feat(system): enable Mullvad VPN for server

Configure it to exclude incoming traffic for web server.

home-server.nix

@@ -106,7 +106,6 @@ in with builtins; {
 
   services.nginx = {
     enable = true;
-
     recommendedTlsSettings = true;
     recommendedOptimisation = true;
     recommendedGzipSettings = true;

system/server.nix

@@ -1,8 +1,29 @@
 { config, pkgs, ... }:
 
 {
-  imports = [ ./common.nix ];
+  imports = [ ./common.nix ./vpn.nix ];
 
   # use xserver without display manager
   services.xserver.displayManager.startx.enable = true;
+
+  # Allow web server to be accessible outside of Mullvad VPN
+  networking.firewall.extraCommands = ''
+    ${pkgs.nftables}/bin/nft -f ${
+      pkgs.writeText "mullvad-incoming" ''
+        table inet allow-incoming-traffic {
+          chain allow-incoming {
+            type filter hook input priority -100; policy accept;
+            tcp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+            udp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+          }
+
+          chain allow-outgoing {
+            type route hook output priority -100; policy accept;
+            tcp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+            udp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+          }
+        }
+      ''
+    }
+  '';
 }