switch deluge to openvpn

.github/workflows/flake-health-checks.yml

@@ -6,8 +6,8 @@ on:
         branches: ["main"]
     merge_group:
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     health-check:
         name: "Perform Nix flake checks"

.github/workflows/flake-update.yml

@@ -5,8 +5,8 @@ on:
     schedule:
         - cron: "00 12 * * *"
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     update_lockfile:
         runs-on: ubuntu-latest

.github/workflows/lock-health-checks.yml

@@ -6,8 +6,8 @@ on:
         branches: ["main"]
     merge_group:
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     health-check:
         name: "Check health of `flake.lock`"

systems/palatine-hill/docker/torr.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 let
   delugeBase = {
@@ -19,15 +19,27 @@ let
   deluge_path = "${torr_path}/deluge";
   delugevpn_path = "${torr_path}/delugevpn";
 
-  genSopsConf = file: {
+  #genSopsConfWg = file: {
+  #  "${file}" = {
+  #    format = "binary";
+  #    sopsFile = ./wg/${file};
+  #    path = "${delugevpn_path}/config/wireguard/configs/${file}";
+  #    owner = "docker-service";
+  #    group = "users";
+  #    restartUnits = [ "docker-delugeVPN.service" ];
+  #  };
+  #};
+
+  genSopsConfOvpn = file: {
     "${file}" = {
       format = "binary";
-      sopsFile = ./wg/${file};
-      path = "${delugevpn_path}/config/wireguard/configs/${file}";
+      sopsFile = ./openvpn/${file};
+      path = "${delugevpn_path}/config/openvpn/configs/${file}";
       owner = "docker-service";
       group = "users";
       restartUnits = [ "docker-delugeVPN.service" ];
     };
+
   };
 in
 {
@@ -46,22 +58,20 @@ in
     };
     delugeVPN = delugeBase // {
       image = "binhex/arch-delugevpn:latest";
-      extraOptions = [
-        "--privileged=true"
-        "--sysctl"
-        "net.ipv4.conf.all.src_valid_mark=1"
-      ];
+      capbilities = {
+        NET_ADMIN = true;
+      };
       environment = delugeBase.environment // {
         VPN_ENABLED = "yes";
-        VPN_CLIENT = "wireguard";
-        VPN_PROV = "custom";
+        VPN_CLIENT = "openvpn";
+        VPN_PROV = "protonvpn";
         ENABLE_PRIVOXY = "yes";
         LAN_NETWORK = "192.168.0.0/16";
         #NAME_SERVERS = "194.242.2.9";
         NAME_SERVERS = "9.9.9.9";
         # note, delete /config/perms.txt to force a bulk permissions update
-
       };
+      environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];
       volumes = [
         "${delugevpn_path}/config:/config"
         "${deluge_path}/data:/data" # use common torrent path yuck
@@ -79,29 +89,23 @@ in
     };
   };
 
-  systemd.services.docker-delugeVPN = {
-    serviceConfig = {
-      ExecStartPre = [
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
-          + "-type l -not -name wg0.conf "
-          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
-        )
-      ];
-      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
-    };
-  };
+  # systemd.services.docker-delugeVPN = {
+  #   serviceConfig = {
+  #     ExecStartPre = [
+  #       (
+  #         "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
+  #         + "-type l -not -name wg0.conf "
+  #         + "| ${pkgs.coreutils}/bin/shuf -n 1 "
+  #         + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
+  #         + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
+  #         + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
+  #       )
+  #     ];
+  #     ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
+  #   };
+  # };
 
-  sops.secrets =
-    (genSopsConf "se-mma-wg-001.conf")
-    // (genSopsConf "se-mma-wg-002.conf")
-    // (genSopsConf "se-mma-wg-003.conf")
-    // (genSopsConf "se-mma-wg-004.conf")
-    // (genSopsConf "se-mma-wg-005.conf")
-    // (genSopsConf "se-mma-wg-101.conf")
-    // (genSopsConf "se-mma-wg-102.conf")
-    // (genSopsConf "se-mma-wg-103.conf");
+  sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // {
+    "docker/delugevpn".owner = "docker-service";
+  };
 }

systems/palatine-hill/secrets.yaml

@@ -23,6 +23,7 @@ docker:
     redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
     act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
     collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
+    delugevpn: ENC[AES256_GCM,data:6tf6sp2M1PkVpxgjCiHKxKHh1+3dYgO0dcp7OS4QYyCumqY4b8Q1pMnKf9/+Ua4/o3DCcZSQuSAThTt6Vq+cFKe7Zcc=,iv:1VtUl7wzrqzaRTWxf8Op8j28tHPRLB5/N8UHfIQkyuw=,tag:qBVoQxv4zphaKHH8kkpKMg==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -41,8 +42,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-30T04:36:41Z"
-    mac: ENC[AES256_GCM,data:fEsUt5g0/7j8IVgtXQ0thV93dxe6SGCglqeHdnaXFOjKcCUEFWUmi98M8X92hR9AJzscRK6wqzijd/AQBzl+GL2QtDYsn8qx9Nr0DBd6Gh1vi25eh5LtADm09COSae1THWuFLP7L1Qamyt+XzlBa7Xnrzfuzzp0s2/cZoxZiueU=,iv:VYzh833cMQwGmkB6QunRys0Eluz+0KGj8Y43B9icE9w=,tag:EWJSizBMTFZ0TZhncYe2Sw==,type:str]
+    lastmodified: "2025-06-01T19:02:15Z"
+    mac: ENC[AES256_GCM,data:SzHrUfE7nzfrR3622yvzgaRj7kIKBveceSYiUGdHOqSZf6/2v/36xqgi0FbWKv9+2q2VOz11qDSIHLqZxYJlg7BqqPeApCQBnhu2mDQ4ICryMuG0gt0h4v3DY7kfU+0L76svk4qs02t3uTwBskMM9juxlw94zX/AUSCdg//uWjc=,iv:UYwu1Qg9i15X7H8D0emxvmFwJnOolm4gQe1jIbdGAK8=,tag:c43yM+RXteuUxgSLHFsnlg==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-