Add module for on-demand usage of mullvad

Since wg-quick does not require the configuration file to include a private key and local addresses, they can be added after the execution of wg-quick. Fixes #32.
2021-05-31 23:02:11 +02:00 · 2021-05-31 23:02:11 +02:00 · 56b9c6c37f
parent ac81f66237
commit 56b9c6c37f
7 changed files with 2117 additions and 4 deletions
--- a/machines/nunotaba/configuration.nix
+++ b/machines/nunotaba/configuration.nix
@ -11,6 +11,7 @@
    games.enable = true;
    gui.enable = true;
    media-proxy.enable = true;
+    mullvad.enable = true;
    restic.system.enable = true;
    unfree.allowSoftware = true;
    wireguard.home.enable = true;
--- a/machines/sayuri/configuration.nix
+++ b/machines/sayuri/configuration.nix
@ -11,6 +11,7 @@
    games.enable = true;
    gui.enable = true;
    media-proxy.enable = true;
+    mullvad.enable = true;
    restic.system = {
      enable = true;
      extraPaths = [
--- a/modules/default.nix
+++ b/modules/default.nix
@ -29,6 +29,7 @@
    ./locales.nix
    ./mailserver.nix
    ./media-proxy.nix
+    ./mullvad
    ./network-manager.nix
    ./nginx-interactive-index
    ./nginx.nix
--- a/modules/mullvad/default.nix
+++ b/modules/mullvad/default.nix
@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+let
+  relays = builtins.fromJSON (builtins.readFile ./relays.json);
+
+  cfg = config.sbruder.mullvad;
+
+  relayConfigs = lib.mapAttrs'
+    (name: configuration: lib.nameValuePair "mullvad-${name}.conf" (with configuration; ''
+      [Interface]
+      DNS = ${cfg.dnsServer}
+
+      [Peer]
+      Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
+      PublicKey = ${pubkey}
+      AllowedIPs = 0.0.0.0/0,::0/0
+    ''))
+    relays;
+
+  # Creating 100+ files in a separate derivation each has too much overhead
+  relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
+    mkdir $out
+  '' + (lib.concatStringsSep
+    "\n"
+    (lib.mapAttrsToList
+      (name: content: ''
+        cat > $out/${lib.escapeShellArg name} << EOF
+        ${content}
+        EOF
+      '')
+      relayConfigs)));
+in
+{
+  options.sbruder.mullvad = {
+    enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
+    dnsServer = lib.mkOption {
+      type = lib.types.str;
+      default = "193.138.218.74";
+    };
+    ipVersion = lib.mkOption {
+      type = lib.types.enum [ 4 6 ];
+      default = 4;
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 51820;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.etc = builtins.listToAttrs
+      (map
+        (name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
+        (lib.attrNames relayConfigs));
+  };
+}
--- a/modules/mullvad/relays.json
+++ b/modules/mullvad/relays.json
--- a/modules/mullvad/update.sh
+++ b/modules/mullvad/update.sh
@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# This gets the current wireguard relay list from mullvad’s API and transforms
+# it into a format that takes up less space than the original response.
+set -euo pipefail
+curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
+	key: .hostname | split("-")[0],
+	value: {
+		endpoint4: .ipv4_addr_in,
+		endpoint6: .ipv6_addr_in,
+		pubkey: .pubkey
+	}
+}) | from_entries' > relays.json
--- a/users/simon/files/scripts/mullvad
+++ b/users/simon/files/scripts/mullvad
@ -1,14 +1,60 @@
 #!/usr/bin/env bash
+# This reads wg-quick compatible configuration files from
+# /etc/wireguard/mullvad-LOCATION.conf
+#
+# Since they are autogenerated by nix and therefore world-readable, they do not
+# include secrets like the private key and client address. Instead, they are
+# manually added after wg-quick set up the tunnel by retrieving them with
+# pass(1) from web/mullvad.net/wireguard.
+#
+# Format of pass entry:
+#     PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
+#     Address4: 10.0.0.1/32
+#     Address6: fd00::1/128
+set -euo pipefail
+
 if (( $# < 1 )); then
 	echo "USAGE: $0 LOCATION|off" >&2
 	exit 1
 fi

-current_interfaces="$(ip -o a | grep -oE '[0-9]*:\ mullvad-(v6-)?[a-z][a-z][0-9]*' | uniq | cut -d: -f2 | tr -d ' ')"
-for current_interface in $current_interfaces; do
-	sudo wg-quick down "$current_interface"
+INTERFACE="mullvad-$1"
+
+cmd() {
+	echo "[#] $*" >&2
+	sudo "$@"
+}
+
+# Make sure gpg-agent is unlocked so the period where the interface exists but
+# no private key is set is minised.
+pass web/mullvad.net/wireguard >/dev/null
+
+for interface in /sys/class/net/*; do
+	interface="${interface#/sys/class/net/}"
+	[[ $interface =~ ^mullvad-(v6-)?[a-z]{2}[0-9]*$ ]] && cmd wg-quick down "$interface"
 done

 if [ "$1" != "off" ]; then
-	sudo wg-quick up mullvad-$1
+	cmd wg-quick up "$INTERFACE"
+	pass web/mullvad.net/wireguard | while read -r line; do
+		key="${line%%: *}"
+		value="${line#*: }"
+		case "$key" in
+			PrivateKey)
+				cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
+				continue
+				;;
+			Address4)
+				cmd ip -4 address add "$value" dev "$INTERFACE"
+				continue
+				;;
+			Address6)
+				cmd ip -6 address add "$value" dev "$INTERFACE"
+				continue
+				;;
+			*)
+				echo "Invalid key '$key'"
+				exit 1
+		esac
+	done
 fi