vpn: allow disabling vpn config

2023-06-02 10:40:51 -03:00 · 2023-06-02 10:40:51 -03:00 · 2dd9bea706
parent 10380a53b5
commit 2dd9bea706
3 changed files with 83 additions and 72 deletions
--- a/flake.nix
+++ b/flake.nix
@ -116,6 +116,7 @@
          inherit system specialArgs;
          modules = [
            ./hosts/rainbow.nix
+            { vpn.enable = true; }
            ./system/rainbow-gitlab-runner.nix
          ] ++ common_modules;
        };
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -1,83 +1,93 @@
-{ pkgs, ... }: {
-  networking.firewall.enable = false;
+{ pkgs, lib, config, ... }:
+let
+  cfg = config.services.vpn;
+in
+{
+  options.services.vpn = {
+    enable = lib.mkEnableOption "Whether vpn should be enabled";
+  };

-  services.mullvad-vpn.enable = true;
-  services.mullvad-vpn.package = pkgs.mullvad-vpn;
+  config = lib.mkIf cfg.enable {
+    networking.firewall.enable = false;

-  networking.nftables = {
-    enable = true;
-    ruleset = ''
-      table inet allowAll {
-          chain allowIncoming {
-              type filter hook input priority -100; policy accept;
-              tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
-          }
-          chain allowOutgoing {
-              type route hook output priority -100; policy accept;
-              tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
-          }
-      }
+    services.mullvad-vpn.enable = true;
+    services.mullvad-vpn.package = pkgs.mullvad-vpn;

-      ######################################
-      #       _            _               #
-      #    __| | ___   ___| | _____ _ __   #
-      #   / _` |/ _ \ / __| |/ / _ \ '__|  #
-      #  | (_| | (_) | (__|   <  __/ |     #
-      #   \__,_|\___/ \___|_|\_\___|_|     #
-      #                                    #
-      ######################################
+    networking.nftables = {
+      enable = true;
+      ruleset = ''
+        table inet allowAll {
+            chain allowIncoming {
+                type filter hook input priority -100; policy accept;
+                tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+            }
+            chain allowOutgoing {
+                type route hook output priority -100; policy accept;
+                tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+            }
+        }

-      # This gets sent to the vpn so it's safe
+        ######################################
+        #       _            _               #
+        #    __| | ___   ___| | _____ _ __   #
+        #   / _` |/ _ \ / __| |/ / _ \ '__|  #
+        #  | (_| | (_) | (__|   <  __/ |     #
+        #   \__,_|\___/ \___|_|\_\___|_|     #
+        #                                    #
+        ######################################

-      table ip nat {
-          chain DOCKER {
-              iifname "docker0" counter packets 0 bytes 0 return
-          }
+        # This gets sent to the vpn so it's safe

-          chain POSTROUTING {
-              type nat hook postrouting priority srcnat; policy accept;
-              oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
-          }
+        table ip nat {
+            chain DOCKER {
+                iifname "docker0" counter packets 0 bytes 0 return
+            }

-          chain PREROUTING {
-              type nat hook prerouting priority dstnat; policy accept;
-              fib daddr type local counter packets 5 bytes 252 jump DOCKER
-          }
+            chain POSTROUTING {
+                type nat hook postrouting priority srcnat; policy accept;
+                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
+            }

-          chain OUTPUT {
-              type nat hook output priority -100; policy accept;
-              ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
-          }
-      }
-      table ip filter {
-          chain DOCKER {
-          }
+            chain PREROUTING {
+                type nat hook prerouting priority dstnat; policy accept;
+                fib daddr type local counter packets 5 bytes 252 jump DOCKER
+            }

-          chain DOCKER-ISOLATION-STAGE-1 {
-              iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
-              counter packets 0 bytes 0 return
-          }
+            chain OUTPUT {
+                type nat hook output priority -100; policy accept;
+                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
+            }
+        }
+        table ip filter {
+            chain DOCKER {
+            }

-          chain DOCKER-ISOLATION-STAGE-2 {
-              oifname "docker0" counter packets 0 bytes 0 drop
-              counter packets 0 bytes 0 return
-          }
+            chain DOCKER-ISOLATION-STAGE-1 {
+                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
+                counter packets 0 bytes 0 return
+            }

-          chain FORWARD {
-              type filter hook forward priority filter; policy accept;
-              counter packets 0 bytes 0 jump DOCKER-USER
-              counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
-              oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
-              oifname "docker0" counter packets 0 bytes 0 jump DOCKER
-              iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
-              iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
-          }
+            chain DOCKER-ISOLATION-STAGE-2 {
+                oifname "docker0" counter packets 0 bytes 0 drop
+                counter packets 0 bytes 0 return
+            }

-          chain DOCKER-USER {
-              counter packets 0 bytes 0 return
-          }
-      }
+            chain FORWARD {
+                type filter hook forward priority filter; policy accept;
+                counter packets 0 bytes 0 jump DOCKER-USER
+                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
+                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
+                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
+                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
+                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
+            }

-    '';
+            chain DOCKER-USER {
+                counter packets 0 bytes 0 return
+            }
+        }
+
+      '';
+    };
  };
 }
--- a/user/waybar/default.nix
+++ b/user/waybar/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, font, ... }:
+{ config, osConfig, pkgs, lib, font, ... }:
 let
  inherit (pkgs.uservars) key theme accent font;
  inherit (theme) color;
@ -13,14 +13,14 @@ in
        layer = "top";
        modules-left = [ "sway/workspaces" "sway/mode" "sway/window" ];
        modules-center = [ "clock" ];
-        modules-right = [
+        modules-right = lib.flatten [
          "sway/language"
          "mpd"
          "custom/playerctl"
          "tray"
          "custom/caffeine"
          "pulseaudio"
-          "custom/vpn"
+          (lib.optional osConfig.services.vpn.enable "custom/vpn")
          "network"
          "battery"
        ];
@ -110,7 +110,7 @@ in
          interval = 1;
          tooltip = false;
        };
-        "custom/vpn" = {
+        "custom/vpn" = lib.mkIf osConfig.services.vpn.enable {
          format = "{}";
          exec = ''
            mullvad status | grep "^Connected" > /dev/null \