From 374bf4d63a87012c1ae9d69fd0174d7709036557 Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Sat, 23 Aug 2025 12:23:12 +0200
Subject: [PATCH] set up the mullvad VPN for wheatley (untested)

---
 nixos/hosts/wheatley/configuration.nix | 49 +++++++++++++++++++++-----
 1 file changed, 41 insertions(+), 8 deletions(-)

diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix
index 8b53eaf..c0fc5de 100644
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@@ -220,6 +220,35 @@
 # wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
 # TODO: generate this dynamically based on other hosts
+ mullvad = {
+ address = ["10.70.93.226/32" "fc00:bbbb:bbbb:bb01::7:5de1/128"];
+ listenPort = 51820;
+ privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path;
+ dns = ["100.64.0.7"];
+ extraOptions = {
+ FwMark = 51820;
+ };
+
+ postUp = ''
+ ${pkgs.iproute2}/bin/ip rule add from 192.168.2.43 table main
+ ${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i end0 -j CONNMARK --set-mark 51820
+ ${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
+ '';
+
+ preDown = ''
+ ${pkgs.iproute2}/bin/ip rule del from 192.168.2.43 table main
+ ${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i end0 -j CONNMARK --set-mark 51820
+ ${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
+ '';
+
+ peers = [
+ {
+ publicKey = "UrQiI9ISdPPzd4ARw1NHOPKKvKvxUhjwRjaI0JpJFgM=";
+ allowedIPs = ["0.0.0.0/0" "::0/0"];
+ endpoint = "193.32.249.66:51820";
+ }
+ ];
+ };
 wg1 = {
 # Determines the IP address and subnet of the server's end of the tunnel interface.
 address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
 
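Review bot: The new `mullvad` interface reads its private key from the same `config.sops.secrets."wg-private-key".path` that `wg1` uses in the next hunk, so one WireGuard key serves both the Mullvad session and the host's own tunnel; a separate sops secret for the Mullvad key (`privateKeyFile = config.sops.secrets.<mullvad-key-secret>.path;`) keeps the key registered with the provider from also authenticating the wg1 peers and lets either be rotated on its own. The `ip rule add from 192.168.2.43 table main` line in postUp carries no `pref`, so its precedence relative to the `not fwmark`/`suppress_prefixlength` rules wg-quick installs for a `0.0.0.0/0` peer depends on insertion order; an explicit `pref` would make the bypass deterministic. The `-A` mangle rules have no existence guard, so a failed preDown followed by a restart leaves duplicate CONNMARK rules, and a one-line comment above postUp such as `# Mark connections arriving on end0 so their packets bypass the VPN policy route` would make the marking intent readable. Note also that the wg1 rules in the next hunk pass `-s mullvad` where iptables expects a source address (it would be looked up as a hostname); presumably the wg1 subnet with `-o mullvad` was meant.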
@@ -229,22 +258,26 @@
 # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
 postUp = ''
- ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
- ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s mullvad -o end0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg1 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s mullvad -o end0 -j MASQUERADE
 '';
 # Undo the above
 preDown = ''
- ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
- ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s mullvad -o end0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg1 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s mullvad -o end0 -j MASQUERADE
 '';
 privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path;
+ extraOptions = {
+ FwMark = 51820;
+ };
+
 peers = [
 {
 #GLaDOS public key