From b0c6f4ae0537804b24fdd1b9580d7eb1e7ff6a83 Mon Sep 17 00:00:00 2001 From: Patrick Jackson Date: Mon, 7 Nov 2022 09:40:21 -0800 Subject: [PATCH] nixos/mullvad-vpn: add mullvad-exclude wrapper & systemPackage --- .../services/networking/mullvad-vpn.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix index 7eb3761aad37..82e68bf92af1 100644 --- a/nixos/modules/services/networking/mullvad-vpn.nix +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -14,6 +14,15 @@ with lib; ''; }; + enableExcludeWrapper = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + This option activates the wrapper that allows the use of mullvad-exclude. + Might have minor security impact, so consider disabling if you do not use the feature. + ''; + }; + package = mkOption { type = types.package; default = pkgs.mullvad; @@ -27,12 +36,22 @@ with lib; config = mkIf cfg.enable { boot.kernelModules = [ "tun" ]; + environment.systemPackages = [ cfg.package ]; + # mullvad-daemon writes to /etc/iproute2/rt_tables networking.iproute2.enable = true; # See https://github.com/NixOS/nixpkgs/issues/113589 networking.firewall.checkReversePath = "loose"; + # See https://github.com/NixOS/nixpkgs/issues/176603 + security.wrappers.mullvad-exclude = mkIf cfg.enableExcludeWrapper { + setuid = true; + owner = "root"; + group = "root"; + source = "${cfg.package}/bin/mullvad-exclude"; + }; + systemd.services.mullvad-daemon = { description = "Mullvad VPN daemon"; wantedBy = [ "multi-user.target" ];
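Review bot: The description of `enableExcludeWrapper` says only that the feature "might have minor security impact", which understates what the option does: with `default = true` every host that enables this service gets a setuid-root wrapper for mullvad-exclude (declared under `security.wrappers` in the second hunk), and a setuid-root binary that launches arbitrary commands is not a minor addition to the attack surface. The text should say so plainly so an operator can decide whether to keep the default, e.g. `Installs a setuid-root wrapper (via security.wrappers) so unprivileged users can run mullvad-exclude. With the wrapper's default permissions any local user can then start processes whose traffic bypasses the VPN tunnel; disable this if you do not use split tunneling.` Given that, I would also consider `default = false` so the escape hatch is opt-in rather than on by default for a service whose point is to route all traffic through the tunnel. The enclosing `options` set starts before and continues after this hunk.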
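Review bot: The `security.wrappers.mullvad-exclude` entry sets `setuid = true` with root owner and group but no `permissions`, so it takes the wrapper module's default mode, which as far as I recall is executable by every local user; since the wrapper's purpose is to run a caller-supplied command outside the tunnel, that lets any account on the host open a VPN bypass for its own processes (whether the binary drops back to the caller's uid before exec is not visible here and is worth confirming against the upstream source). If the feature is meant for specific users, bind it to a group, e.g. `group = "mullvad-exclude"; permissions = "u+rx,g+rx,o-rwx";`, and say so in the option description, since that silently breaks callers outside the group. The new `environment.systemPackages = [ cfg.package ]` line also leaves the unwrapped `${cfg.package}/bin/mullvad-exclude` on PATH; on NixOS `/run/wrappers/bin` is ordered first so the wrapper should shadow it, but a comment such as `# /run/wrappers/bin precedes the package's bin dir on PATH, so the setuid wrapper shadows the plain binary` would make that assumption explicit. The `config = mkIf cfg.enable { … }` set continues past the end of this hunk with the mullvad-daemon service definition.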