feat(nix): add openconnect hm module

sbulav · Nov 20, 2024 · 5f3ce79 · 5f3ce79
1 parent fbde0d5
commit 5f3ce79
Show file tree

Hide file tree

Showing 7 changed files with 120 additions and 6 deletions.
diff --git a/nix/homes/aarch64-darwin/sab@mbp16/default.nix b/nix/homes/aarch64-darwin/sab@mbp16/default.nix
@@ -36,6 +36,7 @@ with lib.custom; {
     };
     security = {
       vault = enabled;
+      openconnect = enabled;
       sops = {
         enable = true;
         defaultSopsFile = lib.snowfall.fs.get-file "secrets/sab/default.yaml";

diff --git a/nix/modules/darwin/nix/default.nix b/nix/modules/darwin/nix/default.nix
@@ -17,9 +17,10 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [
       cachix
-      nixfmt-rfc-style
+      deploy-rs
       nix-index
       nix-prefetch-git
+      nixfmt-rfc-style
       nvd
     ];
 

diff --git a/nix/modules/darwin/system/security/default.nix b/nix/modules/darwin/system/security/default.nix
@@ -1,6 +1,8 @@
 {
   config,
   lib,
+  pkgs,
+  namespace,
   ...
 }:
 with lib;
@@ -14,6 +16,21 @@ in {
   config = mkIf cfg.enable (mkMerge [
     {
       security.pam.enableSudoTouchIdAuth = true;
+      # skip sudo authn for frequently used commands
+      environment.etc."sudoers.d/10-nix-commands".text = with pkgs; ''
+        ${config.${namespace}.user.name} ALL=(ALL:ALL) NOPASSWD: \
+          /run/current-system/sw/bin/darwin-rebuild, \
+          /run/current-system/sw/bin/nix-build, \
+          /run/current-system/sw/bin/nix-channel, \
+          /run/current-system/sw/bin/nix-collect-garbage, \
+          ${pkgs.coreutils}/bin/env nix-env -p /nix/var/nix/profiles/system --set /nix/store/*, \
+          ${pkgs.coreutils}/bin/env /nix/store/*/activate, \
+          /etc/profiles/per-user/${config.${namespace}.user.name}/bin/openconnect, \
+          /usr/bin/dscacheutil, \
+          /usr/bin/killall, \
+          /usr/bin/pkill, \
+          /usr/bin/renice
+      '';
     }
   ]);
 }
diff --git a/nix/modules/home/cli-apps/atuin/default.nix b/nix/modules/home/cli-apps/atuin/default.nix
@@ -43,7 +43,6 @@ in {
       };
     };
 
-    # sops.secrets = lib.mkIf osConfig.${namespace}.security.sops.enable {
     sops.secrets = lib.mkIf config.${namespace}.security.sops.enable {
       atuin_key = {
         sopsFile = lib.snowfall.fs.get-file "secrets/sab/default.yaml";

diff --git a/nix/modules/home/security/openconnect/default.nix b/nix/modules/home/security/openconnect/default.nix
@@ -0,0 +1,95 @@
+{
+  namespace,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.${namespace}.security.openconnect;
+  vpnScript = pkgs.writeScriptBin "myvpn" ''
+    #! ${pkgs.bash}/bin/sh
+
+    function openconnecthelp ()
+    {
+      echo "******************************************************"
+      echo "VPN access via openconnect"
+      echo "******************************************************"
+      echo
+      echo "Usage: myvpn <up|down|status>"
+    }
+
+    if [ "$#" != "1" ]
+    then
+      openconnecthelp
+      exit 0
+    fi
+
+    # Parse command
+    case "$1" in
+      start)
+      ;;
+      down)
+      ;;
+      status)
+      ;;
+      *)
+        echo "ERROR: Invalid command <$1>"
+        RESULT=2
+      ;;
+    esac
+        # Parse command
+        case "$1" in
+          up)
+            echo $OPENCONNECT_PW | \
+              sudo ${pkgs.openconnect}/bin/openconnect --background \
+              --passwd-on-stdin -u $OPENCONNECT_USER $OPENCONNECT_SERVER
+            if [[ $? -ne 0 ]]; then
+            echo "******************************************************"
+              echo "ERROR: Cannot start VPN connection."
+            else
+              sleep 1
+              echo "******************************************************"
+              echo "My DNSs are:"
+              grep "nameserver" /etc/resolv.conf
+              echo "******************************************************"
+              echo "VPN is up and running!"
+            fi
+          ;;
+          down)
+            echo "******************************************************"
+            echo "Stopping the VPN and removing all routes"
+            sudo kill -2 `pgrep openconnect`
+            echo "VPN stopped!"
+          ;;
+          status)
+            echo "*******************STATUS*****************************"
+            echo "Connected as $OPENCONNECT_USER to $OPENCONNECT_SERVER"
+            echo "******************************************************"
+            echo "Pid of openconnect are:"
+            pgrep -l openconnect
+            echo "******************************************************"
+            echo "My DNSs are:"
+            grep "nameserver" /etc/resolv.conf
+          ;;
+        esac
+
+  '';
+in {
+  options.custom.security.openconnect = with types; {
+    enable = mkBoolOpt false "Whether or not to install openconnect and add script.";
+  };
+
+  config = mkIf cfg.enable {
+    # sops.secrets = lib.mkIf config.${namespace}.security.sops.enable {
+    #   openconnect_pw = {
+    #     sopsFile = lib.snowfall.fs.get-file "secrets/${config.${namespace}.user.name}/default.yaml";
+    #   };
+    # };
+    home.packages = with pkgs; [
+      openconnect
+      vpnScript
+    ];
+  };
+}
diff --git a/nix/modules/nixos/system/nix/default.nix b/nix/modules/nixos/system/nix/default.nix
@@ -22,11 +22,12 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [
       cachix
+      deploy-rs
       gcc
       nil
-      nixfmt-rfc-style
       nix-index
       nix-prefetch-git
+      nixfmt-rfc-style
       nvd
     ];
 

