pinwheel: Add work-vpn in work module (openvpn)

2023-09-30 18:09:08 +02:00
parent ff473fa392
commit 79f694d064
6 changed files with 71 additions and 1 deletions
--- a/hosts/pinwheel/configuration.nix
+++ b/hosts/pinwheel/configuration.nix
@@ -23,6 +23,7 @@
      ./modules/syncthing
      ./modules/firefox
      ./modules/mullvad
      ./modules/openvpn
      ./modules/calibre
      ./modules/go
      ./modules/nix
@@ -122,6 +123,8 @@
    }];
  };
  mod.openvpn.enable = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/pinwheel/modules/openvpn/default.nix
+++ b/hosts/pinwheel/modules/openvpn/default.nix
@@ -0,0 +1,22 @@
 { pkgs, lib, config, ... }:
 let
  enabled = config.mod.openvpn.enable;
 in
 {
  options = {
    mod.openvpn = {
      enable = lib.mkEnableOption "add openvpn related packages";
    };
  };
  config = lib.mkIf enabled {
    home-manager.users.alex = {
      home.packages = [
        pkgs.openvpn
        pkgs.update-systemd-resolved
      ];
    };
    services.resolved.enable = true;
  };
 }
--- a/hosts/pinwheel/modules/work/default.nix
+++ b/hosts/pinwheel/modules/work/default.nix
@@ -1,4 +1,26 @@
-{ ... }:
+{ pkgs, lib, config, ... }:
 let
  openvpnEnabled = config.mod.openvpn.enable;
  work-vpn = let
    ovpnconfig = config.age.secrets.work-ovpn.path;
    userpass = config.age.secrets.work-ovpn-userpass.path;
  in
    pkgs.writeShellApplication {
    name = "work-vpn";
    text = ''
        sudo \
        ${pkgs.openvpn}/bin/openvpn \
        --script-security 2 \
        --up ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \
        --up-restart \
        --down ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \
        --down-pre \
        --config ${ovpnconfig} \
        --auth-user-pass ${userpass}
    '';
  };
 in
 {
  home-manager.users.alex = {
    programs.git = {
@@ -13,6 +35,8 @@
    programs.go = {
      goPrivate = [ "gitlab.com/zebware/*" ];
    };
    home.packages = lib.mkIf openvpnEnabled [ work-vpn ];
  };
  age.secrets = {
@@ -22,5 +46,13 @@
      owner = "alex";
      group = "users";
    };
    "work-ovpn" = lib.mkIf openvpnEnabled {
      file = ../../../../secrets/pinwheel/work-ovpn.age;
    };
    "work-ovpn-userpass" = lib.mkIf openvpnEnabled {
      file = ../../../../secrets/pinwheel/work-ovpn-userpass.age;
    };
  };
 }
--- a/secrets/pinwheel/work-ovpn-userpass.age
+++ b/secrets/pinwheel/work-ovpn-userpass.age
@@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 vxPbZg 7KS4VEUkTfMmn+qf5oGnQrnlnBfPcJp4i/tOtQOM5zc
 R5DuA9UnMItrqtHG2rNfCC5/BoPkdxQq3OmIgRMjvGM
 -> ssh-ed25519 ek+b7Q w6PYfDR2dpqLknYvbC7umnK2eXQzk36scvPQctSIZz8
 rvbgLNqkzfpgBAEZa5XZ0jtxJxsRObAyJyw4vnIYJAw
 -> WukD86"4-grease gm HHH), >.i ~bi
 yV7GpsEhncUjuoMD56M5Wg2qkdPOVewQpHRoIrV68g
 --- 3drQ0pMsHbSMSA8tnTs3muN122ZYgN5JDzoz3tRymJQ
 <EFBFBD>#<23><>)<29>`<60>Cm<43>7<EFBFBD><0B>ps<0C><><EFBFBD><EFBFBD><EFBFBD>><3E><>*<2A>e<EFBFBD><65><EFBFBD><EFBFBD>Mޡ9<DEA1><39><EFBFBD><EFBFBD><EFBFBD><EFBFBD>n^<5E><><EFBFBD><EFBFBD>*6<><36>&
 m<EFBFBD>{<7B><><EFBFBD>-<2D><><EFBFBD>A
--- a/secrets/pinwheel/work-ovpn.age
+++ b/secrets/pinwheel/work-ovpn.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,4 +1,5 @@
 let
  # see `modules/age/default.nix` where these are defined
  pinwheel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoI7Q4zT2AGXU+i8fLmzcNLdfMkEnfHYh4PmaEmo2QW root@pinwheel";
  alex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjSFvlbdy5D59UaVWjRMyBndiAT2MtCeT+6GuemkuYe alex.pinwheel";
 in {
@@ -11,4 +12,6 @@ in {
  "pinwheel/alex.pinwheel-work.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-work.pub.age".publicKeys = [ pinwheel alex ];
  "pinwheel/netrc.age".publicKeys = [ pinwheel alex ];
  "pinwheel/work-ovpn.age".publicKeys = [ pinwheel alex ];
  "pinwheel/work-ovpn-userpass.age".publicKeys = [ pinwheel alex ];
 }