vpn: allow disabling vpn config
This commit is contained in:
parent
10380a53b5
commit
2dd9bea706
|
|
@ -116,6 +116,7 @@
|
||||||
inherit system specialArgs;
|
inherit system specialArgs;
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/rainbow.nix
|
./hosts/rainbow.nix
|
||||||
|
{ vpn.enable = true; }
|
||||||
./system/rainbow-gitlab-runner.nix
|
./system/rainbow-gitlab-runner.nix
|
||||||
] ++ common_modules;
|
] ++ common_modules;
|
||||||
};
|
};
|
||||||
|
|
|
||||||
146
system/vpn.nix
146
system/vpn.nix
|
|
@ -1,83 +1,93 @@
|
||||||
{ pkgs, ... }: {
|
{ pkgs, lib, config, ... }:
|
||||||
networking.firewall.enable = false;
|
let
|
||||||
|
cfg = config.services.vpn;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.services.vpn = {
|
||||||
|
enable = lib.mkEnableOption "Whether vpn should be enabled";
|
||||||
|
};
|
||||||
|
|
||||||
services.mullvad-vpn.enable = true;
|
config = lib.mkIf cfg.enable {
|
||||||
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
networking.firewall.enable = false;
|
||||||
|
|
||||||
networking.nftables = {
|
services.mullvad-vpn.enable = true;
|
||||||
enable = true;
|
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
||||||
ruleset = ''
|
|
||||||
table inet allowAll {
|
|
||||||
chain allowIncoming {
|
|
||||||
type filter hook input priority -100; policy accept;
|
|
||||||
tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
|
||||||
}
|
|
||||||
chain allowOutgoing {
|
|
||||||
type route hook output priority -100; policy accept;
|
|
||||||
tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
######################################
|
networking.nftables = {
|
||||||
# _ _ #
|
enable = true;
|
||||||
# __| | ___ ___| | _____ _ __ #
|
ruleset = ''
|
||||||
# / _` |/ _ \ / __| |/ / _ \ '__| #
|
table inet allowAll {
|
||||||
# | (_| | (_) | (__| < __/ | #
|
chain allowIncoming {
|
||||||
# \__,_|\___/ \___|_|\_\___|_| #
|
type filter hook input priority -100; policy accept;
|
||||||
# #
|
tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||||
######################################
|
}
|
||||||
|
chain allowOutgoing {
|
||||||
|
type route hook output priority -100; policy accept;
|
||||||
|
tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# This gets sent to the vpn so it's safe
|
######################################
|
||||||
|
# _ _ #
|
||||||
|
# __| | ___ ___| | _____ _ __ #
|
||||||
|
# / _` |/ _ \ / __| |/ / _ \ '__| #
|
||||||
|
# | (_| | (_) | (__| < __/ | #
|
||||||
|
# \__,_|\___/ \___|_|\_\___|_| #
|
||||||
|
# #
|
||||||
|
######################################
|
||||||
|
|
||||||
table ip nat {
|
# This gets sent to the vpn so it's safe
|
||||||
chain DOCKER {
|
|
||||||
iifname "docker0" counter packets 0 bytes 0 return
|
|
||||||
}
|
|
||||||
|
|
||||||
chain POSTROUTING {
|
table ip nat {
|
||||||
type nat hook postrouting priority srcnat; policy accept;
|
chain DOCKER {
|
||||||
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
|
iifname "docker0" counter packets 0 bytes 0 return
|
||||||
}
|
}
|
||||||
|
|
||||||
chain PREROUTING {
|
chain POSTROUTING {
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
fib daddr type local counter packets 5 bytes 252 jump DOCKER
|
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
|
||||||
}
|
}
|
||||||
|
|
||||||
chain OUTPUT {
|
chain PREROUTING {
|
||||||
type nat hook output priority -100; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
|
