nix-config/modules/mullvad.nix
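{
  pkgs,
  config,
  ...
}: {
  # Mullvad WireGuard tunnel (wg-quick) with an iptables "kill switch":
  # while wg0 is up, output that does not leave through the tunnel, is not
  # WireGuard's own marked traffic, and is not addressed to this host is
  # REJECTed, so a tunnel drop fails closed rather than leaking clear-text.
  # The private key comes from an agenix secret; only its path is referenced.
  age.secrets.mullvad.file = ../secrets/mullvad.age;

  # Manual start/stop helpers; the interface is not autostarted (see below).
  environment.shellAliases = {
    mullvad-up = "systemctl start wg-quick-wg0.service";
    mullvad-down = "systemctl stop wg-quick-wg0.service";
  };

  networking.wg-quick.interfaces = let
    server_ip = "146.70.198.194";
    # Kill-switch rule, shared verbatim by the -I (postUp) and -D (preDown)
    # commands so the rule deleted is guaranteed to be the one inserted; if the
    # two ever drifted apart, -D would fail and leave a stale REJECT rule.
    # `$(...)` is plain shell here: only `${...}` is Nix interpolation.
    killSwitchRule = "OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT";
    iptablesBin = "${pkgs.iptables}/bin/iptables";
    ip6tablesBin = "${pkgs.iptables}/bin/ip6tables";
  in {
    wg0 = {
      # Brought up on demand via the mullvad-up alias, not at boot.
      autostart = false;
      # IP address of this machine in the *tunnel network*
      address = [
        "10.70.139.192/32"
        "fc00:bbbb:bbbb:bb01::7:8bbf/128"
      ];
      # To match firewall allowedUDPPorts (without this wg
      # uses random port numbers).
      listenPort = 51820;
      # Path to the private key file.
      privateKeyFile = config.age.secrets.mullvad.path;
      peers = [
        {
          # Pinned server identity: only this key can complete the handshake.
          publicKey = "57Zu2qPzRScZWsoC2NhXgz0FiC0HiKkbEa559sbxB3k=";
          # Only IPv4 is routed through the tunnel. Since the ip6tables rule
          # below rejects all non-tunnel IPv6 output, IPv6 is effectively
          # blocked (not leaked) while wg0 is up — presumably intended; confirm.
          allowedIPs = ["0.0.0.0/0"];
          endpoint = "${server_ip}:51820";
          persistentKeepalive = 25;
        }
      ];
      # NOTE(review): these rules exist only once postUp has run, so traffic
      # during the short interface setup before that is not filtered — confirm
      # against wg-quick's ordering if that window matters.
      postUp = ''
        # Mark the tunnel's own encrypted packets (value matches listenPort) so
        # the `! --mark` test below lets them out to the endpoint.
        wg set wg0 fwmark 51820
        ${iptablesBin} -I ${killSwitchRule}
        ${ip6tablesBin} -I ${killSwitchRule}
      '';
      preDown = ''
        ${iptablesBin} -D ${killSwitchRule}
        ${ip6tablesBin} -D ${killSwitchRule}
      '';
    };
  };
}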