diff --git a/modules/nixos/base/secrets.nix b/modules/nixos/base/secrets.nix index 63406e2..c6297e8 100644 --- a/modules/nixos/base/secrets.nix +++ b/modules/nixos/base/secrets.nix @@ -8,7 +8,7 @@ inherit (config.ooknet) host; inherit (host) admin; - inherit (config.services) tailscale; + inherit (config.services) tailscale transmission; in { age.identityPaths = [ "/home/${admin.name}/.ssh/id_ed25519" @@ -36,5 +36,8 @@ in { owner = "${admin.name}"; group = "users"; }; + mullvad_wg = mkIf transmission.enable { + file = "${self}/secrets/mullvad_wg.age"; + }; }; } diff --git a/modules/nixos/server/services/media-server/default.nix b/modules/nixos/server/services/media-server/default.nix index a5bbd81..2e17c8d 100644 --- a/modules/nixos/server/services/media-server/default.nix +++ b/modules/nixos/server/services/media-server/default.nix @@ -1,6 +1,7 @@ { lib, config, + inputs, ... }: let inherit (lib) mkIf elem; @@ -13,6 +14,8 @@ in { ./jellyfin.nix ./transmission.nix ./file-permissions.nix + ./vpn.nix + inputs.vpn-confinement.nixosModules.default ]; # short cut for enabling all media-server modules diff --git a/modules/nixos/server/services/media-server/vpn.nix b/modules/nixos/server/services/media-server/vpn.nix new file mode 100644 index 0000000..7724a97 --- /dev/null +++ b/modules/nixos/server/services/media-server/vpn.nix 
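Review bot: In the second secrets.nix hunk, `mullvad_wg` is gated on `config.services.transmission.enable`, while the new vpn.nix reads `secrets.mullvad_wg.path` under `config.ooknet.server.media-server.transmission.enable`. Presumably transmission.nix derives one option from the other, but that is not visible here. If the two can ever differ, evaluation fails on a missing attribute, or the key is decrypted on a host that never uses it. Gating both on the same option removes that coupling. No owner, group or mode is set, so agenix's root-only defaults apply, which suits a WireGuard config that normally carries the private key; a comment such as `# root-only by agenix default: WireGuard config with private key` would stop the admin-owned block above being copied onto it later.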
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf;
+ inherit (config.ooknet.server.media-server) ports transmission;
+ inherit (config.age) secrets;
+in {
+ config = mkIf transmission.enable {
+ vpnNamespaces.wg = {
+ enable = true;
+ wireguardConfigFile = secrets.mullvad_wg.path;
+ accessibleFrom = [
+ "192.168.0.1/24"
+ "127.0.0.1"
+ "10.0.0.0/8"
+ ];
+ openVPNPorts = [
+ # Transmission
+ {
+ port = ports.transmission.peer;
+ protocol = "both";
+ }
+ ];
+ portMappings = [
+ # Transmission
+ {
+ from = ports.transmission.web;
+ to = ports.transmission.web;
+ }
+ ];
+ };
+ systemd.services.transmission.vpnConfinement = {
+ enable = true;
+ vpnNamespace = "wg";
+ };
+ };
+}
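Review bot: `accessibleFrom` admits more than a home LAN: `"10.0.0.0/8"` covers the whole private class-A range, and together with the `portMappings` entry it decides which hosts can reach the Transmission web/RPC port inside the namespace. Mullvad's WireGuard tunnel addresses are, as far as I know, allocated from inside 10.0.0.0/8, so the range likely overlaps the tunnel side as well. I would list only the subnets that actually need the UI and write the LAN entry in network form, `"192.168.0.0/24"` rather than `"192.168.0.1/24"`, with a comment per range such as `# LAN clients allowed to reach the Transmission web UI`. Whether Transmission's RPC authentication or whitelist is enabled is not visible in this diff and is worth confirming, since this list may otherwise be the only gate on that port.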