mullvad: Drop
parent
5c5c554bb2
commit
2d7305d199
|
@ -18,7 +18,6 @@
|
|||
};
|
||||
gui.enable = true;
|
||||
media-proxy.enable = true;
|
||||
mullvad.enable = true;
|
||||
restic.system = {
|
||||
enable = true;
|
||||
qos = true;
|
||||
|
|
|
@ -18,7 +18,6 @@
|
|||
};
|
||||
gui.enable = true;
|
||||
media-proxy.enable = true;
|
||||
mullvad.enable = true;
|
||||
podman.enable = true;
|
||||
restic.system = {
|
||||
enable = true;
|
||||
|
|
|
@ -46,7 +46,6 @@
|
|||
./mailserver
|
||||
./media-mount.nix
|
||||
./media-proxy.nix
|
||||
./mullvad
|
||||
./network-manager.nix
|
||||
./nginx-interactive-index
|
||||
./nginx.nix
|
||||
|
|
|
@ -1,66 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
relays = builtins.fromJSON (builtins.readFile ./relays.json);
|
||||
|
||||
cfg = config.sbruder.mullvad;
|
||||
|
||||
relayConfigs = lib.mapAttrs'
|
||||
(name: configuration: lib.nameValuePair "mlv-${name}.conf" (with configuration; ''
|
||||
[Interface]
|
||||
DNS = ${cfg.dnsServer}
|
||||
|
||||
[Peer]
|
||||
Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
|
||||
PublicKey = ${pubkey}
|
||||
AllowedIPs = 0.0.0.0/0,::0/0
|
||||
''))
|
||||
relays;
|
||||
|
||||
# Creating 100+ files in a separate derivation each has too much overhead
|
||||
relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
|
||||
mkdir $out
|
||||
'' + (lib.concatStringsSep
|
||||
"\n"
|
||||
(lib.mapAttrsToList
|
||||
(name: content: ''
|
||||
cat > $out/${lib.escapeShellArg name} << EOF
|
||||
${content}
|
||||
EOF
|
||||
'')
|
||||
relayConfigs)));
|
||||
in
|
||||
{
|
||||
options.sbruder.mullvad = {
|
||||
enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
|
||||
dnsServer = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "193.138.218.74";
|
||||
};
|
||||
ipVersion = lib.mkOption {
|
||||
type = lib.types.enum [ 4 6 ];
|
||||
default = 4;
|
||||
};
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 51820;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment = {
|
||||
etc = builtins.listToAttrs
|
||||
(map
|
||||
(name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
|
||||
(lib.attrNames relayConfigs));
|
||||
|
||||
systemPackages = lib.singleton (pkgs.runCommandNoCC "mullvad-on-demand" { } ''
|
||||
install -D ${./mullvad.sh} $out/bin/mullvad
|
||||
install -D ${./mullvad-fzf.sh} $out/bin/mullvad-fzf
|
||||
'');
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# SPDX-FileCopyrightText: 2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
mullvad $(find /etc/wireguard -name "mlv-*.conf" -printf "%f\n" | sed 's/mlv-\(.*\)\.conf/\1/' | fzf)
|
|
@ -1,65 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
# This reads wg-quick compatible configuration files from
|
||||
# /etc/wireguard/mlv-LOCATION.conf
|
||||
#
|
||||
# Since they are autogenerated by nix and therefore world-readable, they do not
|
||||
# include secrets like the private key and client address. Instead, they are
|
||||
# manually added after wg-quick set up the tunnel by retrieving them with
|
||||
# pass(1) from web/mullvad.net/wireguard.
|
||||
#
|
||||
# Format of pass entry:
|
||||
# PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
|
||||
# Address4: 10.0.0.1/32
|
||||
# Address6: fd00::1/128
|
||||
set -euo pipefail
|
||||
|
||||
if (( $# < 1 )); then
|
||||
echo "USAGE: $0 LOCATION|off" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
INTERFACE="mlv-$1"
|
||||
|
||||
cmd() {
|
||||
echo "[#] $*" >&2
|
||||
sudo "$@"
|
||||
}
|
||||
|
||||
for interface in /sys/class/net/*; do
|
||||
interface="${interface#/sys/class/net/}"
|
||||
[[ $interface =~ ^mlv-(v6-)?[a-z]{2}(-[a-z]{3}-)?[0-9]*$ ]] && cmd wg-quick down "$interface"
|
||||
done
|
||||
|
||||
if [ "$1" != "off" ]; then
|
||||
# Make sure gpg-agent is unlocked so the period where the interface exists but
|
||||
# no private key is set is minised.
|
||||
pass web/mullvad.net/wireguard >/dev/null
|
||||
|
||||
cmd wg-quick up "$INTERFACE"
|
||||
pass web/mullvad.net/wireguard | while read -r line; do
|
||||
key="${line%%: *}"
|
||||
value="${line#*: }"
|
||||
case "$key" in
|
||||
PrivateKey)
|
||||
cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
|
||||
continue
|
||||
;;
|
||||
Address4)
|
||||
cmd ip -4 address add "$value" dev "$INTERFACE"
|
||||
continue
|
||||
;;
|
||||
Address6)
|
||||
cmd ip -6 address add "$value" dev "$INTERFACE"
|
||||
continue
|
||||
;;
|
||||
*)
|
||||
echo "Invalid key '$key'"
|
||||
exit 1
|
||||
esac
|
||||
done
|
||||
fi
|
File diff suppressed because it is too large
|
@ -1,3 +0,0 @@
|
|||
SPDX-FileCopyrightText: 2021-2023 Mullvad VPN AB
|
||||
|
||||
SPDX-License-Identifier: CC0-1.0
|
|
@ -1,17 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
# This gets the current wireguard relay list from mullvad’s API and transforms
|
||||
# it into a format that takes up less space than the original response.
|
||||
set -euo pipefail
|
||||
curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
|
||||
key: (if .hostname | endswith("-wireguard") then .hostname | split("-")[0] else .hostname | sub("-wg-"; "-") end),
|
||||
value: {
|
||||
endpoint4: .ipv4_addr_in,
|
||||
endpoint6: .ipv6_addr_in,
|
||||
pubkey: .pubkey
|
||||
}
|
||||
}) | from_entries' > relays.json
|