diff --git a/nix/secrets/sab/default.yaml b/nix/secrets/sab/default.yaml
@@ -1,7 +1,7 @@
 example_key: ENC[AES256_GCM,data:db4wLhDMLwk7qrMdX24=,iv:tL8H78oNaQibOxiEBZpvVVJs58sgtApWrBdvyAEbMXs=,tag:u9/CJLZH5JvLVbXp1W5l2g==,type:str]
 nz_sab_ssh_key: ENC[AES256_GCM,data:avcGPKW3n3vI5KGYJB1jxuxMpA236L4UyXWl9JYlA4Y2cMAvqiyx4aWXKADEJIWwOvKZ5xR/kHB81MX3q2eK/pS39Y7u51QLR6VqBmCSUKfNKeakDwqANQsGza6axyJtSIqQKGVhWXw4uQjlz56KWjMM6BMaGDxfX5nb0AQBB0vVPoDwTQPuFv5IRv+hcls0vkjNrEFjSHLDjtXyHnOYxSFxuz2euLJhwe8BuSZjH8dHWd25TYnLFmC9ADt+QGjFEg2xAYUe47WS0wqVEOw5u19/X2Lep0tzyC/KOPVV4mfpnrL2XfHZMJmkqKVHFemksmGhOA6BE7tqOsazODxXjHenP/WsTBiMCCt33XFRsy8czUZx2awSkupNUQJMcXCxF8Ma93MEmWjtC+PbhwgUH46LCYr4TDjICtaDEmhPBGb+TJXVlKE7rbcjdUSJlp7ssV3n9VHt2470zVdczier1NScQWZ1QMmLOCAlieZOd+CRLYjbbVhWo6SMomavnsfCLowB46ddt16l/QgOHjWc04TpmVh/HSvF1lo=,iv:Ld8A1kf+K6hlOSawnjSw4yrYvKRB7X+nYh40Gmk4u9A=,tag:wBVb0axy58EU+RkdgqNj+Q==,type:str]
 atuin_key: ENC[AES256_GCM,data:tG7Nj9virYKiPuCnRotex2o/gW6Z0MhOPaSQ6bpehjOr40S4fmUMEjkhlb7K0D/kTO1Ktm5PgkIMnfcYgoHPVg==,iv:pNvTMM2U421tyjrZqAL7uPtGddeALPWhSYlI+XibtGs=,tag:+jFmITYcfP6SJ8ClFy5xhg==,type:str]
-env_credentials: ENC[AES256_GCM,data:x/aJwteXldpw/qnDM6CCYGoMfMQZMED9JeCvJIOT+1khIFmcVjvlIgX/rjLSZ8G21kp5wM6IhAw6jnF2xmTZiorhP1GM2IWEAyh1xFVEx6RvNKXPAYneT3vMK1V3hgoMS6GcshEsrcxuzTOMhAjgG668B4dLjY7Hw899nGoen8QDYucNyVqPEC9DbVpn4eBiaTiDKY9QQP7OLCe4v1a5WS7nuHWKGwqQtw+o1hqzf90sXFkX24Fp5Sx64wxanlkaxyA9njjWFA1BuladPE1IpzaQc3DJmd0Z2ZYMM4Hf85kskp57NyUKCUbIrR+0tFpo/cGwzgRCT1faA9SUcPG/pAh3UK70KL1GpCzty+HtdtiriDK674vULuKclldgi+xZuRwgXNKgeFDWQ8w1Z6PqAMMp27yLT7EOyVoPw+l6T3rUkxVbsXSeQXEjHMMz3G5UBcR7/osdiJ08CygnNIpi6KM1YDmEIN3IaO5+G+cAoKO4CTOCTkQa8ZOcHk6T9YzORxJaxoVIwciLFvsI/I3vjH6AvuQGiaVKDp5u5CUhkRxmbB21y8rDjeU0Wphq/eXVFWOx5960XDMxq+a3qfbGEyHSt89Nxl5fT7DhrDF+mw6mB3TBu6g+B4v+mhiFHF3p79WEzrqfa7DQaKfsUA==,iv:RWX+WKF7gkdG0dLp0+GCNSSGVyKxz6YNpAAfDzUq/o8=,tag:EVcrEb0dyz5nloG1rfftbA==,type:str]
