From e0f402134efcfbcf48fd02d2881f3252d3c892af Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Thu, 26 Jan 2023 00:15:51 +0300
Subject: [PATCH] update vpn options

---
 machines/AMD-Workstation/default.nix | 2 +-
 machines/Dell-Laptop/default.nix | 2 +-
 machines/NixOS-CT/default.nix | 2 +-
 modules/devices.nix | 8 ++--
 profiles/vpn.nix | 57 ++++++++++++++++++++++++++++
 5 files changed, 64 insertions(+), 7 deletions(-)
 create mode 100644 profiles/vpn.nix

diff --git a/machines/AMD-Workstation/default.nix b/machines/AMD-Workstation/default.nix
index e254a8b..08a2363 100644
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@@ -32,7 +32,7 @@
 deviceSpecific.isShared = false;
 deviceSpecific.isGaming = true;
 deviceSpecific.enableVirtualisation = true;
- deviceSpecific.wireguard.enable = true;
+ deviceSpecific.vpn.mullvad.enable = true;
 boot.zfs.forceImportAll = lib.mkForce false;
diff --git a/machines/Dell-Laptop/default.nix b/machines/Dell-Laptop/default.nix
index 9886f56..b052c66 100644
--- a/machines/Dell-Laptop/default.nix
+++ b/machines/Dell-Laptop/default.nix
@@ -26,7 +26,7 @@
 deviceSpecific.isShared = false;
 deviceSpecific.isGaming = true;
 deviceSpecific.enableVirtualisation = true;
- deviceSpecific.wireguard.enable = true;
+ deviceSpecific.vpn.mullvad.enable = true;
 boot.blacklistedKernelModules = [
 "psmouse"
diff --git a/machines/NixOS-CT/default.nix b/machines/NixOS-CT/default.nix
index 10ef497..1b6f9a4 100644
--- a/machines/NixOS-CT/default.nix
+++ b/machines/NixOS-CT/default.nix
@@ -39,7 +39,7 @@
 ram = 1;
 };
 deviceSpecific.enableVirtualisation = true;
- deviceSpecific.wireguard.enable = false;
+ deviceSpecific.vpn.mullvad.enable = false;
 deviceSpecific.isServer = lib.mkForce true;
 systemd.suppressedSystemUnits = [
diff --git a/modules/devices.nix b/modules/devices.nix
index 99efc65..74cd0d0 100644
--- a/modules/devices.nix
+++ b/modules/devices.nix
@@ -76,14 +76,14 @@ with types; {
 type = bool;
 default = config.deviceSpecific.devInfo.drive.type == "ssd";
 };
- wireguard = {
- enable = mkOption {
+ vpn = {
+ mullvad.enable = mkOption {
 type = bool;
 default = false;
 };
- killswitch = mkOption {
+ tailscale.enable = mkOption {
 type = bool;
- default = true;
+ default = false;
 };
 };
 };
diff --git a/profiles/vpn.nix b/profiles/vpn.nix
new file mode 100644
index 0000000..c3e823d
--- /dev/null
+++ b/profiles/vpn.nix
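Review bot: The removed `killswitch = mkOption { ... default = true; }` has no counterpart under the new `vpn` set, so a host that relied on that fail-closed default loses it silently, and the `profiles/vpn.nix` added in this patch does not configure a Mullvad lockdown/kill-switch either; either carry it over as `vpn.mullvad.killswitch = mkOption { type = bool; default = true; };` and act on it in the profile, or state in the option's `description` that the client's own setting now governs it. Neither new option carries a `description`, so a one-liner each saying what `mullvad.enable` and `tailscale.enable` turn on would make the intent visible in the option docs. The three `machines/*/default.nix` hunks only rename `wireguard.enable` and need nothing further.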
@@ -0,0 +1,57 @@
+{ pkgs, lib, config, ... }:
+let
+ isMullvad = config.deviceSpecific.vpn.mullvad.enable;
+ isTailscale = config.deviceSpecific.vpn.tailscale.enable;
+in {
+ config = lib.mkMerge [
+ (lib.mkIf isMullvad {
+ services.mullvad-vpn = {
+ enable = true;
+ enableExcludeWrapper = true;
+ package = pkgs.mullvad-vpn;
+ };
+ startupApplications = [ "${pkgs.mullvad-vpn}/bin/mullvad-gui" ];
+ persist.state.homeDirectories = [ ".config/Mullvad VPN" ];
+ persist.cache.directories = [ "/var/cache/mullvad-vpn" ];
+ })
+
+ (lib.mkIf isTailscale {
+ services.tailscale = {
+ enable = true;
+ #interfaceName = "userspace-networking";
+ interfaceName = "tailscale0";
+ };
+ systemd.services.tailscaled.serviceConfig.ExecStart = [
+ ""
+ "${pkgs.mullvad}/bin/mullvad-exclude ${pkgs.tailscale}/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=\${PORT} $FLAGS"
+ ];
+ persist.state.directories = [ "/var/lib/tailscale" ];
+ })
+
+ (lib.mkIf (isMullvad && isTailscale) {
+ # FIXME: allow mullvad custom dns
+ networking.nftables.ruleset = let
+ resolver_addrs = "100.100.100.100";
+ excluded_ipv4 = "100.64.0.1/10";
+ excluded_ipv6 = "fd7a:115c:a1e0::/48";
+ in ''
+ table inet mullvad-ts {
+ chain excludeOutgoing {
+ type route hook output priority 0; policy accept;
+ ip daddr ${excluded_ipv4} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip6 daddr ${excluded_ipv6} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ chain allow-incoming {
+ type filter hook input priority -100; policy accept;
+ iifname "${config.services.tailscale.interfaceName}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ chain excludeDns {
+ type filter hook output priority -10; policy accept;
+ ip daddr ${resolver_addrs} udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip daddr ${resolver_addrs} tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ }
+ '';
+ })
+ ];
+}
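Review bot: The `systemd.services.tailscaled.serviceConfig.ExecStart` override lives in the `lib.mkIf isTailscale` block yet wraps tailscaled in `${pkgs.mullvad}/bin/mullvad-exclude`, so a host with `vpn.tailscale.enable = true` and Mullvad off gets a tailscaled unit that depends on a wrapper and daemon that are not set up; the override belongs in the `lib.mkIf (isMullvad && isTailscale)` block beside the nftables rules. On that same line the wrapper comes from `pkgs.mullvad` while the service is configured with `package = pkgs.mullvad-vpn`, so, provided that package ships the binary, `${config.services.mullvad-vpn.package}/bin/mullvad-exclude` keeps wrapper and daemon from one build. In the ruleset `excluded_ipv4 = "100.64.0.1/10"` has host bits set; `100.64.0.0/10` states the prefix as intended without relying on nft to normalise it. A short comment above the three chains saying that the `0x00000f41` / `0x6d6f6c65` marks appear to be the values Mullvad's split-tunnel exclusion matches on, and that `allow-incoming` only marks (its policy is accept either way), would spare the next reader a hunt through the Mullvad sources.
```nix
(lib.mkIf isTailscale {
  # … unchanged: services.tailscale and persist.state.directories; the ExecStart override is moved out of this block …
})

(lib.mkIf (isMullvad && isTailscale) {
  # tailscaled must run outside the Mullvad tunnel; the exclude wrapper is taken from the same package as the daemon.
  systemd.services.tailscaled.serviceConfig.ExecStart = [
    ""
    "${config.services.mullvad-vpn.package}/bin/mullvad-exclude ${pkgs.tailscale}/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=\${PORT} $FLAGS"
  ];
  # … unchanged: networking.nftables.ruleset …
})
```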