pinwheel: Update work module and related files/secrets

hosts/pinwheel/modules/waybar/default.nix

@@ -82,8 +82,11 @@ let
   '';
 
   work-vpn-status = pkgs.writeShellScript "work-vpn-status" ''
-    ON=$(ls /tmp | grep work-vpn-on | wc -l)
+    STAGING=$(systemctl is-active openvpn-work-staging.service)
-    [ "$ON" -gt 0 ] && echo "WORK-VPN ON"
+    [ "$STAGING" == "active" ] && echo "WORK-VPN STAGING ON" && exit 0
+
+    PRODUCTION=$(systemctl is-active openvpn-work-production.service)
+    [ "$PRODUCTION" == "active" ] && echo "WORK-VPN PRODUCTION ON" && exit 0
   '';
 
   toggle-bt-power = pkgs.writeShellScript "toggle-bt-power" ''

hosts/pinwheel/modules/work/default.nix

@@ -1,79 +1,50 @@
-{ pkgs, lib, config, ... }:
+{ lib, config, ... }:
 let
   gitEnabled = config.mod.git.enable;
-  goEnabled = config.mod.go.enable;
   openvpnEnabled = config.mod.openvpn.enable;
-
-  work-vpn = let
-    ovpnconfig = config.age.secrets.work-ovpn.path;
-    userpass = config.age.secrets.work-ovpn-userpass.path;
-  in
-    pkgs.writeShellApplication {
-    name = "work-vpn";
-    text = ''
-        touch /tmp/work-vpn-on; \
-        sudo \
-        ${pkgs.openvpn}/bin/openvpn \
-        --script-security 2 \
-        --up ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \
-        --up-restart \
-        --down ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \
-        --down-pre \
-        --config ${ovpnconfig} \
-        --auth-user-pass ${userpass}; \
-        rm /tmp/work-vpn-on
-    '';
-  };
 in
 {
   home-manager.users.alex = {
     programs.git = lib.mkIf gitEnabled {
       includes = [
         {
-          path = ./work-gitconfig;
+          path = config.age.secrets.work-gitconfig.path;
           condition = "gitdir:~/code/work/";
         }
       ];
     };
 
-    programs.go = lib.mkIf goEnabled {
-      goPrivate = [ "gitlab.com/zebware/*" ];
-    };
-
     programs.ssh = {
       enable = true;
+    };
+  };
 
-      matchBlocks = {
+  services.openvpn.servers = lib.mkIf openvpnEnabled {
-        "gitlab.com" = {
+    work-staging = {
-          hostname = "gitlab.com";
+      config = "config ${config.age.secrets.work-staging-ovpn.path}";
-          identityFile = "/home/alex/.ssh/alex.pinwheel-work";
+      autoStart = false;
-        };
-      };
     };
 
-    home.sessionVariables = {
+    work-production = {
-      ZCENV_HOME = "/home/alex/code/work/zebware/zcenv";
+      config = "config ${config.age.secrets.work-production-ovpn.path}";
+      autoStart = false;
     };
-
-    home.packages = lib.mkIf openvpnEnabled [ work-vpn ];
   };
 
   age.secrets = {
-    "alex.pinwheel-work" = {
+    "work-gitconfig" = lib.mkIf gitEnabled {
-       file = ../../../../secrets/pinwheel/alex.pinwheel-work.age;
+      file = ../../../../secrets/pinwheel/work-gitconfig.age;
-       path = "/home/alex/.ssh/alex.pinwheel-work";
+      path = "/home/alex/code/work/.work-gitconfig";
-       owner = "alex";
+      owner = "alex";
-       group = "users";
+      group = "users";
-    };
-    "alex.pinwheel-work.pub" = {
-       file = ../../../../secrets/pinwheel/alex.pinwheel-work.pub.age;
-       path = "/home/alex/.ssh/alex.pinwheel-work.pub";
-       owner = "alex";
-       group = "users";
     };
 
-    "work-ovpn" = lib.mkIf openvpnEnabled {
+    "work-staging-ovpn" = lib.mkIf openvpnEnabled {
-      file = ../../../../secrets/pinwheel/work-ovpn.age;
+      file = ../../../../secrets/pinwheel/work-staging-ovpn.age;
+    };
+
+    "work-production-ovpn" = lib.mkIf openvpnEnabled {
+      file = ../../../../secrets/pinwheel/work-production-ovpn.age;
     };
   };
 }

hosts/pinwheel/modules/work/work-gitconfig

@@ -1,3 +0,0 @@
-[user]
-name = Alexander Heldt
-email = alexander.heldt@zebware.com

secrets/pinwheel/work-gitconfig.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 vxPbZg ns/Hd7mkx1YbuUfP8AUzFLMy8Zps531/kL+1LsyDmzY
+8UIeOcgDWqW7h2rQFVZB1DuAi2rxY141VQgfIyJqfmQ
+-> ssh-ed25519 ek+b7Q KBS99VZ03/1C35EZtWoo96+NZFZhW/TESyXwhOkR924
+qG5bq6hkrcU0fX3mbb787A/cy4VCkytjDsD5EXHowR4
+--- FGygGCVoZ2LWY5guhe/LOjihpJTYk0neLqMSwZnoI0k
+5<EFBFBD>rDM<EFBFBD><EFBFBD>X<1B><>A<11>Q<EFBFBD><51>OC1l<31><6C>\<5C>9q<39>7Xw<58>/<2F>b<EFBFBD><62><EFBFBD>u<EFBFBD>9<EFBFBD><39>zp~<7E><>`<60>W:U<>B ,^<5E>v<><76>Vq<>m<EFBFBD>à<EFBFBD>IJ<EFBFBD>g<EFBFBD>`<1C><16><>"l<><6C><0C><><EFBFBD><EFBFBD>Q<EFBFBD>M<EFBFBD><4D>

secrets/secrets.nix

@@ -12,11 +12,12 @@ in {
   "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-andromeda.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-andromeda.pub.age".publicKeys = [ pinwheel alex ];
-  "pinwheel/alex.pinwheel-work.age".publicKeys = [ pinwheel alex ];
-  "pinwheel/alex.pinwheel-work.pub.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-codeberg.org.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-codeberg.org.pub.age".publicKeys = [ pinwheel alex ];
-  "pinwheel/work-ovpn.age".publicKeys = [ pinwheel alex ];
+
+  "pinwheel/work-gitconfig.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/work-staging-ovpn.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/work-production-ovpn.age".publicKeys = [ pinwheel alex ];
 
   "sombrero/syncthing-cert.age".publicKeys = [ sombrero alex ];
   "sombrero/syncthing-key.age".publicKeys = [ sombrero alex ];