From 5f3ce793dc6d9a904edb76909e264edeb2cd5f38 Mon Sep 17 00:00:00 2001 From: Sergei Bulavintsev Date: Wed, 20 Nov 2024 12:35:32 +0300 Subject: [PATCH] feat(nix): add openconnect hm module --- .../aarch64-darwin/sab@mbp16/default.nix | 1 + nix/modules/darwin/nix/default.nix | 3 +- .../darwin/system/security/default.nix | 17 ++++ nix/modules/home/cli-apps/atuin/default.nix | 1 - .../home/security/openconnect/default.nix | 95 +++++++++++++++++++ nix/modules/nixos/system/nix/default.nix | 3 +- nix/secrets/sab/default.yaml | 6 +- 7 files changed, 120 insertions(+), 6 deletions(-) create mode 100644 nix/modules/home/security/openconnect/default.nix diff --git a/nix/homes/aarch64-darwin/sab@mbp16/default.nix b/nix/homes/aarch64-darwin/sab@mbp16/default.nix index 017cc59..85c6973 100644 --- a/nix/homes/aarch64-darwin/sab@mbp16/default.nix +++ b/nix/homes/aarch64-darwin/sab@mbp16/default.nix @@ -36,6 +36,7 @@ with lib.custom; { }; security = { vault = enabled; + openconnect = enabled; sops = { enable = true; defaultSopsFile = lib.snowfall.fs.get-file "secrets/sab/default.yaml"; diff --git a/nix/modules/darwin/nix/default.nix b/nix/modules/darwin/nix/default.nix index f319a05..fafd1cd 100644 --- a/nix/modules/darwin/nix/default.nix +++ b/nix/modules/darwin/nix/default.nix @@ -17,9 +17,10 @@ in { config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ cachix - nixfmt-rfc-style + deploy-rs nix-index nix-prefetch-git + nixfmt-rfc-style nvd ]; diff --git a/nix/modules/darwin/system/security/default.nix b/nix/modules/darwin/system/security/default.nix index ab39298..8cd1551 100644 --- a/nix/modules/darwin/system/security/default.nix +++ b/nix/modules/darwin/system/security/default.nix @@ -1,6 +1,8 @@ { config, lib, + pkgs, + namespace, ... }: with lib; 
@@ -14,6 +16,21 @@ in { config = mkIf cfg.enable (mkMerge [ { security.pam.enableSudoTouchIdAuth = true;
+ # skip sudo authn for frequently used commands
+ environment.etc."sudoers.d/10-nix-commands".text = with pkgs; ''
+ ${config.${namespace}.user.name} ALL=(ALL:ALL) NOPASSWD: \
+ /run/current-system/sw/bin/darwin-rebuild, \
+ /run/current-system/sw/bin/nix-build, \
+ /run/current-system/sw/bin/nix-channel, \
+ /run/current-system/sw/bin/nix-collect-garbage, \
+ ${pkgs.coreutils}/bin/env nix-env -p /nix/var/nix/profiles/system --set /nix/store/*, \
+ ${pkgs.coreutils}/bin/env /nix/store/*/activate, \
+ /etc/profiles/per-user/${config.${namespace}.user.name}/bin/openconnect, \
+ /usr/bin/dscacheutil, \
+ /usr/bin/killall, \
+ /usr/bin/pkill, \
+ /usr/bin/renice
+ '';
 } ]); }
diff --git a/nix/modules/home/cli-apps/atuin/default.nix b/nix/modules/home/cli-apps/atuin/default.nix
index cf62ffa..e0490da 100644
--- a/nix/modules/home/cli-apps/atuin/default.nix
+++ b/nix/modules/home/cli-apps/atuin/default.nix
@@ -43,7 +43,6 @@ in { }; };
- # sops.secrets = lib.mkIf osConfig.${namespace}.security.sops.enable {
 sops.secrets = lib.mkIf config.${namespace}.security.sops.enable { atuin_key = { sopsFile = lib.snowfall.fs.get-file "secrets/sab/default.yaml";
diff --git a/nix/modules/home/security/openconnect/default.nix b/nix/modules/home/security/openconnect/default.nix
new file mode 100644
index 0000000..bba5bb7
--- /dev/null
+++ b/nix/modules/home/security/openconnect/default.nix
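Review bot: The NOPASSWD entry `/etc/profiles/per-user/${config.${namespace}.user.name}/bin/openconnect` names a path inside the user's own home-manager profile, so whatever that unprivileged profile links at `bin/openconnect` runs as root without a password; sudoers matches the path string, not what it resolves to. The `env nix-env ... --set /nix/store/*` and `env /nix/store/*/activate` entries have the same shape, because a sudoers `*` in the argument list also matches spaces and therefore accepts any store path plus any trailing arguments, and `/usr/bin/killall`, `/usr/bin/pkill` and `/usr/bin/renice` carry no argument restriction at all. If passwordless use is wanted, point the openconnect rule at a system-managed location (the exact `${pkgs.openconnect}/bin/openconnect` store path, or `/run/current-system/sw/bin/openconnect` if it is also installed system-wide) and give each command an explicit argument pattern, e.g. `/usr/bin/pkill openconnect`. Unless something runs `visudo -c` on the generated file at activation (nothing here does), a typo in this string also breaks sudo for every user, so the heredoc deserves a comment such as `# NOTE: installed unchecked; validate with visudo -c before rebuilding`.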
@@ -0,0 +1,95 @@
+{
+ namespace,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.${namespace}.security.openconnect;
+ vpnScript = pkgs.writeScriptBin "myvpn" ''
+ #! ${pkgs.bash}/bin/sh
+
+ function openconnecthelp ()
+ {
+ echo "******************************************************"
+ echo "VPN access via openconnect"
+ echo "******************************************************"
+ echo
+ echo "Usage: myvpn "
+ }
+
+ if [ "$#" != "1" ]
+ then
+ openconnecthelp
+ exit 0
+ fi
+
+ # Parse command
+ case "$1" in
+ start)
+ ;;
+ down)
+ ;;
+ status)
+ ;;
+ *)
+ echo "ERROR: Invalid command <$1>"
+ RESULT=2
+ ;;
+ esac
+ # Parse command
+ case "$1" in
+ up)
+ echo $OPENCONNECT_PW | \
+ sudo ${pkgs.openconnect}/bin/openconnect --background \
+ --passwd-on-stdin -u $OPENCONNECT_USER $OPENCONNECT_SERVER
+ if [[ $? -ne 0 ]]; then
+ echo "******************************************************"
+ echo "ERROR: Cannot start VPN connection."
+ else
+ sleep 1
+ echo "******************************************************"
+ echo "My DNSs are:"
+ grep "nameserver" /etc/resolv.conf
+ echo "******************************************************"
+ echo "VPN is up and running!"
+ fi
+ ;;
+ down)
+ echo "******************************************************"
+ echo "Stopping the VPN and removing all routes"
+ sudo kill -2 `pgrep openconnect`
+ echo "VPN stopped!"
+ ;;
+ status)
+ echo "*******************STATUS*****************************"
+ echo "Connected as $OPENCONNECT_USER to $OPENCONNECT_SERVER"
+ echo "******************************************************"
+ echo "Pid of openconnect are:"
+ pgrep -l openconnect
+ echo "******************************************************"
+ echo "My DNSs are:"
+ grep "nameserver" /etc/resolv.conf
+ ;;
+ esac
+
+ '';
+in {
+ options.custom.security.openconnect = with types; {
+ enable = mkBoolOpt false "Whether or not to install openconnect and add script.";
+ };
+
+ config = mkIf cfg.enable {
+ # sops.secrets = lib.mkIf config.${namespace}.security.sops.enable {
+ # openconnect_pw = {
+ # sopsFile = lib.snowfall.fs.get-file "secrets/${config.${namespace}.user.name}/default.yaml";
+ # };
+ # };
+ home.packages = with pkgs; [
+ openconnect
+ vpnScript
+ ];
+ };
+}
diff --git a/nix/modules/nixos/system/nix/default.nix b/nix/modules/nixos/system/nix/default.nix
index 394db4f..b522606 100644
--- a/nix/modules/nixos/system/nix/default.nix
+++ b/nix/modules/nixos/system/nix/default.nix
@@ -22,11 +22,12 @@ in { config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ cachix
+ deploy-rs
 gcc nil
- nixfmt-rfc-style
 nix-index nix-prefetch-git
+ nixfmt-rfc-style
 nvd ];
diff --git a/nix/secrets/sab/default.yaml b/nix/secrets/sab/default.yaml
index a1ccd10..2ea8d07 100644
--- a/nix/secrets/sab/default.yaml
+++ b/nix/secrets/sab/default.yaml
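Review bot: The two `case "$1"` blocks in `vpnScript` disagree on the command name: the first accepts `start|down|status` and flags anything else, while the second dispatches on `up|down|status`, so `myvpn up` prints `ERROR: Invalid command <up>` and then connects anyway because `RESULT=2` is never acted on, and `myvpn start` passes validation and silently does nothing. Dropping the first `case` and ending the `*)` branch of the second with `echo "ERROR: Invalid command <$1>"; exit 2` fixes both, and the usage line `echo "Usage: myvpn "` should name the accepted commands again. The credential handling needs the same care: `$OPENCONNECT_PW`, `$OPENCONNECT_USER` and `$OPENCONNECT_SERVER` are expanded unquoted and nothing checks that they are set, so an empty environment sends an empty password and a bare `-u` to `sudo openconnect`; quote them and guard them at the top (`: "$${OPENCONNECT_PW:?OPENCONNECT_PW is not set}"` or the `''${` form, since this lives inside a Nix `''` string). With the sops block still commented out, the password is expected to arrive through the shell environment, which every child process of that shell inherits, so a comment on `config` stating where these variables are meant to come from until the secret wiring lands would help the next reader.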
@@ -1,7 +1,7 @@ example_key: ENC[AES256_GCM,data:db4wLhDMLwk7qrMdX24=,iv:tL8H78oNaQibOxiEBZpvVVJs58sgtApWrBdvyAEbMXs=,tag:u9/CJLZH5JvLVbXp1W5l2g==,type:str] nz_sab_ssh_key: ENC[AES256_GCM,data:avcGPKW3n3vI5KGYJB1jxuxMpA236L4UyXWl9JYlA4Y2cMAvqiyx4aWXKADEJIWwOvKZ5xR/kHB81MX3q2eK/pS39Y7u51QLR6VqBmCSUKfNKeakDwqANQsGza6axyJtSIqQKGVhWXw4uQjlz56KWjMM6BMaGDxfX5nb0AQBB0vVPoDwTQPuFv5IRv+hcls0vkjNrEFjSHLDjtXyHnOYxSFxuz2euLJhwe8BuSZjH8dHWd25TYnLFmC9ADt+QGjFEg2xAYUe47WS0wqVEOw5u19/X2Lep0tzyC/KOPVV4mfpnrL2XfHZMJmkqKVHFemksmGhOA6BE7tqOsazODxXjHenP/WsTBiMCCt33XFRsy8czUZx2awSkupNUQJMcXCxF8Ma93MEmWjtC+PbhwgUH46LCYr4TDjICtaDEmhPBGb+TJXVlKE7rbcjdUSJlp7ssV3n9VHt2470zVdczier1NScQWZ1QMmLOCAlieZOd+CRLYjbbVhWo6SMomavnsfCLowB46ddt16l/QgOHjWc04TpmVh/HSvF1lo=,iv:Ld8A1kf+K6hlOSawnjSw4yrYvKRB7X+nYh40Gmk4u9A=,tag:wBVb0axy58EU+RkdgqNj+Q==,type:str] atuin_key: ENC[AES256_GCM,data:tG7Nj9virYKiPuCnRotex2o/gW6Z0MhOPaSQ6bpehjOr40S4fmUMEjkhlb7K0D/kTO1Ktm5PgkIMnfcYgoHPVg==,iv:pNvTMM2U421tyjrZqAL7uPtGddeALPWhSYlI+XibtGs=,tag:+jFmITYcfP6SJ8ClFy5xhg==,type:str] -env_credentials: ENC[AES256_GCM,data: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,iv:RWX+WKF7gkdG0dLp0+GCNSSGVyKxz6YNpAAfDzUq/o8=,tag:EVcrEb0dyz5nloG1rfftbA==,type:str] +env_credentials: ENC[AES256_GCM,data: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,iv:AhwRAXFzVHAiko398jJnGDCi8vUs4f4f/mWQVFNy6Cg=,tag:YZMONNKxLXl/5qmrDxcjhw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -35,8 +35,8 @@ sops: VUlMZGpNMGZjdzl3Nmd5dnJ4eUhRem8KCIJxtTUFgSaw/gHQuN15ffwCIJl4osCP 4qv2XZ2qhBBhXJtqmzEecMVKE/qeCU0x2Jl2TwaSZdnjwJ9b40Q7tw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-02T10:50:35Z" - mac: ENC[AES256_GCM,data:3E+kRD3JwNaz5NKGRU/Z+jLMc+6vGplzvRBEO7y/dF6wke8Tg0+049aQj+WMg50wwBW8yG+VlaBAJ2aEfLz4w6lo/EDGaA3q3nFyOTMs1M9x/WltSbBEFCZMhAVWkq1aGH760PNUqEIPHQ33byYDFHrDuSmDhRxGCnAaSDPIhdk=,iv:oz3nuXunu6uwMl8VKjL50NViQ47pLMHblVDrfhSvBcU=,tag:My7PloK0IrEvE0Mhy2ilog==,type:str] + lastmodified: "2024-11-20T09:16:01Z" + mac: ENC[AES256_GCM,data:n4nfSyeKf/yOY+QawRtP3jNfvn3Q0WBdvdvwgmxiKJYX2kNHcku+W5g6Q7G0SqMfuTyqN57/rL2amedZ097edlPD8sKncFGOK/UKaCFgbvuClodsZRwFOm+nDrHQd8tPmpz69Y3FwMAALvpCohpCpQtBfn8NvF/2XgfePXNwFmk=,iv:nq8l3MtmTGhbAX5tvXQ6bGzVwPRs8Dv8uB6T5+N9Dgc=,tag:HMet1hHyYIjUp5vqcbOMZg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1