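# NixOS/home-manager configuration for user "jal": Tradebyte VPN wrapper with a
# route allow-list, AWS SSO account profiles, group membership and a scoped
# NOPASSWD sudo rule for the VPN wrapper.
{ config, lib, pkgs, ... }:

let
  userName = "jal";

  # Allow-list of prefixes the VPN may route.  The server-pushed split-include
  # list is not trusted: the vpnc-script wrapper below installs a pushed route
  # only when it matches one of these entries verbatim (same address and same
  # prefix length), so a narrower or broader pushed prefix is ignored even when
  # it lies inside an allowed one.
  vpn_routes = [
    "10.18.0.0/16"      # OEE VPC
    "10.64.64.0/20"     # CPS
    "10.158.128.0/23"   # approval
    "10.158.224.0/20"   # core production
    "10.158.240.0/20"   # core development
    #"10.96.0.0/24"     # CCS infrastructure
    #"10.96.8.0/24"     # Boomi
    #"10.96.10.0/24"    # Boomi (new)
    "10.96.0.0/16"
    "10.170.254.30/32"  # core DNS resolver
  ];

  # Wrapper around the stock vpnc-script: it filters server-pushed routes
  # against vpn_routes and drops server-pushed DNS settings.
  vpnc-script = pkgs.writeShellScript "vpnc-script-tb" ''
    # Remember how many split-include routes the server pushed, then hand the
    # stock script a count of zero so it installs none of them itself.  The
    # variable is kept set (rather than unset) -- presumably so the stock
    # script does not fall back to a default route through the tunnel; confirm
    # against the vpnc-script in use.
    cisco_split_inc="$CISCO_SPLIT_INC"
    export CISCO_SPLIT_INC=0
    # Drop the pushed resolver list so the stock script leaves DNS untouched.
    unset INTERNAL_IP4_DNS

    # route_in_whitelist ADDR/MASKLEN
    # Returns 0 when the prefix appears verbatim in vpn_routes, 1 otherwise.
    route_in_whitelist() {
      for route in ${builtins.toString vpn_routes}; do
        [ "$1" = "$route" ] && return 0
      done
      return 1
    }

    # routes add|remove
    # Walks the pushed CISCO_SPLIT_INC_<i>_{ADDR,MASK,MASKLEN} entries and
    # adds or deletes only the allow-listed ones on $TUNDEV.
    routes() {
      for i in $(seq 0 $((cisco_split_inc-1))); do
        addr_var="CISCO_SPLIT_INC_''${i}_ADDR"
        mask_var="CISCO_SPLIT_INC_''${i}_MASK"
        masklen_var="CISCO_SPLIT_INC_''${i}_MASKLEN"
        addr="''${!addr_var}"
        mask="''${!mask_var}"
        masklen="''${!masklen_var}"
        if route_in_whitelist "$addr/$masklen"; then
          case "$1" in
            add)
              if [ -n "$NETGW" ]; then
                ip route add "$addr/$masklen" metric 100 dev "$TUNDEV" via "$NETGW"
              else
                ip route add "$addr/$masklen" metric 100 dev "$TUNDEV"
              fi
              ;;
            remove)
              ip route del "$addr/$masklen" dev "$TUNDEV"
              ;;
          esac
          echo "allowing route '$addr/$masklen'"
        else
          echo "ignoring route '$addr/$masklen'"
        fi
      done
    }

    # Delegate to the stock script for everything, adding the filtered routes
    # after connect and removing them before disconnect.
    case "$reason" in
      pre-init|reconnect|attempt-reconnect)
        "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
        ;;
      connect)
        "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
        routes add
        ;;
      disconnect)
        routes remove
        "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
        ;;
      *)
        echo "reason '$reason' is not implemented" >&2
        exit 1
        ;;
    esac
  '';

  # Connects to the Tradebyte VPN.  Re-executes itself through sudo (matched by
  # the NOPASSWD rule in security.sudo.extraRules below), fetches the password
  # from the invoking user's pass(1) store and feeds it to openconnect on stdin
  # so it never appears on a command line.  Positional arguments are forwarded
  # through the re-exec but not otherwise used.
  tradebyte-vpn = pkgs.writeShellScriptBin "tradebyte-vpn" ''
    [ "$UID" -ne 0 ] && exec sudo -- "$0" "$@"

    # pass must run as the invoking user (their gpg agent holds the key).
    # Fail with a clear message when not started through sudo instead of
    # calling sudo -u with an empty user name.
    target_user="''${SUDO_USER:?tradebyte-vpn must be started via sudo from the user whose pass store holds the entry}"

    # Look the password up before starting openconnect so a failed or locked
    # pass store aborts here rather than attempting an authentication with an
    # empty password.
    passwd="$(/run/wrappers/bin/sudo -u "$target_user" ${pkgs.pass}/bin/pass show zalando)" || exit 1

    # printf is a shell builtin, so the secret does not show up in any
    # process command line.
    printf '%s\n' "$passwd" | openconnect \
      --protocol=pulse \
      -u jlechner \
      --passwd-on-stdin \
      -i pulse \
      --pfs \
      --disable-ipv6 \
      --script=${vpnc-script} \
      https://remote.tradebyte.org | grep -v '^> '
  '';

  # SSO settings shared by every AWS account profile below.
  aws_defaults = {
    sso = {
      start_url = "https://d-9967250383.awsapps.com/start";
      region = "eu-central-1";
      role_name = "AdministratorAccess";
    };
    region = "eu-central-1";
  };

  # Builds one jalr.aws.accounts entry for the given account id from
  # aws_defaults; every profile differs only in its account id.
  mkAccount = sso_account_id: {
    inherit sso_account_id;
    sso_start_url = aws_defaults.sso.start_url;
    sso_region = aws_defaults.sso.region;
    sso_role_name = aws_defaults.sso.role_name;
    region = aws_defaults.region;
  };
in
{
  imports = [ ./default.nix ];

  jalr = {
    git = {
      user = {
        name = "Jakob Lechner";
        email = "jal@tradebyte.biz";
      };
      signByDefault = false;
    };
    gpg.defaultKey = "FE170812543DF81393EA56BA5042B8317A10617E";
    aws = {
      enable = true;
      # NOTE(review): account ids are Nix integers; an id with a leading zero
      # would have to be written as a string -- confirm the type jalr.aws expects.
      accounts = {
        ops_testing = mkAccount 134848648016;
        core-production = mkAccount 455520445575;
        tbmeta-production = mkAccount 696695470425;
        abnahme = mkAccount 837645089494;
        core-develop = mkAccount 934000686307;
        infrastructure = mkAccount 994756397773;
        tbmeta-development = mkAccount 730951147261;
      };
    };
  };

  users.users.${userName} = {
    isNormalUser = true;
    extraGroups = [
      "dialout"
      "podman"
      "libvirtd"
      "lp"
      "networkmanager"
      "scanner"
      "video"
      "wheel"      # Enable ‘sudo’ for the user.
      "wireshark"  # packet capture without root (when programs.wireshark is enabled)
    ];
    shell = pkgs.fish;
  };

  home-manager = {
    useUserPackages = true;
    useGlobalPkgs = true;
    users.${userName} = { lib, pkgs, ... }: {
      imports = [ ../modules ];
      config = {
        home.stateVersion = config.system.stateVersion;
        home.packages = with pkgs; [
          mycli
          timetrap
          tradebyte-vpn  # the let-bound wrapper above, not a pkgs attribute

          # common
          asciinema
          bat
          docker-compose
          envsubst
          exa
          gnupg
          nmap
          psutils
          pwgen
          tig
          vlc
          xdg_utils
        ];
      };
    };
  };

  # Passwordless sudo is scoped to the immutable store path of the VPN wrapper
  # (which re-execs itself through sudo).  No argument pattern is given, so any
  # arguments are accepted; the wrapper does not act on them.
  # NOTE(review): sudo matches this exact path; if the wrapper is launched via
  # a profile symlink, $0 may differ and sudo falls back to the wheel rule with
  # a password prompt -- confirm.
  security.sudo.extraRules = [{
    users = [ userName ];
    commands = [
      {
        command = "${tradebyte-vpn}/bin/tradebyte-vpn";
        options = [ "NOPASSWD" ];
      }
    ];
  }];
}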