nixos-config/modules/mullvad/default.nix

# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, pkgs, ... }:
let
  relays = builtins.fromJSON (builtins.readFile ./relays.json);

  cfg = config.sbruder.mullvad;

  relayConfigs = lib.mapAttrs'
    (name: configuration: lib.nameValuePair "mlv-${name}.conf" (with configuration; ''
      [Interface]
      DNS = ${cfg.dnsServer}

      [Peer]
      Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
      PublicKey = ${pubkey}
      AllowedIPs = 0.0.0.0/0,::0/0
    ''))
    relays;

  # Creating 100+ files in a separate derivation each has too much overhead
  relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
    mkdir $out
  '' + (lib.concatStringsSep
    "\n"
    (lib.mapAttrsToList
      (name: content: ''
        cat > $out/${lib.escapeShellArg name} << EOF
        ${content}
        EOF
      '')
      relayConfigs)));
in
{
  options.sbruder.mullvad = {
    enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
    dnsServer = lib.mkOption {
      type = lib.types.str;
      default = "193.138.218.74";
    };
    ipVersion = lib.mkOption {
      type = lib.types.enum [ 4 6 ];
      default = 4;
    };
    port = lib.mkOption {
      type = lib.types.port;
      default = 51820;
    };
  };

  config = lib.mkIf cfg.enable {
    environment = {
      etc = builtins.listToAttrs
        (map
          (name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
          (lib.attrNames relayConfigs));

      systemPackages = lib.singleton (pkgs.runCommandNoCC "mullvad-on-demand" { } ''
        install -D ${./mullvad.sh} $out/bin/mullvad
        install -D ${./mullvad-fzf.sh} $out/bin/mullvad-fzf
      '');
    };
  };
}