From 046129b1993d2de38b8bf640e343302827f579a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Mon, 8 Aug 2022 22:58:02 +0200
Subject: [PATCH] feat(vpn): add mullvad configuration service

---
 system/vpn.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/system/vpn.nix b/system/vpn.nix
index 3250356..ea30b10 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -7,4 +7,17 @@
   networking.firewall.checkReversePath = "loose";
 
   services.mullvad-vpn.enable = true;
+
+  # set some options after every daemon start
+  # to avoid accidentally leaving unsafe settings
+  systemd.services."mullvad-daemon".postStart = ''
+    while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
+    ${pkgs.mullvad}/bin/mullvad always-require-vpn set on
+    ${pkgs.mullvad}/bin/mullvad dns set default \
+      --block-ads --block-trackers --block-malware
+    ${pkgs.mullvad}/bin/mullvad lan set allow
+    ${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
+    ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
+    ${pkgs.mullvad}/bin/mullvad relay set location de dus
+  '';
 }
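Review bot: `mullvad lan set allow` relaxes the lockdown that `always-require-vpn set on` establishes a few lines earlier, so the comment "to avoid accidentally leaving unsafe settings" overstates what the block enforces: local-network traffic stays permitted outside the tunnel, which is a real exposure on an untrusted network. If that is intentional, say so in the comment, e.g. `# LAN access is deliberately allowed; all other traffic must use the tunnel`. Separately, the `while ! … mullvad status` loop has no bound of its own and appears to rely on systemd's start timeout to end it, so a retry cap or a comment naming that dependency would make the failure mode explicit. The settings are also applied only after the daemon is already running, so whatever state was persisted from the previous run is presumably in effect until `postStart` completes, which is worth noting next to the comment. The enclosing attribute set starts outside the hunk, so whether `pkgs` is among the module arguments cannot be checked from here.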