nix-config/hosts/toaster/network/mullvad.nix

{ config, ... }:
{
  systemd.network =
    let
      pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
      endpoint = "169.150.196.15";
      port = "51820";
      addr = [
        "10.74.16.48/32"
        "fc00:bbbb:bbbb:bb01::b:102f/128"
      ];
    in
    {
      netdevs."10-wg-mullvad" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg-mullvad";
        };
        wireguardConfig = {
          PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
          FirewallMark = 34952; # 0x8888
          RouteTable = "off";
        };
        wireguardPeers = [
          {
            PublicKey = pubkey;
            Endpoint = "${endpoint}:${port}";
            AllowedIPs = [
              "0.0.0.0/0"
              "::0/0"
            ];
          }
        ];
      };
      networks."10-wg-mullvad" = {
        matchConfig.Name = "wg-mullvad";
        address = addr;
        networkConfig = {
          DNS = "10.64.0.1";
          DNSDefaultRoute = true;
          Domains = [ "~." ];
        };
        routes =
          map
            (gate: {
              Gateway = gate;
              Table = 1000;
            })
            [
              "0.0.0.0"
              "::"
            ];

        routingPolicyRules =
          [
            {
              Family = "both";
              FirewallMark = 34952; # 0x8888
              InvertRule = true;
              Table = "1000";
              Priority = 100;
            }
            {
              Family = "both";
              SuppressPrefixLength = 0;
              Table = "main";
              Priority = 90;
            }
          ]
          ++ map
            (net: {
              # only route global addresses over VPN
              Priority = 80;
              To = net;
            })
            [
              # Mullvad endpoint
              "${endpoint}/32"
              # zw endpoint
              "81.201.149.152/32"
              # oxalab/oxa endpoint
              "188.245.196.27/32"
              # "10.0.0.0/8"
              "10.13.37.0/24"
              # 0xa-mgmt
              "10.89.87.0/24"
              # "172.16.0.0/12"
              "172.16.0.0/12"
              # "182.168.0.0/16"
              "182.168.0.0/16"
              # "fc00::/7"
            ];
      };
    };
}
deadnix 2025-01-26 14:16:47 +01:00			`{ config, ... }:`
delete legacy stuff and reformat 2025-01-11 03:55:19 +01:00			`{`
fixup toaster network 2025-01-03 19:06:42 +01:00			`systemd.network =`
			`let`
delete legacy stuff and reformat 2025-01-11 03:55:19 +01:00			`pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";`
exclude mullvad endpoint automatically 2025-01-03 21:21:47 +01:00			`endpoint = "169.150.196.15";`
			`port = "51820";`
delete legacy stuff and reformat 2025-01-11 03:55:19 +01:00			`addr = [`
			`"10.74.16.48/32"`
			`"fc00:bbbb:bbbb:bb01::b:102f/128"`
			`];`
fixup toaster network 2025-01-03 19:06:42 +01:00			`in`
			`{`
			`netdevs."10-wg-mullvad" = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
			`Name = "wg-mullvad";`
			`};`
			`wireguardConfig = {`
			`PrivateKeyFile = config.sops.secrets."wg/mullvad".path;`
			`FirewallMark = 34952; # 0x8888`
			`RouteTable = "off";`
			`};`
			`wireguardPeers = [`
			`{`
			`PublicKey = pubkey;`
exclude mullvad endpoint automatically 2025-01-03 21:21:47 +01:00			`Endpoint = "${endpoint}:${port}";`
delete legacy stuff and reformat 2025-01-11 03:55:19 +01:00			`AllowedIPs = [`
			`"0.0.0.0/0"`
			`"::0/0"`
			`];`
fixup toaster network 2025-01-03 19:06:42 +01:00			`}`
			`];`
			`};`
			`networks."10-wg-mullvad" = {`
			`matchConfig.Name = "wg-mullvad";`
			`address = addr;`
			`networkConfig = {`
			`DNS = "10.64.0.1";`
			`DNSDefaultRoute = true;`
			`Domains = [ "~." ];`
			`};`
delete legacy stuff and reformat 2025-01-11 03:55:19 +01:00			`routes =`
			`map`
			`(gate: {`
			`Gateway = gate;`
			`Table = 1000;`
			`})`
			`[`
			`"0.0.0.0"`
			`"::"`
			`];`
fixup toaster network 2025-01-03 19:06:42 +01:00
delete legacy stuff and reformat 2025-01-11 03:55:19 +01:00			`routingPolicyRules =`
			`[`
			`{`
			`Family = "both";`
			`FirewallMark = 34952; # 0x8888`
			`InvertRule = true;`
			`Table = "1000";`
			`Priority = 100;`
			`}`
			`{`
			`Family = "both";`
			`SuppressPrefixLength = 0;`
			`Table = "main";`
			`Priority = 90;`
			`}`
			`]`
			`++ map`
			`(net: {`
			`# only route global addresses over VPN`
			`Priority = 80;`
			`To = net;`
			`})`
			`[`
			`# Mullvad endpoint`
			`"${endpoint}/32"`
save ourselves a hop 2025-01-11 18:10:52 +01:00			`# zw endpoint`
			`"81.201.149.152/32"`
			`# oxalab/oxa endpoint`
			`"188.245.196.27/32"`
delete legacy stuff and reformat 2025-01-11 03:55:19 +01:00			`# "10.0.0.0/8"`
			`"10.13.37.0/24"`
			`# 0xa-mgmt`
			`"10.89.87.0/24"`
			`# "172.16.0.0/12"`
			`"172.16.0.0/12"`
			`# "182.168.0.0/16"`
			`"182.168.0.0/16"`
			`# "fc00::/7"`
			`];`
			`};`
fixup toaster network 2025-01-03 19:06:42 +01:00			`};`
			`}`