diff --git a/.sops.yaml b/.sops.yaml
index 4013ff1..3987c52 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -22,4 +22,16 @@ creation_rules:
 - age:
 - *adminkey
 - *STU_ID
+
+ - path_regex: secrets/hosts/StuPC/.*$
+ key_groups:
+ - age:
+ - *adminkey
+ - *STUPC_WSL_NIXOS
+
+ - path_regex: secrets/hosts/Go3/.*$
+ key_groups:
+ - age:
+ - *adminkey
+ - *GO3_WSL_NIXOS
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 50b674b..246ae90 100644
--- a/flake.nix
+++ b/flake.nix
@@ -112,13 +112,13 @@
 # Available through 'nixos-rebuild --flake .#your-hostname'
 nixosConfigurations = {
 Go3 = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs outputs; };
+ specialArgs = { inherit inputs outputs lib;hostName = "Go3"; };
 modules = [
 ./hosts/Go3
 ];
 };
 StuPC = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs outputs; };
+ specialArgs = { inherit inputs outputs lib; hostName = "StuPC";};
 modules = [
 ./hosts/StuPC
 ];
diff --git a/hosts/StuPC/default.nix b/hosts/StuPC/default.nix
index 9cde4db..d3724ce 100644
--- a/hosts/StuPC/default.nix
+++ b/hosts/StuPC/default.nix
@@ -10,7 +10,7 @@
 # system.stateVersion = "22.11";
 nixpkgs.hostPlatform.system = "x86_64-linux";
 networking.hostName = "StuPC";
-
+ custom.mullvad.enable = true;
 wsl = {
 enable = true;
 wslConf.automount.root = "/mnt";
diff --git a/modules/nixos/vpn/default.nix b/modules/nixos/vpn/default.nix
new file mode 100644
index 0000000..92b81d5
--- /dev/null
+++ b/modules/nixos/vpn/default.nix
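Review bot: Both new rules use an unanchored `path_regex` (`secrets/hosts/StuPC/.*$`) and depend on rule order: sops applies the first creation_rule that matches, so if an earlier rule in this file already matches `secrets/...` these host-specific rules are never selected; anchoring with `^secrets/hosts/StuPC/.*$` and placing host-specific rules before any catch-all avoids that. The aliases `*STUPC_WSL_NIXOS` and `*GO3_WSL_NIXOS` must be defined under `keys:`, which is outside the hunk. A rule change alone does not re-encrypt files already in the repository; `sops updatekeys` is what applies the new recipient set. The file also loses its trailing newline in this commit.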
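Review bot: The two new `specialArgs` lines are formatted inconsistently (`lib;hostName = "Go3"; }` versus `lib; hostName = "StuPC";}`); pick one form, e.g. `specialArgs = { inherit inputs outputs lib; hostName = "Go3"; };`. Passing `hostName` as a literal duplicates the `networking.hostName = "StuPC";` set in hosts/StuPC/default.nix, and a module that builds a secrets path from this argument will silently look in the wrong directory if the two ever diverge; consider having the module read `config.networking.hostName` instead, or deriving `networking.hostName` from this argument. `lib` must be bound in the flake's outputs scope, which is not visible in this hunk. The enclosing `nixosConfigurations` attribute set starts and ends outside the hunk.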
@@ -0,0 +1,72 @@
+{ lib, pkgs, config, hostName,... }:
+with lib;
+
+let
+cfg = config.custom.mullvad;
+secretstore = config._secretstore;
+
+in {
+
+ #define option to enable this
+ options.custom.mullvad.enable = mkEnableOption "Enable SSH";
+
+ config = mkIf cfg.enable {
+ networking.wireguard.enable = true;
+ services.mullvad-vpn.enable = true;
+
+ sops.secrets.device_json = {
+ sopsFile = "${secretstore}/hosts/${hostName}/mullvad/device.json";
+ format = "binary";
+ };
+
+ environment.etc."mullvad-vpn/device.conf".source = config.sops.secrets.device_json.path;
+
+ # set some options after every daemon start
+ # to avoid accidentally leaving unsafe settings
+ systemd.services."mullvad-daemon" = {
+ postStart = ''
+ while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
+ ${pkgs.mullvad}/bin/mullvad lan set allow #enable local lan access
+ ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
+ ${pkgs.mullvad}/bin/mullvad relay set location ca mtr
+ '';
+ };
+
+
+
+};
+}
+ # secrets = hm_secrets "${secretstore}/user_dotfiles/${username}@${hostName}/keybase/" "${config.xdg.configHome}/keybase/";
+#
+
+# { config, pkgs, ... }:
+
+# {
+# age.secrets.mullvad.file = ../secrets/mullvad.age;
+
+# networking.wireguard.enable = true;
+
+# services.mullvad-vpn.enable = true;
+
+# # set some options after every daemon start
+# # to avoid accidentally leaving unsafe settings
+# systemd.services."mullvad-daemon" = {
+# serviceConfig.LoadCredential =
+# [ "account:${config.age.secrets.mullvad.path}" ];
+# postStart = ''
+# while ! 
${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
+# account="$(<"$CREDENTIALS_DIRECTORY/account")"
+# current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
+# if [[ "$current_account" != "$account" ]]; then
+# ${pkgs.mullvad}/bin/mullvad account login "$account"
+# fi
+# ${pkgs.mullvad}/bin/mullvad always-require-vpn set on
+# ${pkgs.mullvad}/bin/mullvad dns set default \
+# --block-ads --block-trackers --block-malware
+# ${pkgs.mullvad}/bin/mullvad lan set allow
+# ${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
+# ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
+# ${pkgs.mullvad}/bin/mullvad relay set location de dus
+# '';
+# };
+# }
\ No newline at end of file
diff --git a/secrets/hosts/StuPC/mullvad/device.json b/secrets/hosts/StuPC/mullvad/device.json
new file mode 100644
index 0000000..7e0be3e
--- /dev/null
+++ b/secrets/hosts/StuPC/mullvad/device.json
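Review bot: The comment `# to avoid accidentally leaving unsafe settings` above `postStart` no longer describes what runs: relative to the commented-out previous version below it, `always-require-vpn set on` and the DNS blocking line were dropped, so only LAN access, tunnel protocol and relay location are pinned and, unless lockdown is configured elsewhere, nothing blocks traffic while the tunnel is down. Either restore `${pkgs.mullvad}/bin/mullvad always-require-vpn set on` in the script or reword the comment to say only that protocol and location are enforced. `mkEnableOption "Enable SSH"` is a copy-paste leftover (mkEnableOption already prefixes "Whether to enable"), so it should read `mkEnableOption "the Mullvad VPN client"`. The roughly 35 commented-out lines after the closing `}`, including the unrelated `# secrets = hm_secrets …` keybase line, are dead code that belongs in git history rather than the module. `config._secretstore` is presumably declared in another module; it is not visible here.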
@@ -0,0 +1,24 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:4EqQI6qOvscIa5OabnXiWgbGu9SuUNysmdY0d1QfGm0=,tag:c6zXEEjxsZur08RKbYOLwg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1jvqe2j70h97844nkz34z9k4epx3uahx50cx75ss8mty2dnxlrf7qqv9a0g",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUGVLUnRhS2ZrN1JBQi9k\nZmlYaHg1dEtrSEdYUlk2TTRWdmg1SG0wVlU4CjdoWnEzNjhHVEFzMEhFSnpoR09Y\nWkZVb1hDVnZsU040TmJmczY4ZnFuYncKLS0tIC9yY1lES1I4SmFTUWJFQlQ1Mmxv\nUURlRWZDellNWUl3c0xYWFZ6Rit1aFEKDM5uLYI6EZBRhZ9dz0zyknOMQnFR+mPD\n+RUpP9b8mWOPr723RIwCIvVtp4I1KRzpT6WApuVi6QztTWugPFHg6Q==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1e0g0rrfdmp5f8f4xgkyp8zgxw2v5t3ldlm2t822xekdz0z6qj49q6aesuw",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRlZwUDAyOEU1SkFxdDYv\nT0hDSTlQNnduZ0FwVzE5MWdqRkhWYUEwSjJvCk1FeFZ2TldZTG1aWmk3b2VkQTRa\nS2xLRmkzWDNBZVpxWlkzSG4zdHFNR1kKLS0tIDZ6NVZoZlVWQUJaTVZVSGE5SjMr\nSHZEamtHMFFFTDVwY3l0K3E4NkdpRDQKDmM9JERDT+aHUAp/Yj0109uZHyHkK3Ns\nLBZae7em9Yp8bbCRBWY27XHroiGqm5ee+iOI5BrtlUGEFQyvfKK6Fg==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-03-02T17:44:32Z",
+ "mac": "ENC[AES256_GCM,data:pMcfTaMlvFE4p7z9tDc2/QCFGDtHAZN5L/WHoB5MydPj8NbgLijAdqHfsWwv+iOHmo0mIYd6zciUM6xLCHbyU0661ET0N3M92z5XrYVcNdKWlin8bVmq5ZdXCl7RDycLfd8bOVbF42jxSnsTyZpNYUOvB6ec8I0NSoUIanCTVTA=,iv:jCRHZsvo0Hp99DEShNbUT6y1uJIG7LfeRh+y9ZlQpqQ=,tag:U/1yuPlZ4mn8zIZvIwEBdQ==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
index 22e0f44..e007e50 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,10 +1,27 @@
-# Shell for bootstrapping flake-enabled nix and home-manager
-# You can enter it through 'nix develop' or (legacy) 'nix-shell'
+{ pkgs ? import {} }:
-{ pkgs ? (import ./nixpkgs.nix) { } }: {
- default = pkgs.mkShell {
- # Enable experimental features without having to specify the argument
- NIX_CONFIG = "experimental-features = nix-command flakes";
- nativeBuildInputs = with pkgs; [ nix home-manager git ssh-to-age sops age ];
- };
+with pkgs;
+let nixBin =
+ writeShellScriptBin "nix" ''
+ ${nixFlakes}/bin/nix --option experimental-features "nix-command flakes" "$@"
+ '';
+in mkShell {
+ buildInputs = [
+ nix home-manager git ssh-to-age sops age
+ ];
+ shellHook = ''
+ export FLAKE="$(pwd)"
+ export PATH="$FLAKE/bin:${nixBin}/bin:$PATH"
+ '';
 }
+
+
+
+
+# { pkgs ? (import ./nixpkgs.nix) { } }: {
+# default = pkgs.mkShell {
+# # Enable experimental features without having to specify the argument
+# NIX_CONFIG = "experimental-features = nix-command flakes";
+# nativeBuildInputs = with pkgs; [ nix home-manager git ssh-to-age sops age ];
+# };
+# }
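Review bot: `{ pkgs ? import {} }:` on the first added line cannot evaluate as written, since `import` expects a path; this is presumably `import <nixpkgs> {}` with the angle-bracketed path lost in rendering, but if the file really reads `import {}` the shell fails before anything else runs. Even with `<nixpkgs>` restored, the removed `(import ./nixpkgs.nix) { }` pinned the nixpkgs revision, whereas `<nixpkgs>` resolves to whatever `NIX_PATH` points to on the machine, so tool versions in the bootstrap shell are no longer reproducible. `nixFlakes` is a legacy alias in nixpkgs; the wrapper could call the `nix` already listed in `buildInputs`, or `nixVersions.stable`. The two header comment lines explaining what the shell is for were deleted and the previous implementation was appended as commented-out lines after the closing `}`; keep the explanatory comment and drop the dead block.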