mullvad: add vpn config file

2023-03-09 12:38:53 -03:00 · 2023-03-09 12:38:53 -03:00 · db80138e53
commit db80138e53
parent d9f56ffc93
2 changed files with 32 additions and 10 deletions
--- a/system/configuration.nix
+++ b/system/configuration.nix
@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, inputs, ... }: {
-  imports = [ ./gamemode.nix ./cachix.nix ./media-packages.nix ./boot.nix ];
+  imports = [ ./gamemode.nix ./cachix.nix ./media-packages.nix ./boot.nix ./vpn.nix ];
  packages.media-packages.enable = true;

  boot.kernelPackages = pkgs.linuxPackages_latest;
@ -141,15 +141,6 @@
    enableSSHSupport = true;
    pinentryFlavor = "curses";
  };
-  # List services that you want to enable:
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-  services.mullvad-vpn.enable = true;
  security.sudo.wheelNeedsPassword = false;

  nix.registry.nixpkgs.flake = inputs.nixpkgs;
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -0,0 +1,31 @@
+{ pkgs, ... }: {
+  networking.firewall.enable = false;
+
+  services.mullvad-vpn.enable = true;
+  networking.nftables = {
+    enable = true;
+    ruleset = ''
+      table inet allowSSH {
+          chain allowIncoming {
+              type filter hook input priority -100; policy accept;
+              tcp dport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+          }
+          chain allowOutgoing {
+              type route hook output priority -100; policy accept;
+              tcp sport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+          }
+      }
+
+      table inet allowNixServe {
+          chain allowIncoming {
+              type filter hook input priority -100; policy accept;
+              tcp dport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+          }
+          chain allowOutgoing {
+              type route hook output priority -100; policy accept;
+              tcp sport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+          }
+      }
+    '';
+  };
+}