diff --git a/hosts/pinwheel/configuration.nix b/hosts/pinwheel/configuration.nix
index 5e8cf6c..9f27a0c 100644
--- a/hosts/pinwheel/configuration.nix
+++ b/hosts/pinwheel/configuration.nix
@@ -23,6 +23,7 @@
 ./modules/syncthing
 ./modules/firefox
 ./modules/mullvad
+ ./modules/openvpn
 ./modules/calibre
 ./modules/go
 ./modules/nix
@@ -122,6 +123,8 @@
 }];
 };
 
+ mod.openvpn.enable = true;
+
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/hosts/pinwheel/modules/openvpn/default.nix b/hosts/pinwheel/modules/openvpn/default.nix
new file mode 100644
index 0000000..a10f43b
--- /dev/null
+++ b/hosts/pinwheel/modules/openvpn/default.nix
@@ -0,0 +1,22 @@
+{ pkgs, lib, config, ... }:
+let
+ enabled = config.mod.openvpn.enable;
+in
+{
+ options = {
+ mod.openvpn = {
+ enable = lib.mkEnableOption "add openvpn related packages";
+ };
+ };
+
+ config = lib.mkIf enabled {
+ home-manager.users.alex = {
+ home.packages = [
+ pkgs.openvpn
+ pkgs.update-systemd-resolved
+ ];
+ };
+
+ services.resolved.enable = true;
+ };
+}
diff --git a/hosts/pinwheel/modules/work/default.nix b/hosts/pinwheel/modules/work/default.nix
index 79551f0..43500c6 100644
--- a/hosts/pinwheel/modules/work/default.nix
+++ b/hosts/pinwheel/modules/work/default.nix
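Review bot: `services.resolved.enable = true;` in the new openvpn module switches the whole host's resolver to systemd-resolved, a system-wide side effect that the option description "add openvpn related packages" does not mention, and that description is the only documentation the module carries. Toggling `mod.openvpn.enable` off later would also silently revert the resolver, so the coupling deserves a comment above that line, e.g. `# update-systemd-resolved needs systemd-resolved as the host resolver; this changes DNS handling for every user on the host, not only for the VPN`. The reason for the dependency is presumably the `--up`/`--down` helper used by `modules/work`; hedged, since that wiring lives in the other file. Rewording the option to `lib.mkEnableOption "openvpn client tooling (also enables systemd-resolved)"` would make the side effect visible from `configuration.nix` as well.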
@@ -1,4 +1,26 @@
-{ ... }:
+{ pkgs, lib, config, ... }:
+let
+ openvpnEnabled = config.mod.openvpn.enable;
+
+ work-vpn = let
+ ovpnconfig = config.age.secrets.work-ovpn.path;
+ userpass = config.age.secrets.work-ovpn-userpass.path;
+ in
+ pkgs.writeShellApplication {
+ name = "work-vpn";
+ text = ''
+ sudo \
+ ${pkgs.openvpn}/bin/openvpn \
+ --script-security 2 \
+ --up ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \
+ --up-restart \
+ --down ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \
+ --down-pre \
+ --config ${ovpnconfig} \
+ --auth-user-pass ${userpass}
+ '';
+ };
+in
 {
 home-manager.users.alex = {
 programs.git = {
@@ -13,6 +35,8 @@
 programs.go = {
 goPrivate = [ "gitlab.com/zebware/*" ];
 };
+
+ home.packages = lib.mkIf openvpnEnabled [ work-vpn ];
 };
 
 age.secrets = {
@@ -22,5 +46,13 @@
 owner = "alex";
 group = "users";
 };
+
+ "work-ovpn" = lib.mkIf openvpnEnabled {
+ file = ../../../../secrets/pinwheel/work-ovpn.age;
+ };
+
+ "work-ovpn-userpass" = lib.mkIf openvpnEnabled {
+ file = ../../../../secrets/pinwheel/work-ovpn-userpass.age;
+ };
 };
 }
diff --git a/secrets/pinwheel/work-ovpn-userpass.age b/secrets/pinwheel/work-ovpn-userpass.age
new file mode 100644
index 0000000..a5b675e
--- /dev/null
+++ b/secrets/pinwheel/work-ovpn-userpass.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 vxPbZg 7KS4VEUkTfMmn+qf5oGnQrnlnBfPcJp4i/tOtQOM5zc
+R5DuA9UnMItrqtHG2rNfCC5/BoPkdxQq3OmIgRMjvGM
+-> ssh-ed25519 ek+b7Q w6PYfDR2dpqLknYvbC7umnK2eXQzk36scvPQctSIZz8
+rvbgLNqkzfpgBAEZa5XZ0jtxJxsRObAyJyw4vnIYJAw
+-> WukD86"4-grease gm HHH), >.i ~bi
+yV7GpsEhncUjuoMD56M5Wg2qkdPOVewQpHRoIrV68g
+--- 3drQ0pMsHbSMSA8tnTs3muN122ZYgN5JDzoz3tRymJQ
+•#ó€)ö`ÎCmƒ7Í ¨ps ˆœñ™ú >§Ð*¤e¾œ©¶MÞ¡9º°ðó§ìn^ÒÂîê*6®º&
+mü{‰Œà-òŒ³A
\ No newline at end of file
diff --git a/secrets/pinwheel/work-ovpn.age b/secrets/pinwheel/work-ovpn.age
new file mode 100644
index 0000000..086d70f
Binary files /dev/null and b/secrets/pinwheel/work-ovpn.age differ
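Review bot: The `work-vpn` wrapper in the first hunk escalates to root via `sudo` and passes `--script-security 2`; the `--up`/`--down` helpers are pinned to store paths, but that setting also honours script directives carried inside the decrypted profile at `config.age.secrets.work-ovpn.path`, so the `.ovpn` is effectively trusted with root on this host. That is likely fine for an employer-issued profile, but nothing in the wrapper says so; a header at the top of the `text` block should record it, e.g. `# runs as root; --script-security 2 also permits script hooks declared inside the .ovpn itself, so review the profile before replacing the secret`. The `--auth-user-pass` file is decrypted at activation for as long as `mod.openvpn.enable` is set, not only while the VPN is up, which is worth noting for anyone auditing where the credential rests. `sudo` is resolved from the caller's PATH because `writeShellApplication` is given no `runtimeInputs` here; hedged, as the exact PATH handling depends on the nixpkgs version in use.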
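Review bot: The two new `age.secrets` entries in the last hunk declare only `file`, unlike the neighbouring secret that sets `owner = "alex"; group = "users";`, which under the usual agenix defaults presumably leaves the decrypted `work-ovpn` and `work-ovpn-userpass` files root-owned. That is the right outcome here, since only the `sudo`-launched openvpn reads them and the unprivileged session never needs the plaintext credential, but the asymmetry reads like an omission and invites a future "consistency" edit that would hand the VPN password to the user session. Add `# root-only on purpose: consumed by openvpn under sudo, keep owner/group at the defaults` above `"work-ovpn" = lib.mkIf openvpnEnabled {`. The three `lib.mkIf openvpnEnabled` guards across the hunks must stay in step for the wrapper to evaluate; a short note next to `home.packages` pointing at the secret declarations would make that dependency explicit.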
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0ae9d10..929dbfb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,4 +1,5 @@
 let
+ # see `modules/age/default.nix` where these are defined
 pinwheel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoI7Q4zT2AGXU+i8fLmzcNLdfMkEnfHYh4PmaEmo2QW root@pinwheel";
 alex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjSFvlbdy5D59UaVWjRMyBndiAT2MtCeT+6GuemkuYe alex.pinwheel";
 in {
@@ -11,4 +12,6 @@ in {
 "pinwheel/alex.pinwheel-work.age".publicKeys = [ pinwheel alex ];
 "pinwheel/alex.pinwheel-work.pub.age".publicKeys = [ pinwheel alex ];
 "pinwheel/netrc.age".publicKeys = [ pinwheel alex ];
+ "pinwheel/work-ovpn.age".publicKeys = [ pinwheel alex ];
+ "pinwheel/work-ovpn-userpass.age".publicKeys = [ pinwheel alex ];
 }
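Review bot: Both new entries in the second hunk grant decryption to the `alex` user key as well as the `pinwheel` host key, matching the file's convention, but `work-ovpn-userpass` holds a VPN password that on this host is only read by root through the `sudo`-launched openvpn, so the user key extends decrypt capability beyond what runtime needs. If the `alex` recipient is there only so the secret can be edited from the user session, record that inline, e.g. `# alex key kept for editing; activation presumably decrypts with the host key`; otherwise consider restricting the credential file to the host key. Whether activation really uses the host key depends on `age.identityPaths` in `modules/age/default.nix`, which is outside this diff.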