update vpn options

2023-01-26 00:15:51 +03:00 · 2023-01-26 00:15:51 +03:00 · e0f402134e
commit e0f402134e
parent 99fff40577
5 changed files with 64 additions and 7 deletions
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@ -32,7 +32,7 @@
  deviceSpecific.isShared = false;
  deviceSpecific.isGaming = true;
  deviceSpecific.enableVirtualisation = true;
-  deviceSpecific.wireguard.enable = true;
+  deviceSpecific.vpn.mullvad.enable = true;
  boot.zfs.forceImportAll = lib.mkForce false;
--- a/machines/Dell-Laptop/default.nix
+++ b/machines/Dell-Laptop/default.nix
@ -26,7 +26,7 @@
  deviceSpecific.isShared = false;
  deviceSpecific.isGaming = true;
  deviceSpecific.enableVirtualisation = true;
-  deviceSpecific.wireguard.enable = true;
+  deviceSpecific.vpn.mullvad.enable = true;
  boot.blacklistedKernelModules = [
    "psmouse"
--- a/machines/NixOS-CT/default.nix
+++ b/machines/NixOS-CT/default.nix
@ -39,7 +39,7 @@
    ram = 1;
  };
  deviceSpecific.enableVirtualisation = true;
-  deviceSpecific.wireguard.enable = false;
+  deviceSpecific.vpn.mullvad.enable = false;
  deviceSpecific.isServer = lib.mkForce true;
  systemd.suppressedSystemUnits = [
--- a/modules/devices.nix
+++ b/modules/devices.nix
@ -76,14 +76,14 @@ with types; {
        type = bool;
        default = config.deviceSpecific.devInfo.drive.type == "ssd";
      };
-      wireguard = {
+      vpn = {
-        enable = mkOption {
+        mullvad.enable = mkOption {
          type = bool;
          default = false;
        };
-        killswitch = mkOption {
+        tailscale.enable = mkOption {
          type = bool;
-          default = true;
+          default = false;
        };
      };
    };
--- a/profiles/vpn.nix
+++ b/profiles/vpn.nix
@ -0,0 +1,57 @@
 { pkgs, lib, config, ... }:
 let
  isMullvad = config.deviceSpecific.vpn.mullvad.enable;
  isTailscale = config.deviceSpecific.vpn.tailscale.enable;
 in {
  config = lib.mkMerge [
    (lib.mkIf isMullvad {
      services.mullvad-vpn = {
        enable = true;
        enableExcludeWrapper = true;
        package = pkgs.mullvad-vpn;
      };
      startupApplications = [ "${pkgs.mullvad-vpn}/bin/mullvad-gui" ];
      persist.state.homeDirectories = [ ".config/Mullvad VPN" ];
      persist.cache.directories = [ "/var/cache/mullvad-vpn" ];
    })
    (lib.mkIf isTailscale {
      services.tailscale = {
        enable = true;
        #interfaceName = "userspace-networking";
        interfaceName = "tailscale0";
      };
      systemd.services.tailscaled.serviceConfig.ExecStart = [
        ""
        "${pkgs.mullvad}/bin/mullvad-exclude ${pkgs.tailscale}/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=\${PORT} $FLAGS"
      ];
      persist.state.directories = [ "/var/lib/tailscale" ];
    })
    (lib.mkIf (isMullvad && isTailscale) {
      # FIXME: allow mullvad custom dns
      networking.nftables.ruleset = let
        resolver_addrs = "100.100.100.100";
        excluded_ipv4 = "100.64.0.1/10";
        excluded_ipv6 = "fd7a:115c:a1e0::/48";
      in ''
        table inet mullvad-ts {
          chain excludeOutgoing {
            type route hook output priority 0; policy accept;
            ip daddr ${excluded_ipv4} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip6 daddr ${excluded_ipv6} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
          chain allow-incoming {
            type filter hook input priority -100; policy accept;
            iifname "${config.services.tailscale.interfaceName}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
          chain excludeDns {
            type filter hook output priority -10; policy accept;
            ip daddr ${resolver_addrs} udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip daddr ${resolver_addrs} tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }
      '';
    })
  ];
 }