nixos-config/modules/mullvad/default.nix

{ config, lib, pkgs, ... }:
let
  relays = builtins.fromJSON (builtins.readFile ./relays.json);

  cfg = config.sbruder.mullvad;

  relayConfigs = lib.mapAttrs'
    (name: configuration: lib.nameValuePair "mullvad-${name}.conf" (with configuration; ''
      [Interface]
      DNS = ${cfg.dnsServer}

      [Peer]
      Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
      PublicKey = ${pubkey}
      AllowedIPs = 0.0.0.0/0,::0/0
    ''))
    relays;

  # Creating 100+ files in a separate derivation each has too much overhead
  relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
    mkdir $out
  '' + (lib.concatStringsSep
    "\n"
    (lib.mapAttrsToList
      (name: content: ''
        cat > $out/${lib.escapeShellArg name} << EOF
        ${content}
        EOF
      '')
      relayConfigs)));
in
{
  options.sbruder.mullvad = {
    enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
    dnsServer = lib.mkOption {
      type = lib.types.str;
      default = "193.138.218.74";
    };
    ipVersion = lib.mkOption {
      type = lib.types.enum [ 4 6 ];
      default = 4;
    };
    port = lib.mkOption {
      type = lib.types.port;
      default = 51820;
    };
  };

  config = lib.mkIf cfg.enable {
    environment.etc = builtins.listToAttrs
      (map
        (name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
        (lib.attrNames relayConfigs));
  };
}