feat(system): enable Mullvad VPN for server

Configure it to exclude incoming traffic for web server.
2023-04-29 21:13:21 +02:00 · 2023-04-29 21:13:21 +02:00 · c90efc40f8
parent a2d2991e32
commit c90efc40f8
2 changed files with 22 additions and 2 deletions
--- a/home-server.nix
+++ b/home-server.nix
@ -106,7 +106,6 @@ in with builtins; {

  services.nginx = {
    enable = true;
-
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
--- a/system/server.nix
+++ b/system/server.nix
@ -1,8 +1,29 @@
 { config, pkgs, ... }:

 {
-  imports = [ ./common.nix ];
+  imports = [ ./common.nix ./vpn.nix ];

  # use xserver without display manager
  services.xserver.displayManager.startx.enable = true;
+
+  # Allow web server to be accessible outside of Mullvad VPN
+  networking.firewall.extraCommands = ''
+    ${pkgs.nftables}/bin/nft -f ${
+      pkgs.writeText "mullvad-incoming" ''
+        table inet allow-incoming-traffic {
+          chain allow-incoming {
+            type filter hook input priority -100; policy accept;
+            tcp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+            udp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+          }
+
+          chain allow-outgoing {
+            type route hook output priority -100; policy accept;
+            tcp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+            udp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+          }
+        }
+      ''
+    }
+  '';
 }