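# NixOS module for the Mullvad VPN daemon (`mullvad-daemon`) and the
# optional setuid-root `mullvad-exclude` wrapper.
#
# Idiom: `lib` is referenced explicitly instead of a top-level `with lib;`
# so that every helper has an obvious origin and the module is consistent
# with the `lib.optional` call already used below.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.mullvad-vpn;
in
{
  options.services.mullvad-vpn = {
    # Master switch; the trade-off on the reverse-path filter is spelled out
    # in the description because enabling this changes a firewall setting.
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        This option enables Mullvad VPN daemon.
        This sets {option}`networking.firewall.checkReversePath` to "loose", which might be undesirable for security.
      '';
    };

    # Installs a setuid-root wrapper (see `security.wrappers` below). Defaults
    # to true, so users who do not need split tunnelling must opt out.
    enableExcludeWrapper = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        This option activates the wrapper that allows the use of mullvad-exclude.
        Might have minor security impact, so consider disabling if you do not use the feature.
      '';
    };

    # Package providing `bin/mullvad-daemon` and `bin/mullvad-exclude`.
    package = lib.mkPackageOption pkgs "mullvad" {
      example = "mullvad-vpn";
      extraDescription = ''
        `pkgs.mullvad` only provides the CLI tool, `pkgs.mullvad-vpn` provides both the CLI and the GUI.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # The daemon needs a TUN device for the tunnel interface.
    boot.kernelModules = [ "tun" ];

    environment.systemPackages = [ cfg.package ];

    # mullvad-daemon writes to /etc/iproute2/rt_tables
    networking.iproute2.enable = true;

    # Relaxes the firewall's reverse-path filter system-wide; the option
    # description above documents this as a security trade-off.
    # See https://github.com/NixOS/nixpkgs/issues/113589
    networking.firewall.checkReversePath = "loose";

    # Setuid-root, root-owned wrapper around the package's mullvad-exclude
    # binary. Only installed when `enableExcludeWrapper` is set.
    # See https://github.com/NixOS/nixpkgs/issues/176603
    security.wrappers.mullvad-exclude = lib.mkIf cfg.enableExcludeWrapper {
      setuid = true;
      owner = "root";
      group = "root";
      source = "${cfg.package}/bin/mullvad-exclude";
    };

    systemd.services.mullvad-daemon = {
      description = "Mullvad VPN daemon";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network.target" "network-online.target" ];
      # Ordered after the network and the resolvers the daemon may reconfigure.
      after = [
        "network-online.target"
        "NetworkManager.service"
        "systemd-resolved.service"
      ];
      path = [
        pkgs.iproute2
        # Needed for ping
        "/run/wrappers"
      ]
      # The resolvconf package is only added when resolvconf is in use.
      # See https://github.com/NixOS/nixpkgs/issues/262681
      ++ (lib.optional config.networking.resolvconf.enable
        config.networking.resolvconf.package);
      # systemd start-rate limit: at most 5 starts within 20 seconds.
      startLimitBurst = 5;
      startLimitIntervalSec = 20;
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/mullvad-daemon -v --disable-stdout-timestamps";
        # Always restart, one second after the daemon exits.
        Restart = "always";
        RestartSec = 1;
      };
    };
  };

  meta.maintainers = with lib.maintainers; [ arcuru ymarkus ];
}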