Remove mullvad vpn
This commit is contained in:
parent
65d78cb872
commit
142d2c2314
|
@ -126,14 +126,12 @@
|
||||||
./system/monolith-gitlab-runner.nix
|
./system/monolith-gitlab-runner.nix
|
||||||
./system/nix-serve.nix
|
./system/nix-serve.nix
|
||||||
./system/steam.nix
|
./system/steam.nix
|
||||||
# { services.vpn.enable = true; }
|
|
||||||
] ++ common_modules;
|
] ++ common_modules;
|
||||||
};
|
};
|
||||||
rainbow = lib.nixosSystem {
|
rainbow = lib.nixosSystem {
|
||||||
inherit system specialArgs;
|
inherit system specialArgs;
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/rainbow.nix
|
./hosts/rainbow.nix
|
||||||
{ services.vpn.enable = true; }
|
|
||||||
./system/rainbow-gitlab-runner.nix
|
./system/rainbow-gitlab-runner.nix
|
||||||
] ++ common_modules;
|
] ++ common_modules;
|
||||||
};
|
};
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
./cachix.nix
|
./cachix.nix
|
||||||
./media-packages.nix
|
./media-packages.nix
|
||||||
./boot.nix
|
./boot.nix
|
||||||
./vpn.nix
|
|
||||||
./thunar.nix
|
./thunar.nix
|
||||||
./nix.nix
|
./nix.nix
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,93 +0,0 @@
|
||||||
{ pkgs, lib, config, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.services.vpn;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.services.vpn = {
|
|
||||||
enable = lib.mkEnableOption "Whether vpn should be enabled";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
networking.firewall.enable = false;
|
|
||||||
|
|
||||||
services.mullvad-vpn.enable = true;
|
|
||||||
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
|
||||||
|
|
||||||
networking.nftables = {
|
|
||||||
enable = true;
|
|
||||||
ruleset = ''
|
|
||||||
table inet allowAll {
|
|
||||||
chain allowIncoming {
|
|
||||||
type filter hook input priority -100; policy accept;
|
|
||||||
tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
|
||||||
}
|
|
||||||
chain allowOutgoing {
|
|
||||||
type route hook output priority -100; policy accept;
|
|
||||||
tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
######################################
|
|
||||||
# _ _ #
|
|
||||||
# __| | ___ ___| | _____ _ __ #
|
|
||||||
# / _` |/ _ \ / __| |/ / _ \ '__| #
|
|
||||||
# | (_| | (_) | (__| < __/ | #
|
|
||||||
# \__,_|\___/ \___|_|\_\___|_| #
|
|
||||||
# #
|
|
||||||
######################################
|
|
||||||
|
|
||||||
# This gets sent to the vpn so it's safe
|
|
||||||
|
|
||||||
table ip nat {
|
|
||||||
chain DOCKER {
|
|
||||||
iifname "docker0" counter packets 0 bytes 0 return
|
|
||||||
}
|
|
||||||
|
|
||||||
chain POSTROUTING {
|
|
||||||
type nat hook postrouting priority srcnat; policy accept;
|
|
||||||
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
|
|
||||||
}
|
|
||||||
|
|
||||||
chain PREROUTING {
|
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
|
||||||
fib daddr type local counter packets 5 bytes 252 jump DOCKER
|
|
||||||
}
|
|
||||||
|
|
||||||
chain OUTPUT {
|
|
||||||
type nat hook output priority -100; policy accept;
|
|
||||||
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
|
|
||||||
}
|
|
||||||
}
|
|
||||||
table ip filter {
|
|
||||||
chain DOCKER {
|
|
||||||
}
|
|
||||||
|
|
||||||
chain DOCKER-ISOLATION-STAGE-1 {
|
|
||||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
|
|
||||||
counter packets 0 bytes 0 return
|
|
||||||
}
|
|
||||||
|
|
||||||
chain DOCKER-ISOLATION-STAGE-2 {
|
|
||||||
oifname "docker0" counter packets 0 bytes 0 drop
|
|
||||||
counter packets 0 bytes 0 return
|
|
||||||
}
|
|
||||||
|
|
||||||
chain FORWARD {
|
|
||||||
type filter hook forward priority filter; policy accept;
|
|
||||||
counter packets 0 bytes 0 jump DOCKER-USER
|
|
||||||
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
|
|
||||||
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
|
|
||||||
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
|
|
||||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
|
|
||||||
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain DOCKER-USER {
|
|
||||||
counter packets 0 bytes 0 return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
Loading…
Reference in a new issue