From 2745d9dc033ea976106ef469f680839005052f5d Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Fri, 23 Aug 2024 12:37:30 +0200
Subject: [PATCH] add openconnect vpn
---
 hosts/yodaTux/configuration.nix | 1 +
 modules/t-telesec.nix | 27 +++++++++++++++++++++++++++
 modules/uni-vpn.nix | 17 +++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 modules/t-telesec.nix
 create mode 100644 modules/uni-vpn.nix
diff --git a/hosts/yodaTux/configuration.nix b/hosts/yodaTux/configuration.nix
index 42ebb84..0ccec9a 100644
--- a/hosts/yodaTux/configuration.nix
+++ b/hosts/yodaTux/configuration.nix
@@ -53,6 +53,7 @@
 ../../modules/ghostwriter.nix
 ../../modules/print-and-scan.nix
 #../../modules/waydroid.nix
+ ../../modules/uni-vpn.nix
 ../../modules/games.nix
 ../../modules/dosbox-x.nix
diff --git a/modules/t-telesec.nix b/modules/t-telesec.nix
new file mode 100644
index 0000000..f6dd1c0
--- /dev/null
+++ b/modules/t-telesec.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+let
+ # Define an awk script, that cuts one certificate out of the ca-bundle.crt file.
+ # https://gist.github.com/erictapen/841190c8b7d63b775df21123d55eddcb
+ cert = pkgs.stdenv.mkDerivation rec{
+ name = "telesec-globalroot-class-2.pem";
+ src = builtins.toFile "${name}-awk-helper" ''
+ {
+ if(a > 0) {
+ print
+ }
+ }
+ /-----END CERTIFICATE-----/ {
+ a = 0
+ }
+ /T-TeleSec GlobalRoot Class 2/ {
+ a = 1
+ }
+ '';
+ nativeBuildInputs = with pkgs; [ cacert gawk ];
+ phases = "installPhase";
+ installPhase = "${pkgs.gawk}/bin/awk -f $src ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt > $out";
+ };
+in
+{
+ environment.etc."t-telesec.pem".source = cert;
+}
diff --git a/modules/uni-vpn.nix b/modules/uni-vpn.nix
new file mode 100644
index 0000000..77b1359
--- /dev/null
+++ b/modules/uni-vpn.nix
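Review bot: The `installPhase` in the new modules/t-telesec.nix writes whatever awk produced straight to `$out` without checking it, so if the matching entry is ever renamed or dropped from the cacert bundle the derivation still succeeds and /etc/t-telesec.pem silently becomes an empty file; and because `/T-TeleSec GlobalRoot Class 2/` is a substring regex, any later bundle entry whose name merely contains that text would be emitted too, yielding a file with several certificates. Add a post-check after the awk line, e.g. `[ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$out")" = 1 ] || { echo "expected exactly one certificate in $out" >&2; exit 1; }`, so a trust-store change fails the build rather than producing a broken CA file. Separately, overriding `phases = "installPhase"` is the discouraged form in nixpkgs; `dontUnpack = true;` (or a plain `buildCommand`) expresses the same intent without disabling the remaining stdenv phases.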
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+{
+ assertions = [{
+ assertion = config.services.xserver.desktopManager.gnome.enable;
+ message = "Only tested with GNOME";
+ }];
+ 
+ imports = [
+ ./t-telesec.nix
+ ];
+ 
+ users.users.yoda = {
+ packages = with pkgs; [
+ gnome.networkmanager-openconnect # Openconnect VPN
+ ];
+ };
+}
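Review bot: `users.users.yoda.packages` installs gnome.networkmanager-openconnect only into one user's profile, but a NetworkManager VPN plugin has to be visible to the system daemon, which on NixOS takes its plugins from `networking.networkmanager.plugins`; presumably that option's default already includes the openconnect plugin when NetworkManager is enabled, so confirm this and either drop the per-user entry or move it to that option. The module also imports ./t-telesec.nix without recording why: nothing in this file references the resulting /etc/t-telesec.pem, so the connection itself is evidently configured out of band and a reader cannot tell the two modules are related. A comment above `imports`, such as `# ./t-telesec.nix installs /etc/t-telesec.pem; select it as the CA certificate when creating the openconnect connection so the gateway is verified against this pinned root`, would preserve that intent (hedged, since the actual connection settings are not in the patch).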