Add openfortivpn.nix with sops secrets.

2025-10-02 10:50:29 +02:00
parent 96afcd2c67
commit ba557d70d3
11 changed files with 181 additions and 80 deletions
--- a/modules/optionnals/desktop/config/etc/xdg/hypr/hyprpaper.conf
+++ b/modules/optionnals/desktop/config/etc/xdg/hypr/hyprpaper.conf
@@ -0,0 +1,2 @@
+preload = ~/Downloads/wallpaper.jpeg
+wallpaper = , ~/Downloads/wallpaper.jpeg
--- a/modules/optionnals/desktop/kitty.nix
+++ b/modules/optionnals/desktop/kitty.nix
@@ -21,7 +21,7 @@
    starship.enable = true;
    bash = {
      promptInit = ''
-        [[ "$TERM" == "xterm-kitty" ]] && export TERM="xterm" 
+        [[ "$TERM" == "xterm-kitty" ]] && export TERM="xterm-256color" 

        [[ -f ${pkgs.nitch}/bin/nitch ]] && nitch

--- a/modules/optionnals/hosts/home-nix.nix
+++ b/modules/optionnals/hosts/home-nix.nix
@@ -1,13 +1,15 @@
 {
+  pkgs,
  ...
 }:
 {
  imports = [
-    ../sops-desktop.nix
-    ../sudo-nopasswd.nix
    ../autologin.nix
+    ../openfortivpn.nix
+    ../sops-desktop.nix
    ../ssh.nix
-
+    ../sudo-nopasswd.nix
+    
    ### Import GUI modules
    ../desktop/dunst.nix
    ../desktop/kitty.nix
@@ -21,4 +23,36 @@
    ### Import Graphics modules
    ../desktop/nvidia.nix
  ];
+
+    networking = {
+    interfaces.enp5s0 = {
+      ipv4.addresses = [
+        {
+          address = "192.168.0.2";
+          prefixLength = 24;
+        }
+      ];
+    };
+    defaultGateway = {
+      address = "192.168.0.254";
+      interface = "enp5s0";
+    };
+    nameservers = [
+      #"9.9.9.9"
+      "2001:41d0:303:20da::1"
+      "217.182.138.218"
+    ];
+    extraHosts = ''
+      172.18.21.172   errorpages.grandbesancon.fr
+      #172.18.23.4    dozzle.grandbesancon.fr
+      #172.18.22.206  toto.grandbesancon.fr
+      #172.18.229.3   sso.grandbesancon.fr
+      #172.18.20.37   sso.grandbesancon.fr
+      #172.18.20.229  auth.grandbesancon.fr
+      #172.18.20.181  traefikauth.grandbesancon.fr
+    '';
+  };
+  environment.systemPackages = [
+    pkgs.tor-browser
+  ];
 }
--- a/modules/optionnals/openfortivpn.nix
+++ b/modules/optionnals/openfortivpn.nix
@@ -0,0 +1,100 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  openfortivpn-addroute = pkgs.writeShellScript "openfortivpn-addroute.sh" ''
+
+    sleep 2
+    ${pkgs.iproute2}/bin/ip route add 172.16.0.0/12 dev ppp0
+    ${pkgs.iproute2}/bin/ip route del default
+    ${pkgs.iproute2}/bin/ip route add default via 192.168.0.254
+    ${pkgs.coreutils-full}/bin/cat << EOF > /etc/resolv.conf
+    search ville.besancon
+    nameserver 172.18.96.1
+    nameserver 172.18.96.2
+    EOF
+  '';
+  openfortivpn-delroute = pkgs.writeShellScript "openfortivpn-delroute.sh" ''
+
+    sleep 2
+    ${pkgs.coreutils-full}/bin/cat << EOF > /etc/resolv.conf
+    nameserver 10.0.0.1
+    nameserver 2001:41d0:303:20da::1
+    nameserver 217.182.138.218
+    nameserver 9.9.9.9
+    EOF
+  '';
+
+  myMount = description: what: where: {
+    inherit description what where;
+    type = "cifs";
+    options = "credentials=/etc/openfortivpn/smb-secrets,uid=beastie,gid=users";
+  };
+  myAutoMount = description: where: {
+    inherit description where;
+    requires = [ "network-online.target" ];
+    after = [ "network-online.service" ];
+    wantedBy = [ "multi-user.target" ];
+    automountConfig = {
+      TimeoutIdleSec = 30;
+    };
+  };
+in
+{
+  sops = {
+    secrets = {
+      "ldap_GBM/username" = { };
+      "ldap_GBM/password" = { };
+      "openfortivpn/host" = { };
+      "openfortivpn/port" = { };
+    };
+    templates."openfortivpn.conf" = {
+      content = ''
+        host = ${config.sops.placeholder."openfortivpn/host"}
+        port = ${config.sops.placeholder."openfortivpn/port"}
+        username = ${config.sops.placeholder."ldap_GBM/username"}
+        password = ${config.sops.placeholder."ldap_GBM/password"}
+      '';
+      mode = "0600";
+      owner = "root";
+    };
+  };
+  environment.systemPackages = [
+    pkgs.openfortivpn
+    pkgs.cifs-utils
+  ];
+  systemd.services."openfortivpn" = {
+    enable = true;
+    #wantedBy = lib.mkForce [ ];
+    unitConfig = {
+      Description = "OpenFortiVPN";
+      After = "network-online.target";
+      Wants = "network-online.target systemd-networkd-wait-online.service";
+      Documentation = [
+        "man:openfortivpn(1) https://github.com/adrienverge/openfortivpn#readme https://github.com/adrienverge/openfortivpn/wiki"
+      ];
+    };
+    serviceConfig = {
+      Type = "notify";
+      PrivateTmp = "true";
+      ExecStart = "${pkgs.openfortivpn}/bin/openfortivpn --no-dns -c ${config.sops.templates."openfortivpn.conf".path}";
+      ExecStartPost = "${openfortivpn-addroute}";
+      ExecStopPost = "${openfortivpn-delroute}";
+      Restart = "on-failure";
+      #OOMScoreAdjust = "-100";
+    };
+  };
+
+  systemd.mounts = [
+    (myMount "GBM Perso" "//vf-mc2-sfic06.ville.besancon/usr_s$/SALVIJER/Mes Documents"
+      "/gbmshares/perso"
+    )
+    (myMount "GBM Services" "//vf-mc2-sfic06.ville.besancon/08TIC" "/gbmshares/services")
+  ];
+  systemd.automounts = [
+    (myAutoMount "GBM Perso automount" "/gbmshares/perso")
+    (myAutoMount "GBM Services automount" "/gbmshares/services")
+  ];
+}