jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos-configuration/home-manager/users/jal.nix
Jakob Lechner ba7f7f099c
Add secondary DNS server
2023-11-08 23:48:39 +00:00

224 lines
6.1 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, lib, pkgs, ... }:
let
userName = "jal";
vpn_routes = [
"10.18.0.0/16" # OEE VPC
"10.64.0.0/16" # CPS
"10.158.128.0/23" # approval
"10.158.224.0/20" # core production
"10.158.240.0/20" # core development
#"10.96.0.0/24" # CCS infrastructure
#"10.96.8.0/24" # Boomi
#"10.96.10.0/24" # Boomi (new)
"10.96.0.0/16"
"10.170.254.30/32" "10.170.254.40/32" # core DNS resolver
];
vpnc-script = pkgs.writeShellScript "vpnc-script-tb" ''
cisco_split_inc="$CISCO_SPLIT_INC"
export CISCO_SPLIT_INC=0
echo "DNS server sent by vpn: $INTERNAL_IP4_DNS"
unset INTERNAL_IP4_DNS
route_in_whitelist() {
for route in ${builtins.toString vpn_routes}; do
[ "$1" = "$route" ] && return 0
done
return 1
}
routes() {
for i in $(seq 0 $((cisco_split_inc-1))); do
addr_var="CISCO_SPLIT_INC_''${i}_ADDR"
mask_var="CISCO_SPLIT_INC_''${i}_MASK"
masklen_var="CISCO_SPLIT_INC_''${i}_MASKLEN"
addr="''${!addr_var}"
mask="''${!mask_var}"
masklen="''${!masklen_var}"
if route_in_whitelist "$addr/$masklen"; then
case "$1" in
add)
if [ -n "$NETGW" ]; then
ip route add "$addr/$masklen" metric 100 dev "$TUNDEV" via "$NETGW"
else
ip route add "$addr/$masklen" metric 100 dev "$TUNDEV"
fi
;;
remove)
ip route del "$addr/$masklen" dev "$TUNDEV"
;;
esac
echo "allowing route '$addr/$masklen'"
else
echo "ignoring route '$addr/$masklen'"
fi
done
}
case "$reason" in
pre-init|reconnect|attempt-reconnect)
"${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
;;
connect)
"${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
routes add
;;
disconnect)
routes remove
"${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
;;
*)
echo "reason '$reason' is not implemented" >&2
exit 1
;;
esac
'';
tradebyte-vpn = pkgs.writeShellScriptBin "tradebyte-vpn" ''
[ $UID -ne 0 ] && exec sudo -- "$0" "$@"
/run/wrappers/bin/sudo -u "$SUDO_USER" ${pkgs.pass}/bin/pass show zalando | openconnect \
--protocol=pulse \
-u jlechner \
--passwd-on-stdin \
-i pulse \
--pfs \
--disable-ipv6 \
--script=${vpnc-script} \
https://remote.tradebyte.org | grep -v '^> '
'';
aws_defaults = {
sso = {
start_url = "https://d-9967250383.awsapps.com/start";
region = "eu-central-1";
role_name = "AdministratorAccess";
};
region = "eu-central-1";
};
in
{
imports = [
./default.nix
];
jalr = {
git = {
user = {
name = "Jakob Lechner";
email = "jal@tradebyte.biz";
};
signByDefault = false;
};
gpg.defaultKey = "FE170812543DF81393EA56BA5042B8317A10617E";
aws = {
enable = true;
accounts = {
ops_testing = {
sso_account_id = 134848648016;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
core-production = {
sso_account_id = 455520445575;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
tbmeta-production = {
sso_account_id = 696695470425;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
abnahme = {
sso_account_id = 837645089494;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
core-develop = {
sso_account_id = 934000686307;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
infrastructure = {
sso_account_id = 994756397773;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
tbmeta-development = {
sso_account_id = 730951147261;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
};
};
};
users.users.${userName} = {
isNormalUser = true;
extraGroups = [
"dialout"
"podman"
"libvirtd"
"lp"
"networkmanager"
"scanner"
"video"
"wheel"
"wireshark"
]; # Enable sudo for the user.
shell = pkgs.fish;
};
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
users.${userName} = { lib, pkgs, ... }: {
imports = [ ../modules ];
config = {
home.stateVersion = config.system.stateVersion;
home.packages = with pkgs; [
mycli
timetrap
tradebyte-vpn
# common
asciinema
bat
docker-compose
envsubst
exa
gnupg
nmap
psutils
pwgen
tig
vlc
xdg_utils
];
};
};
};
security.sudo.extraRules = [{
users = [ userName ];
commands = [
{
command = "${tradebyte-vpn}/bin/tradebyte-vpn";
options = [ "NOPASSWD" ];
}
];
}];
}
Reference in a new issue View git blame Copy permalink