mullvad wg config
This commit is contained in:
parent
05f6c1129b
commit
eceff55fca
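--- /dev/null
+++ b/modules/mullvad.nix
@@ -0,0 +1,65 @@
+{pkgs, config, ...}: {
+
+age.secrets.mullvad.file = ../secrets/mullvad.age;
+
+environment.shellAliases = {
+mullvad-up = "systemctl start wg-quick-wg0.service";
+mullvad-down = "systemctl stop wg-quick-wg0.service";
+};
+
+networking.wg-quick.interfaces = let
+server_ip = "146.70.198.194";
+in {
+wg0 = {
+autostart = false;
+
+# IP address of this machine in the *tunnel network*
+address = [
+"10.70.139.192/32"
+"fc00:bbbb:bbbb:bb01::7:8bbf/128"
+];
+
+# To match firewall allowedUDPPorts (without this wg
+# uses random port numbers).
+listenPort = 51820;
+
+# Path to the private key file.
+privateKeyFile = config.age.secrets.mullvad.path;
+
+peers = [{
+publicKey = "57Zu2qPzRScZWsoC2NhXgz0FiC0HiKkbEa559sbxB3k=";
+allowedIPs = [ "0.0.0.0/0" ];
+endpoint = "${server_ip}:51820";
+persistentKeepalive = 25;
+}];
+
+postUp = ''
+wg set wg0 fwmark 51820
+
+${pkgs.iptables}/bin/iptables -I OUTPUT \
+! -o wg0 \
+-m mark ! --mark $(wg show wg0 fwmark) \
+-m addrtype ! --dst-type LOCAL \
+-j REJECT
+${pkgs.iptables}/bin/ip6tables -I OUTPUT \
+! -o wg0 \
+-m mark ! --mark $(wg show wg0 fwmark) \
+-m addrtype ! --dst-type LOCAL \
+-j REJECT
+'';
+
+preDown = ''
+${pkgs.iptables}/bin/iptables -D OUTPUT \
+! -o wg0 \
+-m mark ! --mark $(wg show wg0 fwmark) \
+-m addrtype ! --dst-type LOCAL \
+-j REJECT
+${pkgs.iptables}/bin/ip6tables -D OUTPUT \
+! -o wg0 -m mark \
+! --mark $(wg show wg0 fwmark) \
+-m addrtype ! --dst-type LOCAL \
+-j REJECT
+'';
+};
+};
+}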
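Review bot: The wg0 interface sets `address` and routes all traffic with `allowedIPs = [ "0.0.0.0/0" ]` but never sets `dns`, so name resolution keeps using whatever resolver the system had before the tunnel came up — depending on what that resolver is, queries either fail behind the postUp REJECT rules (a LAN resolver is neither on wg0 nor LOCAL) or reach the ISP/LAN resolver through the tunnel, which leaks the query destination the VPN was meant to hide. Adding `dns = [ "<MULLVAD_DNS_IP from the downloaded config>" ];` next to `address` lets wg-quick install the tunnel resolver for the interface's lifetime and remove it on `preDown`. Separately, the comment above `listenPort` refers to `allowedUDPPorts`, which this commit does not touch; for a client-only peer no inbound port needs to be opened, so either drop that comment or add the firewall entry it describes so the two stay in sync.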
@ -1,6 +1,10 @@
{pkgs, ...}: {
{pkgs, inputs, ...}: {
# ------------ System ------------
# ------------ System ------------
imports = [
./mullvad.nix
];
users.users.tacocat = {
users.users.tacocat = {
isNormalUser = true;
isNormalUser = true;
extraGroups = ["wheel" "networkmanager" "audio" "video" "bluetooth" "kvm" "docker"];
extraGroups = ["wheel" "networkmanager" "audio" "video" "bluetooth" "kvm" "docker"];
@ -44,8 +48,6 @@
services.blueman.enable = true;
services.blueman.enable = true;
services.printing.enable = true;
services.printing.enable = true;
services.geoclue2.enable = true;
services.geoclue2.enable = true;
services.mullvad-vpn.enable = true;
services.mullvad-vpn.enableExcludeWrapper = false;
services.fwupd.enable = true;
services.fwupd.enable = true;
security.rtkit.enable = true;
security.rtkit.enable = true;
services.resolved.enable = true;
services.resolved.enable = true;
@ -160,6 +162,7 @@
encfs
encfs
ntfs3g
ntfs3g
gnutls
gnutls
inputs.agenix.packages.${system}.default
];
];
# remove nano
# remove nano
defaultPackages = with pkgs; [
defaultPackages = with pkgs; [
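Review bot: `inputs.agenix.packages.${system}.default` in the third hunk of this section references `system`, which the new module header `{pkgs, inputs, ...}: {` does not bind; it presumably resolves only through the enclosing `with pkgs;` (the list's opening line is outside the hunk) or through a `specialArgs` entry, and both are implicit. Writing `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` makes the dependency explicit and keeps evaluating if the list is ever rewritten without `with`. The file header for this section is not shown on the page, so I cannot confirm which configuration file this is.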
9
secrets/mullvad.age
Normal file
@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 ozffKQ CkcpkTq9vVNTE+jghNH8tu349y1TtgDN6NwWU0QbER0
6wRQIui7/mWJwzR6SfHYowaS5/Z7Me1hN5BEpW11tHA
-> ssh-ed25519 95Hm4w gR3lnTJsYQvgyP5WcAbVcG6iBHgmIkKOjhk8Y0UK/xY
4oJCwVLhUVz9mB1Qq4XBswvcjNdx/yLs09BVRGAok2Q
-> ssh-ed25519 +vYWqQ xDtHwWOQBpzqS3+7Hi/wPwxzEgHyb/qbl+h/ZOkOdA0
7zibbuUxXwFQd6Z7tRDIUi7eaIio8pDitElyPWsfPOc
--- Xu0Nb3MrNnmRkNfd605ev8LQuV5vTMlVM7TP+Z6yJuE
!»^·¸¢`[7SÐ3°wÇF>g‰ºWl#<23>‚ r¶™Í2ÂÊ!˜›³›í“>ÏDT¡‚BÖëìŽxI—ÕËûÒ³&‚¦MÚ
@ -9,4 +9,5 @@ in {
"taskd-ca-cert.age".publicKeys = users ++ systems;
"taskd-ca-cert.age".publicKeys = users ++ systems;
"taskd-aria-cert.age".publicKeys = users ++ systems;
"taskd-aria-cert.age".publicKeys = users ++ systems;
"taskd-aria-key.age".publicKeys = users ++ systems;
"taskd-aria-key.age".publicKeys = users ++ systems;
"mullvad.age".publicKeys = users ++ systems;
}
}
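Review bot: `"mullvad.age".publicKeys = users ++ systems;` lets every user key and every host key decrypt the WireGuard private key, while modules/mullvad.nix (added in this commit) is only imported by the configuration shown in the second section; scoping the recipient list to the host(s) that actually run the tunnel would follow least privilege and limit the blast radius if any other host key is compromised. The neighbouring taskd entries use the same `users ++ systems` pattern, so this may be deliberate — if so, a one-line comment in secrets.nix stating that secrets are intentionally decryptable on all hosts would make that policy explicit. The `let … in {` block enclosing these entries starts outside the hunk.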
@ -24,6 +24,7 @@
];
];
packages = with pkgs; [
packages = with pkgs; [
fd
fd
unzip
mpc-cli
mpc-cli
nicotine-plus
nicotine-plus
texliveFull
texliveFull