From 701778b2ed9372b9cadbd4d9231e19e990f0b37d Mon Sep 17 00:00:00 2001
From: ahuston-0 <aliceghuston@gmail.com>
Date: Sun, 1 Jun 2025 15:04:11 -0400
Subject: [PATCH] switch deluge to openvpn

---
 .github/workflows/flake-health-checks.yml |  4 +-
 .github/workflows/flake-update.yml        |  4 +-
 .github/workflows/lock-health-checks.yml  |  4 +-
 systems/palatine-hill/docker/torr.nix     | 76 ++++++++++++-----------
 systems/palatine-hill/secrets.yaml        |  5 +-
 5 files changed, 49 insertions(+), 44 deletions(-)

diff --git a/.github/workflows/flake-health-checks.yml b/.github/workflows/flake-health-checks.yml
index 123f5cb..af05117 100644
--- a/.github/workflows/flake-health-checks.yml
+++ b/.github/workflows/flake-health-checks.yml
@@ -6,8 +6,8 @@ on:
         branches: ["main"]
     merge_group:
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     health-check:
         name: "Perform Nix flake checks"
diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
index acb55b7..ac4aa8a 100644
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@@ -5,8 +5,8 @@ on:
     schedule:
         - cron: "00 12 * * *"
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     update_lockfile:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/lock-health-checks.yml b/.github/workflows/lock-health-checks.yml
index f27e0a3..f2724d6 100644
--- a/.github/workflows/lock-health-checks.yml
+++ b/.github/workflows/lock-health-checks.yml
@@ -6,8 +6,8 @@ on:
         branches: ["main"]
     merge_group:
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     health-check:
         name: "Check health of `flake.lock`"
diff --git a/systems/palatine-hill/docker/torr.nix b/systems/palatine-hill/docker/torr.nix
index 87a17a4..2a95d92 100644
--- a/systems/palatine-hill/docker/torr.nix
+++ b/systems/palatine-hill/docker/torr.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 let
   delugeBase = {
@@ -19,15 +19,27 @@ let
   deluge_path = "${torr_path}/deluge";
   delugevpn_path = "${torr_path}/delugevpn";
 
-  genSopsConf = file: {
+  #genSopsConfWg = file: {
+  #  "${file}" = {
+  #    format = "binary";
+  #    sopsFile = ./wg/${file};
+  #    path = "${delugevpn_path}/config/wireguard/configs/${file}";
+  #    owner = "docker-service";
+  #    group = "users";
+  #    restartUnits = [ "docker-delugeVPN.service" ];
+  #  };
+  #};
+
+  genSopsConfOvpn = file: {
     "${file}" = {
       format = "binary";
-      sopsFile = ./wg/${file};
-      path = "${delugevpn_path}/config/wireguard/configs/${file}";
+      sopsFile = ./openvpn/${file};
+      path = "${delugevpn_path}/config/openvpn/configs/${file}";
       owner = "docker-service";
       group = "users";
       restartUnits = [ "docker-delugeVPN.service" ];
     };
+
   };
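Review bot: The old WireGuard helper is kept as a commented-out block (`#genSopsConfWg`) instead of being deleted, and the same is done for the `systemd.services.docker-delugeVPN` block in the last hunk of this file; git history already preserves both, so the commented copies only add noise and will drift from the live code. There is also a stray blank line left inside the `genSopsConfOvpn` attribute set just before its closing `};`. Dropping both comment blocks and the blank line keeps the file limited to the OpenVPN configuration it now describes.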
 in
 {
@@ -46,22 +58,20 @@ in
     };
     delugeVPN = delugeBase // {
       image = "binhex/arch-delugevpn:latest";
-      extraOptions = [
-        "--privileged=true"
-        "--sysctl"
-        "net.ipv4.conf.all.src_valid_mark=1"
-      ];
+      capbilities = {
+        NET_ADMIN = true;
+      };
       environment = delugeBase.environment // {
         VPN_ENABLED = "yes";
-        VPN_CLIENT = "wireguard";
-        VPN_PROV = "custom";
+        VPN_CLIENT = "openvpn";
+        VPN_PROV = "protonvpn";
         ENABLE_PRIVOXY = "yes";
         LAN_NETWORK = "192.168.0.0/16";
         #NAME_SERVERS = "194.242.2.9";
         NAME_SERVERS = "9.9.9.9";
         # note, delete /config/perms.txt to force a bulk permissions update
-
       };
+      environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];
       volumes = [
         "${delugevpn_path}/config:/config"
         "${deluge_path}/data:/data" # use common torrent path yuck
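Review bot: `capbilities` on the new container definition is misspelled; the oci-containers option is `capabilities`, so as written this presumably either fails evaluation as an unknown option or leaves the container without NET_ADMIN, while the `--privileged=true` that previously granted it is removed in the same hunk. Replacing the line with `capabilities = {` makes the intended move from a privileged container to a single capability take effect. Whether the OpenVPN client in this image additionally needs the tun device (`--device=/dev/net/tun` in `extraOptions`) is not visible here and should be confirmed on first start. The container definition continues outside the hunk.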
@@ -79,29 +89,23 @@ in
     };
   };
 
-  systemd.services.docker-delugeVPN = {
-    serviceConfig = {
-      ExecStartPre = [
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
-          + "-type l -not -name wg0.conf "
-          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
-        )
-      ];
-      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
-    };
-  };
+  # systemd.services.docker-delugeVPN = {
+  #   serviceConfig = {
+  #     ExecStartPre = [
+  #       (
+  #         "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
+  #         + "-type l -not -name wg0.conf "
+  #         + "| ${pkgs.coreutils}/bin/shuf -n 1 "
+  #         + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
+  #         + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
+  #         + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
+  #       )
+  #     ];
+  #     ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
+  #   };
+  # };
 
-  sops.secrets =
-    (genSopsConf "se-mma-wg-001.conf")
-    // (genSopsConf "se-mma-wg-002.conf")
-    // (genSopsConf "se-mma-wg-003.conf")
-    // (genSopsConf "se-mma-wg-004.conf")
-    // (genSopsConf "se-mma-wg-005.conf")
-    // (genSopsConf "se-mma-wg-101.conf")
-    // (genSopsConf "se-mma-wg-102.conf")
-    // (genSopsConf "se-mma-wg-103.conf");
+  sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // {
+    "docker/delugevpn".owner = "docker-service";
+  };
 }
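Review bot: The new `docker/delugevpn` secret that feeds `environmentFiles` sets only `owner`, so unlike the `.ovpn` secret produced by `genSopsConfOvpn` it has no `restartUnits`; rotating the VPN credentials in secrets.yaml would redeploy the file without restarting `docker-delugeVPN.service`, leaving the container running on the old credentials until its next restart. The attribute should mirror the helper: `"docker/delugevpn" = { owner = "docker-service"; restartUnits = [ "docker-delugeVPN.service" ]; };`. The `.ovpn` secret is given `group = "users"` but no `mode`, so whether the profile ends up group-readable depends on the sops-nix default; worth confirming it stays owner-only.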
diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml
index c1afa14..04a9516 100644
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
@@ -23,6 +23,7 @@ docker:
     redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
     act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
     collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
+    delugevpn: ENC[AES256_GCM,data:6tf6sp2M1PkVpxgjCiHKxKHh1+3dYgO0dcp7OS4QYyCumqY4b8Q1pMnKf9/+Ua4/o3DCcZSQuSAThTt6Vq+cFKe7Zcc=,iv:1VtUl7wzrqzaRTWxf8Op8j28tHPRLB5/N8UHfIQkyuw=,tag:qBVoQxv4zphaKHH8kkpKMg==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -41,8 +42,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-30T04:36:41Z"
-    mac: ENC[AES256_GCM,data:fEsUt5g0/7j8IVgtXQ0thV93dxe6SGCglqeHdnaXFOjKcCUEFWUmi98M8X92hR9AJzscRK6wqzijd/AQBzl+GL2QtDYsn8qx9Nr0DBd6Gh1vi25eh5LtADm09COSae1THWuFLP7L1Qamyt+XzlBa7Xnrzfuzzp0s2/cZoxZiueU=,iv:VYzh833cMQwGmkB6QunRys0Eluz+0KGj8Y43B9icE9w=,tag:EWJSizBMTFZ0TZhncYe2Sw==,type:str]
+    lastmodified: "2025-06-01T19:02:15Z"
+    mac: ENC[AES256_GCM,data:SzHrUfE7nzfrR3622yvzgaRj7kIKBveceSYiUGdHOqSZf6/2v/36xqgi0FbWKv9+2q2VOz11qDSIHLqZxYJlg7BqqPeApCQBnhu2mDQ4ICryMuG0gt0h4v3DY7kfU+0L76svk4qs02t3uTwBskMM9juxlw94zX/AUSCdg//uWjc=,iv:UYwu1Qg9i15X7H8D0emxvmFwJnOolm4gQe1jIbdGAK8=,tag:c43yM+RXteuUxgSLHFsnlg==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-