fib daddr type local counter packets 5 bytes 252 jump DOCKER
|
||||||
}
|
}
|
||||||
}
|
|
||||||
table ip filter {
|
|
||||||
chain DOCKER {
|
|
||||||
}
|
|
||||||
|
|
||||||
chain DOCKER-ISOLATION-STAGE-1 {
|
chain OUTPUT {
|
||||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
|
type nat hook output priority -100; policy accept;
|
||||||
counter packets 0 bytes 0 return
|
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
table ip filter {
|
||||||
|
chain DOCKER {
|
||||||
|
}
|
||||||
|
|
||||||
chain DOCKER-ISOLATION-STAGE-2 {
|
chain DOCKER-ISOLATION-STAGE-1 {
|
||||||
oifname "docker0" counter packets 0 bytes 0 drop
|
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
|
||||||
counter packets 0 bytes 0 return
|
counter packets 0 bytes 0 return
|
||||||
}
|
}
|
||||||
|
|
||||||
chain FORWARD {
|
chain DOCKER-ISOLATION-STAGE-2 {
|
||||||
type filter hook forward priority filter; policy accept;
|
oifname "docker0" counter packets 0 bytes 0 drop
|
||||||
counter packets 0 bytes 0 jump DOCKER-USER
|
counter packets 0 bytes 0 return
|
||||||
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
|
}
|
||||||
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
|
|
||||||
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
|
|
||||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
|
|
||||||
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain DOCKER-USER {
|
chain FORWARD {
|
||||||
counter packets 0 bytes 0 return
|
type filter hook forward priority filter; policy accept;
|
||||||
}
|
counter packets 0 bytes 0 jump DOCKER-USER
|
||||||
}
|
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
|
||||||
|
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
|
||||||
|
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
|
||||||
|
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
|
||||||
|
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
|
||||||
|
}
|
||||||
|
|
||||||
'';
|
chain DOCKER-USER {
|
||||||
|
counter packets 0 bytes 0 return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, lib, font, ... }:
|
{ config, osConfig, pkgs, lib, font, ... }:
|
||||||
let
|
let
|
||||||
inherit (pkgs.uservars) key theme accent font;
|
inherit (pkgs.uservars) key theme accent font;
|
||||||
inherit (theme) color;
|
inherit (theme) color;
|
||||||
|
|
@ -13,14 +13,14 @@ in
|
||||||
layer = "top";
|
layer = "top";
|
||||||
modules-left = [ "sway/workspaces" "sway/mode" "sway/window" ];
|
modules-left = [ "sway/workspaces" "sway/mode" "sway/window" ];
|
||||||
modules-center = [ "clock" ];
|
modules-center = [ "clock" ];
|
||||||
modules-right = [
|
modules-right = lib.flatten [
|
||||||
"sway/language"
|
"sway/language"
|
||||||
"mpd"
|
"mpd"
|
||||||
"custom/playerctl"
|
"custom/playerctl"
|
||||||
"tray"
|
"tray"
|
||||||
"custom/caffeine"
|
"custom/caffeine"
|
||||||
"pulseaudio"
|
"pulseaudio"
|
||||||
"custom/vpn"
|
(lib.optional osConfig.services.vpn.enable "custom/vpn")
|
||||||
"network"
|
"network"
|
||||||
"battery"
|
"battery"
|
||||||
];
|
];
|
||||||
|
|
@ -110,7 +110,7 @@ in
|
||||||
interval = 1;
|
interval = 1;
|
||||||
tooltip = false;
|
tooltip = false;
|
||||||
};
|
};
|
||||||
"custom/vpn" = {
|
"custom/vpn" = lib.mkIf osConfig.services.vpn.enable {
|
||||||
format = "{}";
|
format = "{}";
|
||||||
exec = ''
|
exec = ''
|
||||||
mullvad status | grep "^Connected" > /dev/null \
|
mullvad status | grep "^Connected" > /dev/null \
|
||||||
|
|
|
||||||
Reference in a new issue