+env_credentials: ENC[AES256_GCM,data:iHi+SP6Zcc7O3hv/exLYQZrfciDbb2Pwv3jAr2gGUEeuEy5h3opqK7pSt2rL0UaxOE2Si5nhfwlzfqq0duae6nxZB/gXPat2S9SbXPXCbu+XH0GVEAngBsKt7QjbiNsfT3fBHB7bICgjx2VIhTGzxZrXae7PB8T4+SES4h8zJ2d28lg6e9Ze91hqGPgPzocsLNPs2zGHHE0NDLDNBm8X+PdTAbhglLKFTXg64SDnQuIELsJOxpPtYGpoxk8iSxGziRxCXiWJcHC2IRhKAOHi0jAMVf/El20brJHq1Wop/wpxTWi7HHW9+j+gi1ZJHVUXUf9FxaNCioKnbv7QZwmXVkJ5GjY+EGeSrogUMxUHwz7zOMMRptoKE8edu7FhBkm7tZ0zSy9EoeUoZLWM8KeZCNgMLZv8eVRlnk9WXvE5XteR8oKLrws7VTNukv270BOp3z9fKf9zGhjHx4IUzDFsk94i2J80ImHEdNFlVcYzDU7x7JN/xMG6vFkgegMr5AkMyY5iLOOFOKt5l9ZNPg096hJnllmbhZ5DQPHYkmiWxPHrZ6ZuyozJ0SAeMxbiyr5ZTrrwnhIxDiIEgJ0afkCurMnw+GUBH+pUbvYEFTA0PR8h16/cHyqodkifa8vi3fd4Bj+XVslQC4JWg4lhuRQeKwhSWZyxMs3J4m2n3mBvUgd2Kt5HWpgsLo0N2zimP1QiltacF2E5BIIlK3A4Ai1ImKRacOQ67ziklITnZeKAcFMTEsS/OWIhfoIBIWPaBqHF6/vkMuHgVinU1J7rdig84w==,iv:AhwRAXFzVHAiko398jJnGDCi8vUs4f4f/mWQVFNy6Cg=,tag:YZMONNKxLXl/5qmrDxcjhw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -35,8 +35,8 @@ sops:
             VUlMZGpNMGZjdzl3Nmd5dnJ4eUhRem8KCIJxtTUFgSaw/gHQuN15ffwCIJl4osCP
             4qv2XZ2qhBBhXJtqmzEecMVKE/qeCU0x2Jl2TwaSZdnjwJ9b40Q7tw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-02T10:50:35Z"
-    mac: ENC[AES256_GCM,data:3E+kRD3JwNaz5NKGRU/Z+jLMc+6vGplzvRBEO7y/dF6wke8Tg0+049aQj+WMg50wwBW8yG+VlaBAJ2aEfLz4w6lo/EDGaA3q3nFyOTMs1M9x/WltSbBEFCZMhAVWkq1aGH760PNUqEIPHQ33byYDFHrDuSmDhRxGCnAaSDPIhdk=,iv:oz3nuXunu6uwMl8VKjL50NViQ47pLMHblVDrfhSvBcU=,tag:My7PloK0IrEvE0Mhy2ilog==,type:str]
+    lastmodified: "2024-11-20T09:16:01Z"
+    mac: ENC[AES256_GCM,data:n4nfSyeKf/yOY+QawRtP3jNfvn3Q0WBdvdvwgmxiKJYX2kNHcku+W5g6Q7G0SqMfuTyqN57/rL2amedZ097edlPD8sKncFGOK/UKaCFgbvuClodsZRwFOm+nDrHQd8tPmpz69Y3FwMAALvpCohpCpQtBfn8NvF/2XgfePXNwFmk=,iv:nq8l3MtmTGhbAX5tvXQ6bGzVwPRs8Dv8uB6T5+N9Dgc=,tag:HMet1hHyYIjUp5vqcbOMZg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1