
{ config, lib, pkgs, ... }:
let
# Login name this file configures; keys users.users and home-manager.users below.
userName = "jal";
# Allow-list of split-include routes the VPN may install.  vpnc-script below
# adds a server-pushed route only when it matches one of these CIDRs exactly
# (string comparison, no subnet containment); everything else the gateway
# pushes is logged and ignored.
vpn_routes = [
"10.18.0.0/16" # OEE VPC
"10.64.64.0/20" # CPS
"10.158.128.0/23" # approval
"10.158.224.0/20" # core production
"10.158.240.0/20" # core development
#"10.96.0.0/24" # CCS infrastructure
#"10.96.8.0/24" # Boomi
#"10.96.10.0/24" # Boomi (new)
"10.96.0.0/16" # NOTE(review): unlabelled; presumably replaces the three commented-out /24s above — confirm
"10.170.254.30/32" # core DNS resolver
];
vpnc-script = pkgs.writeShellScript "vpnc-script-tb" ''
# Wrapper around the stock vpnc-script.  The gateway's split-include routes are
# hidden from the upstream script (CISCO_SPLIT_INC=0) and its pushed DNS servers
# are dropped (INTERNAL_IP4_DNS); only routes on the Nix-side allow-list
# (vpn_routes) are installed, by the routes function below.
cisco_split_inc="$CISCO_SPLIT_INC"
export CISCO_SPLIT_INC=0
unset INTERNAL_IP4_DNS
# route_in_whitelist ADDR/MASKLEN: exit 0 iff the argument is literally one of
# the allow-listed CIDRs (exact string match, no subnet containment).
route_in_whitelist() {
for route in ${builtins.toString vpn_routes}; do
[ "$1" = "$route" ] && return 0
done
return 1
}
# routes add|remove: walk the CISCO_SPLIT_INC_<i>_ADDR/_MASK/_MASKLEN variables
# exported by the VPN client (indices 0..CISCO_SPLIT_INC-1 as seen on entry)
# and add or delete the allow-listed ones on $TUNDEV.  Non-listed routes are
# only logged.  With an empty split-include count the seq range is empty and
# the loop body never runs.
routes() {
for i in $(seq 0 $((cisco_split_inc-1))); do
addr_var="CISCO_SPLIT_INC_''${i}_ADDR"
mask_var="CISCO_SPLIT_INC_''${i}_MASK"
masklen_var="CISCO_SPLIT_INC_''${i}_MASKLEN"
# Indirect expansion of the variable names built above.  mask is read but
# not used; only masklen is needed for the CIDR.
addr="''${!addr_var}"
mask="''${!mask_var}"
masklen="''${!masklen_var}"
if route_in_whitelist "$addr/$masklen"; then
case "$1" in
add)
# Route via the gateway when the client provided one.
if [ -n "$NETGW" ]; then
ip route add "$addr/$masklen" metric 100 dev "$TUNDEV" via "$NETGW"
else
ip route add "$addr/$masklen" metric 100 dev "$TUNDEV"
fi
;;
remove)
ip route del "$addr/$masklen" dev "$TUNDEV"
;;
esac
# NOTE(review): printed for both add and remove; the wording only fits add.
echo "allowing route '$addr/$masklen'"
else
echo "ignoring route '$addr/$masklen'"
fi
done
}
# $reason is set by the VPN client.  The stock script runs for every handled
# reason; our routes are added after it on connect and removed before it on
# disconnect.  Any other reason is rejected so unexpected callbacks are visible.
case "$reason" in
pre-init|reconnect|attempt-reconnect)
"${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
;;
connect)
"${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
routes add
;;
disconnect)
routes remove
"${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
;;
*)
echo "reason '$reason' is not implemented" >&2
exit 1
;;
esac
'';
tradebyte-vpn = pkgs.writeShellScriptBin "tradebyte-vpn" ''
[ $UID -ne 0 ] && exec sudo -- "$0" "$@"
/run/wrappers/bin/sudo -u "$SUDO_USER" ${pkgs.pass}/bin/pass show zalando | openconnect \
--protocol=pulse \
-u jlechner \
--passwd-on-stdin \
-i pulse \
--pfs \
--disable-ipv6 \
--script=${vpnc-script} \
https://remote.tradebyte.org | grep -v '^> '
'';
aws_defaults = {
sso = {
start_url = "https://d-9967250383.awsapps.com/start";
region = "eu-central-1";
role_name = "AdministratorAccess";
};
region = "eu-central-1";
};
in
{
imports = [
./default.nix # presumably the settings shared by all users in this directory — see that file
];
jalr = {
git = {
user = {
name = "Jakob Lechner";
email = "jal@tradebyte.biz";
};
signByDefault = false;
};
gpg.defaultKey = "FE170812543DF81393EA56BA5042B8317A10617E";
aws = {
enable = true;
accounts = {
ops_testing = {
sso_account_id = 134848648016;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
core-production = {
sso_account_id = 455520445575;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
tbmeta-production = {
sso_account_id = 696695470425;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
abnahme = {
sso_account_id = 837645089494;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
core-develop = {
sso_account_id = 934000686307;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
infrastructure = {
sso_account_id = 994756397773;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
tbmeta-development = {
sso_account_id = 730951147261;
sso_start_url = aws_defaults.sso.start_url;
sso_region = aws_defaults.sso.region;
sso_role_name = aws_defaults.sso.role_name;
region = aws_defaults.region;
};
};
};
};
users.users.${userName} = {
isNormalUser = true;
# Supplementary groups.  Several of these are more than convenience: "wheel"
# makes the user eligible for sudo, and groups such as podman, libvirtd and
# wireshark typically grant container, VM or packet-capture access that is
# close to root-equivalent — keep the list deliberate.
extraGroups = [
"dialout"
"podman"
"libvirtd"
"lp"
"networkmanager"
"scanner"
"video"
"wheel" # Enable sudo for the user.
"wireshark"
];
shell = pkgs.fish;
};
home-manager = {
# Install user packages into the per-user profile and reuse the system
# nixpkgs instance instead of a separate Home Manager one.
useUserPackages = true;
useGlobalPkgs = true;
# `lib` and `pkgs` here shadow the outer module arguments; `config` is not
# rebound, so config.system.stateVersion below is the NixOS value.
users.${userName} = { lib, pkgs, ... }: {
imports = [ ../modules ];
config = {
# Keep Home Manager's state version in lockstep with the system's.
home.stateVersion = config.system.stateVersion;
home.packages = with pkgs; [
mycli
timetrap
tradebyte-vpn # the let-bound VPN wrapper above; lexical scope wins over `with pkgs`
# common
asciinema
bat
docker-compose
envsubst
exa
gnupg
nmap
psutils
pwgen
tig
vlc
xdg_utils
];
};
};
};
security.sudo.extraRules = [{
users = [ userName ];
commands = [
{
command = "${tradebyte-vpn}/bin/tradebyte-vpn";
options = [ "NOPASSWD" ];
}
];
}];
}