nixos/mullvad-vpn: add mullvad-exclude wrapper & systemPackage

authored by arcuru.tngl.sh and committed by helbling.dev b0c6f4ae 9959fe25

+19
+19
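--- a/nixos/modules/services/networking/mullvad-vpn.nix
+++ b/nixos/modules/services/networking/mullvad-vpn.nix
@@ -14,6 +14,15 @@
       '';
     };
 
+    enableExcludeWrapper = mkOption {
+      type = types.bool;
+      default = true;
+      description = lib.mdDoc ''
+        This option activates the wrapper that allows the use of mullvad-exclude.
+        Might have minor security impact, so consider disabling if you do not use the feature.
+      '';
+    };
+
     package = mkOption {
       type = types.package;
       default = pkgs.mullvad;
@@ -27,11 +36,21 @@
   config = mkIf cfg.enable {
     boot.kernelModules = [ "tun" ];
 
+    environment.systemPackages = [ cfg.package ];
+
     # mullvad-daemon writes to /etc/iproute2/rt_tables
     networking.iproute2.enable = true;
 
     # See https://github.com/NixOS/nixpkgs/issues/113589
     networking.firewall.checkReversePath = "loose";
+
+    # See https://github.com/NixOS/nixpkgs/issues/176603
+    security.wrappers.mullvad-exclude = mkIf cfg.enableExcludeWrapper {
+      setuid = true;
+      owner = "root";
+      group = "root";
+      source = "${cfg.package}/bin/mullvad-exclude";
+    };
 
     systemd.services.mullvad-daemon = {
       description = "Mullvad VPN daemon";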
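Review bot: The new `security.wrappers.mullvad-exclude` entry installs a setuid-root binary that every local user can execute, and `enableExcludeWrapper` defaults to `true`, so every host that enables this module gets that privilege boundary whether or not it uses mullvad-exclude. A setuid-root wrapper is better made opt-in than opt-out; consider `default = false;`, and in any case the option description should say concretely what is installed rather than "Might have minor security impact", e.g. `Installs a setuid-root wrapper for mullvad-exclude so that unprivileged users can run it. Disable this if you do not use mullvad-exclude.`. The comment pointing at issue 176603 is the only hint of why setuid is required; a one-line `# mullvad-exclude needs root privileges; the wrapper lets unprivileged users invoke it` next to the wrapper definition would spare the reader the round trip. The enclosing `options`/`config` attribute sets start and end outside the hunks.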