From 4ee2e2a877e81e552ce650366579ef44c14dc150 Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Mon, 2 Dec 2024 12:30:13 +1100
Subject: [PATCH] ookflix: add gluetun
---
 .../nixos/server/services/ookflix/gluetun.nix | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 modules/nixos/server/services/ookflix/gluetun.nix
diff --git a/modules/nixos/server/services/ookflix/gluetun.nix b/modules/nixos/server/services/ookflix/gluetun.nix
new file mode 100644
index 0000000..3f5fb84
--- /dev/null
+++ b/modules/nixos/server/services/ookflix/gluetun.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ ook,
+ self,
+ ...
+}: let
+ ookflixLib = import ./lib.nix {inherit self lib config;};
+ inherit (ookflixLib) mkServiceUser;
+ inherit (lib) mkIf;
+ inherit (ook.lib.container) mkContainerEnvironment mkContainerPort mkServiceSecret;
+ inherit (config.ooknet.server.ookflix.services) transmission gluetun;
+in {
+ config = mkIf gluetun.enable {
+ users = mkServiceUser gluetun.user.name;
+ age.secrets.vpn_env = mkServiceSecret "vpn_env" "gluetun";
+ virtualisation.oci-containers.containers = {
+ # vpn container
+ gluetun = mkIf {
+ image = "qmcgaw/gluetun:latest";
+ # should make this an option.
+ environmentFiles = [config.age.secrets.vpn_env.path];
+ ports = [
+ (mkContainerPort transmission.port)
+ ];
+ environment = mkContainerEnvironment gluetun.user.id gluetun.group.id {
+ VPN_SERVICE_PROVIDER = gluetun.provider;
+ VPN_TYPE = "wireguard";
+ };
+ extraOptions = [
+ # give network admin permissions
+ "--cap-add=NET_ADMIN"
+ # pass the network tunnel device
+ "--device=/dev/net/tun"
+ ];
+ };
+ };
+ };
+}
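Review bot: `gluetun = mkIf {` on the container definition hands the attribute set to mkIf as its *condition* and never supplies the content argument, so the value is a partially applied function rather than a container config and the module will not evaluate as intended; the enclosing `config = mkIf gluetun.enable { … }` already gates the whole block, so the line should simply be `gluetun = {`. For a container that is granted `--cap-add=NET_ADMIN` and is fed the VPN credentials from `vpn_env`, `image = "qmcgaw/gluetun:latest"` should be pinned to a specific version tag or `@sha256:` digest so a registry-side change cannot silently replace the image that terminates the tunnel; the `# should make this an option.` comment suggests lifting the image into the `gluetun` option set, which would also be the natural place for the pin. Publishing `transmission.port` from this container only makes sense if the transmission container joins this container's network namespace, which is not visible here, so a comment such as `# transmission is expected to run in this container's network namespace` would record that assumption. Whether `mkContainerPort` binds on all interfaces or only loopback is also not visible here, and it determines what the transmission port is reachable from.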