From 1cb0e4bdc794679d394b85d3e1bea59383c21125 Mon Sep 17 00:00:00 2001 From: Charlotte Van Petegem Date: Mon, 21 Jun 2021 16:03:42 +0200 Subject: [PATCH] UGent VPN --- flake.lock | 18 +++++++++--------- machines/kharbranth/default.nix | 1 + machines/kholinar/default.nix | 1 + modules/default.nix | 1 + modules/vpn.nix | 32 ++++++++++++++++++++++++++++++++ modules/vpn/secret.nix | Bin 0 -> 537 bytes secrets.nix | 1 + secrets/passwords/ugent-vpn.age | Bin 0 -> 899 bytes 8 files changed, 45 insertions(+), 9 deletions(-) create mode 100644 modules/vpn.nix create mode 100644 modules/vpn/secret.nix create mode 100644 secrets/passwords/ugent-vpn.age diff --git a/flake.lock b/flake.lock index dbd5b946..289260b0 100644 --- a/flake.lock +++ b/flake.lock @@ -22,11 +22,11 @@ }, "emacs-overlay": { "locked": { - "lastModified": 1624127230, - "narHash": "sha256-0Wg07rR5u4F/02/mJU+CjwyYryBHB/zMOz7ArEnMlt8=", + "lastModified": 1624266581, + "narHash": "sha256-HuZxnFRh9czYa++g5g33R4PBIpLBE3nxav/ja+rJoRM=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "e9ced9b4f2e49488a97b20dc43fafea7284715a7", + "rev": "80c0348b6ccff2fa2e1898d57780a6815feb5d12", "type": "github" }, "original": { @@ -58,11 +58,11 @@ ] }, "locked": { - "lastModified": 1623967045, - "narHash": "sha256-D8tZULncqU2Drn4vmG1vgMdhnZ5ONV5aEuHIxaA/kyE=", + "lastModified": 1624214437, + "narHash": "sha256-BtB6k1mQXG/P8MUlNVcuboQqlxlks2H6i5vj2pbGa3Y=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f6d5c90f4497dc3cfc043c0fd1b77272ebaeeaa", + "rev": "cd11c02c286a996ff55010146baecae4c413634f", "type": "github" }, "original": { 
@@ -74,11 +74,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1624034845, - "narHash": "sha256-FG7TpcrgswilnjCUqv7aWpA9QyJVpd/7PvgzNUlxINc=", + "lastModified": 1624252303, + "narHash": "sha256-ObacANYG/IvQLfcVzNEAmIX1zCw4UVbtiFycUMvDmgo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4b4f4bf2845c6e2cc21cd30f2e297908c67d8611", + "rev": "7c2d15627a3012c5e5af1d1664a53599687cf1d1", "type": "github" }, "original": { diff --git a/machines/kharbranth/default.nix b/machines/kharbranth/default.nix index 101cb252..dfe154ee 100644 --- a/machines/kharbranth/default.nix +++ b/machines/kharbranth/default.nix @@ -19,6 +19,7 @@ eid.enable = true; git.email = "charlotte.vanpetegem@ugent.be"; sshd.enable = true; + vpn.ugent.enable = true; zfs = { enable = true; encrypted = true; diff --git a/machines/kholinar/default.nix b/machines/kholinar/default.nix index 4c8a2a6e..201a43be 100644 --- a/machines/kholinar/default.nix +++ b/machines/kholinar/default.nix @@ -35,6 +35,7 @@ git.email = "charlotte@vanpetegem.me"; minecraft.client = true; sshd.enable = true; + vpn.ugent.enable = true; zeroad.enable = true; zfs = { enable = true; diff --git a/modules/default.nix b/modules/default.nix index 447e47a7..9efc27f4 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -21,6 +21,7 @@ ./teeworlds.nix ./tetris.nix ./tmux.nix + ./vpn.nix ./zeroad.nix ./zfs.nix ./zotero.nix diff --git a/modules/vpn.nix b/modules/vpn.nix new file mode 100644 index 00000000..18482f4a --- /dev/null +++ b/modules/vpn.nix 
@@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ./vpn/secret.nix + ]; + + options = { + chvp.vpn.ugent.enable = lib.mkOption { + default = false; + example = true; + }; + }; + + config = lib.mkIf config.chvp.vpn.ugent.enable { + systemd.services = { + ugent-global-vpn.after = [ "network.target" ]; + ugent-local-vpn.after = [ "network.target" ]; + }; + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "ugent-global-vpn.service") { + return polkit.Result.YES; + } + if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "ugent-local-vpn.service") { + return polkit.Result.YES; + } + }); + ''; + age.secrets."passwords/ugent-vpn".file = ../secrets/passwords/ugent-vpn.age; + }; +} diff --git a/modules/vpn/secret.nix b/modules/vpn/secret.nix new file mode 100644 index 0000000000000000000000000000000000000000..58d67171e0b119ad358408856c7afd92583e4967 GIT binary patch literal 537 zcmZQ@_Y83kiVO&0SQf_P6d0ej+x?^0_K(?R=l87qZpcxVa@ytBEtmY$dNAK~w(ri|eM$-KF~8=mT#{XIe`Ro* zUFEkH@dGDJPIDd8D7(3iZASZ)pd8b9vk%iZ-Z8FCYWw!C+IlX##@ULngul<;c8Giw z_&@LQmtCt0O-+vGEj3zpO5@p&by2dfDzZJ-uVQ%LV(k~;(=<~@y=|Y=N+bN273 zx9AVNbSMz5)ydA$k^GVM<7Gyp-?bhD{ zLCa@%Tw;apo37p&`_6EN$%BvKo>Gx|Eqbg$42qkiRabv`y7+hM`Q5uFCT_@cRS$dd zlC4&=F?N~H+M9A7ESu~X7*sdv{MvP%JNHSPwz$L=WASHor%YL*r^el%Q@&94d_d~y z_Zhc-yvQv|TlhMtW96$af?^S~rXF9jqO^?f^4-IKHAA)M2Pnpg6;0Pj4BK`d0Ael( A&j0`b literal 0 HcmV?d00001 diff --git a/secrets.nix b/secrets.nix index 8373e6d4..79893fcd 100644 --- a/secrets.nix +++ b/secrets.nix @@ -26,6 +26,7 @@ in "secrets/authorized_keys/root.age".publicKeys = hosts ++ users; "secrets/passwords/ugent-mount-credentials.age".publicKeys = [ kholinar ] ++ users; + "secrets/passwords/ugent-vpn.age".publicKeys = [ kholinar ] ++ users; "secrets/passwords/services/accentor.age".publicKeys = [ urithiru ] ++ users; 
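Review bot: The polkit rule in `security.polkit.extraConfig` of `modules/vpn.nix` returns `polkit.Result.YES` without ever inspecting `subject`, so any account on the machine, including non-interactive service users and remote sessions, can start, stop or restart `ugent-global-vpn.service` and `ugent-local-vpn.service` without authentication. Both conditions should also bind the caller, for example by appending `&& subject.local && subject.active && subject.isInGroup("wheel")` (substitute whichever group or `subject.user` is meant to control the VPN). If only some operations are intended, `action.lookup("verb")` can narrow the grant further. The units themselves appear to be defined in `modules/vpn/secret.nix`, which is an opaque binary blob in this patch, so what they execute and which user they run as could not be reviewed here.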
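Review bot: In `secrets.nix`, `secrets/passwords/ugent-vpn.age` is encrypted only to `[ kholinar ] ++ users`, yet this commit also sets `vpn.ugent.enable = true` in `machines/kharbranth/default.nix`, and `modules/vpn.nix` declares `age.secrets."passwords/ugent-vpn"` whenever that option is on. Unless kharbranth decrypts with one of the `users` identities, decryption of the secret would presumably fail there at activation. If kharbranth is meant to use the VPN, add its host key to the recipient list, e.g. `[ kharbranth kholinar ] ++ users` (assuming a `kharbranth` binding exists in the `let` block outside this hunk), and rekey the file. Otherwise drop the option from that machine so the recipient set stays minimal.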
diff --git a/secrets/passwords/ugent-vpn.age b/secrets/passwords/ugent-vpn.age new file mode 100644 index 0000000000000000000000000000000000000000..0e20f14aeb192da5bf1c851b5c1e9b9312303338 GIT binary patch literal 899 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn3{A20OII)~Fe?xB zEby;%at?7y3=c6iH*s?{@ixfvs!Z`U^K?uz4=pax4mZfi%jb%ya&yc#NH!=;HViQF z4D!h=FLNsoE;p+xFtCU;OLvbnuQDp}s7&`sNk+G=*s>_eB3;2Pzr4^e&%8XxGA}R0 zE25~#(I~{xL*Lgp(8$%o)1W9gBP*{sveZf6$djv}DlFf~qddRV(#WE?Aj+%4+b^%o zNjogpC$cm-FDW%V$i<~pKgT!7&k^0W%ET0tut0@UW6xxlhynv|$KtZW z9FK|u@8Z(D%rvtcgDB^$5@%!goKP;KWb@R55dF%EitO;b5dAbKM^ndC%R-Netl*%0 zqjb+)cMtRQ5J!XbWM7bNTEV)y=|!oD#i;Z~ zei^BiDG{dTm6aLUT&~vE8yD)|Pm0goIMMS}Yu%a9zRNpe^;ZV`u&G%cTYb7`v2JYW z)ZI;v{$&@f^`?3}H`uzUZjHZ};C{>1I`i+{*{iT^@xr-moHrV;zS1vRn&c{QcG39| zmFTPN&yK%eHP0t{&A!Dfd)7>P7%RKs>+>?Jp6uD-ySh1ZPfVZjEnC7fVq$xQ@%p!( z1-rI7M`}r%Uf6u+W9r(JVyj)n44=4pWL~=+w(0!Vk#wx;^HQD8$j?4njE$OolU!ZT zrFHh4`tET(M)uF~Kkxot(hstj(EQ!(($#y}3NPgzck}klJ|^ZrzvjTLizixaDi)d^ zt?{eO-SN;N{)bobag8|wejnx>;j6ZG&(7T|{AE(+`kSH)R_UKUCC8Ri%eJdXfNNz# zw2+Tx?G2Z5+F9N_(fFCE_CrJdswLT- zOA5pDCq#ZPI)2xvM5KDx4@L)8?kLmR5*LftOSb+ulAbB~aYgKR9T9f!&A&Ho_!)WB zPyE%r+iTqJJduAXo?$T8N1^68e~7s7)J-nTiwt;})DkQv{bOADYRkV13+=7`+}_T- QJn*=Z_AXBoBk_w40G~o@Jpcdz literal 0 HcmV?d00001