From 72c9c07fdd81a5006a6f2b25f2db99dcc9fbe552 Mon Sep 17 00:00:00 2001 From: Dmitriy Holkin Date: Thu, 10 Oct 2019 19:37:45 +0400 Subject: [PATCH] Change wireguard service --- modules/applications/packages.nix | 2 + modules/applications/wg-conf.nix | 19 ++++++++ modules/packages.nix | 1 + modules/wireguard.nix | 72 +++++++++++++----------------- modules/workspace/zsh.nix | 10 +++-- secret.nix.gpg | Bin 1042 -> 551 bytes 6 files changed, 60 insertions(+), 44 deletions(-) create mode 100644 modules/applications/wg-conf.nix diff --git a/modules/applications/packages.nix b/modules/applications/packages.nix index 485d685..0b85ff4 100644 --- a/modules/applications/packages.nix +++ b/modules/applications/packages.nix @@ -34,7 +34,9 @@ with deviceSpecific; { libnotify tree iperf + (youtube-to-mpv.override { isLaptop = isLaptop; }) + wg-conf # Other (vivaldi.override { proprietaryCodecs = true; }) wget diff --git a/modules/applications/wg-conf.nix b/modules/applications/wg-conf.nix new file mode 100644 index 0000000..38a2fd5 --- /dev/null +++ b/modules/applications/wg-conf.nix @@ -0,0 +1,19 @@ +{ stdenv, pkgs }: +let + myScript = pkgs.writeShellScriptBin "wg-conf" '' + if [[ -z "$1" ]]; then + exit 1 + fi + systemctl stop wg-quick-wg0.service + cp "$1" /root/wg0.conf + systemctl start wg-quick-wg0.service + ''; +in +stdenv.mkDerivation rec { + name = "wg-conf"; + src = myScript; + installPhase = '' + mkdir -p $out/bin + cp ./bin/wg-conf $out/bin/wg-conf + ''; +} \ No newline at end of file diff --git a/modules/packages.nix b/modules/packages.nix index 11a6fa2..62fb147 100644 --- a/modules/packages.nix +++ b/modules/packages.nix 
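Review bot: In the new wg-conf script, `cp "$1" /root/wg0.conf` creates the file with the source's mode (masked by umask), so a 0644 config from a home directory — which carries the interface PrivateKey — stays 0644 under /root; `install -m 0600 "$1" /root/wg0.conf` pins the permissions instead of relying on /root itself being 0700. The script has no `set -e` and no readability check on `$1`, so when `cp` fails (unreadable path, typo) the `systemctl start` line still runs and silently brings the tunnel back up on the previous config; adding `set -euo pipefail` after the shebang and `[[ -r "$1" ]] || { echo "wg-conf: cannot read $1" >&2; exit 1; }` closes both. The empty-argument branch exits without any message; a one-line usage string on stderr before `exit 1` would help. Since the tool lands in every user's PATH via environment.systemPackages but only works as root, a `[[ $EUID -eq 0 ]]` guard with a clear message would replace the confusing systemctl/cp permission errors. Wrapping the `writeShellScriptBin` result in a second `stdenv.mkDerivation` that re-copies its bin/ appears redundant — `myScript` is already a complete package and can be returned directly.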
@@ -3,6 +3,7 @@ (self: old: rec { # nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd; youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {}; + wg-conf = pkgs.callPackage ./applications/wg-conf.nix {}; xonar-fp = pkgs.writers.writeBashBin "xonar-fp" '' CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'` if [[ $CURRENT_STATE == '[on]' ]]; then diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 297449f..35730f3 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix 
@@ -2,45 +2,37 @@
 let
 cfg = config.secrets.wireguard.${config.device};
 in {
- # Enable wireguard
- networking.wg-quick.interfaces = lib.mkIf cfg.enable {
- wg0 = cfg.interface;
- };
- # Enable killswitch
- environment.systemPackages =
- lib.mkIf (cfg.killswitch.package == "iptables") [
- pkgs.iptables
- ];
- networking.nftables =
- lib.mkIf (cfg.killswitch.package == "nftables") {
- enable = true;
- ruleset = ''
- flush ruleset
- table inet firewall {
- chain input {
- type filter hook input priority 0; policy drop;
- iif "lo" accept
- ct state { established, related } accept
- ct state invalid drop
- ip protocol icmp icmp type echo-request accept
- ip daddr 192.168.0.1/24 accept
- reject
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- chain output {
- type filter hook output priority 0; policy drop;
- oifname "lo" accept
- oifname "wg0" accept
- oifname "docker0" accept
- oifname "vboxnet0" accept
- oifname "vboxnet1" accept
- udp dport domain drop
- ip daddr 192.168.0.1/24 accept
- udp dport 51820 accept
- }
- }
- '';
+ config = lib.mkIf cfg.enable {
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard pkgs.wireguard-tools ];
+ networking.firewall.checkReversePath = false;
+
+ systemd.services."wg-quick-wg0" = {
+ description = "wg-quick WireGuard Tunnel - wg0";
+ requires = [ "network-online.target" ];
+ after = [ "network.target" "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment.DEVICE = "wg0";
+ path = [ pkgs.kmod pkgs.wireguard-tools ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ ${lib.strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
+ wg-quick up /root/wg0.conf
+ '';
+
+ postStart = lib.mkIf cfg.killswitch ''
+ ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ '';
+
+ preStop = ''
+ ${lib.strings.optionalString (cfg.killswitch) "${pkgs.iptables}/bin/iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 && ${pkgs.iptables}/bin/ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
+ wg-quick down /root/wg0.conf
+ '';
+ };
 };
 }
\ No newline at end of file
diff --git a/modules/workspace/zsh.nix b/modules/workspace/zsh.nix
index d59196c..cd0a89a 100644
--- a/modules/workspace/zsh.nix
+++ b/modules/workspace/zsh.nix
@@ -45,10 +45,12 @@
 "clr" = "clear";
 "weather" = "curl wttr.in/Volzhskiy";
 "l" = "ls -lah --group-directories-first";
- "rede" = "systemctl --user start redshift.service";
- "redd" = "systemctl --user stop redshift.service";
- "bare" = "systemctl --user start barrier-client.service";
- "bard" = "systemctl --user stop barrier-client.service";
+ "rede" = "systemctl --user start redshift.service &";
+ "redd" = "systemctl --user stop redshift.service &";
+ "bare" = "systemctl --user start barrier-client.service &";
+ "bard" = "systemctl --user stop barrier-client.service &";
+ "wgup" = "_ systemctl start wg-quick-wg0.service";
+ "wgdown" = "_ systemctl stop wg-quick-wg0.service";
 };
 };
 }
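Review bot: The LAN exception in postStart, `iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT`, matches on source address, and in the OUTPUT chain the source is the host's own address — on a machine whose LAN is 192.168.0.0/24 every packet leaving the physical interface carries that source, so this rule sits in front of the REJECT and accepts exactly the traffic the kill switch exists to stop, while on any other LAN it matches nothing. It should mirror the removed nftables rule `ip daddr 192.168.0.1/24 accept` as a destination match, `-I OUTPUT -d 192.168.0.0/24 -j ACCEPT`, and preStop must repeat the full rule including the target, `-D OUTPUT -d 192.168.0.0/24 -j ACCEPT` — as written, `-D OUTPUT -s 192.168.0.0/24` has no `-j` so iptables finds no matching rule, and because the deletes are `&&`-chained the ip6tables REJECT is then never removed and accumulates across restarts. The old ruleset's `udp dport domain drop` ahead of the LAN accept has no counterpart, so a resolver on the LAN (typically the router) can receive plaintext DNS while the tunnel is up; inserting `-I OUTPUT -d 192.168.0.0/24 -p udp --dport 53 -j REJECT` after the LAN accept (so it lands in front of it) restores that, with the matching `-D` in preStop. `networking.firewall.checkReversePath = false` turns rp_filter off entirely, whereas `"loose"` is normally sufficient for a policy-routed WireGuard tunnel and keeps the check. Finally, wg-quick only sets an fwmark when AllowedIPs covers a default route; otherwise `wg show wg0 fwmark` prints `off`, which iptables rejects and the unit fails after the tunnel is already up — worth a comment on the config requirement or a guard around the mark match.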
diff --git a/secret.nix.gpg b/secret.nix.gpg index 29c425c0fe979aec7221ff40f8034ec55bc3f1f4..90152bce2129680384898ea01ed0081008a65ed5 100644 GIT binary patch literal 551 zcmZo={4*dvxyf>|D@%Z^^EC2lt%m=Pp|) zeXiHHE^RBHPpMw$!?@oX)&D%(CZPrpU}KOv+TWjX9tfQ2jKsZ2oD3Q@Jda?g!R}tIeOfUd+@ z@8XL42Yj`|n7ud2{O7s(o_ogr*EJGuv3Ec6t?-a6VUyo|V%MD5n|dGZLRU67gs)Xl zSN~Y+IPZ6?J4f1G{`pK>mHxCZN@g&4|J3mIf7T-PG+(x_@v`p>CvA8wbvQ&&fK4{G QGm&=-*45LA>X=i z#w2cq^@&VVi$(ooKRmykX0PCFRg_q3Zn^acM_jmFx~TJkUSYN7*j%~i8Z)0(CO7w_ zC?DElF^#!SMR5AJA1!kGUyGPIw%R`Z%kV8+-}zcuZd~_wjfI>{O4BFZxm~fbJYKx^ zdA^0S$_3G>6GL|8zFntVY_piNk!QQFm;I%ej9jigJhe-nA7Z>Pqepf7|D$_fDb3ap zI8+nOUC&`W)k$JTfwumykj-lrOuM0d=v}+k!Pm#6qW4|m6}`b`uq<5LiJz0(_gCaw z-*YpTJm8w~$JEYN=Te!A?sA2vneAC2a$UR`4sMbs*F1UB`2O!qiAMjv_LrCVyFapP zZ<*Q~%9nCEs47H?b@8fpp(Q`fXSKSxdy6P9bJ+aVEVJP7zBf-c$5%_1w||KL46x{(E6`gPKXH)iEi?xbp>GJFpo#hB*Ws`uwTz~T=R}UG<+)}!YwmF#Z19x|AiB?zWQ4T7A}$v z(z$onN89Fmf#!kD+f{a5dnvw(-{?}!EQyGtlV?uW`{xlPaOvk!sVhZ}37+mrGrzAe zl4XwU{?rr1WxULR<-AG5$3yHo0)o$wm6~>XTb9s`Gq1W4h(#$LD7*Zgg_( z?Poe3A}{^bD`21L+{?O~{QR5tpRJ{DvMEBRZ=i(P>*)N{wFyH22#_hK31NNq| zFQ1#73<TRu%x;}5t+qi(^ zjwO5QIqxuTXI*Oa=d}N$7e1-X8fx|*Rrah)_#%^edD-2(W$l)?JSYBF-T&aAQk?e{ zY0YU<9X~IySTgam{HiP)(>Wb(felexmmPj~CRpoTS9!<1P}YOzYCNJNOc