From 33e5d8fbea7760694da0b842d5815297aa940b4e Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Wed, 27 Nov 2024 22:26:55 +1100
Subject: [PATCH] media-server: add vpn module

---
 modules/nixos/base/secrets.nix | 5 ++-
 .../server/services/media-server/default.nix | 3 ++
 .../server/services/media-server/vpn.nix | 39 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 modules/nixos/server/services/media-server/vpn.nix

diff --git a/modules/nixos/base/secrets.nix b/modules/nixos/base/secrets.nix
index 63406e2..c6297e8 100644
--- a/modules/nixos/base/secrets.nix
+++ b/modules/nixos/base/secrets.nix
@@ -8,7 +8,7 @@
 inherit (config.ooknet) host;
 inherit (host) admin;
- inherit (config.services) tailscale;
+ inherit (config.services) tailscale transmission;
 in {
 age.identityPaths = [
 "/home/${admin.name}/.ssh/id_ed25519"
@@ -36,5 +36,8 @@ in {
 owner = "${admin.name}";
 group = "users";
 };
+ mullvad_wg = mkIf transmission.enable {
+ file = "${self}/secrets/mullvad_wg.age";
+ };
 };
 }
diff --git a/modules/nixos/server/services/media-server/default.nix b/modules/nixos/server/services/media-server/default.nix
index a5bbd81..2e17c8d 100644
--- a/modules/nixos/server/services/media-server/default.nix
+++ b/modules/nixos/server/services/media-server/default.nix
@@ -1,6 +1,7 @@
 {
 lib,
 config,
+ inputs,
 ...
 }: let
 inherit (lib) mkIf elem;
@@ -13,6 +14,8 @@ in {
 ./jellyfin.nix
 ./transmission.nix
 ./file-permissions.nix
+ ./vpn.nix
+ inputs.vpn-confinement.nixosModules.default
 ];
 
 # short cut for enabling all media-server modules
diff --git a/modules/nixos/server/services/media-server/vpn.nix b/modules/nixos/server/services/media-server/vpn.nix
new file mode 100644
index 0000000..7724a97
--- /dev/null
+++ b/modules/nixos/server/services/media-server/vpn.nix
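Review bot: The new mullvad_wg secret is gated on `config.services.transmission.enable` (both secrets.nix hunks), while the vpn.nix hunk that consumes `secrets.mullvad_wg.path` is gated on `config.ooknet.server.media-server.transmission.enable`; if those two options can ever disagree, evaluation fails with a missing-attribute error on `secrets.mullvad_wg`, or the key is decrypted onto a host that never uses it. Gating both on the same option closes that gap, e.g. `mullvad_wg = mkIf config.ooknet.server.media-server.transmission.enable { ... };`, assuming that option is the one that turns on `services.transmission`. The entry also sets only `file`, unlike the neighbouring secrets that assign `owner`/`group` to the admin user; that looks deliberate, since the WireGuard key is presumably read only by the root-run namespace setup, but a comment stating it would stop a later edit from copying the admin-owned pattern: `# intentionally root-only (default owner/mode): consumed by the netns setup, not by the admin user`. Whether `self` is in scope here cannot be confirmed from the hunk, since the module's argument list lies outside it.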
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf;
+ inherit (config.ooknet.server.media-server) ports transmission;
+ inherit (config.age) secrets;
+in {
+ config = mkIf transmission.enable {
+ vpnNamespaces.wg = {
+ enable = true;
+ wireguardConfigFile = secrets.mullvad_wg.path;
+ accessibleFrom = [
+ "192.168.0.1/24"
+ "127.0.0.1"
+ "10.0.0.0/8"
+ ];
+ openVPNPorts = [
+ # Transmission
+ {
+ port = ports.transmission.peer;
+ protocol = "both";
+ }
+ ];
+ portMappings = [
+ # Transmission
+ {
+ from = ports.transmission.web;
+ to = ports.transmission.web;
+ }
+ ];
+ };
+ systemd.services.transmission.vpnConfinement = {
+ enable = true;
+ vpnNamespace = "wg";
+ };
+ };
+}
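Review bot: `"192.168.0.1/24"` in accessibleFrom is a host address with a /24 prefix rather than the network itself; if the LAN is meant, `"192.168.0.0/24"` is the canonical form and does not depend on how the vpn-confinement module normalises (or rejects) an address with non-zero host bits. `"10.0.0.0/8"` admits the whole 10/8 range into the namespace, and with it the Transmission web UI that portMappings forwards on `ports.transmission.web`; unless a network in that range is actually in use, narrow it to the specific subnet, and a one-line comment per entry (`# LAN`, `# host loopback`, and whatever the third one is for) would record why each range is listed. The peer port opened with `protocol = "both"` matches a TCP+UDP peer listener, so that part reads as intended.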