2019-08-27 23:41:02 +04:00
|
|
|
{ config, pkgs, lib, ... }:
|
2020-08-07 23:27:49 +04:00
|
|
|
with lib;
|
2019-08-27 23:41:02 +04:00
|
|
|
let
|
2021-06-16 23:42:44 +03:00
|
|
|
cfg = config.deviceSpecific.wireguard;
|
2020-08-11 02:38:02 +04:00
|
|
|
kernel = config.boot.kernelPackages;
|
2019-08-27 23:41:02 +04:00
|
|
|
in {
|
2021-06-27 20:45:03 +03:00
|
|
|
# config = mkIf cfg.enable {
|
|
|
|
|
# boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
|
|
|
|
|
# environment.systemPackages = [ pkgs.wireguard-tools ];
|
|
|
|
|
# networking.firewall.checkReversePath = false;
|
2019-10-10 19:37:45 +04:00
|
|
|
|
2021-06-27 20:45:03 +03:00
|
|
|
# systemd.services."wg-quick-wg0" = {
|
|
|
|
|
# description = "wg-quick WireGuard Tunnel - wg0";
|
|
|
|
|
# requires = [ "network-online.target" ];
|
|
|
|
|
# after = [ "network.target" "network-online.target" ];
|
|
|
|
|
# wantedBy = [ "multi-user.target" ];
|
|
|
|
|
# environment.DEVICE = "wg0";
|
|
|
|
|
# path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables pkgs.iproute ];
|
2019-10-10 19:37:45 +04:00
|
|
|
|
2021-06-27 20:45:03 +03:00
|
|
|
# serviceConfig = {
|
|
|
|
|
# Type = "oneshot";
|
|
|
|
|
# RemainAfterExit = true;
|
|
|
|
|
# };
|
2019-10-10 19:37:45 +04:00
|
|
|
|
2021-06-27 20:45:03 +03:00
|
|
|
# unitConfig = {
|
|
|
|
|
# ConditionPathExists = "/root/wg0.conf";
|
|
|
|
|
# };
|
2020-08-11 02:38:02 +04:00
|
|
|
|
2021-06-27 20:45:03 +03:00
|
|
|
# script = ''
|
|
|
|
|
# ${strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
|
|
|
|
|
# wg-quick up /root/wg0.conf
|
|
|
|
|
# '';
|
2019-10-10 19:37:45 +04:00
|
|
|
|
2021-06-27 20:45:03 +03:00
|
|
|
# postStart = mkIf cfg.killswitch ''
|
|
|
|
|
# iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
|
|
|
|
|
# # Allow IPv4 private ip addresses
|
|
|
|
|
# iptables -I OUTPUT -s 192.168.0.0/16 -j ACCEPT && iptables -I OUTPUT -s 172.16.0.0/12 -j ACCEPT
|
|
|
|
|
# '';
|
2019-10-10 19:37:45 +04:00
|
|
|
|
2021-06-27 20:45:03 +03:00
|
|
|
# preStop = ''
|
|
|
|
|
# ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
|
|
|
|
|
# # Delete rule thats allow IPv4 private ip addresses
|
|
|
|
|
# ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT -s 192.168.0.0/16 && iptables -D OUTPUT -s 172.16.0.0/12"}
|
|
|
|
|
# wg-quick down /root/wg0.conf
|
|
|
|
|
# '';
|
2019-10-23 19:31:32 +04:00
|
|
|
|
2021-06-27 20:45:03 +03:00
|
|
|
# postStop = ''
|
|
|
|
|
# ip link delete wg0
|
|
|
|
|
# '';
|
|
|
|
|
# };
|
|
|
|
|
# };
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
|
|
|
|
|
networking.firewall.checkReversePath = "loose";
|
|
|
|
|
environment.systemPackages = [ pkgs.wireguard-tools pkgs.mullvad-vpn ];
|
|
|
|
|
services.mullvad-vpn.enable = true;
|
2021-06-29 22:28:37 +03:00
|
|
|
startupApplications = [ "${pkgs.mullvad-vpn}/share/mullvad/mullvad-gui" ];
|
2019-08-27 23:41:02 +04:00
|
|
|
};
|
|
|
|
|
}
|
