diff --git a/flake.nix b/flake.nix
index ca325a3..1c72454 100644
--- a/flake.nix
+++ b/flake.nix
@@ -116,6 +116,7 @@
 inherit system specialArgs;
 modules = [
 ./hosts/rainbow.nix
+ { vpn.enable = true; }
 ./system/rainbow-gitlab-runner.nix
 ] ++ common_modules;
 };
diff --git a/system/vpn.nix b/system/vpn.nix
index 9aa1ec0..703b5eb 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
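Review bot: `{ vpn.enable = true; }` sets an option path that nothing in this commit declares: `system/vpn.nix` declares `options.services.vpn.enable` and `user/waybar/default.nix` reads `osConfig.services.vpn.enable`, so evaluating the rainbow host should fail with an undefined-option error for `vpn.enable`, and if some other module does happen to declare `vpn`, the Mullvad module will simply stay disabled. The line should read `{ services.vpn.enable = true; }`. The enclosing `nixosSystem` call starts outside the hunk.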
@@ -1,83 +1,93 @@
-{ pkgs, ... }: {
- networking.firewall.enable = false;
+{ pkgs, lib, config, ... }:
+let
+ cfg = config.services.vpn;
+in
+{
+ options.services.vpn = {
+ enable = lib.mkEnableOption "Whether vpn should be enabled";
+ };
- services.mullvad-vpn.enable = true;
- services.mullvad-vpn.package = pkgs.mullvad-vpn;
+ config = lib.mkIf cfg.enable {
+ networking.firewall.enable = false;
- networking.nftables = {
- enable = true;
- ruleset = ''
- table inet allowAll {
- chain allowIncoming {
- type filter hook input priority -100; policy accept;
- tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
- }
- chain allowOutgoing {
- type route hook output priority -100; policy accept;
- tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
- }
- }
+ services.mullvad-vpn.enable = true;
+ services.mullvad-vpn.package = pkgs.mullvad-vpn;
- ######################################
- # _ _ #
- # __| | ___ ___| | _____ _ __ #
- # / _` |/ _ \ / __| |/ / _ \ '__| #
- # | (_| | (_) | (__| < __/ | #
- # \__,_|\___/ \___|_|\_\___|_| #
- # #
- ######################################
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table inet allowAll {
+ chain allowIncoming {
+ type filter hook input priority -100; policy accept;
+ tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+ }
+ chain allowOutgoing {
+ type route hook output priority -100; policy accept;
+ tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+ }
+ }
- # This gets sent to the vpn so it's safe
+ ######################################
+ # _ _ #
+ # __| | ___ ___| | _____ _ __ #
+ # / _` |/ _ \ / __| |/ / _ \ '__| #
+ # | (_| | (_) | (__| < __/ | #
+ # \__,_|\___/ \___|_|\_\___|_| #
+ # #
+ ######################################
- table ip nat {
- chain DOCKER {
- iifname "docker0" counter packets 0 bytes 0 return
- }
+ # This gets sent to the vpn so it's safe
- chain POSTROUTING {
- type nat hook postrouting priority srcnat; policy accept;
- oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
- }
+ table ip nat {
+ chain DOCKER {
+ iifname "docker0" counter packets 0 bytes 0 return
+ }
- chain PREROUTING {
- type nat hook prerouting priority dstnat; policy accept;
- fib daddr type local counter packets 5 bytes 252 jump DOCKER
- }
+ chain POSTROUTING {
+ type nat hook postrouting priority srcnat; policy accept;
+ oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
+ }
- chain OUTPUT {
- type nat hook output priority -100; policy accept;
- ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
- }
- }
- table ip filter {
- chain DOCKER {
- }
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ fib daddr type local counter packets 5 bytes 252 jump DOCKER
+ }
- chain DOCKER-ISOLATION-STAGE-1 {
- iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
- counter packets 0 bytes 0 return
- }
+ chain OUTPUT {
+ type nat hook output priority -100; policy accept;
+ ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
+ }
+ }
+ table ip filter {
+ chain DOCKER {
+ }
- chain DOCKER-ISOLATION-STAGE-2 {
- oifname "docker0" counter packets 0 bytes 0 drop
- counter packets 0 bytes 0 return
- }
+ chain DOCKER-ISOLATION-STAGE-1 {
+ iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
+ counter packets 0 bytes 0 return
+ }
- chain FORWARD {
- type filter hook forward priority filter; policy accept;
- counter packets 0 bytes 0 jump DOCKER-USER
- counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
- oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
- oifname "docker0" counter packets 0 bytes 0 jump DOCKER
- iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
- iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
- }
+ chain DOCKER-ISOLATION-STAGE-2 {
+ oifname "docker0" counter packets 0 bytes 0 drop
+ counter packets 0 bytes 0 return
+ }
- chain DOCKER-USER {
- counter packets 0 bytes 0 return
- }
- }
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ counter packets 0 bytes 0 jump DOCKER-USER
+ counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
+ oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
+ oifname "docker0" counter packets 0 bytes 0 jump DOCKER
+ iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
+ iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
+ }
- '';
+ chain DOCKER-USER {
+ counter packets 0 bytes 0 return
+ }
+ }
+
+ '';
+ };
 };
 }
diff --git a/user/waybar/default.nix b/user/waybar/default.nix
index 1c13a5f..304d463 100644
--- a/user/waybar/default.nix
+++ b/user/waybar/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, font, ... }:
+{ config, osConfig, pkgs, lib, font, ... }:
 let
 inherit (pkgs.uservars) key theme accent font;
 inherit (theme) color;
@@ -13,14 +13,14 @@ in
 layer = "top";
 modules-left = [ "sway/workspaces" "sway/mode" "sway/window" ];
 modules-center = [ "clock" ];
- modules-right = [
+ modules-right = lib.flatten [
 "sway/language"
 "mpd"
 "custom/playerctl"
 "tray"
 "custom/caffeine"
 "pulseaudio"
- "custom/vpn"
+ (lib.optional osConfig.services.vpn.enable "custom/vpn")
 "network"
 "battery"
 ];
@@ -110,7 +110,7 @@ in
 interval = 1;
 tooltip = false;
 };
- "custom/vpn" = {
+ "custom/vpn" = lib.mkIf osConfig.services.vpn.enable {
 format = "{}";
 exec = ''
 mullvad status | grep "^Connected" > /dev/null \
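Review bot: Turning on `services.vpn` now also sets `networking.firewall.enable = false` and installs a ruleset in which every chain is `policy accept`, so the option disables the host firewall as a side effect, and neither the option description nor the `config` block says so. The `tcp dport 0-10999 ... meta mark set 0x6d6f6c65` rules look like the Mullvad exclusion (split-tunnel) mark, which, if that reading is right, means any service listening on those TCP ports is reachable outside the tunnel with no packet filter in front of it; worth confirming the intent in a comment and narrowing the range to the ports actually needed. Suggest a comment above `networking.firewall.enable = false;`: `# NOTE: enabling the VPN disables the NixOS firewall; every chain below is policy accept, so nothing here filters inbound traffic`. The description also double-prefixes, since `mkEnableOption` already prepends "Whether to enable", so `lib.mkEnableOption "Mullvad VPN and its nftables ruleset"` reads correctly. The `counter packets 5 bytes 252` values are dumped counter state from `nft list ruleset` and carry no meaning in a declarative ruleset; plain `counter` is enough.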
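Review bot: All three hunks of `user/waybar/default.nix` evaluate `osConfig.services.vpn.enable`, which only works when home-manager runs as a NixOS module (that is where `osConfig` is supplied; standalone home-manager does not pass it, as far as I know) and when the host actually imports `system/vpn.nix` so the option is declared; otherwise the whole waybar configuration fails to evaluate instead of merely omitting the VPN widget. Suggest accepting the argument as `osConfig ? { }` and binding the flag once in the `let` block, `vpnEnabled = lib.attrByPath [ "services" "vpn" "enable" ] false osConfig;`, then using `vpnEnabled` in the `lib.optional` and `lib.mkIf` expressions of the second and third hunks. The `let` block and the settings attrset these hunks sit in extend outside the hunks.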