UGent VPN

flake.lock

@@ -22,11 +22,11 @@
     },
     "emacs-overlay": {
       "locked": {
-        "lastModified": 1624127230,
-        "narHash": "sha256-0Wg07rR5u4F/02/mJU+CjwyYryBHB/zMOz7ArEnMlt8=",
+        "lastModified": 1624266581,
+        "narHash": "sha256-HuZxnFRh9czYa++g5g33R4PBIpLBE3nxav/ja+rJoRM=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "e9ced9b4f2e49488a97b20dc43fafea7284715a7",
+        "rev": "80c0348b6ccff2fa2e1898d57780a6815feb5d12",
         "type": "github"
       },
       "original": {
@@ -58,11 +58,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1623967045,
-        "narHash": "sha256-D8tZULncqU2Drn4vmG1vgMdhnZ5ONV5aEuHIxaA/kyE=",
+        "lastModified": 1624214437,
+        "narHash": "sha256-BtB6k1mQXG/P8MUlNVcuboQqlxlks2H6i5vj2pbGa3Y=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2f6d5c90f4497dc3cfc043c0fd1b77272ebaeeaa",
+        "rev": "cd11c02c286a996ff55010146baecae4c413634f",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1624034845,
-        "narHash": "sha256-FG7TpcrgswilnjCUqv7aWpA9QyJVpd/7PvgzNUlxINc=",
+        "lastModified": 1624252303,
+        "narHash": "sha256-ObacANYG/IvQLfcVzNEAmIX1zCw4UVbtiFycUMvDmgo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4b4f4bf2845c6e2cc21cd30f2e297908c67d8611",
+        "rev": "7c2d15627a3012c5e5af1d1664a53599687cf1d1",
         "type": "github"
       },
       "original": {

machines/kharbranth/default.nix

@@ -19,6 +19,7 @@
     eid.enable = true;
     git.email = "charlotte.vanpetegem@ugent.be";
     sshd.enable = true;
+    vpn.ugent.enable = true;
     zfs = {
       enable = true;
       encrypted = true;

machines/kholinar/default.nix

@@ -35,6 +35,7 @@
     git.email = "charlotte@vanpetegem.me";
     minecraft.client = true;
     sshd.enable = true;
+    vpn.ugent.enable = true;
     zeroad.enable = true;
     zfs = {
       enable = true;

modules/default.nix

@@ -21,6 +21,7 @@
     ./teeworlds.nix
     ./tetris.nix
     ./tmux.nix
+    ./vpn.nix
     ./zeroad.nix
     ./zfs.nix
     ./zotero.nix

modules/vpn.nix

@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./vpn/secret.nix
+  ];
+
+  options = {
+    chvp.vpn.ugent.enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf config.chvp.vpn.ugent.enable {
+    systemd.services = {
+      ugent-global-vpn.after = [ "network.target" ];
+      ugent-local-vpn.after = [ "network.target" ];
+    };
+    security.polkit.extraConfig = ''
+        polkit.addRule(function(action, subject) {
+            if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "ugent-global-vpn.service") {
+                return polkit.Result.YES;
+            }
+            if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "ugent-local-vpn.service") {
+                return polkit.Result.YES;
+            }
+        });
+    '';
+    age.secrets."passwords/ugent-vpn".file = ../secrets/passwords/ugent-vpn.age;
+  };
+}

secrets.nix

@@ -26,6 +26,7 @@ in
   "secrets/authorized_keys/root.age".publicKeys = hosts ++ users;
 
   "secrets/passwords/ugent-mount-credentials.age".publicKeys = [ kholinar ] ++ users;
+  "secrets/passwords/ugent-vpn.age".publicKeys = [ kholinar ] ++ users;
 
   "secrets/passwords/services/accentor.age".publicKeys = [ urithiru ] ++ users;