vpn: allow disabling vpn config
parent
10380a53b5
commit
2dd9bea706
|
@ -116,6 +116,7 @@
|
|||
inherit system specialArgs;
|
||||
modules = [
|
||||
./hosts/rainbow.nix
|
||||
{ vpn.enable = true; }
|
||||
./system/rainbow-gitlab-runner.nix
|
||||
] ++ common_modules;
|
||||
};
|
||||
|
|
146
system/vpn.nix
146
system/vpn.nix
|
@ -1,83 +1,93 @@
|
|||
{ pkgs, ... }: {
|
||||
networking.firewall.enable = false;
|
||||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.services.vpn;
|
||||
in
|
||||
{
|
||||
options.services.vpn = {
|
||||
enable = lib.mkEnableOption "Whether vpn should be enabled";
|
||||
};
|
||||
|
||||
services.mullvad-vpn.enable = true;
|
||||
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
||||
config = lib.mkIf cfg.enable {
|
||||
networking.firewall.enable = false;
|
||||
|
||||
networking.nftables = {
|
||||
enable = true;
|
||||
ruleset = ''
|
||||
table inet allowAll {
|
||||
chain allowIncoming {
|
||||
type filter hook input priority -100; policy accept;
|
||||
tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||
}
|
||||
chain allowOutgoing {
|
||||
type route hook output priority -100; policy accept;
|
||||
tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||
}
|
||||
}
|
||||
services.mullvad-vpn.enable = true;
|
||||
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
||||
|
||||
######################################
|
||||
# _ _ #
|
||||
# __| | ___ ___| | _____ _ __ #
|
||||
# / _` |/ _ \ / __| |/ / _ \ '__| #
|
||||
# | (_| | (_) | (__| < __/ | #
|
||||
# \__,_|\___/ \___|_|\_\___|_| #
|
||||
# #
|
||||
######################################
|
||||
networking.nftables = {
|
||||
enable = true;
|
||||
ruleset = ''
|
||||
table inet allowAll {
|
||||
chain allowIncoming {
|
||||
type filter hook input priority -100; policy accept;
|
||||
tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||
}
|
||||
chain allowOutgoing {
|
||||
type route hook output priority -100; policy accept;
|
||||
tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||
}
|
||||
}
|
||||
|
||||
# This gets sent to the vpn so it's safe
|
||||
######################################
|
||||
# _ _ #
|
||||
# __| | ___ ___| | _____ _ __ #
|
||||
# / _` |/ _ \ / __| |/ / _ \ '__| #
|
||||
# | (_| | (_) | (__| < __/ | #
|
||||
# \__,_|\___/ \___|_|\_\___|_| #
|
||||
# #
|
||||
######################################
|
||||
|
||||
table ip nat {
|
||||
chain DOCKER {
|
||||
iifname "docker0" counter packets 0 bytes 0 return
|
||||
}
|
||||
# This gets sent to the vpn so it's safe
|
||||
|
||||
chain POSTROUTING {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
|
||||
}
|
||||
table ip nat {
|
||||
chain DOCKER {
|
||||
iifname "docker0" counter packets 0 bytes 0 return
|
||||
}
|
||||
|
||||
chain PREROUTING {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
fib daddr type local counter packets 5 bytes 252 jump DOCKER
|
||||
}
|
||||
chain POSTROUTING {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
|
||||
}
|
||||
|
||||
chain OUTPUT {
|
||||
type nat hook output priority -100; policy accept;
|
||||
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
|
||||
}
|
||||
}
|
||||
table ip filter {
|
||||
chain DOCKER {
|
||||
}
|
||||
chain PREROUTING {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
fib daddr type local counter packets 5 bytes 252 jump DOCKER
|
||||
}
|
||||
|
||||
chain DOCKER-ISOLATION-STAGE-1 {
|
||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
|
||||
counter packets 0 bytes 0 return
|
||||
}
|
||||
chain OUTPUT {
|
||||
type nat hook output priority -100; policy accept;
|
||||
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
|
||||
}
|
||||
}
|
||||
table ip filter {
|
||||
chain DOCKER {
|
||||
}
|
||||
|
||||
chain DOCKER-ISOLATION-STAGE-2 {
|
||||
oifname "docker0" counter packets 0 bytes 0 drop
|
||||
counter packets 0 bytes 0 return
|
||||
}
|
||||
chain DOCKER-ISOLATION-STAGE-1 {
|
||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
|
||||
counter packets 0 bytes 0 return
|
||||
}
|
||||
|
||||
chain FORWARD {
|
||||
type filter hook forward priority filter; policy accept;
|
||||
counter packets 0 bytes 0 jump DOCKER-USER
|
||||
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
|
||||
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
|
||||
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
|
||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
|
||||
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
|
||||
}
|
||||
chain DOCKER-ISOLATION-STAGE-2 {
|
||||
oifname "docker0" counter packets 0 bytes 0 drop
|
||||
counter packets 0 bytes 0 return
|
||||
}
|
||||
|
||||
chain DOCKER-USER {
|
||||
counter packets 0 bytes 0 return
|
||||
}
|
||||
}
|
||||
chain FORWARD {
|
||||
type filter hook forward priority filter; policy accept;
|
||||
counter packets 0 bytes 0 jump DOCKER-USER
|
||||
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
|
||||
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
|
||||
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
|
||||
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
|
||||
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
|
||||
}
|
||||
|
||||
'';
|
||||
chain DOCKER-USER {
|
||||
counter packets 0 bytes 0 return
|
||||
}
|
||||
}
|
||||
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
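Review bot: The option declared here is `services.vpn.enable`, but the first hunk enables it with `{ vpn.enable = true; }` while the waybar hunk reads `osConfig.services.vpn.enable`; unless another module declares a top-level `vpn` option, that assignment fails evaluation as an undefined option, and even if such an option exists it will not enable this module, so the host line should read `{ services.vpn.enable = true; }`. Separately, `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so the description renders as "Whether to enable Whether vpn should be enabled."; pass a noun phrase instead, e.g. `enable = lib.mkEnableOption "the Mullvad VPN and its nftables ruleset";`. A comment above `networking.firewall.enable = false;` would also help, noting that once this module is enabled every chain in the ruleset below carries `policy accept`, so inbound filtering on the host rests entirely on the Mullvad daemon's own rules rather than on anything declared in this file.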
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, font, ... }:
|
||||
{ config, osConfig, pkgs, lib, font, ... }:
|
||||
let
|
||||
inherit (pkgs.uservars) key theme accent font;
|
||||
inherit (theme) color;
|
||||
|
@ -13,14 +13,14 @@ in
|
|||
layer = "top";
|
||||
modules-left = [ "sway/workspaces" "sway/mode" "sway/window" ];
|
||||
modules-center = [ "clock" ];
|
||||
modules-right = [
|
||||
modules-right = lib.flatten [
|
||||
"sway/language"
|
||||
"mpd"
|
||||
"custom/playerctl"
|
||||
"tray"
|
||||
"custom/caffeine"
|
||||
"pulseaudio"
|
||||
"custom/vpn"
|
||||
(lib.optional osConfig.services.vpn.enable "custom/vpn")
|
||||
"network"
|
||||
"battery"
|
||||
];
|
||||
|
@ -110,7 +110,7 @@ in
|
|||
interval = 1;
|
||||
tooltip = false;
|
||||
};
|
||||
"custom/vpn" = {
|
||||
"custom/vpn" = lib.mkIf osConfig.services.vpn.enable {
|
||||
format = "{}";
|
||||
exec = ''
|
||||
mullvad status | grep "^Connected" > /dev/null \
|
||||
|
|