diff --git a/.github/workflows/flake-health-checks.yml b/.github/workflows/flake-health-checks.yml index 123f5cb..af05117 100644 --- a/.github/workflows/flake-health-checks.yml +++ b/.github/workflows/flake-health-checks.yml @@ -6,8 +6,8 @@ on: branches: ["main"] merge_group: concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: health-check: name: "Perform Nix flake checks" diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml index acb55b7..ac4aa8a 100644 --- a/.github/workflows/flake-update.yml +++ b/.github/workflows/flake-update.yml @@ -5,8 +5,8 @@ on: schedule: - cron: "00 12 * * *" concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: update_lockfile: runs-on: ubuntu-latest diff --git a/.github/workflows/lock-health-checks.yml b/.github/workflows/lock-health-checks.yml index f27e0a3..f2724d6 100644 --- a/.github/workflows/lock-health-checks.yml +++ b/.github/workflows/lock-health-checks.yml @@ -6,8 +6,8 @@ on: branches: ["main"] merge_group: concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: health-check: name: "Check health of `flake.lock`" diff --git a/systems/palatine-hill/docker/torr.nix b/systems/palatine-hill/docker/torr.nix index 87a17a4..2a95d92 100644 --- a/systems/palatine-hill/docker/torr.nix +++ b/systems/palatine-hill/docker/torr.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: let delugeBase = { 
@@ -19,15 +19,27 @@ let deluge_path = "${torr_path}/deluge"; delugevpn_path = "${torr_path}/delugevpn"; - genSopsConf = file: { + #genSopsConfWg = file: { + # "${file}" = { + # format = "binary"; + # sopsFile = ./wg/${file}; + # path = "${delugevpn_path}/config/wireguard/configs/${file}"; + # owner = "docker-service"; + # group = "users"; + # restartUnits = [ "docker-delugeVPN.service" ]; + # }; + #}; + + genSopsConfOvpn = file: { "${file}" = { format = "binary"; - sopsFile = ./wg/${file}; - path = "${delugevpn_path}/config/wireguard/configs/${file}"; + sopsFile = ./openvpn/${file}; + path = "${delugevpn_path}/config/openvpn/configs/${file}"; owner = "docker-service"; group = "users"; restartUnits = [ "docker-delugeVPN.service" ]; }; + }; in { @@ -46,22 +58,20 @@ in }; delugeVPN = delugeBase // { image = "binhex/arch-delugevpn:latest"; - extraOptions = [ - "--privileged=true" - "--sysctl" - "net.ipv4.conf.all.src_valid_mark=1" - ]; + capbilities = { + NET_ADMIN = true; + }; environment = delugeBase.environment // { VPN_ENABLED = "yes"; - VPN_CLIENT = "wireguard"; - VPN_PROV = "custom"; + VPN_CLIENT = "openvpn"; + VPN_PROV = "protonvpn"; ENABLE_PRIVOXY = "yes"; LAN_NETWORK = "192.168.0.0/16"; #NAME_SERVERS = "194.242.2.9"; NAME_SERVERS = "9.9.9.9"; # note, delete /config/perms.txt to force a bulk permissions update - }; + environmentFiles = [ config.sops.secrets."docker/delugevpn".path ]; volumes = [ "${delugevpn_path}/config:/config" "${deluge_path}/data:/data" # use common torrent path yuck 
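Review bot: The old WireGuard generator is retained as a commented-out `#genSopsConfWg = file: { ... };` block right next to the live `genSopsConfOvpn`; commented code like this drifts from the real helper and git history already preserves it, so delete it (mentioning the commit in the message if switching back matters). Separately, `group = "users";` on the rendered `.ovpn` secret widens group ownership beyond the single `docker-service` owner — if sops-nix's default `mode` of 0400 applies here, as I believe it does, the group has no effect and is only misleading, and if it does not apply it exposes the VPN profile to every local user; either way `group` can be dropped unless something in that group reads the file.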
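Review bot: `capbilities = { NET_ADMIN = true; };` is misspelled, so if this targets the oci-containers `capabilities` option the module system rejects it as an undeclared option and the configuration does not evaluate; it should read `capabilities = { NET_ADMIN = true; };`. Replacing `--privileged=true` and the WireGuard sysctl with a single capability is the right direction for the OpenVPN client. As rendered, the hunk also removes the `};` that closed `environment = delugeBase.environment // {` without adding it back, which would put `environmentFiles` and `volumes` inside the `environment` attrset — unless the diff rendering dropped a line, that brace has to stay above `environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];`. The delugeVPN container definition continues past the end of the hunk.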
@@ -79,29 +89,23 @@ in }; }; - systemd.services.docker-delugeVPN = { - serviceConfig = { - ExecStartPre = [ - ( - "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs " - + "-type l -not -name wg0.conf " - + "| ${pkgs.coreutils}/bin/shuf -n 1 " - + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&" - + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&" - + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\"" - ) - ]; - ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ]; - }; - }; + # systemd.services.docker-delugeVPN = { + # serviceConfig = { + # ExecStartPre = [ + # ( + # "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs " + # + "-type l -not -name wg0.conf " + # + "| ${pkgs.coreutils}/bin/shuf -n 1 " + # + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&" + # + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&" + # + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\"" + # ) + # ]; + # ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ]; + # }; + # }; - sops.secrets = - (genSopsConf "se-mma-wg-001.conf") - // (genSopsConf "se-mma-wg-002.conf") - // (genSopsConf "se-mma-wg-003.conf") - // (genSopsConf "se-mma-wg-004.conf") - // (genSopsConf "se-mma-wg-005.conf") - // (genSopsConf "se-mma-wg-101.conf") - // (genSopsConf "se-mma-wg-102.conf") - // (genSopsConf "se-mma-wg-103.conf"); + sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // { + "docker/delugevpn".owner = "docker-service"; + }; } diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml index c1afa14..04a9516 100644 --- a/systems/palatine-hill/secrets.yaml 
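Review bot: The `docker/delugevpn` secret is fed to the container via `environmentFiles`, so whatever it holds becomes container environment variables readable through `docker inspect` and the container's `/proc/<pid>/environ` by anyone with access to the docker socket; I cannot see its contents, but if these are the ProtonVPN credentials that is a wider exposure than the 0400 file on disk and deserves a comment such as `# contents become container env vars; anyone with docker socket access can read them`. `"docker/delugevpn".owner = "docker-service";` only matters if that user actually reads the file — the `--env-file` is read by the docker client started from the systemd unit, so if that unit runs as root the default owner suffices and the extra reader can be dropped; worth confirming. The former `systemd.services.docker-delugeVPN` override is kept as a 15-line comment block; delete it rather than commenting it out, since nothing in the new setup uses it.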
+++ b/systems/palatine-hill/secrets.yaml
@@ -23,6 +23,7 @@ docker:
 redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
 act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
 collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
+ delugevpn: ENC[AES256_GCM,data:6tf6sp2M1PkVpxgjCiHKxKHh1+3dYgO0dcp7OS4QYyCumqY4b8Q1pMnKf9/+Ua4/o3DCcZSQuSAThTt6Vq+cFKe7Zcc=,iv:1VtUl7wzrqzaRTWxf8Op8j28tHPRLB5/N8UHfIQkyuw=,tag:qBVoQxv4zphaKHH8kkpKMg==,type:str]
 acme:
 bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
 dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -41,8 +42,8 @@ sops:
 cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
 LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-30T04:36:41Z"
- mac: ENC[AES256_GCM,data:fEsUt5g0/7j8IVgtXQ0thV93dxe6SGCglqeHdnaXFOjKcCUEFWUmi98M8X92hR9AJzscRK6wqzijd/AQBzl+GL2QtDYsn8qx9Nr0DBd6Gh1vi25eh5LtADm09COSae1THWuFLP7L1Qamyt+XzlBa7Xnrzfuzzp0s2/cZoxZiueU=,iv:VYzh833cMQwGmkB6QunRys0Eluz+0KGj8Y43B9icE9w=,tag:EWJSizBMTFZ0TZhncYe2Sw==,type:str]
+ lastmodified: "2025-06-01T19:02:15Z"
+ mac: ENC[AES256_GCM,data:SzHrUfE7nzfrR3622yvzgaRj7kIKBveceSYiUGdHOqSZf6/2v/36xqgi0FbWKv9+2q2VOz11qDSIHLqZxYJlg7BqqPeApCQBnhu2mDQ4ICryMuG0gt0h4v3DY7kfU+0L76svk4qs02t3uTwBskMM9juxlw94zX/AUSCdg//uWjc=,iv:UYwu1Qg9i15X7H8D0emxvmFwJnOolm4gQe1jIbdGAK8=,tag:c43yM+RXteuUxgSLHFsnlg==,type:str]
 pgp:
 - created_at: "2024-11-28T18:56:39Z"
 enc: |-