fix

2025-12-06 06:01:51 +00:00 · 2023-03-03 00:56:28 +00:00
parent 74794db1f3
commit c982805de4
6 changed files with 136 additions and 11 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -23,3 +23,15 @@ creation_rules:
      - *adminkey
      - *STU_ID
  
+  - path_regex: secrets/hosts/StuPC/.*$
+    key_groups:
+    - age:
+      - *adminkey
+      - *STUPC_WSL_NIXOS
+  
+  - path_regex: secrets/hosts/Go3/.*$
+    key_groups:
+    - age:
+      - *adminkey
+      - *GO3_WSL_NIXOS
+  
--- a/flake.nix
+++ b/flake.nix
@@ -112,13 +112,13 @@
      # Available through 'nixos-rebuild --flake .#your-hostname'
      nixosConfigurations = {
        Go3 = nixpkgs.lib.nixosSystem {
-          specialArgs = { inherit inputs outputs; };
+          specialArgs = { inherit  inputs outputs lib;hostName = "Go3"; };
          modules = [
            ./hosts/Go3
          ];
        };
        StuPC = nixpkgs.lib.nixosSystem {
-          specialArgs = { inherit inputs outputs; };
+          specialArgs = { inherit  inputs outputs lib; hostName = "StuPC";};
          modules = [
            ./hosts/StuPC
          ];
--- a/hosts/StuPC/default.nix
+++ b/hosts/StuPC/default.nix
@@ -10,7 +10,7 @@
  # system.stateVersion = "22.11";
  nixpkgs.hostPlatform.system = "x86_64-linux";
  networking.hostName = "StuPC";
-
+  custom.mullvad.enable = true;
  wsl = {
    enable = true;
    wslConf.automount.root = "/mnt";
--- a/modules/nixos/vpn/default.nix
+++ b/modules/nixos/vpn/default.nix
@@ -0,0 +1,72 @@
+{ lib, pkgs, config, hostName,... }:
+with lib;
+
+let 
+cfg = config.custom.mullvad;
+secretstore = config._secretstore;
+
+in {
+
+  #define option to enable this 
+  options.custom.mullvad.enable = mkEnableOption "Enable SSH";
+
+  config = mkIf cfg.enable {
+  networking.wireguard.enable = true;
+  services.mullvad-vpn.enable = true;
+
+ sops.secrets.device_json = {
+    sopsFile = "${secretstore}/hosts/${hostName}/mullvad/device.json";
+    format = "binary";
+  };  
+  
+  environment.etc."mullvad-vpn/device.conf".source = config.sops.secrets.device_json.path;
+
+  # set some options after every daemon start
+  # to avoid accidentally leaving unsafe settings
+  systemd.services."mullvad-daemon" = {
+    postStart = ''
+      while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
+      ${pkgs.mullvad}/bin/mullvad lan set allow   #enable local lan access
+      ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
+      ${pkgs.mullvad}/bin/mullvad relay set location ca mtr
+    '';
+  };
+
+
+
+};
+}
+    #    secrets = hm_secrets "${secretstore}/user_dotfiles/${username}@${hostName}/keybase/" "${config.xdg.configHome}/keybase/";
+# 
+
+# { config, pkgs, ... }:
+
+# {
+#   age.secrets.mullvad.file = ../secrets/mullvad.age;
+
+#   networking.wireguard.enable = true;
+
+#   services.mullvad-vpn.enable = true;
+
+#   # set some options after every daemon start
+#   # to avoid accidentally leaving unsafe settings
+#   systemd.services."mullvad-daemon" = {
+#     serviceConfig.LoadCredential =
+#       [ "account:${config.age.secrets.mullvad.path}" ];
+#     postStart = ''
+#       while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
+#       account="$(<"$CREDENTIALS_DIRECTORY/account")"
+#       current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
+#       if [[ "$current_account" != "$account" ]]; then
+#         ${pkgs.mullvad}/bin/mullvad account login "$account"
+#       fi
+#       ${pkgs.mullvad}/bin/mullvad always-require-vpn set on
+#       ${pkgs.mullvad}/bin/mullvad dns set default \
+#         --block-ads --block-trackers --block-malware
+#       ${pkgs.mullvad}/bin/mullvad lan set allow
