Finish modularising config

There are still some things I want to change, but at least there aren't two systems now.

modules/ugent/citrix.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+{
+  options.chvp.ugent.citrix.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.ugent.citrix.enable {
+    chvp = {
+      nix.unfreePackages = [ "citrix-workspace" ];
+      zfs.homeLinks = [
+        { path = ".ICAClient"; type = "data"; }
+      ];
+    };
+    home-manager.users.charlotte = { pkgs, ... }: {
+      home.packages = with pkgs; [ citrix_workspace ];
+    };
+  };
+}

modules/ugent/default.nix

@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+{
+  imports = [
+    ./vpn.nix
+    ./citrix.nix
+    ./mounts.nix
+    ./teams.nix
+  ];
+
+  options.chvp.ugent.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.ugent.enable {
+    chvp.ugent = {
+      citrix.enable = lib.mkDefault true;
+      vpn.enable = lib.mkDefault true;
+      mounts.enable = lib.mkDefault true;
+      teams.enable = lib.mkDefault true;
+    };
+  };
+}

modules/ugent/mounts.nix

@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+let
+  automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+in
+{
+  options.chvp.ugent.mounts.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.ugent.mounts.enable {
+    fileSystems = {
+      "/mnt/ugent/files" = {
+        device = "//files.ugent.be/ecvpeteg";
+        fsType = "cifs";
+        options = [ "credentials=/run/secrets/passwords/ugent-mount-credentials,${automount_opts},users,vers=3.0,noperm,domain=UGENT,sec=ntlmv2i" ];
+        noCheck = true;
+      };
+      "/mnt/ugent/webhost" = {
+        device = "//webhost.ugent.be/ecvpeteg";
+        fsType = "cifs";
+        options = [ "credentials=/run/secrets/passwords/ugent-mount-credentials,${automount_opts},users,vers=3.0" ];
+        noCheck = true;
+      };
+    };
+
+    age.secrets."passwords/ugent-mount-credentials".file = ../../secrets/passwords/ugent-mount-credentials.age;
+
+    environment.systemPackages = [ pkgs.keyutils ];
+    # Remove this once https://github.com/NixOS/nixpkgs/issues/34638 is resolved
+    # The TL;DR is: the kernel calls out to the hard-coded path of
+    # /sbin/request-key as part of its CIFS auth process, which of course does
+    # not exist on NixOS due to the usage of Nix store paths.
+    system.activationScripts.symlink-requestkey = ''
+      if [ ! -d /sbin ]; then
+        mkdir /sbin
+      fi
+      ln -sfn /run/current-system/sw/bin/request-key /sbin/request-key
+    '';
+    # request-key expects a configuration file under /etc
+    environment.etc."request-key.conf" = {
+      text =
+        let
+          upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
+          keyctl = "${pkgs.keyutils}/bin/keyctl";
+        in
+        ''
+          #OP     TYPE          DESCRIPTION  CALLOUT_INFO  PROGRAM
+          # -t is required for DFS share servers...
+          create  cifs.spnego   *            *             ${upcall} -t %k
+          create  dns_resolver  *            *             ${upcall} %k
+          # Everything below this point is essentially the default configuration,
+          # modified minimally to work under NixOS. Notably, it provides debug
+          # logging.
+          create  user          debug:*      negate        ${keyctl} negate %k 30 %S
+          create  user          debug:*      rejected      ${keyctl} reject %k 30 %c %S
+          create  user          debug:*      expired       ${keyctl} reject %k 30 %c %S
+          create  user          debug:*      revoked       ${keyctl} reject %k 30 %c %S
+          create  user          debug:loop:* *             |${pkgs.coreutils}/bin/cat
+          create  user          debug:*      *             ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
+          negate  *             *            *             ${keyctl} negate %k 30 %S
+        '';
+    };
+  };
+}

modules/ugent/teams.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.ugent.teams.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.ugent.teams.enable {
+    chvp = {
+      nix.unfreePackages = [ "teams" ];
+      zfs.homeLinks = [
+        { path = ".config/Microsoft"; type = "data"; }
+      ];
+    };
+
+    home-manager.users.charlotte = { pkgs, ... }: {
+      home.packages = with pkgs; [ teams ];
+    };
+  };
+}

modules/ugent/vpn.nix

@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./vpn.secret.nix
+  ];
+
+  options = {
+    chvp.ugent.vpn.enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf config.chvp.ugent.vpn.enable {
+    systemd.services = {
+      ugent-global-vpn = {
+        after = [ "network.target" ];
+        conflicts = [ "ugent-local-vpn.service" ];
+      };
+      ugent-local-vpn = {
+        after = [ "network.target" ];
+        conflicts = [ "ugent-global-vpn.service" ];
+      };
+    };
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+          if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "ugent-global-vpn.service") {
+              return polkit.Result.YES;
+          }
+          if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "ugent-local-vpn.service") {
+              return polkit.Result.YES;
+          }
+      });
+    '';
+    age.secrets."passwords/ugent-vpn".file = ../../secrets/passwords/ugent-vpn.age;
+  };
+}