Change wireguard service

2019-10-10 19:37:45 +04:00 · 2019-10-10 19:37:45 +04:00 · 72c9c07fdd
commit 72c9c07fdd
parent 2f66a8c8d8
6 changed files with 60 additions and 44 deletions
--- a/modules/applications/packages.nix
+++ b/modules/applications/packages.nix
@ -34,7 +34,9 @@ with deviceSpecific; {
    libnotify
    tree
    iperf
+
    (youtube-to-mpv.override { isLaptop = isLaptop; })
+    wg-conf
    # Other
    (vivaldi.override { proprietaryCodecs = true; })
    wget
--- a/modules/applications/wg-conf.nix
+++ b/modules/applications/wg-conf.nix
@ -0,0 +1,19 @@
+{ stdenv, pkgs }:
+let
+  myScript = pkgs.writeShellScriptBin "wg-conf" ''
+    if [[ -z "$1" ]]; then
+      exit 1
+    fi
+    systemctl stop wg-quick-wg0.service
+    cp "$1" /root/wg0.conf
+    systemctl start wg-quick-wg0.service
+  '';
+in
+stdenv.mkDerivation rec {
+  name = "wg-conf";
+  src = myScript;
+  installPhase = ''
+    mkdir -p $out/bin
+    cp ./bin/wg-conf $out/bin/wg-conf
+  '';
+}
--- a/modules/packages.nix
+++ b/modules/packages.nix
@ -3,6 +3,7 @@
    (self: old: rec {
      # nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd;
      youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {};
+      wg-conf = pkgs.callPackage ./applications/wg-conf.nix {};
      xonar-fp = pkgs.writers.writeBashBin "xonar-fp" ''
        CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'`
        if [[ $CURRENT_STATE == '[on]' ]]; then
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -2,45 +2,37 @@
 let
  cfg = config.secrets.wireguard.${config.device};
 in {
-  # Enable wireguard
-  networking.wg-quick.interfaces = lib.mkIf cfg.enable {
-    wg0 = cfg.interface;
+  config = lib.mkIf cfg.enable {
+    boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+    environment.systemPackages = [ pkgs.wireguard pkgs.wireguard-tools ];
+    networking.firewall.checkReversePath = false;
+
+    systemd.services."wg-quick-wg0" = {
+      description = "wg-quick WireGuard Tunnel - wg0";
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment.DEVICE = "wg0";
+      path = [ pkgs.kmod pkgs.wireguard-tools ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
      };
-  # Enable killswitch
-  environment.systemPackages =
-    lib.mkIf (cfg.killswitch.package == "iptables") [
-      pkgs.iptables
-    ];
-  networking.nftables =
-    lib.mkIf (cfg.killswitch.package == "nftables") {
-    enable = true;
-    ruleset = ''
-      flush ruleset
-      table inet firewall {
-          chain input {
-              type filter hook input priority 0; policy drop;
-              iif "lo" accept
-              ct state { established, related } accept
-              ct state invalid drop
-              ip protocol icmp icmp type echo-request accept
-              ip daddr 192.168.0.1/24 accept
-              reject
-          }
-          chain forward {
-              type filter hook forward priority 0; policy drop;
-          }
-          chain output {
-              type filter hook output priority 0; policy drop;
-              oifname "lo" accept
-              oifname "wg0" accept
-              oifname "docker0" accept
-              oifname "vboxnet0" accept
-              oifname "vboxnet1" accept
-              udp dport domain drop
-              ip daddr 192.168.0.1/24 accept
-              udp dport 51820 accept
-          }
-      }
+
+      script = ''
+        ${lib.strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
+        wg-quick up /root/wg0.conf
+      '';
+
+      postStart = lib.mkIf cfg.killswitch ''
+        ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+      '';
+
+      preStop = ''
+        ${lib.strings.optionalString (cfg.killswitch) "${pkgs.iptables}/bin/iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 && ${pkgs.iptables}/bin/ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
+        wg-quick down /root/wg0.conf
      '';
    };
+  };
 }
--- a/modules/workspace/zsh.nix
+++ b/modules/workspace/zsh.nix
@ -45,10 +45,12 @@
      "clr" = "clear";
      "weather" = "curl wttr.in/Volzhskiy";
      "l" = "ls -lah --group-directories-first";
-      "rede" = "systemctl --user start redshift.service";
-      "redd" = "systemctl --user stop redshift.service";
-      "bare" = "systemctl --user start barrier-client.service";
-      "bard" = "systemctl --user stop barrier-client.service";
+      "rede" = "systemctl --user start redshift.service &";
+      "redd" = "systemctl --user stop redshift.service &";
+      "bare" = "systemctl --user start barrier-client.service &";
+      "bard" = "systemctl --user stop barrier-client.service &";
+      "wgup" = "_ systemctl start wg-quick-wg0.service";
+      "wgdown" = "_ systemctl stop wg-quick-wg0.service";
    };
  };
 }
--- a/secret.nix.gpg
+++ b/secret.nix.gpg