+#       ${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
+#       ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
+#       ${pkgs.mullvad}/bin/mullvad relay set location de dus
+#     '';
+#   };
+# }
--- a/secrets/hosts/StuPC/mullvad/device.json
+++ b/secrets/hosts/StuPC/mullvad/device.json
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:CX99EX2ffpGIMQRGM1FDmrU32f49Vu13uhPHrm0SckNsK03EunFbcRphJJOIt5KCPkheK990msrNXdxUqBwDAqg5wwbRA06qS+1Rl7K+8bP5W30AIqSrjBKWIAV05wONTbUO4LTAXuUDsS488xDQiucBxP0xmeQlgFfpYXJXABGt7PWBkLM375eINzeScqBFLTu1TQY8/dbDOrDLJBiBayKt+04BffEYjfcdv7GjVZu/QYZZXC4mfjmOjXK6X/F7wmuRE+KneAldLXn61w/1dIBvrZwcJwOA2zOTExeOBb7agYw0eY0s+/t8cEM+GsfNoePI7MjwYW74QMVeM+BQI9+AoDtUHM7UhaH2dorZvblphHFYGYkMhgGnTrh7Fsuhfs1/b5CleKWU9gWMos3AUZB5Ta/MWgT4/O84nM9FUPqjxQ5WLON3kJoNcWLxUKQqE169cbYdAOSM+DXxmwGvP5Bg8k17HtwHtqCInxxwNUoKXh6KsmO5x7t+av9A/MwignGzIyxGJWqe8Mu6/cf8VkXZ+REbmm+UPUqpF3CdfoYNOF8z6uru+ufNa1Jso5+fFTry8KtN/A+YqwqrDYNYBLFMItpJL0yd/Lx9Qx5d7md4zuhb0nJIj4DwuryCkDmZ6lfP8HcWjmZdMcNigcjNoYHfOsNAF54l/Cfi8Asf8ipVaBQ76Ral/vtfamE/dpnphC8S2UtRjaczMF5+gwTfyVU=,iv:4EqQI6qOvscIa5OabnXiWgbGu9SuUNysmdY0d1QfGm0=,tag:c6zXEEjxsZur08RKbYOLwg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1jvqe2j70h97844nkz34z9k4epx3uahx50cx75ss8mty2dnxlrf7qqv9a0g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUGVLUnRhS2ZrN1JBQi9k\nZmlYaHg1dEtrSEdYUlk2TTRWdmg1SG0wVlU4CjdoWnEzNjhHVEFzMEhFSnpoR09Y\nWkZVb1hDVnZsU040TmJmczY4ZnFuYncKLS0tIC9yY1lES1I4SmFTUWJFQlQ1Mmxv\nUURlRWZDellNWUl3c0xYWFZ6Rit1aFEKDM5uLYI6EZBRhZ9dz0zyknOMQnFR+mPD\n+RUpP9b8mWOPr723RIwCIvVtp4I1KRzpT6WApuVi6QztTWugPFHg6Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1e0g0rrfdmp5f8f4xgkyp8zgxw2v5t3ldlm2t822xekdz0z6qj49q6aesuw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRlZwUDAyOEU1SkFxdDYv\nT0hDSTlQNnduZ0FwVzE5MWdqRkhWYUEwSjJvCk1FeFZ2TldZTG1aWmk3b2VkQTRa\nS2xLRmkzWDNBZVpxWlkzSG4zdHFNR1kKLS0tIDZ6NVZoZlVWQUJaTVZVSGE5SjMr\nSHZEamtHMFFFTDVwY3l0K3E4NkdpRDQKDmM9JERDT+aHUAp/Yj0109uZHyHkK3Ns\nLBZae7em9Yp8bbCRBWY27XHroiGqm5ee+iOI5BrtlUGEFQyvfKK6Fg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-03-02T17:44:32Z",
+		"mac": "ENC[AES256_GCM,data:pMcfTaMlvFE4p7z9tDc2/QCFGDtHAZN5L/WHoB5MydPj8NbgLijAdqHfsWwv+iOHmo0mIYd6zciUM6xLCHbyU0661ET0N3M92z5XrYVcNdKWlin8bVmq5ZdXCl7RDycLfd8bOVbF42jxSnsTyZpNYUOvB6ec8I0NSoUIanCTVTA=,iv:jCRHZsvo0Hp99DEShNbUT6y1uJIG7LfeRh+y9ZlQpqQ=,tag:U/1yuPlZ4mn8zIZvIwEBdQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
--- a/shell.nix
+++ b/shell.nix
@@ -1,10 +1,27 @@
-# Shell for bootstrapping flake-enabled nix and home-manager
-# You can enter it through 'nix develop' or (legacy) 'nix-shell'
+{ pkgs ? import <nixpkgs> {} }:

-{ pkgs ? (import ./nixpkgs.nix) { } }: {
-  default = pkgs.mkShell {
-    # Enable experimental features without having to specify the argument
-    NIX_CONFIG = "experimental-features = nix-command flakes";
-    nativeBuildInputs = with pkgs; [ nix home-manager git   ssh-to-age    sops  age ];
-  };
+with pkgs;
+let nixBin =
+      writeShellScriptBin "nix" ''
+        ${nixFlakes}/bin/nix --option experimental-features "nix-command flakes" "$@"
+      '';
+in mkShell {
+  buildInputs = [
+    nix home-manager git   ssh-to-age    sops  age
+  ];
+  shellHook = ''
+    export FLAKE="$(pwd)"
+    export PATH="$FLAKE/bin:${nixBin}/bin:$PATH"
+  '';
 }
+
+
+
+
+# { pkgs ? (import ./nixpkgs.nix) { } }: {
+#   default = pkgs.mkShell {
+#     # Enable experimental features without having to specify the argument
+#     NIX_CONFIG = "experimental-features = nix-command flakes";
+#     nativeBuildInputs = with pkgs; [ nix home-manager git   ssh-to-age    sops  age ];
+#   };
+# }