constants as an option, so that you can do identity=${config.stuff.myemail}. Then you either don’t share this file, use git-crypt or the method described here to keep it encrypted and decrypt it on the fly from Nix.

Could you provide an example or a link to such a module with pre-defined constants?

Sure, look at this.

1 Like
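Since the link in the answer above did not survive, here is an added example (not the module the reply points to, and not part of the thread) of the "constants as options" pattern from the first reply: a small NixOS module that declares the personal value as an option, a private file that sets it, and the eduroam block built from it. The option path my.identity.eduroamEmail and the file name identity.nix are assumptions; the ext: password reference is taken from the question and is resolved from networking.wireless.secretsFile, which is left out here.

```nix
# Added example: export PII as a NixOS option so the public configuration
# never contains the literal e-mail address.
#
# identity.nix (private: either not committed, or encrypted with git-crypt)
# would contain just:
#
#   { ... }: { my.identity.eduroamEmail = "my-mail@edu.com"; }
#
# and configuration.nix imports both files:
#
#   imports = [ ./identity.nix ./eduroam.nix ];
#
# eduroam.nix (public), the module below:
{ config, lib, ... }:

{
  # Declare the constant. No default on purpose: a build without the private
  # file fails loudly instead of silently using a placeholder identity.
  options.my.identity.eduroamEmail = lib.mkOption {
    type = lib.types.str;
    description = "Outer EAP identity for eduroam; set in a private file.";
  };

  config = {
    networking.wireless = {
      enable = true;
      networks.eduroam.auth = ''
        key_mgmt=WPA-EAP
        eap=PWD
        identity="${config.my.identity.eduroamEmail}"
        password=ext:EDUROAM_PASSWORD
      '';
    };
  };
}
```

This hides the address from readers of the repository only: the interpolated string still ends up in the generated wpa_supplicant configuration in the Nix store, which any local user can read. If local users are part of the threat model, the auxiliary-network route from the first reply is the one to use.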