Diffstat (limited to 'configuration')
-rw-r--r--configuration/work/default.nix103
-rw-r--r--configuration/work/networking.nix87
-rw-r--r--configuration/work/secrets.nix13
3 files changed, 106 insertions, 97 deletions
diff --git a/configuration/work/default.nix b/configuration/work/default.nix
index 25c3ef0..322f5bf 100644
--- a/configuration/work/default.nix
+++ b/configuration/work/default.nix
@@ -1,11 +1,13 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
{
imports = [
- ./hardware-configuration.nix
- ./home-manager.nix
-
../core
../hyprland.nix
+
+ ./hardware-configuration.nix
+ ./home-manager.nix
+ ./networking.nix
+ ./secrets.nix
];
system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix
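Review bot: `services.openssh.enable = true` is deleted from this file later in the diff but does not reappear in the new `./networking.nix` this hunk imports, so after a rebuild the host no longer runs sshd (and loses the port-22 firewall opening that option normally implies). If that is deliberate it is a reasonable attack-surface reduction for a workstation, but it is invisible from a diffstat that reads as a pure move and deserves a sentence in the commit message; if it is accidental, add `services.openssh.enable = true;` to networking.nix next to the other host networking settings. `networking.firewall.allowedTCPPorts = [];` is also dropped without a replacement, which is harmless because an empty list is the option's default. The rest of this file's body continues outside the hunk.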
@@ -14,17 +16,6 @@
time.timeZone = "Europe/Amsterdam";
- age.secrets.ghostnet-cert.file = ../../secrets/ghostnet-cert.age;
- age.secrets.ghostnet-key.file = ../../secrets/ghostnet-key.age;
- age.secrets.ghostnet-ca.file = ../../secrets/ghostnet-ca.age;
- age.secrets.ghostnet-tls-auth.file = ../../secrets/ghostnet-tls-auth.age;
- age.secrets.ghostnet-auth-user-pass.file = ../../secrets/ghostnet-auth-user-pass.age;
-
- age.secrets.systems-cert.file = ../../secrets/systems-cert.age;
- age.secrets.systems-key.file = ../../secrets/systems-key.age;
- age.secrets.systems-ca.file = ../../secrets/systems-ca.age;
- age.secrets.systems-tls-auth.file = ../../secrets/systems-tls-auth.age;
-
virtualisation.docker = {
enable = true;
enableOnBoot = true;
@@ -36,91 +27,9 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
- networking.hostName = "work";
- networking.networkmanager.enable = true;
- networking.networkmanager.dns = "systemd-resolved";
- networking.nameservers = [ "1.1.1.1" ];
- networking.firewall.allowedTCPPorts = [];
-
services.libinput.mouse.accelProfile = "flat";
services.libinput.mouse.accelSpeed = "-5";
services.upower.enable = true;
- services.openssh.enable = true;
- services.openvpn.servers = {
- ghostnet = {
- config = ''
- client
- remote 185.57.9.6 1194
- cert ${config.age.secrets.ghostnet-cert.path}
- key ${config.age.secrets.ghostnet-key.path}
- ca ${config.age.secrets.ghostnet-ca.path}
- auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
- reneg-sec 0
- cipher AES-256-CBC
- comp-lzo adaptive
- dev tun
- proto udp
- remote-cert-tls server
- tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
- nobind
- auth-nocache
- script-security 2
- persist-key
- persist-tun
- user nm-openvpn
- group nm-openvpn
- '';
- updateResolvConf = false;
- autoStart = false;
- };
- systems = {
- config = ''
- client
- remote 'vpn-v2.one.com'
- cert '${config.age.secrets.systems-cert.path}'
- key '${config.age.secrets.systems-key.path}'
- ca '${config.age.secrets.systems-ca.path}'
- cipher AES-128-CBC
- comp-lzo adaptive
- dev tun
- proto udp
- port 1200
- remote-cert-tls server
- tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
- nobind
- auth-nocache
- script-security 2
- persist-key
- persist-tun
- user nm-openvpn
- group nm-openvpn
- '';
- updateResolvConf = false;
- autoStart = false;
- };
- };
-
- programs.update-systemd-resolved.servers = {
- ghostnet = {
- includeAutomatically = true;
- settings = {
- routeOnlyDomains = [ "hostnetbv.nl." ];
- defaultRoute = false;
- multicastDNS = "no";
- dnsOverTLS = "opportunistic";
- dnssec = "no";
- };
- };
- };
-
- services.resolved = {
- enable = true;
- dnssec = "true";
- domains = [ "~." ];
- fallbackDns = [ "1.1.1.1" ];
- dnsovertls = "opportunistic";
- llmnr = "true";
- };
services.xserver.xkb = {
layout = "us";
diff --git a/configuration/work/networking.nix b/configuration/work/networking.nix
new file mode 100644
index 0000000..99ba8d7
--- /dev/null
+++ b/configuration/work/networking.nix
@@ -0,0 +1,87 @@
+{ pkgs, config, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ networkmanager-openvpn
+ ];
+
+ networking.hostName = "work";
+ networking.networkmanager.enable = true;
+ networking.networkmanager.dns = "systemd-resolved";
+ networking.nameservers = [ "1.1.1.1" ];
+
+ services.openvpn.servers = {
+ ghostnet = {
+ config = ''
+ client
+ remote 185.57.9.6 1194
+ cert ${config.age.secrets.ghostnet-cert.path}
+ key ${config.age.secrets.ghostnet-key.path}
+ ca ${config.age.secrets.ghostnet-ca.path}
+ auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
+ reneg-sec 0
+ cipher AES-256-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ remote-cert-tls server
+ tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ systems = {
+ config = ''
+ client
+ remote 'vpn-v2.one.com'
+ cert '${config.age.secrets.systems-cert.path}'
+ key '${config.age.secrets.systems-key.path}'
+ ca '${config.age.secrets.systems-ca.path}'
+ cipher AES-128-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ port 1200
+ remote-cert-tls server
+ tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ };
+
+ programs.update-systemd-resolved.servers = {
+ ghostnet = {
+ includeAutomatically = true;
+ settings = {
+ routeOnlyDomains = [ "hostnetbv.nl." ];
+ defaultRoute = false;
+ multicastDNS = "no";
+ dnsOverTLS = "opportunistic";
+ dnssec = "no";
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = [ "1.1.1.1" ];
+ dnsovertls = "opportunistic";
+ llmnr = "true";
+ };
+}
diff --git a/configuration/work/secrets.nix b/configuration/work/secrets.nix
new file mode 100644
index 0000000..d13599d
--- /dev/null
+++ b/configuration/work/secrets.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ age.secrets.ghostnet-cert.file = ../../secrets/ghostnet-cert.age;
+ age.secrets.ghostnet-key.file = ../../secrets/ghostnet-key.age;
+ age.secrets.ghostnet-ca.file = ../../secrets/ghostnet-ca.age;
+ age.secrets.ghostnet-tls-auth.file = ../../secrets/ghostnet-tls-auth.age;
+ age.secrets.ghostnet-auth-user-pass.file = ../../secrets/ghostnet-auth-user-pass.age;
+
+ age.secrets.systems-cert.file = ../../secrets/systems-cert.age;
+ age.secrets.systems-key.file = ../../secrets/systems-key.age;
+ age.secrets.systems-ca.file = ../../secrets/systems-ca.age;
+ age.secrets.systems-tls-auth.file = ../../secrets/systems-tls-auth.age;
+}