mullvad: Drop

machines/hitagi/configuration.nix

@@ -18,7 +18,6 @@
     };
     gui.enable = true;
     media-proxy.enable = true;
-    mullvad.enable = true;
     restic.system = {
       enable = true;
       qos = true;

machines/mayushii/configuration.nix

@@ -18,7 +18,6 @@
     };
     gui.enable = true;
     media-proxy.enable = true;
-    mullvad.enable = true;
     podman.enable = true;
     restic.system = {
       enable = true;

modules/default.nix

@@ -46,7 +46,6 @@
     ./mailserver
     ./media-mount.nix
     ./media-proxy.nix
-    ./mullvad
     ./network-manager.nix
     ./nginx-interactive-index
     ./nginx.nix

modules/mullvad/default.nix

@@ -1,66 +0,0 @@
-# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, pkgs, ... }:
-let
-  relays = builtins.fromJSON (builtins.readFile ./relays.json);
-
-  cfg = config.sbruder.mullvad;
-
-  relayConfigs = lib.mapAttrs'
-    (name: configuration: lib.nameValuePair "mlv-${name}.conf" (with configuration; ''
-      [Interface]
-      DNS = ${cfg.dnsServer}
-
-      [Peer]
-      Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
-      PublicKey = ${pubkey}
-      AllowedIPs = 0.0.0.0/0,::0/0
-    ''))
-    relays;
-
-  # Creating 100+ files in a separate derivation each has too much overhead
-  relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
-    mkdir $out
-  '' + (lib.concatStringsSep
-    "\n"
-    (lib.mapAttrsToList
-      (name: content: ''
-        cat > $out/${lib.escapeShellArg name} << EOF
-        ${content}
-        EOF
-      '')
-      relayConfigs)));
-in
-{
-  options.sbruder.mullvad = {
-    enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
-    dnsServer = lib.mkOption {
-      type = lib.types.str;
-      default = "193.138.218.74";
-    };
-    ipVersion = lib.mkOption {
-      type = lib.types.enum [ 4 6 ];
-      default = 4;
-    };
-    port = lib.mkOption {
-      type = lib.types.port;
-      default = 51820;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    environment = {
-      etc = builtins.listToAttrs
-        (map
-          (name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
-          (lib.attrNames relayConfigs));
-
-      systemPackages = lib.singleton (pkgs.runCommandNoCC "mullvad-on-demand" { } ''
-        install -D ${./mullvad.sh} $out/bin/mullvad
-        install -D ${./mullvad-fzf.sh} $out/bin/mullvad-fzf
-      '');
-    };
-  };
-}

modules/mullvad/mullvad-fzf.sh

@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-# SPDX-FileCopyrightText: 2022 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-mullvad $(find /etc/wireguard -name "mlv-*.conf" -printf "%f\n" | sed 's/mlv-\(.*\)\.conf/\1/' | fzf)

modules/mullvad/mullvad.sh

@@ -1,65 +0,0 @@
-#!/usr/bin/env bash
-
-# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# This reads wg-quick compatible configuration files from
-# /etc/wireguard/mlv-LOCATION.conf
-#
-# Since they are autogenerated by nix and therefore world-readable, they do not
-# include secrets like the private key and client address. Instead, they are
-# manually added after wg-quick set up the tunnel by retrieving them with
-# pass(1) from web/mullvad.net/wireguard.
-#
-# Format of pass entry:
-#     PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
-#     Address4: 10.0.0.1/32
-#     Address6: fd00::1/128
-set -euo pipefail
-
-if (( $# < 1 )); then
-	echo "USAGE: $0 LOCATION|off" >&2
-	exit 1
-fi
-
-INTERFACE="mlv-$1"
-
-cmd() {
-	echo "[#] $*" >&2
-	sudo "$@"
-}
-
-for interface in /sys/class/net/*; do
-	interface="${interface#/sys/class/net/}"
-	[[ $interface =~ ^mlv-(v6-)?[a-z]{2}(-[a-z]{3}-)?[0-9]*$ ]] && cmd wg-quick down "$interface"
-done
-
-if [ "$1" != "off" ]; then
-	# Make sure gpg-agent is unlocked so the period where the interface exists but
-	# no private key is set is minised.
-	pass web/mullvad.net/wireguard >/dev/null
-
-	cmd wg-quick up "$INTERFACE"
-	pass web/mullvad.net/wireguard | while read -r line; do
-		key="${line%%: *}"
-		value="${line#*: }"
-		case "$key" in
-			PrivateKey)
-				cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
-				continue
-				;;
-			Address4)
-				cmd ip -4 address add "$value" dev "$INTERFACE"
-				continue
-				;;
-			Address6)
-				cmd ip -6 address add "$value" dev "$INTERFACE"
-				continue
-				;;
-			*)
-				echo "Invalid key '$key'"
-				exit 1
-		esac
-	done
-fi

modules/mullvad/relays.json.license

@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2021-2023 Mullvad VPN AB
-
-SPDX-License-Identifier: CC0-1.0

modules/mullvad/update.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# This gets the current wireguard relay list from mullvad’s API and transforms
-# it into a format that takes up less space than the original response.
-set -euo pipefail
-curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
-	key: (if .hostname | endswith("-wireguard") then .hostname | split("-")[0] else .hostname | sub("-wg-"; "-") end),
-	value: {
-		endpoint4: .ipv4_addr_in,
-		endpoint6: .ipv6_addr_in,
-		pubkey: .pubkey
-	}
-}) | from_entries' > relays.json