From eceff55fcaa83f5bb6e1bdc74344b0da0aefa3bd Mon Sep 17 00:00:00 2001
From: Aria Nolan
Date: Sat, 23 Mar 2024 15:54:24 -0400
Subject: [PATCH] mullvad wg config

---
 modules/mullvad.nix | 65 ++++++++++++++++++++++++++++++++++++++++
 modules/nixos-common.nix | 9 ++++--
 secrets/mullvad.age | 9 ++++++
 secrets/secrets.nix | 1 +
 users/tacocat/home.nix | 1 +
 5 files changed, 82 insertions(+), 3 deletions(-)
 create mode 100644 modules/mullvad.nix
 create mode 100644 secrets/mullvad.age

diff --git a/modules/mullvad.nix b/modules/mullvad.nix
new file mode 100644
index 0000000..1769485
--- /dev/null
+++ b/modules/mullvad.nix
@@ -0,0 +1,65 @@
+{pkgs, config, ...}: {
+
+ age.secrets.mullvad.file = ../secrets/mullvad.age;
+
+ environment.shellAliases = {
+ mullvad-up = "systemctl start wg-quick-wg0.service";
+ mullvad-down = "systemctl stop wg-quick-wg0.service";
+ };
+
+ networking.wg-quick.interfaces = let
+ server_ip = "146.70.198.194";
+ in {
+ wg0 = {
+ autostart = false;
+
+ # IP address of this machine in the *tunnel network*
+ address = [
+ "10.70.139.192/32"
+ "fc00:bbbb:bbbb:bb01::7:8bbf/128"
+ ];
+
+ # To match firewall allowedUDPPorts (without this wg
+ # uses random port numbers).
+ listenPort = 51820;
+
+ # Path to the private key file.
+ privateKeyFile = config.age.secrets.mullvad.path;
+
+ peers = [{
+ publicKey = "57Zu2qPzRScZWsoC2NhXgz0FiC0HiKkbEa559sbxB3k=";
+ allowedIPs = [ "0.0.0.0/0" ];
+ endpoint = "${server_ip}:51820";
+ persistentKeepalive = 25;
+ }];
+
+ postUp = ''
+ wg set wg0 fwmark 51820
+
+ ${pkgs.iptables}/bin/iptables -I OUTPUT \
+ ! -o wg0 \
+ -m mark ! --mark $(wg show wg0 fwmark) \
+ -m addrtype ! --dst-type LOCAL \
+ -j REJECT
+ ${pkgs.iptables}/bin/ip6tables -I OUTPUT \
+ ! -o wg0 \
+ -m mark ! --mark $(wg show wg0 fwmark) \
+ -m addrtype ! --dst-type LOCAL \
+ -j REJECT
+ '';
+
+ preDown = ''
+ ${pkgs.iptables}/bin/iptables -D OUTPUT \
+ ! -o wg0 \
+ -m mark ! --mark $(wg show wg0 fwmark) \
+ -m addrtype ! --dst-type LOCAL \
+ -j REJECT
+ ${pkgs.iptables}/bin/ip6tables -D OUTPUT \
+ ! -o wg0 -m mark \
+ ! --mark $(wg show wg0 fwmark) \
+ -m addrtype ! --dst-type LOCAL \
+ -j REJECT
+ '';
+ };
+ };
+}
diff --git a/modules/nixos-common.nix b/modules/nixos-common.nix
index c2f8f74..5a8c8cd 100644
--- a/modules/nixos-common.nix
+++ b/modules/nixos-common.nix
@@ -1,6 +1,10 @@
-{pkgs, ...}: {
+{pkgs, inputs, ...}: {
 # ------------ System ------------
 
+ imports = [
+ ./mullvad.nix
+ ];
+
 users.users.tacocat = {
 isNormalUser = true;
 extraGroups = ["wheel" "networkmanager" "audio" "video" "bluetooth" "kvm" "docker"];
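Review bot: The tunnel is given an IPv6 address (`fc00:bbbb:bbbb:bb01::7:8bbf/128`) but the peer's `allowedIPs` lists only `0.0.0.0/0`, so no IPv6 route goes through wg0 and the `ip6tables` REJECT rule in `postUp` simply blackholes all non-local IPv6 output while the tunnel is up — fail-closed, but probably not the intent; either add `"::/0"` to `allowedIPs` or drop the v6 address so the two halves agree. The explicit `wg set wg0 fwmark 51820` in `postUp` can diverge from the mark wg-quick normally assigns for its own policy routing when it installs the default route, and since every later rule reads the live value via `$(wg show wg0 fwmark)` the line is redundant and safer removed. The `ip6tables -D` in `preDown` is laid out differently from the `-I` in `postUp` (`! -o wg0 -m mark \` / `! --mark ...`); it is the same rule to iptables, but keeping the two invocations textually identical (or sharing one string) makes it evident the delete matches the insert, because a `-D` that does not match leaves the REJECT rule in place after the interface goes down. No `dns` is set on the interface, so resolution stays with whatever resolver the host already uses, which under this kill switch is likely to be pushed into the tunnel; setting the interface's `dns` option to the provider's in-tunnel resolver avoids that.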
@@ -44,8 +48,6 @@
 services.blueman.enable = true;
 services.printing.enable = true;
 services.geoclue2.enable = true;
- services.mullvad-vpn.enable = true;
- services.mullvad-vpn.enableExcludeWrapper = false;
 services.fwupd.enable = true;
 security.rtkit.enable = true;
 services.resolved.enable = true;
@@ -160,6 +162,7 @@
 encfs
 ntfs3g
 gnutls
+ inputs.agenix.packages.${system}.default
 ];
 # remove nano
 defaultPackages = with pkgs; [
diff --git a/secrets/mullvad.age b/secrets/mullvad.age
new file mode 100644
index 0000000..ca80bde
--- /dev/null
+++ b/secrets/mullvad.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 ozffKQ CkcpkTq9vVNTE+jghNH8tu349y1TtgDN6NwWU0QbER0
+6wRQIui7/mWJwzR6SfHYowaS5/Z7Me1hN5BEpW11tHA
+-> ssh-ed25519 95Hm4w gR3lnTJsYQvgyP5WcAbVcG6iBHgmIkKOjhk8Y0UK/xY
+4oJCwVLhUVz9mB1Qq4XBswvcjNdx/yLs09BVRGAok2Q
+-> ssh-ed25519 +vYWqQ xDtHwWOQBpzqS3+7Hi/wPwxzEgHyb/qbl+h/ZOkOdA0
+7zibbuUxXwFQd6Z7tRDIUi7eaIio8pDitElyPWsfPOc
+--- Xu0Nb3MrNnmRkNfd605ev8LQuV5vTMlVM7TP+Z6yJuE
+!^`[7S3wF>gWl# r2Â!>DTBx Iҳ&M
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index aafbb91..f34d410 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -9,4 +9,5 @@ in {
 "taskd-ca-cert.age".publicKeys = users ++ systems;
 "taskd-aria-cert.age".publicKeys = users ++ systems;
 "taskd-aria-key.age".publicKeys = users ++ systems;
+ "mullvad.age".publicKeys = users ++ systems;
 }
diff --git a/users/tacocat/home.nix b/users/tacocat/home.nix
index 40a53e7..e5f4c2c 100644
--- a/users/tacocat/home.nix
+++ b/users/tacocat/home.nix
@@ -24,6 +24,7 @@
 ];
 packages = with pkgs; [
 fd
+ unzip
 mpc-cli
 nicotine-plus
 texliveFull
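Review bot: In the `@@ -160,6 +162,7 @@` hunk of modules/nixos-common.nix, the added `inputs.agenix.packages.${system}.default` references `system`, which is not among this module's arguments (`{pkgs, inputs, ...}` in the file's first hunk) and is not an argument the NixOS module system supplies on its own; unless it is bound by a `let` elsewhere in the file or injected through `_module.args`, evaluation fails with an undefined variable. The usual substitute is `inputs.agenix.packages.${pkgs.system}.default` (or `${pkgs.stdenv.hostPlatform.system}`). `inputs` is likewise only available here if the flake passes it via `specialArgs`; presumably it already does, but that lives outside this diff and is worth confirming. The enclosing attribute set starts and ends outside the hunk.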