nixos/mullvad-vpn: add mullvad-exclude wrapper & systemPackage

authored by arcuru.tngl.sh and committed by helbling.dev b0c6f4ae 9959fe25

+19
+19
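--- a/nixos/modules/services/networking/mullvad-vpn.nix
+++ b/nixos/modules/services/networking/mullvad-vpn.nix
@@ -14,6 +14,15 @@
 '';
 };
 
+enableExcludeWrapper = mkOption {
+type = types.bool;
+default = true;
+description = lib.mdDoc ''
+This option activates the wrapper that allows the use of mullvad-exclude.
+Might have minor security impact, so consider disabling if you do not use the feature.
+'';
+};
+
 package = mkOption {
 type = types.package;
 default = pkgs.mullvad;
@@ -27,11 +36,21 @@
 config = mkIf cfg.enable {
 boot.kernelModules = [ "tun" ];
 
+environment.systemPackages = [ cfg.package ];
+
 # mullvad-daemon writes to /etc/iproute2/rt_tables
 networking.iproute2.enable = true;
 
 # See https://github.com/NixOS/nixpkgs/issues/113589
 networking.firewall.checkReversePath = "loose";
+
+# See https://github.com/NixOS/nixpkgs/issues/176603
+security.wrappers.mullvad-exclude = mkIf cfg.enableExcludeWrapper {
+setuid = true;
+owner = "root";
+group = "root";
+source = "${cfg.package}/bin/mullvad-exclude";
+};
 
 systemd.services.mullvad-daemon = {
 description = "Mullvad VPN daemon";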
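Review bot: `default = true` on `enableExcludeWrapper` means every host that enables the service gets a setuid-root `mullvad-exclude` wrapper, yet the option description only says the impact "might be minor" and recommends disabling it, without stating what privilege the wrapper confers. A privileged-by-default artifact that its own description suggests turning off is better shipped opt-in, or at least described concretely, e.g. `default = false;` and `description = lib.mdDoc ''Installs a setuid-root wrapper for mullvad-exclude so that unprivileged users can run it; leave disabled unless you need the feature.'';`. Presumably the wrapper exists because the underlying binary needs root to do its work, so naming that in the description lets operators judge the trade-off rather than guess. The `source` path also assumes `cfg.package` ships `bin/mullvad-exclude`, so a custom `package` lacking it fails at wrapper build time; a sentence in the `package` option description would save that surprise. The `config` attrset continues past the hunk.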