Add module for on-demand usage of mullvad

Since wg-quick does not require the configuration file to include a
private key and local addresses, they can be added after the execution
of wg-quick.

Fixes #32.

machines/nunotaba/configuration.nix

@@ -11,6 +11,7 @@
     games.enable = true;
     gui.enable = true;
     media-proxy.enable = true;
+    mullvad.enable = true;
     restic.system.enable = true;
     unfree.allowSoftware = true;
     wireguard.home.enable = true;

machines/sayuri/configuration.nix

@@ -11,6 +11,7 @@
     games.enable = true;
     gui.enable = true;
     media-proxy.enable = true;
+    mullvad.enable = true;
     restic.system = {
       enable = true;
       extraPaths = [

modules/default.nix

@@ -29,6 +29,7 @@
     ./locales.nix
     ./mailserver.nix
     ./media-proxy.nix
+    ./mullvad
     ./network-manager.nix
     ./nginx-interactive-index
     ./nginx.nix

modules/mullvad/default.nix

@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+let
+  relays = builtins.fromJSON (builtins.readFile ./relays.json);
+
+  cfg = config.sbruder.mullvad;
+
+  relayConfigs = lib.mapAttrs'
+    (name: configuration: lib.nameValuePair "mullvad-${name}.conf" (with configuration; ''
+      [Interface]
+      DNS = ${cfg.dnsServer}
+
+      [Peer]
+      Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
+      PublicKey = ${pubkey}
+      AllowedIPs = 0.0.0.0/0,::0/0
+    ''))
+    relays;
+
+  # Creating 100+ files in a separate derivation each has too much overhead
+  relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
+    mkdir $out
+  '' + (lib.concatStringsSep
+    "\n"
+    (lib.mapAttrsToList
+      (name: content: ''
+        cat > $out/${lib.escapeShellArg name} << EOF
+        ${content}
+        EOF
+      '')
+      relayConfigs)));
+in
+{
+  options.sbruder.mullvad = {
+    enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
+    dnsServer = lib.mkOption {
+      type = lib.types.str;
+      default = "193.138.218.74";
+    };
+    ipVersion = lib.mkOption {
+      type = lib.types.enum [ 4 6 ];
+      default = 4;
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 51820;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.etc = builtins.listToAttrs
+      (map
+        (name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
+        (lib.attrNames relayConfigs));
+  };
+}

modules/mullvad/update.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# This gets the current wireguard relay list from mullvad’s API and transforms
+# it into a format that takes up less space than the original response.
+set -euo pipefail
+curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
+	key: .hostname | split("-")[0],
+	value: {
+		endpoint4: .ipv4_addr_in,
+		endpoint6: .ipv6_addr_in,
+		pubkey: .pubkey
+	}
+}) | from_entries' > relays.json

users/simon/files/scripts/mullvad

@@ -1,14 +1,60 @@
 #!/usr/bin/env bash
+# This reads wg-quick compatible configuration files from
+# /etc/wireguard/mullvad-LOCATION.conf
+#
+# Since they are autogenerated by nix and therefore world-readable, they do not
+# include secrets like the private key and client address. Instead, they are
+# manually added after wg-quick set up the tunnel by retrieving them with
+# pass(1) from web/mullvad.net/wireguard.
+#
+# Format of pass entry:
+#     PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
+#     Address4: 10.0.0.1/32
+#     Address6: fd00::1/128
+set -euo pipefail
+
 if (( $# < 1 )); then
 	echo "USAGE: $0 LOCATION|off" >&2
 	exit 1
 fi
 
-current_interfaces="$(ip -o a | grep -oE '[0-9]*:\ mullvad-(v6-)?[a-z][a-z][0-9]*' | uniq | cut -d: -f2 | tr -d ' ')"
+INTERFACE="mullvad-$1"
-for current_interface in $current_interfaces; do
+
-	sudo wg-quick down "$current_interface"
+cmd() {
+	echo "[#] $*" >&2
+	sudo "$@"
+}
+
+# Make sure gpg-agent is unlocked so the period where the interface exists but
+# no private key is set is minised.
+pass web/mullvad.net/wireguard >/dev/null
+
+for interface in /sys/class/net/*; do
+	interface="${interface#/sys/class/net/}"
+	[[ $interface =~ ^mullvad-(v6-)?[a-z]{2}[0-9]*$ ]] && cmd wg-quick down "$interface"
 done
 
 if [ "$1" != "off" ]; then
-	sudo wg-quick up mullvad-$1
+	cmd wg-quick up "$INTERFACE"
+	pass web/mullvad.net/wireguard | while read -r line; do
+		key="${line%%: *}"
+		value="${line#*: }"
+		case "$key" in
+			PrivateKey)
+				cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
+				continue
+				;;
+			Address4)
+				cmd ip -4 address add "$value" dev "$INTERFACE"
+				continue
+				;;
+			Address6)
+				cmd ip -6 address add "$value" dev "$INTERFACE"
+				continue
+				;;
+			*)
+				echo "Invalid key '$key'"
+				exit 1
+		esac
+	done
 fi