From 4c321379827e7d0b81bf839b3fcc890235e4fc12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Sat, 6 Jan 2024 03:06:53 +0100
Subject: [PATCH] feat(vpn): fully replace Mullvad VPN with Tailscale
---
 home/desktop/gnome.nix | 5 +++
 home/felschr-work.nix | 1 -
 home/felschr.nix | 1 -
 home/vpn.nix | 9 ------
 hosts/home-server.nix | 5 +++
 secrets/mullvad.age | Bin 680 -> 0 bytes
 secrets/secrets.nix | 1 -
 system/server.nix | 23 +------------
 system/vpn.nix | 71 ++++++++++-------------------------------
 9 files changed, 28 insertions(+), 88 deletions(-)
 delete mode 100644 home/vpn.nix
 delete mode 100644 secrets/mullvad.age
diff --git a/home/desktop/gnome.nix b/home/desktop/gnome.nix
index 10d2418..82df0dd 100644
--- a/home/desktop/gnome.nix
+++ b/home/desktop/gnome.nix
@@ -103,5 +103,10 @@ in {
 schedule-start-hours = 23;
 schedule-end-hours = 6;
 };
+ "org/gnome/shell/extensions/tailscale-status" = {
+ # TODO 0 should disable refresh, but it doesn't work in this version
+ # refresh-interval = 0;
+ refresh-interval = 120;
+ };
 };
 }
diff --git a/home/felschr-work.nix b/home/felschr-work.nix
index af4a421..d58b21a 100644
--- a/home/felschr-work.nix
+++ b/home/felschr-work.nix
@@ -5,7 +5,6 @@ with pkgs; {
 ./shell
 ./editors
 ./desktop
- ./vpn.nix
 ./git.nix
 ./keybase.nix
 ./element.nix
diff --git a/home/felschr.nix b/home/felschr.nix
index d7b91d9..2ab560d 100644
--- a/home/felschr.nix
+++ b/home/felschr.nix
@@ -6,7 +6,6 @@
 ./editors
 ./desktop
 ./desktop/monitors.nix
- ./vpn.nix
 ./git.nix
 ./keybase.nix
 ./element.nix
diff --git a/home/vpn.nix b/home/vpn.nix
deleted file mode 100644
index 80ddbe6..0000000
--- a/home/vpn.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-with pkgs; {
- home.packages = with pkgs; [ mullvad-vpn ];
-
- # autostart
- xdg.configFile."autostart/mullvad-vpn.desktop".source =
- "${mullvad-vpn}/share/applications/mullvad-vpn.desktop";
-}
diff --git a/hosts/home-server.nix b/hosts/home-server.nix
index 1e8f727..20a7202 100644
--- a/hosts/home-server.nix
+++ b/hosts/home-server.nix
@@ -50,6 +50,11 @@ in {
 security.acme.acceptTerms = true;
 security.acme.defaults.email = "dev@felschr.com";
+ security.acme.certs = builtins.foldl' (r: domain:
+ r // {
+ ${domain}.extraDomainNames =
+ [ "${config.networking.hostName}.tail05275.ts.net" ];
+ }) { } config.services.inadyn.domains;
 services.inadyn.enable = true;
 services.inadyn.provider = "cloudflare.com";
diff --git a/secrets/mullvad.age b/secrets/mullvad.age
deleted file mode 100644
index 3c4d81bc3202fc0a05b496c5ef39e876909933ac..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 680
zcmZXRy{?mB06>kC!Nj||s4OO4Nu@xc^bRI`r7eZ>TPQ6X{mOq!DbTO9M&koG-NeD! z#KFn?3@#>4K81;^iHT0$I9{LNJH%rIWOKz+Jej z(*CLP>gdrl&L2x#?Cpu4_cNIIK03u=s)Kq+m%=F-7FDJT=Md52pqu)6x@_oMPI? zF^0m~eAjL)Gysl(;yu@7b5{i{oItd#b#puOBF{8*0{ko4X+>q=R{=g*g!2>rVhSnn zQk3z>vmO5G;&hIsq(bLi**B29NW6Xzir3cUny;HayPz5WD8NL@8Y1xLL1)+<1+z-- zl)q@z^)@YW4lr{Rcmvd=%b4w4N59maor0pWXg&c7gMM-rc#n_w~|!1HQba MfBd?Xf8Txd7ir?%_y7O^
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 731713f..96328aa 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,7 +13,6 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEucfNzPbDRdDjTaLG3PzN4lAzDAq3QUkaLvaRjjsCY";
 systems = [ home-pc home-server pilot1 ];
 in {
- "mullvad.age".publicKeys = [ felschr home-pc home-server pilot1 ];
 "restic/b2.age".publicKeys = [ felschr home-pc home-server pilot1 ];
 "restic/password.age".publicKeys = [ felschr home-pc home-server pilot1 ];
 "smtp.age".publicKeys = [ felschr home-pc home-server ];
diff --git a/system/server.nix b/system/server.nix
index f961f3f..1001014 100644
--- a/system/server.nix
+++ b/system/server.nix
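Review bot: The tailnet suffix `tail05275.ts.net` is embedded as a literal inside the new `security.acme.certs` expression, and the `builtins.foldl'` over `config.services.inadyn.domains` is harder to read than the attribute set it builds; if `lib` is in scope in this file (its argument list is outside the hunk), `security.acme.certs = lib.genAttrs config.services.inadyn.domains (domain: { extraDomainNames = [ "${config.networking.hostName}.tail05275.ts.net" ]; });` expresses the same thing, and a named `let` binding for the suffix keeps it in one place. How these certificates are validated is not visible here: if they use a DNS-01 challenge against the zone of the inadyn domains, that provider cannot answer a challenge for a name under `ts.net`, which is served by Tailscale's DNS, and a failed authorization for the extra name fails the whole order rather than just that SAN. Worth confirming on the server that issuance still succeeds with the added name before anything depends on it.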
@@ -1,29 +1,8 @@
-{ config, pkgs, ... }:
+{ ... }:
 {
 imports = [ ./common.nix ./vpn.nix ];
 # use xserver without display manager
 services.xserver.displayManager.startx.enable = true;
-
- # Allow web server to be accessible outside of Mullvad VPN
- networking.firewall.extraCommands = ''
- ${pkgs.nftables}/bin/nft -f ${
- pkgs.writeText "mullvad-incoming" ''
- table inet allow-incoming-traffic {
- chain allow-incoming {
- type filter hook input priority -100; policy accept;
- tcp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- udp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- }
-
- chain allow-outgoing {
- type route hook output priority -100; policy accept;
- tcp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- udp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- }
- }
- ''
- }
- '';
 }
diff --git a/system/vpn.nix b/system/vpn.nix
index 43291f9..780311c 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
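Review bot: The mark-based nftables exception that kept ports 80/443 reachable from outside the tunnel is dropped with no replacement, while `./vpn.nix` stays imported on the kept `imports` line and, in this same commit, now sends the host's default route through a Tailscale exit node; whether replies to inbound connections on the server's public address still leave via its own uplink under that policy routing is not visible in this hunk and should be verified on the server (the public web server and any HTTP-based ACME challenge would be the first things affected). A short comment on the `imports` line recording the decision would help the next reader, e.g. `# the 80/443 VPN bypass is gone on purpose: routing is now handled by the Tailscale setup in ./vpn.nix`.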
@@ -1,67 +1,30 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
-let tailscaleInterface = config.services.tailscale.interfaceName;
+let
+ cfg = config.services.tailscale;
+ tailscaleInterface = cfg.interfaceName;
 in {
- age.secrets.mullvad.file = ../secrets/mullvad.age;
- networking.wireguard.enable = true;
 networking.firewall.trustedInterfaces = [ tailscaleInterface ];
 services.tailscale = {
 enable = true;
- # authKeyFile = ; # TODO add this to create auto-connect systemd job
+ authKeyFile = "/dummy";
 openFirewall = true;
 useRoutingFeatures = "both";
+ extraUpFlags = [
+ "--reset"
+ "--accept-routes"
+ "--exit-node=de-ber-wg-004.mullvad.ts.net"
+ "--exit-node-allow-lan-access"
+ ];
 };
- services.mullvad-vpn.enable = true;
-
- # set some options after every daemon start
- # to avoid accidentally leaving unsafe settings
- systemd.services."mullvad-daemon" = {
- serviceConfig.LoadCredential =
- [ "account:${config.age.secrets.mullvad.path}" ];
- postStart = ''
- while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
-
- ${pkgs.mullvad}/bin/mullvad lockdown-mode set on
- ${pkgs.mullvad}/bin/mullvad auto-connect set on
- ${pkgs.mullvad}/bin/mullvad dns set default
- ${pkgs.mullvad}/bin/mullvad lan set allow
- ${pkgs.mullvad}/bin/mullvad tunnel set ipv6 on
- ${pkgs.mullvad}/bin/mullvad tunnel set wireguard --quantum-resistant=on
- ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
- ${pkgs.mullvad}/bin/mullvad relay set location de ber
-
- account="$(<"$CREDENTIALS_DIRECTORY/account")"
- current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
- if [[ "$current_account" != "$account" ]]; then
- ${pkgs.mullvad}/bin/mullvad account login "$account"
- fi
- '';
- };
-
- # Exclude Tailscale from Mullvad VPN
- networking.firewall.extraCommands = ''
- ${pkgs.nftables}/bin/nft -f ${
- pkgs.writeText "mullvad-incoming" ''
- table inet allow-tailscale {
- chain exclude-dns {
- type filter hook output priority 
-10; policy accept;
- ip daddr 100.00.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- ip daddr 100.00.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- }
- chain exclude-outgoing {
- type route hook output priority 0; policy accept;
- ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- ip6 daddr fd7a:115c:a1e0::/48 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- }
- chain allow-incoming {
- type filter hook input priority -100; policy accept;
- iifname "${tailscaleInterface}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
- }
- }
- ''
- }
+ # call taiscale up without --auth-key
+ systemd.services.tailscaled-autoconnect.script = ''
+ status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
+ if [[ $status != Connected* ]]; then
+ ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}
+ fi
 '';
 }
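Review bot: The new `systemd.services.tailscaled-autoconnect.script` most likely merges with, rather than replaces, the script the NixOS tailscale module itself attaches to that unit once `authKeyFile` is set — `script` is a lines-typed option, so the two definitions are concatenated in an order this file does not control — and the module's copy would then run `tailscale up --auth-key` against the placeholder `/dummy` path and fail; writing `systemd.services.tailscaled-autoconnect.script = lib.mkForce ''` makes the override explicit (`lib` is already in scope). The `authKeyFile = "/dummy";` line reads as a real credential path and deserves a comment such as `# placeholder only: makes the module create the autoconnect unit; the script below never reads it`. The comment above the script has a typo: `# call tailscale up without --auth-key`. Since `mullvad.age` is removed from the tree but remains in git history, rotating the Mullvad account credential it held would be prudent alongside this change.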