felschr/nixos-config
1
1
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

feat(vpn): automatic login

Browse source
This commit is contained in:
Felix Schröter 2022-08-26 21:36:21 +02:00
parent abfc044256
commit 05c0341e4c
Signed by: felschr
GPG key ID: 671E39E6744C807D
3 changed files with 37 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
secrets/mullvad.age Normal file
View file

@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 OAZQhA UZtvPNQ0lEoJrvn0I9jtTqtK04YJijd0KHbFJN/RQ2o
Uy7I/8efCDFDiQi6BanjCVV7lbKVkY+kjYoq1O44o3k
-> ssh-ed25519 lJaKnA skWMUNL4GGcMzgFIq3jocTEILh1AyKgFDng0MIY2ZzU
7J/i94LAZv177Jw73nm3Xm7OZUFqUvHkRO2TvLkVcVw
-> ssh-ed25519 72ij7w p5ly/JaKY1Z5Lw+UjQAQDvMBa4lHkk1Osy9r6+eSmS8
G5g/EHvEM5gLNfMZkrB8hVf6yy/aGv4NePaNE+6kC+s
-> b=`0o-grease R_rtaq7e {$@
Ls+2eHvMRvNGBE0Tq8C4yonu71ZS7046O7S3haU6KB3GhrvBsI8JzGSE9kEf1LHs
O+uwx20bGLKzd+rUFhszbk2oxH1zioyAy/JxYueIuN9v4DkNEb7eXI/gujxZLqJN
oX8A
--- 7WzUR59dqccce/oIN5yTEa63r6SjoHKFoJKbh1s3MVw
Łâ"S6űr(ęĐgÚ”a6D}ć±DÂęđ<C499>5<EFBFBD>Ž´¨Ď-rţBT¸P%. 3Ëľ>ł

1
secrets/secrets.nix
View file

@ -11,6 +11,7 @@ let
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILO+OLPr8zdOMYyKtm98AFJai7zbaxw7JhVWgOwu7K3C"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILO+OLPr8zdOMYyKtm98AFJai7zbaxw7JhVWgOwu7K3C";
systems = [ home-pc home-server ]; systems = [ home-pc home-server ];
in { in {
"mullvad.age".publicKeys = [ felschr home-pc home-server ];
"restic/b2.age".publicKeys = [ felschr home-pc home-server ]; "restic/b2.age".publicKeys = [ felschr home-pc home-server ];
"restic/password.age".publicKeys = [ felschr home-pc home-server ]; "restic/password.age".publicKeys = [ felschr home-pc home-server ];
"smtp.age".publicKeys = [ felschr home-pc home-server ]; "smtp.age".publicKeys = [ felschr home-pc home-server ];

33
system/vpn.nix
View file

@ -1,20 +1,33 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
age.secrets.mullvad.file = ../secrets/mullvad.age;
networking.wireguard.enable = true; networking.wireguard.enable = true;
services.mullvad-vpn.enable = true; services.mullvad-vpn.enable = true;
# set some options after every daemon start # set some options after every daemon start
# to avoid accidentally leaving unsafe settings # to avoid accidentally leaving unsafe settings
systemd.services."mullvad-daemon".postStart = '' systemd.services."mullvad-daemon" = {
while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done serviceConfig.LoadCredential =
${pkgs.mullvad}/bin/mullvad always-require-vpn set on [ "account:${config.age.secrets.mullvad.path}" ];
${pkgs.mullvad}/bin/mullvad dns set default \ postStart = ''
--block-ads --block-trackers --block-malware while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
${pkgs.mullvad}/bin/mullvad lan set allow
${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on account="$(<"$CREDENTIALS_DIRECTORY/account")"
${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
${pkgs.mullvad}/bin/mullvad relay set location de dus if [[ "$current_account" != "$account" ]]; then
''; ${pkgs.mullvad}/bin/mullvad account login "$account"
fi
${pkgs.mullvad}/bin/mullvad always-require-vpn set on
${pkgs.mullvad}/bin/mullvad dns set default \
--block-ads --block-trackers --block-malware
${pkgs.mullvad}/bin/mullvad lan set allow
${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
${pkgs.mullvad}/bin/mullvad relay set location de dus
'';
};
} }