feat(libvirtd): adding virtualisation

modules/nixos/services/mullvad-netns/default.nix

@@ -0,0 +1,50 @@
+{ self, pkgs, ... }:
+{
+  age.secrets.wgCredentials = {
+    file = "${self}/secrets/wgCredentials.age";
+    mode = "0400";
+    owner = "root";
+    group = "root";
+    path = "/etc/wireguard/mullvad.conf";
+  };
+
+  systemd.services.mullvad-netns = {
+    description = "WireGuard Mullvad netns for VMs";
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+
+      ExecStart = "${pkgs.writeShellScript "mullvad-netns-up" ''
+        set -euo pipefail
+
+        ip netns add mullvad || true
+
+        ip link add veth0 type veth peer name veth1 || true
+        ip link set veth1 netns mullvad
+        ip addr add 10.250.0.1/24 dev veth0 || true
+        ip link set veth0 up
+        ip netns exec mullvad ip addr add 10.250.0.2/24 dev veth1 || true
+        ip netns exec mullvad ip link set veth1 up
+
+        ip netns exec mullvad wg-quick up /etc/wireguard/mullvad.conf
+        ip netns exec mullvad ip route add default dev wg0 || true
+
+        nft add table ip mullvad-nat || true
+        nft add chain ip mullvad-nat postrouting { type nat hook postrouting priority 100 \; } || true
+        nft add rule ip mullvad-nat postrouting ip saddr 10.250.0.0/24 oif "wg0" masquerade || true
+      ''}";
+
+      ExecStop = "${pkgs.writeShellScript "mullvad-netns-down" ''
+        set -euo pipefail
+
+        ip netns exec mullvad wg-quick down /etc/wireguard/mullvad.conf || true
+        ip link delete veth0 || true
+        ip netns delete mullvad || true
+        nft delete table ip mullvad-nat || true
+      ''}";
+    };
+
+    # no wantedBy here -> won't start at boot
+  };
+}