From 79f694d064b19f01f157d54d9db8f77b1395f0ab Mon Sep 17 00:00:00 2001 From: Alexander Heldt Date: Sat, 30 Sep 2023 18:09:08 +0200 Subject: [PATCH] pinwheel: Add `work-vpn` in `work` module (`openvpn`) --- hosts/pinwheel/configuration.nix | 3 ++ hosts/pinwheel/modules/openvpn/default.nix | 22 +++++++++++++ hosts/pinwheel/modules/work/default.nix | 34 ++++++++++++++++++++- secrets/pinwheel/work-ovpn-userpass.age | 10 ++++++ secrets/pinwheel/work-ovpn.age | Bin 0 -> 9020 bytes secrets/secrets.nix | 3 ++ 6 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 hosts/pinwheel/modules/openvpn/default.nix create mode 100644 secrets/pinwheel/work-ovpn-userpass.age create mode 100644 secrets/pinwheel/work-ovpn.age diff --git a/hosts/pinwheel/configuration.nix b/hosts/pinwheel/configuration.nix index 5e8cf6c..9f27a0c 100644 --- a/hosts/pinwheel/configuration.nix +++ b/hosts/pinwheel/configuration.nix @@ -23,6 +23,7 @@ ./modules/syncthing ./modules/firefox ./modules/mullvad + ./modules/openvpn ./modules/calibre ./modules/go ./modules/nix @@ -122,6 +123,8 @@ }]; }; + mod.openvpn.enable = true; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/hosts/pinwheel/modules/openvpn/default.nix b/hosts/pinwheel/modules/openvpn/default.nix new file mode 100644 index 0000000..a10f43b --- /dev/null +++ b/hosts/pinwheel/modules/openvpn/default.nix @@ -0,0 +1,22 @@ +{ pkgs, lib, config, ... }: +let + enabled = config.mod.openvpn.enable; +in +{ + options = { + mod.openvpn = { + enable = lib.mkEnableOption "add openvpn related packages"; + }; + }; + + config = lib.mkIf enabled { + home-manager.users.alex = { + home.packages = [ + pkgs.openvpn + pkgs.update-systemd-resolved + ]; + }; + + services.resolved.enable = true; + }; +} 
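Review bot: The description on `mod.openvpn.enable` in the new `modules/openvpn/default.nix` undersells what the module does: besides adding packages it sets `services.resolved.enable = true`, which changes DNS resolution for the whole host. `lib.mkEnableOption` also prefixes its argument with "Whether to enable", so the current string reads awkwardly in generated docs. Something like `enable = lib.mkEnableOption "OpenVPN client tooling (also enables systemd-resolved)";` would document both effects. `pkgs.update-systemd-resolved` in `home.packages` looks unnecessary if its only consumer is the `work-vpn` wrapper, which refers to it by store path.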
diff --git a/hosts/pinwheel/modules/work/default.nix b/hosts/pinwheel/modules/work/default.nix index 79551f0..43500c6 100644 --- a/hosts/pinwheel/modules/work/default.nix +++ b/hosts/pinwheel/modules/work/default.nix @@ -1,4 +1,26 @@ -{ ... }: +{ pkgs, lib, config, ... }: +let + openvpnEnabled = config.mod.openvpn.enable; + + work-vpn = let + ovpnconfig = config.age.secrets.work-ovpn.path; + userpass = config.age.secrets.work-ovpn-userpass.path; + in + pkgs.writeShellApplication { + name = "work-vpn"; + text = '' + sudo \ + ${pkgs.openvpn}/bin/openvpn \ + --script-security 2 \ + --up ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \ + --up-restart \ + --down ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \ + --down-pre \ + --config ${ovpnconfig} \ + --auth-user-pass ${userpass} + ''; + }; +in { home-manager.users.alex = { programs.git = { @@ -13,6 +35,8 @@ programs.go = { goPrivate = [ "gitlab.com/zebware/*" ]; }; + + home.packages = lib.mkIf openvpnEnabled [ work-vpn ]; }; age.secrets = { @@ -22,5 +46,13 @@ owner = "alex"; group = "users"; }; + + "work-ovpn" = lib.mkIf openvpnEnabled { + file = ../../../../secrets/pinwheel/work-ovpn.age; + }; + + "work-ovpn-userpass" = lib.mkIf openvpnEnabled { + file = ../../../../secrets/pinwheel/work-ovpn-userpass.age; + }; }; } diff --git a/secrets/pinwheel/work-ovpn-userpass.age b/secrets/pinwheel/work-ovpn-userpass.age new file mode 100644 index 0000000..a5b675e --- /dev/null +++ b/secrets/pinwheel/work-ovpn-userpass.age 
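Review bot: In the `work-vpn` wrapper, `--config ${ovpnconfig}` is parsed by an OpenVPN process that runs as root with `--script-security 2`, so any `up`, `down`, `route-up` or similar hook directive inside the decrypted profile would execute as root. The profile is an opaque encrypted blob in this commit, so this cannot be checked from the diff. A comment above `text` such as `# profile is trusted input: with --script-security 2 its script hooks run as root` would record the assumption. OpenVPN, as far as I know, applies options in the order given, so putting `--config ${ovpnconfig} \` first would let the explicit `--up`/`--down` lines take precedence over same-named directives in the profile. Quoting the two interpolated paths (`"${ovpnconfig}"`, `"${userpass}"`) would also be more robust.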
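Review bot: The two new entries under `age.secrets` set no `owner`, `group` or `mode`, unlike the entry just above them, which sets `owner = "alex"`. With agenix defaults that leaves both files root-owned and mode 0400, which fits here because `work-vpn` reads them through `sudo`, but the asymmetry can look accidental to a reader. A short comment such as `# root-only on purpose: read by openvpn via sudo in work-vpn` would make the intent explicit and discourage a later change to `owner = "alex"` that would widen access to the VPN credentials. The `age.secrets` block starts outside this hunk.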
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 vxPbZg 7KS4VEUkTfMmn+qf5oGnQrnlnBfPcJp4i/tOtQOM5zc +R5DuA9UnMItrqtHG2rNfCC5/BoPkdxQq3OmIgRMjvGM +-> ssh-ed25519 ek+b7Q w6PYfDR2dpqLknYvbC7umnK2eXQzk36scvPQctSIZz8 +rvbgLNqkzfpgBAEZa5XZ0jtxJxsRObAyJyw4vnIYJAw +-> WukD86"4-grease gm HHH), >.i ~bi +yV7GpsEhncUjuoMD56M5Wg2qkdPOVewQpHRoIrV68g +--- 3drQ0pMsHbSMSA8tnTs3muN122ZYgN5JDzoz3tRymJQ +•#ó€)ö`ÎCmƒ7Í ¨ps ˆœñ™ú >§Ð*¤e¾œ©¶MÞ¡9º°ðó§ìn^ÒÂîê*6®º& +mü{‰Œà-òŒ³A \ No newline at end of file 
diff --git a/secrets/pinwheel/work-ovpn.age b/secrets/pinwheel/work-ovpn.age new file mode 100644 index 0000000000000000000000000000000000000000..086d70f09d4f894f64f737c38f68098f18ab1922 GIT binary patch literal 9020 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHs|ZMnN>?y8^bZNj zDJn2Z@pn#7Dz3=(%r~+ON;WRf%@4@+*Z1)D%MA~NHccU&MXNl3=b`j@g)iA}k)Un*pEwZ4p z%+Srn%PcoAAT!-E$S1rkuPo6d-83aTtx!8Lw4BQ)!`;P6-?yryDj=^oJ3BbgI5#IP zJETZEyTHW5yfP&)tgy7wBdZ`SG!$f8MV4-QQEFmws)CWBLX?ePhMT>jf`5@`PFTEA z4wp-5ia}wZNm`L(MQL7Sa=BxWaZy-RYDsBSPKjSdieX`!}jjhxM&y#(? z)$O-0U5UQUAwIw9=l3j&S$nolcj%aDciigN7sabP;@a$|8!D{*(@?i}U)<+sJM5m% zKg-he?5KX{s_ByHn^(rA-utN_@lQ$c@j~YEJz1|-E3R&~ji@w^*dCEmuD|;P>wSix z&Hv_iP5GE{`v*gc?4*{6<16_JFFq=N7}Ke!VllPVXf^XjsXJC*^J2`yTwiZ#scEa? z=B)b=+t$1~qw0I%Q%#3os_R9WUVJj2^!tL^iR`8~5vQwSbP`j4%+#w>WcmI0%gLnh z=^^v_`2}>fo~agk-<8|>>hE*Y>inZQPK9Y&As?Tdb3Z;!z2tfL{V7w|EscAWX1inR zwnJ-qJ>))!@qU|ZoPYhl=-k5-vlf28X8xo;g;RTT$Q)NmmwWZn2Hnzn4;E(aJw5Z- z#=za1I#1u8ezo$)aXp{zdlP3j7|fm0^rArCr1ykC%E8iFzcYH`TAeN5el9d-IuxQK z6tm>tE+)yi(yFP7oB#b{=}_2d7o+{T%QGY6bH|UGZB4U|ZEBejG$Ts7Wns(LgH!hy z$p)S0KWQH(m+70Vt}&K1^c$J7;!f9RWC`QkIzhH+WJV!0nW+d^$s&*kgq%~JnS z6m}v?>hs<$PiB3YZ>v1#&X?P74!M*w2)i~GvusuWSkO34D|Kzs?b+6QuElFgc-;JV z$eC0o{ZXZbpGx6#;-l(6(%{qyZrrufJ22+&sX~uVK*RFi5$WTg%bGskRED`X) zlWFzvRbG=2lxZp@k}+J04k!7aVAvsW|bSQOC`)nhU&v z=RTW0+bY%;(0Q5vVB4}cP68okZ|glsyd!kS=A`&EcZP4b83aowvWi}OwId;Zhm+gR zvsH5vd6KQ1gfE)KeE&V$enr4^mb*#c%CGCy8t=*}TKqHeM1RiIK$-2GS`5Cw&d0YZ zPMuTV<@xMZ+y8Z?J~~U}#IL8Ov*etL+Oz3M>%T}{#qGP#3CZjgDPxX3{OYoGdt1qD zgEx_yD<14$CRe3%u5d=P)HKz7dmjn^kxgiLFymE5H~-$Rv$UpoN3~j}Pq=wJp5KQ7O%q}=(=|8~N@o%`ng%&BrsT7FsaeM>>O zPK9aP+nZ~gs+zbgET4S(>GedX zYWozUX}_yJr=5)X+;Z-FSkWb`J?0*F@{aF5S|VJ!cm2y-d}*_kG83(yRV7Z&+>v{= zl!Nhd$BA=_kv|)L`CYF)Zl}Q{cqQqmv}=!=)r1Qte?Gprs$j=Gy74&{u}zvmkq zj%fasxc^U1Udsas^`}3%Yz}|^?(!;akLg^kUA&Cq$EBJ?mUxtZ`}*ei<1-qW-%g5d z*c-+dJ=1w*Bj*x#89oSLKt1%f7lP zCMdV~X@uWiGUx5HO{`fZ%cm51eO$$LanY&Yn-;jg^ziM_s^F^lR~RBzw!xSsO6r%C 
zW5e1HeP<2CSIo@xeSGG3bkM$!)X+g3~@2Z{EH0>00I8&z+xY9O6G7oOfo!*$l=?-L8wueJvFkiuW?2 zh3_eqzgi_#7}ng_E-b9^OzpGbJmwX%xEkbybCNrE%+3hY3>2I9VSjc^*0x5WvtQpX z3;y3^`;1qqg>@p|{A;#NQy<;jZJ3wzK)G4$U0U$>lVbl~@A@efQeSW=_|IdXD>YM- z@(bpC^rW_tL`?5x__ock(4yM_JVtmzk@%uriU^)qGJqT0Hg{1~mP zYbI^H=WTta{HOeU*Ta=-FIH_^%oeV1SNqEpAO?!29P zvf-iI$|Z3OKTDcY^2<_#H=Qq%uMXR{XzF682Op&!dr}K+ z!`8bo`xlsKe_M8Yy;^;dqR`0=P3Mywl*8=!8xK`Qd-5~Le_R()`{cKhf4?vPzSB|bq{7XAACteBfBUyc?|qU4^XlV$jAxVW3J*4GeA=QT zrlyopoBV*WP{X9viAQM8qUVN7!o%)9+x5BSuv*pP6Pvi*xHvr;f9Do1WKz9R?=wN_ ze869(F13#(KWh%zO||7+dH&ot{!5SfQ@xa2Q)MswVe)Ew=2;TGW6oJ|e!~KXFFXG7 z3wO_d@^|IAcW-7~ z`!Mtzy8#nJ(2Z81JKxqw?{VJECCak&<42tj&-Z^(^w%rD)V0pEN=TjO{ncpe8H%*tyg1hZG+rqNVYa(LS=e8u-y?U(k#&DhA)&p8c#2-0E zKl>eXT{m&&vO8t}ZzyYD`cZ3_FRNyd^>=Mcu*J-Y{^kp|c3HN}x^&j~T7!R3KIfh{ zD?XQT=dPaHZQu(A-QNAo0*&#}zU;@QJTmSo4PXen ze{lb8msj4m-^@JrH$rSb=WNpll`9k1J)A$^WbNLAI}fehudiBr^}k_;JKxN*=>jkG zv(^}RbG;7;{v#0BdG<}b@BL)6!Us?1n*V*ytb0T+%x2&0+cxx;pIU|Lrfz zepqGYvZY>rx6fa`%XGu>wRdv*Kiy~KW?d2Du(qFD)OuG9Z|w}@Q%7~oT0ZUDZK)Qy zd2`RY`c1nwL}iL4X^2l}+xO@D1SR=c`xWxqnV;^9ibsF_>tJzLsr+cvGvkoXziCq* zdGIa%=yvwjLcb?(b{!3I``E$CJf-$_rN_z7hDHk#x9tdAcG&E()@)vZ?bWXTE%JNKWl*{=%pF z7k5Yh&CI*-<&EY$2cR+$mog41R@r^nkp(oNhM%hz8_ zP2H-q`0wxby3YEoR{Q?$bvx^soW5o1-ap^h7O!yIV030bBln}8?GA{A6;z*dCqPr(b0|_Mh0e@_Bjm-sf-JQ<==x@!2+RJQ_Lk z>bpCAa=WbE^E_ro*Ocq8ET38sA2^fIVYBz?h@#X#Q-2?A)6J7UJ=dwW-=lY{(zgkF z^{5>OSR;o~!8+Ug6P-7Cc-mIGB?_c@ZDnqBHIDA)p<3H8?6#u>TakDS7UM-%O7T$ZBZNh1@>aa7{yw6Or zy>ppI;EdR>gSEMH;&=oTDh^(l^0PEhVXA3V;m!wfr?o?w*q79uzp4Ghapk+o?57Q; zZx-4eD{^*k@0wG~Z%WtOthdc~+O}z1S>ogk&$k|2krfg2w|m1WwmV1V_B6L1>|XJ7 zW1L~*mf0I`ip-w7t=3}4-2WRcOwJumCeD?d&xKlACA)9H0Dl|COjyia$> z(^DU2-|bJrg+JQ?)v&^ z2@{@A2+@$)w<;%GeqmT|^FKYw9M0c8)zZN=tOsWrMTSS*KlpwY^YPuUx)>OLWM-z_ zYyES3gFsk!grV@-c;WSS3USHic0sBVrlMk3UMBJgCFsP6J^S`|E88yK(=X=aCKUv> z7p>Xo`0w){uNhMO56C5xg&&Hc?FYCU+C`ouv6oNl>ug9rwxoTbiBtB@Ke}}LwKI_(;;W5$AHUu7C-TlwNqfm0 zv$c%smYTn+zI)x=e$KAh;;hKs;0s2pSNES&>{2y9eKq~N#H0FRSLZSwarK|93l1Gl 
zN%*bye~YI|w|ve@+fyxE6JnSDy2q1UH@}FZl6mLXb>C(*a>a@6e`)k^ngPr7WyV?) ztWRY>I(fN{Rk(~x*y({>C!>|>xohP|KlH4y-4|0Fn07_NKSXh(;tJcUt7*UOqys-? zPFtk9@(4Sp{=$fle_h~H;=+Ei%5|FXHicL^K2-JetPGI3q~ zAt#a4MaP8>|8vrw81l`*U&2t;Q`@HcOjVqJs%=we`x{=4hA4~R9e<7nzHe$4zIl5| z@}G=E-3-S&7cYmk?LV6Ih$Fvb#znQKKPTkR^trcP@%EG29TV65{hFZ4)A;d*vSzK_ zx8x?b)Y=X2rlqxfWl4EBCCitE?PYL=z25d;N-4K*FW|6?&T0&u``%h==G-uI)wPfI zM|K3Xa{Vg)nC$OfP-9&yEuZRto{(g}|Gr3UfU3pS{`Ja*g0HIo-1sF^J^TH_ z-N6PMxIReW8mxsYv|{QE9DYr&~3hm8Mfr(Bx9?!w;xSLOb_*|?ki(LxsI%lSbs zHS^j|XQy_5)2?2;;`ZP5%aTH-emGvv_h*~@&wuXXY2A-es$s)hD-@2|DbKU9PWWI^954X2oU6#!~ zV`jPX`RnVeOTU|}ZEUkQtgStAQA9FGLfrSmr}qyg>`E#{y5ENuB|E-+ASuUu zypAXQ_$@J^b3a0>R#fE(O?p2)oqt-1@U6_~4JAeIv+s)MJeOXuZrQOjZzPLN?=B?ss;Xd8RbDy;V<;D|gg$Gk?+%H!n_TnrLXS%E`b}EB90sdC2_RsW8`7 zJ=_XT;__J^jVljLB}_ajQHLuBcUsq9uu%JQLD4 z*elg1xpm zQ|d*XNNV(H8HFs58_lXKmd1u~DR}L2-=wend-v*Ki~VU_e8J&eiS{* z&n&cT>6WG~bCx{KU=9A^9^&JBV~3BNGw&M9B3_>AuCF%HVHcNmeU8|A-CViw{+fLX zJEPnfdmj8eDRgOvUaI?Ff79Mx_P<|UMYmo*>X6sbz2^72b&DJ}ye}zR&z`x{%bOu) z;bj%Mxxc0FYB(M^rm6f>R_?ZaxfSgn0{h-JyXJw`sSO0TdPyK$DT-`OX!=A7w2d6|mY z33oPbdTp!nrgL+RJL_!;xl^81YaVibJAF^2@J~X&&GU_iQaJA}eB^R@^9S>3>m^om z+MKa5&VJJH(?qD#>-O{O1;73kbukD3u_&lkVz~M0Q0vq);j<2RE1jxer^>YSs$=j< z|E#mQ$4~vaXI&-Zz+wN(>l5RZva1}wE<6cN-Pf}6zwVn2Y<@jq`M$q8HrnqwQ?%mZ zB4tIbB1Zj%^(g`S?;g}XwaATSLb}Oa`D<%xw10_R&VFQcX!c*uo!b)Ss{%x9c<+c! zu{hx3wwdKvd_nzmhjz^{)!Jamt_94S^3;E?DX|rOc>HyM@Y^#_lS;I7Om}`2a1l|w z=T~pW2s|k0|WtNGz&eir5N>5V^)?UMX)^PI|$Js6R9m+OuQ+F!Q zTA=pu%*qTS<*r{hj9Y@A_@2)d;>*siW~k+i9TE9*tXw1Vrc6Mef=vzeJgxVCkh$1Ez! znfv0%fv3$ES>^s%`U@5ByXJl@?0m)q&zj_;s}r&kR^;rC$rk>V)^8<0X~`;&1-Ba5 z=470mIwj;~$tKxoT_)+2b#^@*lg=HBKmV|ryJ+Hf`|}O!7UnKAOF5vj+tA#wqVwx1 zmDx|)FJEXla`XJg)z%5#rtbdo*PoQ_V0^n+SI#0v_1pvIh3wkQ6Ox%tRVP+88lLq! 
zwSj+Xw^-CJXRV`#8coeiDi(I@%WD!{W_@B7e*f)t`Noj015;QEd4krQ@H{@@Q8kB} z(I)?CCB+$5$6r6l^cO2;>$nr0>EXR1*G&JPzg*A1q_4b(JeJ+RrNsVWhRN%XDrQyH zFpN_5OrLwTQue9|JkEImze?uli6ymsQOsca zKKYUV#vj2qzwrINGQo&PG`;WRtM{|M**;3HDwa^?d)II^GJeyFZC z;{$USKAWYH5EQF^LriVWnUB@_2i8|T+v{kM%v$`aXx4oFKSo>E9k~7^uhW;aLaCJ9 zV-4P7+c+!rR{LC_|_+^eEX)qluX>8 zXCfVcT*d3=lsjM6G*0z9np$A5!*%Pa_rb4*mK7gP7)-j@`{c-u3wz_s?Yzr4e4fwW zwe_lNNYh@ItV`QebD56*eXw)df~nqj?tijPwNqdTmyKJtYo$)T{N=a1Y9`0{7kyDs zwYc!5_nnqS9P5l7??2@2Te4TIz|eb_#4?G1rTaB!`Q9>_%r~jecZ%o=e(l({II!Z)v;1FMrml^8 z_wO@bzxe}Wm&bm+GFQu==E}>wo9_QD;o9ZQI;mv_*;_h=e(x8~pQ)SjeEox0zutdw z-Z@h0K>liF$7@+$sHXcf-o4hvCUpjUsdUZf{-^G5fdQleK%!T=`S3qqjs< zy<>7l>YA24)s}Ikn-Z))%BKB3eXRW0gtR*$37Zw8mIPc0)K9l`7LH^7`}&l{hUF)2 zl}&ND?fZvUyLN)xi;YwaTtXKHpnXEA;f-q-AsbEgTI`=ues7d5U}I zg*{1cEBeE)6@G}1FuHpsI;3jX3H7C6=Vt@2b$Zh!E%xaLo9)|aIjPB&3` zzba*vujp*+zI-Fg6UgFicrFM0v6wXdv-DZ79Km70YiGJ5s zv%ZyF7vaqI?)7f}V>6!VYU?bMQ_=X6U_Z4Zm{sei>hD#jw0$0)UR(a`vtsD;9gnu8 zT9m~iL#+VaVL@$ye9)O7n~lj1w)`C+t+5zU5(Wmma&;KfzD!s!azRAh8>x58d)j0K&z@87Yb>eA_E_ez=j`^~h2>wJ zr*7H6lrDHxH&=Jp;@MZX#j@V7I+}9*V`_}jv9CX_&+&82%H6Z=_1nz}{QEiL%qu4A zZ!RlU6Q65%!=#=?!Dk6`5&yyOhi8=wzbh#_HFwL-41dG0w@fqB9p9I`dF<=fxi9ak&o8e$o$l$K_o&}(dyJsKp4}abChactGd&c0{A}<6 z?-4K4?wl!izP-@c@s-70U+*F} zU10+O3AY`GkJmR&CSEz8 Ww#e)Anj@-nS*(9=)LgnO>Hq*)EMwpR literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0ae9d10..929dbfb 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,4 +1,5 @@ let + # see `modules/age/default.nix` where these are defined pinwheel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoI7Q4zT2AGXU+i8fLmzcNLdfMkEnfHYh4PmaEmo2QW root@pinwheel"; alex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjSFvlbdy5D59UaVWjRMyBndiAT2MtCeT+6GuemkuYe alex.pinwheel"; in { 
@@ -11,4 +12,6 @@ in {
 "pinwheel/alex.pinwheel-work.age".publicKeys = [ pinwheel alex ];
 "pinwheel/alex.pinwheel-work.pub.age".publicKeys = [ pinwheel alex ];
 "pinwheel/netrc.age".publicKeys = [ pinwheel alex ];
+ "pinwheel/work-ovpn.age".publicKeys = [ pinwheel alex ];
+ "pinwheel/work-ovpn-userpass.age".publicKeys = [ pinwheel alex ];
 }