mullvad wg config

2024-03-23 15:54:24 -04:00 · 2024-03-23 15:54:24 -04:00 · eceff55fca
parent 05f6c1129b
commit eceff55fca
5 changed files with 82 additions and 3 deletions
--- a/modules/mullvad.nix
+++ b/modules/mullvad.nix
@ -0,0 +1,65 @@
+{pkgs, config, ...}: {
+
+  age.secrets.mullvad.file = ../secrets/mullvad.age;
+
+  environment.shellAliases = {
+    mullvad-up = "systemctl start wg-quick-wg0.service";
+    mullvad-down = "systemctl stop wg-quick-wg0.service";
+  };
+
+  networking.wg-quick.interfaces = let
+    server_ip = "146.70.198.194";
+  in {
+    wg0 = {
+      autostart = false;
+
+      # IP address of this machine in the *tunnel network*
+      address = [
+        "10.70.139.192/32"
+        "fc00:bbbb:bbbb:bb01::7:8bbf/128"
+      ];
+
+      # To match firewall allowedUDPPorts (without this wg
+      # uses random port numbers).
+      listenPort = 51820;
+
+      # Path to the private key file.
+      privateKeyFile = config.age.secrets.mullvad.path;
+
+      peers = [{
+        publicKey = "57Zu2qPzRScZWsoC2NhXgz0FiC0HiKkbEa559sbxB3k=";
+        allowedIPs = [ "0.0.0.0/0" ];
+        endpoint = "${server_ip}:51820";
+        persistentKeepalive = 25;
+      }];
+
+      postUp = ''
+        wg set wg0 fwmark 51820
+
+        ${pkgs.iptables}/bin/iptables -I OUTPUT \
+          ! -o wg0 \
+          -m mark ! --mark $(wg show wg0 fwmark) \
+          -m addrtype ! --dst-type LOCAL \
+          -j REJECT
+        ${pkgs.iptables}/bin/ip6tables -I OUTPUT \
+          ! -o wg0 \
+          -m mark ! --mark $(wg show wg0 fwmark) \
+          -m addrtype ! --dst-type LOCAL \
+          -j REJECT
+      '';
+
+      preDown = ''
+        ${pkgs.iptables}/bin/iptables -D OUTPUT \
+          ! -o wg0 \
+          -m mark ! --mark $(wg show wg0 fwmark) \
+          -m addrtype ! --dst-type LOCAL \
+          -j REJECT
+        ${pkgs.iptables}/bin/ip6tables -D OUTPUT \
+          ! -o wg0 -m mark \
+          ! --mark $(wg show wg0 fwmark) \
+          -m addrtype ! --dst-type LOCAL \
+          -j REJECT
+      '';
+    };
+  };
+}
--- a/modules/nixos-common.nix
+++ b/modules/nixos-common.nix
@ -1,6 +1,10 @@
-{pkgs, ...}: {
+{pkgs, inputs, ...}: {
  # ------------ System ------------

+  imports = [
+    ./mullvad.nix
+  ];
+
  users.users.tacocat = {
    isNormalUser = true;
    extraGroups = ["wheel" "networkmanager" "audio" "video" "bluetooth" "kvm" "docker"];
@ -44,8 +48,6 @@
  services.blueman.enable = true;
  services.printing.enable = true;
  services.geoclue2.enable = true;
-  services.mullvad-vpn.enable = true;
-  services.mullvad-vpn.enableExcludeWrapper = false;
  services.fwupd.enable = true;
  security.rtkit.enable = true;
  services.resolved.enable = true;
@ -160,6 +162,7 @@
      encfs
      ntfs3g
      gnutls
+      inputs.agenix.packages.${system}.default
    ];
    # remove nano
    defaultPackages = with pkgs; [
--- a/secrets/mullvad.age
+++ b/secrets/mullvad.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 ozffKQ CkcpkTq9vVNTE+jghNH8tu349y1TtgDN6NwWU0QbER0
+6wRQIui7/mWJwzR6SfHYowaS5/Z7Me1hN5BEpW11tHA
+-> ssh-ed25519 95Hm4w gR3lnTJsYQvgyP5WcAbVcG6iBHgmIkKOjhk8Y0UK/xY
+4oJCwVLhUVz9mB1Qq4XBswvcjNdx/yLs09BVRGAok2Q
+-> ssh-ed25519 +vYWqQ xDtHwWOQBpzqS3+7Hi/wPwxzEgHyb/qbl+h/ZOkOdA0
+7zibbuUxXwFQd6Z7tRDIUi7eaIio8pDitElyPWsfPOc
+--- Xu0Nb3MrNnmRkNfd605ev8LQuV5vTMlVM7TP+Z6yJuE
+!»^·¸¢`[7SÐ3°wÇF>g‰ºWl#<23>‚ r¶™Í2Ã‚Ê!˜›³›í“>ÏDT¡‚BÖëìŽxI—ÕËûÒ³&‚¦MÚ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -9,4 +9,5 @@ in {
  "taskd-ca-cert.age".publicKeys = users ++ systems;
  "taskd-aria-cert.age".publicKeys = users ++ systems;
  "taskd-aria-key.age".publicKeys = users ++ systems;
+  "mullvad.age".publicKeys = users ++ systems;
 }
--- a/users/tacocat/home.nix
+++ b/users/tacocat/home.nix
@ -24,6 +24,7 @@
    ];
    packages = with pkgs; [
      fd
+      unzip
      mpc-cli
      nicotine-plus
      texliveFull