media-server: add vpn module

modules/nixos/base/secrets.nix

@@ -8,7 +8,7 @@
 
   inherit (config.ooknet) host;
   inherit (host) admin;
-  inherit (config.services) tailscale;
+  inherit (config.services) tailscale transmission;
 in {
   age.identityPaths = [
     "/home/${admin.name}/.ssh/id_ed25519"
@@ -36,5 +36,8 @@ in {
       owner = "${admin.name}";
       group = "users";
     };
+    mullvad_wg = mkIf transmission.enable {
+      file = "${self}/secrets/mullvad_wg.age";
+    };
   };
 }

modules/nixos/server/services/media-server/default.nix

@@ -1,6 +1,7 @@
 {
   lib,
   config,
+  inputs,
   ...
 }: let
   inherit (lib) mkIf elem;
@@ -13,6 +14,8 @@ in {
     ./jellyfin.nix
     ./transmission.nix
     ./file-permissions.nix
+    ./vpn.nix
+    inputs.vpn-confinement.nixosModules.default
   ];
 
   # short cut for enabling all media-server modules

modules/nixos/server/services/media-server/vpn.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.ooknet.server.media-server) ports transmission;
+  inherit (config.age) secrets;
+in {
+  config = mkIf transmission.enable {
+    vpnNamespaces.wg = {
+      enable = true;
+      wireguardConfigFile = secrets.mullvad_wg.path;
+      accessibleFrom = [
+        "192.168.0.1/24"
+        "127.0.0.1"
+        "10.0.0.0/8"
+      ];
+      openVPNPorts = [
+        # Transmission
+        {
+          port = ports.transmission.peer;
+          protocol = "both";
+        }
+      ];
+      portMappings = [
+        # Transmission
+        {
+          from = ports.transmission.web;
+          to = ports.transmission.web;
+        }
+      ];
+    };
+    systemd.services.transmission.vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+  };
+}