new beginnings

hosts/sobotka/default.nix

@@ -44,22 +44,6 @@ in {
   networking = {
     hostName = "sobotka";
     domain = "cnst.dev";
-    firewall.allowedUDPPorts = [51820];
-    wireguard = {
-      interfaces.wg1 = {
-        ips = [
-          "192.168.88.14/24"
-        ];
-        peers = [
-          {
-            name = "kima";
-            allowedIPs = ["192.168.88.13/24"];
-            publicKey = "cUeRvwTwrL5GRc4dHjea89RJSa1kh4kIA/sHYzmscyQ=";
-          }
-        ];
-        privateKeyFile = config.age.secrets.wgSobotkaPrivateKey.path;
-      };
-    };
   };
 
   powerManagement.enable = false;

hosts/sobotka/server.nix

@@ -29,12 +29,5 @@
       };
     };
     deluge.enable = true;
-    wireguard-netns = {
-      enable = true;
-      namespace = "vpn";
-      configFile = config.age.secrets.wgCredentials.path;
-      privateIP = "10.68.145.193";
-      dnsIP = "10.64.0.1";
-    };
   };
 }

modules/server/deluge/default.nix

@@ -1,92 +1,88 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }: let
-  srv = config.server;
   cfg = config.server.deluge;
-  ns = config.server.wireguard-netns.namespace;
+  url = "https://deluge.${config.server.domain}";
+  port = 8112;
 in {
   options.server.deluge = {
-    enable = lib.mkEnableOption "Deluge torrent client (bound to a Wireguard VPN network)";
+    enable = lib.mkEnableOption "Enable Deluge";
-    configDir = lib.mkOption {
+    category = lib.mkOption {
       type = lib.types.str;
-      default = "/var/lib/deluge";
+      default = "Arr";
     };
-    url = lib.mkOption {
+    homepage = lib.mkOption {
-      type = lib.types.str;
+      type = lib.types.attrs;
-      default = "deluge.${srv.domain}";
+      default = {
-    };
+        name = "Deluge";
-    homepage.name = lib.mkOption {
+        icon = "deluge.svg";
-      type = lib.types.str;
+        description = "Shh";
-      default = "Deluge";
+        href = url;
-    };
+        siteMonitor = url;
-    homepage.description = lib.mkOption {
+      };
-      type = lib.types.str;
-      default = "Torrent client";
-    };
-    homepage.icon = lib.mkOption {
-      type = lib.types.str;
-      default = "deluge.svg";
-    };
-    homepage.category = lib.mkOption {
-      type = lib.types.str;
-      default = "Downloads";
     };
   };
-
   config = lib.mkIf cfg.enable {
-    services.deluge = {
+    services.caddy.virtualHosts."${url}" = {
-      enable = true;
+      useACMEHost = config.server.domain;
-      user = srv.user;
-      group = srv.group;
-      web.enable = true;
-    };
-
-    services.caddy.virtualHosts."${cfg.url}" = {
-      useACMEHost = srv.domain;
       extraConfig = ''
-        reverse_proxy http://127.0.0.1:8112
+        reverse_proxy http://127.0.0.1:${toString port}
       '';
     };
 
-    systemd = lib.mkIf srv.wireguard-netns.enable {
+    virtualisation.podman.enable = true;
-      services.deluged = {
+    virtualisation.oci-containers.containers = {
-        bindsTo = ["netns@${ns}.service"];
+      deluge = {
-        requires = [
+        image = "linuxserver/deluge:latest";
-          "network-online.target"
+        autoStart = true;
-          "${ns}.service"
+        dependsOn = ["gluetun"];
+        ports = [
+          "8112:8112"
+          "6881:6881"
         ];
-        serviceConfig.NetworkNamespacePath = "/var/run/netns/${ns}";
+        extraOptions = [
-      };
+          "--pull=newer"
-
+          "--network=container:gluetun"
-      sockets."delugedproxy" = {
-        enable = true;
-        description = "Socket for Proxy to Deluge WebUI";
-        listenStreams = ["58847"];
-        wantedBy = ["sockets.target"];
-      };
-
-      services."delugedproxy" = {
-        enable = true;
-        description = "Proxy to Deluge in Network Namespace";
-        requires = [
-          "deluged.service"
-          "delugedproxy.socket"
         ];
-        after = [
+        volumes = [
-          "deluged.service"
+          "/var/deluge/config:/config"
-          "delugedproxy.socket"
+          "/var/deluge/downloads:/var/deluge/downloads"
         ];
-        unitConfig = {
+        environmentFiles = [
-          JoinsNamespaceOf = "deluged.service";
+          config.sops.secrets.gluetunEnv.path
+        ];
+        environment = {
+          PUID = "1000";
+          PGID = "1000";
+          TZ = "Etc/UTC";
         };
-        serviceConfig = {
+      };
-          User = config.services.deluge.user;
+
-          Group = config.services.deluge.group;
+      gluetun = {
-          ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd --exit-idle-time=5min 127.0.0.1:58847";
+        image = "qmcgaw/gluetun";
-          PrivateNetwork = "yes";
+        ports = [
+          "8388:8388"
+          # Deluge
+          "58846:58846"
+          "8112:8112"
+        ];
+        devices = ["/dev/net/tun:/dev/net/tun"];
+        autoStart = true;
+        extraOptions = [
+          "--pull=newer"
+          "--cap-add=NET_ADMIN"
+        ];
+        volumes = ["/var:/gluetun"];
+        environmentFiles = [
+          config.age.secrets.gluetunEnv.path
+        ];
+        environment = {
+          DEV_MODE = "false";
+          VPN_SERVICE_PROVIDER = "mullvad";
+          VPN_TYPE = "wireguard";
+          SERVER_CITIES = "Stockholm";
         };
       };
     };

secrets/secrets.nix

@@ -19,4 +19,5 @@ in {
   "cloudflareDnsCredentials.age".publicKeys = [cnst kima usobotka rsobotka];
   "wgCredentials.age".publicKeys = [cnst kima usobotka rsobotka];
   "wgSobotkaPrivateKey.age".publicKeys = [cnst kima usobotka rsobotka];
+  "gluetunEnv.age".publicKeys = [cnst kima usobotka rsobotka];
 }