Add openfortivpn.nix with sops secrets.

2025-10-02 10:50:29 +02:00
parent 96afcd2c67
commit ba557d70d3
11 changed files with 181 additions and 80 deletions

flake.lock generated

@@ -23,11 +23,11 @@
"mysecrets": { "mysecrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1758835276, "lastModified": 1759394888,
"narHash": "sha256-RlfV0236hc1olvLMUDmd6uBOYGqr+77pF+UjGzELPA8=", "narHash": "sha256-FwmvYoAcBtsKW4dGVeD+/zHKov3cIYfyWO1Fwqv3HwQ=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "38102377bbb3ecc2de852446ad03a6e4e98aba0b", "rev": "e5ceedd0e56ae0272875765da13dccabf8747764",
"revCount": 7, "revCount": 10,
"type": "git", "type": "git",
"url": "file:///home/beastie/nixos/secrets" "url": "file:///home/beastie/nixos/secrets"
}, },


@@ -11,10 +11,9 @@
imports = builtins.trace "${inputs.mysecrets}" [ imports = builtins.trace "${inputs.mysecrets}" [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
./network.nix
./disk-config.nix ./disk-config.nix
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/core ../../modules/core
../../modules/optionnals/hosts/${hostname}.nix ../../modules/optionnals/hosts/${hostname}.nix
]; ];
} }


@@ -1,29 +0,0 @@
{
hostname,
...
}:
{
networking = {
hostName = "${hostname}";
interfaces.enp5s0 = {
ipv4.addresses = [
{
address = "192.168.0.2";
prefixLength = 24;
}
];
};
defaultGateway = {
address = "192.168.0.254";
interface = "enp5s0";
};
nameservers = [
"9.9.9.9"
"2001:41d0:303:20da::1"
"217.182.138.218"
];
networkmanager.enable = true;
firewall.enable = true;
};
}


@@ -1,29 +0,0 @@
{
hostname,
...
}:
{
networking = {
hostName = "${hostname}";
interfaces.enp1s0 = {
ipv4.addresses = [
{
address = "192.168.122.100";
prefixLength = 24;
}
];
};
defaultGateway = {
address = "192.168.122.1";
interface = "enp1s0";
};
nameservers = [
"9.9.9.9"
"2001:41d0:303:20da::1"
"217.182.138.218"
];
networkmanager.enable = true;
firewall.enable = true;
};
}


@@ -7,9 +7,10 @@
... ...
}: }:
{ {
system.stateVersion = "25.11";
imports = builtins.trace "${inputs.mysecrets}" [ imports = builtins.trace "${inputs.mysecrets}" [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
./network.nix
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/core ../../modules/core
../../modules/optionnals/hosts/${hostname}.nix ../../modules/optionnals/hosts/${hostname}.nix


@@ -1,11 +0,0 @@
{
hostname,
...
}:
{
networking = {
hostName = "${hostname}";
networkmanager.enable = true;
firewall.enable = true;
};
}


@@ -0,0 +1,34 @@
{
pkgs,
username,
hostname,
modulesPath,
inputs,
...
}:
{
boot.kernelPackages = pkgs.linuxPackages_latest;
time.timeZone = "Europe/Paris";
nix = {
settings = {
## Enable flakes
experimental-features = [
"nix-command"
"flakes"
];
## Users trusted to use flake command
trusted-users = [
"root"
"${username}"
];
};
};
networking = {
hostName = "${hostname}";
networkmanager.enable = true;
firewall.enable = true;
};
}
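Review bot: The `trusted-users` list in `nix.settings` adds `${username}` next to `root`, and a Nix trusted user can hand the daemon arbitrary substituters and unsigned store paths, which is effectively root-equivalent; in a module named core that should be a deliberate, documented choice rather than a default every host inherits. A comment above the list such as `## NOTE: trusted-users is root-equivalent (unsigned paths, arbitrary substituters); restrict to admin accounts` would record the decision. Separately, `hostName = "${hostname}";` can be written as `hostName = hostname;`, since interpolating a single string into a string literal adds nothing.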


@@ -0,0 +1,2 @@
preload = ~/Downloads/wallpaper.jpeg
wallpaper = , ~/Downloads/wallpaper.jpeg


@@ -21,7 +21,7 @@
starship.enable = true; starship.enable = true;
bash = { bash = {
promptInit = '' promptInit = ''
[[ "$TERM" == "xterm-kitty" ]] && export TERM="xterm" [[ "$TERM" == "xterm-kitty" ]] && export TERM="xterm-256color"
[[ -f ${pkgs.nitch}/bin/nitch ]] && nitch [[ -f ${pkgs.nitch}/bin/nitch ]] && nitch


@@ -1,13 +1,15 @@
{ {
pkgs,
... ...
}: }:
{ {
imports = [ imports = [
../sops-desktop.nix
../sudo-nopasswd.nix
../autologin.nix ../autologin.nix
../openfortivpn.nix
../sops-desktop.nix
../ssh.nix ../ssh.nix
../sudo-nopasswd.nix
### Import GUI modules ### Import GUI modules
../desktop/dunst.nix ../desktop/dunst.nix
../desktop/kitty.nix ../desktop/kitty.nix
@@ -21,4 +23,36 @@
### Import Graphics modules ### Import Graphics modules
../desktop/nvidia.nix ../desktop/nvidia.nix
]; ];
networking = {
interfaces.enp5s0 = {
ipv4.addresses = [
{
address = "192.168.0.2";
prefixLength = 24;
}
];
};
defaultGateway = {
address = "192.168.0.254";
interface = "enp5s0";
};
nameservers = [
#"9.9.9.9"
"2001:41d0:303:20da::1"
"217.182.138.218"
];
extraHosts = ''
172.18.21.172 errorpages.grandbesancon.fr
#172.18.23.4 dozzle.grandbesancon.fr
#172.18.22.206 toto.grandbesancon.fr
#172.18.229.3 sso.grandbesancon.fr
#172.18.20.37 sso.grandbesancon.fr
#172.18.20.229 auth.grandbesancon.fr
#172.18.20.181 traefikauth.grandbesancon.fr
'';
};
environment.systemPackages = [
pkgs.tor-browser
];
} }
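Review bot: The static `interfaces.enp5s0` and `defaultGateway` block added after `imports` coexists with `networkmanager.enable = true` set in the core module, and on NixOS the scripted address units and NetworkManager may then both try to configure the same interface; if a fully static setup is intended, consider listing the interface under `networking.networkmanager.unmanaged`, otherwise drop the declarative addresses and let NetworkManager own it — worth confirming on the host. The `#"9.9.9.9"` nameserver and the six commented-out `extraHosts` entries are dead configuration with no explanation of why they are retained; either remove them or add a one-line comment above `extraHosts` stating that they are alternative endpoints toggled by hand. The `../openfortivpn.nix` import enabled in the first hunk hard-codes the same gateway `192.168.0.254` that `defaultGateway.address` declares here, so a change to one must be mirrored in the other.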


@@ -0,0 +1,100 @@
{
config,
pkgs,
...
}:
let
openfortivpn-addroute = pkgs.writeShellScript "openfortivpn-addroute.sh" ''
sleep 2
${pkgs.iproute2}/bin/ip route add 172.16.0.0/12 dev ppp0
${pkgs.iproute2}/bin/ip route del default
${pkgs.iproute2}/bin/ip route add default via 192.168.0.254
${pkgs.coreutils-full}/bin/cat << EOF > /etc/resolv.conf
search ville.besancon
nameserver 172.18.96.1
nameserver 172.18.96.2
EOF
'';
openfortivpn-delroute = pkgs.writeShellScript "openfortivpn-delroute.sh" ''
sleep 2
${pkgs.coreutils-full}/bin/cat << EOF > /etc/resolv.conf
nameserver 10.0.0.1
nameserver 2001:41d0:303:20da::1
nameserver 217.182.138.218
nameserver 9.9.9.9
EOF
'';
myMount = description: what: where: {
inherit description what where;
type = "cifs";
options = "credentials=/etc/openfortivpn/smb-secrets,uid=beastie,gid=users";
};
myAutoMount = description: where: {
inherit description where;
requires = [ "network-online.target" ];
after = [ "network-online.service" ];
wantedBy = [ "multi-user.target" ];
automountConfig = {
TimeoutIdleSec = 30;
};
};
in
{
sops = {
secrets = {
"ldap_GBM/username" = { };
"ldap_GBM/password" = { };
"openfortivpn/host" = { };
"openfortivpn/port" = { };
};
templates."openfortivpn.conf" = {
content = ''
host = ${config.sops.placeholder."openfortivpn/host"}
port = ${config.sops.placeholder."openfortivpn/port"}
username = ${config.sops.placeholder."ldap_GBM/username"}
password = ${config.sops.placeholder."ldap_GBM/password"}
'';
mode = "0600";
owner = "root";
};
};
environment.systemPackages = [
pkgs.openfortivpn
pkgs.cifs-utils
];
systemd.services."openfortivpn" = {
enable = true;
#wantedBy = lib.mkForce [ ];
unitConfig = {
Description = "OpenFortiVPN";
After = "network-online.target";
Wants = "network-online.target systemd-networkd-wait-online.service";
Documentation = [
"man:openfortivpn(1) https://github.com/adrienverge/openfortivpn#readme https://github.com/adrienverge/openfortivpn/wiki"
];
};
serviceConfig = {
Type = "notify";
PrivateTmp = "true";
ExecStart = "${pkgs.openfortivpn}/bin/openfortivpn --no-dns -c ${config.sops.templates."openfortivpn.conf".path}";
ExecStartPost = "${openfortivpn-addroute}";
ExecStopPost = "${openfortivpn-delroute}";
Restart = "on-failure";
#OOMScoreAdjust = "-100";
};
};
systemd.mounts = [
(myMount "GBM Perso" "//vf-mc2-sfic06.ville.besancon/usr_s$/SALVIJER/Mes Documents"
"/gbmshares/perso"
)
(myMount "GBM Services" "//vf-mc2-sfic06.ville.besancon/08TIC" "/gbmshares/services")
];
systemd.automounts = [
(myAutoMount "GBM Perso automount" "/gbmshares/perso")
(myAutoMount "GBM Services automount" "/gbmshares/services")
];
}
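Review bot: In `myAutoMount`, `after = [ "network-online.service" ];` names a unit that does not exist — the `requires` line directly above uses `network-online.target`, so this should read `after = [ "network-online.target" ];` (systemd ignores ordering against unknown units, so the mistake is silent). The `openfortivpn-addroute` and `openfortivpn-delroute` scripts overwrite `/etc/resolv.conf` with `cat`, bypassing NixOS resolver management, and the restore list (`10.0.0.1` first) does not match the `nameservers` declared for the host, so a VPN session leaves the system with a different resolver set than it booted with; a comment such as `## Overwrites /etc/resolv.conf directly; keep in sync with networking.nameservers` would at least record that, and keeping `--no-dns` while letting the module own the resolver setting would be the cleaner fix. The default route `192.168.0.254`, the `ppp0` name and the `sleep 2` waits are hard-coded in a module other hosts can import, and the `#wantedBy = lib.mkForce [ ];` comment refers to `lib`, which is not among this file's arguments, so it cannot simply be uncommented. Also the CIFS `credentials=/etc/openfortivpn/smb-secrets` file is not provisioned here — unlike the VPN settings it is not a sops secret — so the mounts depend on a file created out of band, which deserves a comment above `myMount`.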