Skip to content

Instantly share code, notes, and snippets.

@myypo

myypo/nordvpn.nix

Created August 14, 2024 15:36
Show Gist options
  • Save myypo/31c52196f7987ef62f54092cb07aefd7 to your computer and use it in GitHub Desktop.
Save myypo/31c52196f7987ef62f54092cb07aefd7 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
nordvpn.nix
{
config,
lib,
pkgs,
...
}: let
nordVpnPkg = pkgs.callPackage ({
autoPatchelfHook,
buildFHSEnvChroot,
dpkg,
fetchurl,
lib,
stdenv,
sysctl,
iptables,
iproute2,
procps,
cacert,
libxml2,
libidn2,
zlib,
wireguard-tools,
}: let
pname = "nordvpn";
version = "3.18.3";
nordVPNBase = stdenv.mkDerivation {
inherit pname version;
src = fetchurl {
url = "https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_${version}_amd64.deb";
hash = "sha256-pCveN8cEwEXdvWj2FAatzg89fTLV9eYehEZfKq5JdaY=";
};
buildInputs = [libxml2 libidn2];
nativeBuildInputs = [dpkg autoPatchelfHook stdenv.cc.cc.lib];
dontConfigure = true;
dontBuild = true;
unpackPhase = ''
runHook preUnpack
dpkg --extract $src .
runHook postUnpack
'';
installPhase = ''
runHook preInstall
mkdir -p $out
mv usr/* $out/
mv var/ $out/
mv etc/ $out/
runHook postInstall
'';
};
nordVPNfhs = buildFHSEnvChroot {
name = "nordvpnd";
runScript = "nordvpnd";
# hardcoded path to /sbin/ip
targetPkgs = pkgs: [
nordVPNBase
sysctl
iptables
iproute2
procps
cacert
libxml2
libidn2
zlib
wireguard-tools
];
};
in
stdenv.mkDerivation {
inherit pname version;
dontUnpack = true;
dontConfigure = true;
dontBuild = true;
installPhase = ''
runHook preInstall
mkdir -p $out/bin $out/share
ln -s ${nordVPNBase}/bin/nordvpn $out/bin
ln -s ${nordVPNfhs}/bin/nordvpnd $out/bin
ln -s ${nordVPNBase}/share/* $out/share/
ln -s ${nordVPNBase}/var $out/
runHook postInstall
'';
meta = with lib; {
description = "CLI client for NordVPN";
homepage = "https://www.nordvpn.com";
license = licenses.unfreeRedistributable;
maintainers = with maintainers; [dr460nf1r3];
platforms = ["x86_64-linux"];
};
}) {};
in
with lib; {
options.myypo.services.custom.nordvpn.enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the NordVPN daemon. Note that you'll have to set
`networking.firewall.checkReversePath = false;`, add UDP 1194
and TCP 443 to the list of allowed ports in the firewall and add your
user to the "nordvpn" group (`users.users.<username>.extraGroups`).
'';
};
config = mkIf config.myypo.services.custom.nordvpn.enable {
networking.firewall.checkReversePath = false;
environment.systemPackages = [nordVpnPkg];
users.groups.nordvpn = {};
users.groups.nordvpn.members = ["myypo"];
systemd = {
services.nordvpn = {
description = "NordVPN daemon.";
serviceConfig = {
ExecStart = "${nordVpnPkg}/bin/nordvpnd";
ExecStartPre = pkgs.writeShellScript "nordvpn-start" ''
mkdir -m 700 -p /var/lib/nordvpn;
if [ -z "$(ls -A /var/lib/nordvpn)" ]; then
cp -r ${nordVpnPkg}/var/lib/nordvpn/* /var/lib/nordvpn;
fi
'';
NonBlocking = true;
KillMode = "process";
Restart = "on-failure";
RestartSec = 5;
RuntimeDirectory = "nordvpn";
RuntimeDirectoryMode = "0750";
Group = "nordvpn";
};
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
};
};
};
}
@craigfurman
Copy link

This is really useful, thanks! For anyone struggling to upgrade to v3.20.1, I had to add libnl and libcap_ng to nativeBuildInputs (and of course the derivation parameter attribute set).

@sgremm
Copy link

sgremm commented May 9, 2025

hi, a am new in nixos. how can i integrate this flake. i have flakes and home-manager

@craigfurman
Copy link

@sgremm not my gist, but: it's a nixos module. You can integrate by copying it into into your flake, import it into your configuration, then set myypo.services.custom.nordvpn.enable=true somewhere in that same configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment