vpn: allow disabling vpn config

This commit is contained in:
Leonardo Eugênio 2023-06-02 10:40:51 -03:00
parent 10380a53b5
commit 2dd9bea706
3 changed files with 83 additions and 72 deletions

View file

@ -116,6 +116,7 @@
inherit system specialArgs;
modules = [
./hosts/rainbow.nix
{ vpn.enable = true; }
./system/rainbow-gitlab-runner.nix
] ++ common_modules;
};

View file

@ -1,83 +1,93 @@
{ pkgs, ... }: {
networking.firewall.enable = false;
{ pkgs, lib, config, ... }:
let
cfg = config.services.vpn;
in
{
options.services.vpn = {
enable = lib.mkEnableOption "Whether vpn should be enabled";
};
services.mullvad-vpn.enable = true;
services.mullvad-vpn.package = pkgs.mullvad-vpn;
config = lib.mkIf cfg.enable {
networking.firewall.enable = false;
networking.nftables = {
enable = true;
ruleset = ''
table inet allowAll {
chain allowIncoming {
type filter hook input priority -100; policy accept;
tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
chain allowOutgoing {
type route hook output priority -100; policy accept;
tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
}
services.mullvad-vpn.enable = true;
services.mullvad-vpn.package = pkgs.mullvad-vpn;
######################################
# _ _ #
# __| | ___ ___| | _____ _ __ #
# / _` |/ _ \ / __| |/ / _ \ '__| #
# | (_| | (_) | (__| < __/ | #
# \__,_|\___/ \___|_|\_\___|_| #
# #
######################################
networking.nftables = {
enable = true;
ruleset = ''
table inet allowAll {
chain allowIncoming {
type filter hook input priority -100; policy accept;
tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
chain allowOutgoing {
type route hook output priority -100; policy accept;
tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
}
# This gets sent to the vpn so it's safe
######################################
# _ _ #
# __| | ___ ___| | _____ _ __ #
# / _` |/ _ \ / __| |/ / _ \ '__| #
# | (_| | (_) | (__| < __/ | #
# \__,_|\___/ \___|_|\_\___|_| #
# #
######################################
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
# This gets sent to the vpn so it's safe
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
}
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 5 bytes 252 jump DOCKER
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 5 bytes 252 jump DOCKER
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
'';
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}
'';
};
};
}

View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, font, ... }:
{ config, osConfig, pkgs, lib, font, ... }:
let
inherit (pkgs.uservars) key theme accent font;
inherit (theme) color;
@ -13,14 +13,14 @@ in
layer = "top";
modules-left = [ "sway/workspaces" "sway/mode" "sway/window" ];
modules-center = [ "clock" ];
modules-right = [
modules-right = lib.flatten [
"sway/language"
"mpd"
"custom/playerctl"
"tray"
"custom/caffeine"
"pulseaudio"
"custom/vpn"
(lib.optional osConfig.services.vpn.enable "custom/vpn")
"network"
"battery"
];
@ -110,7 +110,7 @@ in
interval = 1;
tooltip = false;
};
"custom/vpn" = {
"custom/vpn" = lib.mkIf osConfig.services.vpn.enable {
format = "{}";
exec = ''
mullvad status | grep "^Connected" > /dev/null \