Add module for on-demand usage of mullvad

Since wg-quick does not require the configuration file to include a
private key and local addresses, they can be added after the execution
of wg-quick.

Fixes #32.
This commit is contained in:
Simon Bruder 2021-05-31 23:02:11 +02:00
parent ac81f66237
commit 56b9c6c37f
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
7 changed files with 2117 additions and 4 deletions

View file

@ -11,6 +11,7 @@
games.enable = true;
gui.enable = true;
media-proxy.enable = true;
mullvad.enable = true;
restic.system.enable = true;
unfree.allowSoftware = true;
wireguard.home.enable = true;

View file

@ -11,6 +11,7 @@
games.enable = true;
gui.enable = true;
media-proxy.enable = true;
mullvad.enable = true;
restic.system = {
enable = true;
extraPaths = [

View file

@ -29,6 +29,7 @@
./locales.nix
./mailserver.nix
./media-proxy.nix
./mullvad
./network-manager.nix
./nginx-interactive-index
./nginx.nix

View file

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
let
relays = builtins.fromJSON (builtins.readFile ./relays.json);
cfg = config.sbruder.mullvad;
relayConfigs = lib.mapAttrs'
(name: configuration: lib.nameValuePair "mullvad-${name}.conf" (with configuration; ''
[Interface]
DNS = ${cfg.dnsServer}
[Peer]
Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
PublicKey = ${pubkey}
AllowedIPs = 0.0.0.0/0,::0/0
''))
relays;
# Creating 100+ files in a separate derivation each has too much overhead
relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
mkdir $out
'' + (lib.concatStringsSep
"\n"
(lib.mapAttrsToList
(name: content: ''
cat > $out/${lib.escapeShellArg name} << EOF
${content}
EOF
'')
relayConfigs)));
in
{
options.sbruder.mullvad = {
enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
dnsServer = lib.mkOption {
type = lib.types.str;
default = "193.138.218.74";
};
ipVersion = lib.mkOption {
type = lib.types.enum [ 4 6 ];
default = 4;
};
port = lib.mkOption {
type = lib.types.port;
default = 51820;
};
};
config = lib.mkIf cfg.enable {
environment.etc = builtins.listToAttrs
(map
(name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
(lib.attrNames relayConfigs));
};
}

1997
modules/mullvad/relays.json Normal file

File diff suppressed because it is too large Load diff

12
modules/mullvad/update.sh Executable file
View file

@ -0,0 +1,12 @@
#!/usr/bin/env bash
# This gets the current wireguard relay list from mullvads API and transforms
# it into a format that takes up less space than the original response.
set -euo pipefail
curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
key: .hostname | split("-")[0],
value: {
endpoint4: .ipv4_addr_in,
endpoint6: .ipv6_addr_in,
pubkey: .pubkey
}
}) | from_entries' > relays.json

View file

@ -1,14 +1,60 @@
#!/usr/bin/env bash
# This reads wg-quick compatible configuration files from
# /etc/wireguard/mullvad-LOCATION.conf
#
# Since they are autogenerated by nix and therefore world-readable, they do not
# include secrets like the private key and client address. Instead, they are
# manually added after wg-quick set up the tunnel by retrieving them with
# pass(1) from web/mullvad.net/wireguard.
#
# Format of pass entry:
# PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
# Address4: 10.0.0.1/32
# Address6: fd00::1/128
set -euo pipefail
if (( $# < 1 )); then
echo "USAGE: $0 LOCATION|off" >&2
exit 1
fi
current_interfaces="$(ip -o a | grep -oE '[0-9]*:\ mullvad-(v6-)?[a-z][a-z][0-9]*' | uniq | cut -d: -f2 | tr -d ' ')"
for current_interface in $current_interfaces; do
sudo wg-quick down "$current_interface"
INTERFACE="mullvad-$1"
cmd() {
echo "[#] $*" >&2
sudo "$@"
}
# Make sure gpg-agent is unlocked so the period where the interface exists but
# no private key is set is minised.
pass web/mullvad.net/wireguard >/dev/null
for interface in /sys/class/net/*; do
interface="${interface#/sys/class/net/}"
[[ $interface =~ ^mullvad-(v6-)?[a-z]{2}[0-9]*$ ]] && cmd wg-quick down "$interface"
done
if [ "$1" != "off" ]; then
sudo wg-quick up mullvad-$1
cmd wg-quick up "$INTERFACE"
pass web/mullvad.net/wireguard | while read -r line; do
key="${line%%: *}"
value="${line#*: }"
case "$key" in
PrivateKey)
cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
continue
;;
Address4)
cmd ip -4 address add "$value" dev "$INTERFACE"
continue
;;
Address6)
cmd ip -6 address add "$value" dev "$INTERFACE"
continue
;;
*)
echo "Invalid key '$key'"
exit 1
esac
done
fi