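{
  config,
  lib,
  pkgs,
  ...
}:
# NixOS module for the Mullvad VPN daemon.
#
# It installs the selected package, loads the `tun` kernel module, optionally
# installs a setuid-root wrapper for `mullvad-exclude`, and defines the
# `mullvad-daemon` systemd unit. `lib` is referenced explicitly instead of via
# `with lib;` so every helper's origin is visible.
let
  cfg = config.services.mullvad-vpn;
in
{
  options.services.mullvad-vpn = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        This option enables Mullvad VPN daemon.
      '';
    };

    # Controls the `security.wrappers.mullvad-exclude` entry below. The
    # description spells out that the wrapper is setuid root so users can judge
    # the impact of leaving it on.
    enableExcludeWrapper = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        This option activates the wrapper that allows the use of mullvad-exclude.
        The wrapper is installed through `security.wrappers` as a setuid-root
        binary owned by root, which might have minor security impact, so consider
        disabling it if you do not use the feature.
      '';
    };

    package = lib.mkPackageOption pkgs "mullvad" {
      example = "mullvad-vpn";
      extraDescription = ''
        `pkgs.mullvad` only provides the CLI tool, `pkgs.mullvad-vpn` provides both the CLI and the GUI.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Make the tun module available on boot.
    boot.kernelModules = [ "tun" ];

    environment.systemPackages = [ cfg.package ];

    # setuid-root wrapper around the package's mullvad-exclude binary, gated on
    # enableExcludeWrapper so it can be switched off entirely.
    # See https://github.com/NixOS/nixpkgs/issues/176603
    security.wrappers.mullvad-exclude = lib.mkIf cfg.enableExcludeWrapper {
      setuid = true;
      owner = "root";
      group = "root";
      source = "${cfg.package}/bin/mullvad-exclude";
    };

    systemd.services.mullvad-daemon = {
      description = "Mullvad VPN daemon";
      wantedBy = [ "multi-user.target" ];
      wants = [
        "network.target"
        "network-online.target"
      ];
      # Start only once the network is up and the name-resolution services
      # listed here have been started.
      after = [
        "network-online.target"
        "NetworkManager.service"
        "systemd-resolved.service"
      ];
      # When resolvconf is enabled, expose its package on the unit's PATH.
      # See https://github.com/NixOS/nixpkgs/issues/262681
      path = lib.optional config.networking.resolvconf.enable config.networking.resolvconf.package;
      # Rate-limit restarts: at most 5 start attempts within 20 seconds.
      startLimitBurst = 5;
      startLimitIntervalSec = 20;
      serviceConfig = {
        # Flags are passed through unchanged; presumably -v raises verbosity and
        # --disable-stdout-timestamps leaves timestamping to journald — confirm
        # against the daemon's own help text.
        ExecStart = "${cfg.package}/bin/mullvad-daemon -v --disable-stdout-timestamps";
        # Restart one second after any exit, within the limits above.
        Restart = "always";
        RestartSec = 1;
      };
    };
  };

  meta.maintainers = [
    lib.maintainers.arcuru
    lib.maintainers.ymarkus
  ];
}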