libkookie: add mullvad wireguard namespace module

infra/libkookie/configuration/server/warez/default.nix

@@ -0,0 +1,68 @@
+{ pkgs, ... }:
+
+{
+  systemd.services.mullvad-ns = {
+    description = "Mullvad NetNS";
+    path = with pkgs; [ iproute ];
+    
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      PrivateNetwork = false;
+    };
+
+    script = ''
+      ip netns add mullvad-ns
+
+      # Create veth to tunnel traffic into/out of the ns
+      ip link add veth-mullvad type veth peer veth-main netns mullvad-ns
+      ip address add 10.49.0.1/30 dev veth-mullvad
+      ip netns exec mullvad-ns ip address add 10.49.0.2/30 dev veth-main
+      ip link set veth-mullvad up
+      ip netns exec mullvad-ns ip link set veth-main up
+    '';
+
+    postStop = ''
+      ip netns del mullvad-ns
+    '';
+  };
+
+  # services.ferm2.extraForwards = ''
+  #   proto tcp ACCEPT;
+  # '';
+  
+  networking.wireguard.interfaces.mullvad = {
+    interfaceNamespace = "mullvad-ns";
+    privateKeyFile = "/var/lib/mullvad/private";
+    ips = [ "10.67.102.9/32" "fc00:bbbb:bbbb:bb01::4:6608/128"];
+    peers = [ {
+      publicKey = "veGD6/aEY6sMfN3Ls7YWPmNgu3AheO7nQqsFT47YSws=";
+      allowedIPs = [ "0.0.0.0/0" "::0/0"];
+      endpoint = "185.213.154.69:51820";
+    }];
+  };
+
+  systemd.services.wireguard-mullvad = {
+    requires = [ "mullvad-ns.service" ];
+    after = [ "mullvad-ns.service" ];
+  };
+
+  environment.etc."netns/mullvad-ns/resolv.conf" = {
+    enable = true;
+    text = ''
+      nameserver 193.138.218.74
+      options edns0
+    '';
+  };
+
+  services.transmission.enable = true;
+  systemd.services.transmission = {
+    serviceConfig = {
+      NetworkNamespacePath = "/run/netns/mullvad-ns";
+      BindPaths= ["/etc/netns/mullvad-ns/resolv.conf:/etc/resolv.conf"];
+    };
+    requires = [ "wireguard-mullvad.service" ];
+    after = [ "wireguard-mullvad.service" ];
+  };
+}
+