From 6cdf8b53cc0ba2b5c3d53e393fcc27b4be73a0c7 Mon Sep 17 00:00:00 2001
From: cnst
Date: Sun, 20 Jul 2025 12:19:41 +0200
Subject: [PATCH] vpn v3
---
 hosts/kima/modules.nix | 1 +
 modules/server/wireguard-netns/default.nix | 45 ++++++++++++++--------
 2 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/hosts/kima/modules.nix b/hosts/kima/modules.nix
index 481a3685..5a8ad699 100644
--- a/hosts/kima/modules.nix
+++ b/hosts/kima/modules.nix
@@ -32,6 +32,7 @@
 192.168.88.14 cnst.dev
 192.168.88.14 lidarr.cnst.dev
 192.168.88.14 prowlarr.cnst.dev
+ 192.168.88.14 deluge.cnst.dev
 '';
 interfaces = {
 "eno1" = {
diff --git a/modules/server/wireguard-netns/default.nix b/modules/server/wireguard-netns/default.nix
index f7693f0e..09b81c8e 100644
--- a/modules/server/wireguard-netns/default.nix
+++ b/modules/server/wireguard-netns/default.nix
@@ -19,16 +19,12 @@ in {
 };
 };
- config = lib.mkIf cfg.enable {
- systemd.services."netns@${cfg.namespace}" = {
- description = "WireGuard VPN netns (${cfg.namespace})";
- after = ["network-online.target"];
- wants = ["network-online.target"];
- wantedBy = ["multi-user.target"];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- ExecStart = pkgs.writeShellScript "netns-${cfg.namespace}-setup" ''
+ config = lib.mkIf cfg.enable (
+ let
+ netnsSetup = pkgs.writeShellApplication {
+ name = "netns-${cfg.namespace}-setup";
+ runtimeInputs = with pkgs; [iproute2 wireguard-tools gawk coreutils];
+ text = ''
 set -eux
 CONFIG=${cfg.configFile}
@@ -36,9 +32,7 @@ in {
 ADDR=$(awk -F' *= *' '/^Address/ { print $2 }' "$CONFIG")
 DNS=$(awk -F' *= *' '/^DNS/ { print $2 }' "$CONFIG")
- # Clean up any existing netns
 ip netns delete "$NS" 2>/dev/null || true
- ip netns add "$NS"
 ip link add wg0 type wireguard
 ip link set wg0 netns "$NS"
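Review bot: `set -eux` at the top of the new `text` (and `set -eu` in the teardown hunk further down) repeats the errexit/nounset/pipefail preamble that `pkgs.writeShellApplication` already prepends, so the only effect left is `-x`, which echoes every expanded command — the awk-parsed `ADDR` and `DNS` values and whatever the later lines do with `$CONFIG` — into the unit's journal. Keep `set -x` only if that trace is wanted, otherwise drop the line in both scripts; the same applies to the teardown hunk, so it is not repeated there. `CONFIG=${cfg.configFile}` interpolates the option as a string, which presumably requires `configFile` to be a string path rather than a Nix path value, or the WireGuard config, private key included, would be copied into the world-readable store — worth asserting in the option type if it is not already. The setup script body continues in the next hunk.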
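Review bot: The collapsed patch text leaves it ambiguous whether the `-` before `ip netns add "$NS"` removes that command or only a blank line; if `ip netns add` is really gone, `ip link set wg0 netns "$NS"` two lines later fails under errexit and the unit never reaches the DNS setup. Confirm the namespace is still created between the `ip netns delete` and the link move. The script starts in the previous hunk and continues in the next.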
@@ -48,14 +42,33 @@ in {
 ip netns exec "$NS" ip link set lo up
 ip netns exec "$NS" ip route add default dev wg0
- # Set DNS
 mkdir -p /etc/netns/"$NS"
 echo "nameserver $DNS" > /etc/netns/"$NS"/resolv.conf
 '';
- ExecStop = pkgs.writeShellScript "netns-${cfg.namespace}-teardown" ''
+ };
+
+ netnsTeardown = pkgs.writeShellApplication {
+ name = "netns-${cfg.namespace}-teardown";
+ runtimeInputs = with pkgs; [iproute2];
+ text = ''
+ set -eu
 ip netns delete ${cfg.namespace} || true
 '';
 };
- };
- };
+ in {
+ systemd.services."netns@${cfg.namespace}" = {
+ description = "WireGuard VPN netns (${cfg.namespace})";
+ after = ["network-online.target"];
+ wants = ["network-online.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${netnsSetup}/bin/netns-${cfg.namespace}-setup";
+ ExecStop = "${netnsTeardown}/bin/netns-${cfg.namespace}-teardown";
+ };
+ };
+ }
+ );
 }
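Review bot: The new teardown only deletes the namespace, so the `/etc/netns/"$NS"/resolv.conf` written by the setup script stays behind after ExecStop and is merely overwritten on the next start; it should be cleaned up in the same script, e.g. `rm -f "/etc/netns/${cfg.namespace}/resolv.conf"` and `rmdir "/etc/netns/${cfg.namespace}" 2>/dev/null || true`, with `coreutils` added to the teardown's `runtimeInputs` as the setup already has. The teardown also spells the namespace as `${cfg.namespace}` while the setup uses `"$NS"`, and quotes it differently; one form throughout would make the pair easier to read. `ExecStart = lib.getExe netnsSetup;` and `ExecStop = lib.getExe netnsTeardown;` would avoid repeating the script names, since writeShellApplication sets `meta.mainProgram`.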