117 current 2025-10-08 19:07:36 25.05.20251006.20c4598 6.12.50 *

2025-10-08 19:41:45 -05:00
parent ff4faf34f6
commit f106d9b565
6 changed files with 41 additions and 8 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -40,7 +40,8 @@
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "vpn-confinement": "vpn-confinement"
      }
    },
    "sops-nix": {
@@ -62,6 +63,21 @@
        "repo": "sops-nix",
        "type": "github"
      }
+    },
+    "vpn-confinement": {
+      "locked": {
+        "lastModified": 1759956062,
+        "narHash": "sha256-NUZu0Rb0fwUjfdp51zMm0xM3lcK8Kw4c97LLog7+JjA=",
+        "owner": "Maroka-chan",
+        "repo": "VPN-Confinement",
+        "rev": "fabe7247b720b5eb4c3c053e24a2b3b70e64c52b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Maroka-chan",
+        "repo": "VPN-Confinement",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 116 current  2025-10-08 19:06:36  25.05.20251006.20c4598  6.12.50                          *
+# generation: 117 current  2025-10-08 19:07:36  25.05.20251006.20c4598  6.12.50                          *
 {
  description = "blakes nix config";
  inputs = {
@@ -13,6 +13,10 @@
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    vpn-confinement = {
+      url = "github:Maroka-chan/VPN-Confinement";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };
  
  outputs = { self, nixpkgs, home-manager, ... }@inputs: 
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -20,6 +20,7 @@
      tailscale.enable = true;
      vpns.enable = true;
      vpns.wg_mex = false;
+      vpn-confinement.enable = true;
      nvidia.enable = true;
    };
    homelab = {
--- a/modules/homelab/services/qbittorrent/default.nix
+++ b/modules/homelab/services/qbittorrent/default.nix
@@ -53,10 +53,18 @@ in
    };

    # override umask to make permissions work out
-    systemd.services.qbittorrent.serviceConfig = {
-      UMask = lib.mkForce "0007";
-#      User = "qbittorrent";
-#      Group = "qbittorrent";
+    systemd.services.qbittorrent = {
+      serviceConfig = {
+        UMask = lib.mkForce "0007";
+#       User = "qbittorrent";
+#       Group = "qbittorrent";
+      };
+
+      # add systemd service to VPN network namespace
+      vpnConfinement = {
+        enable = true;
+        vpnNamespace = "wgmex";
+      };
    };

 #    # open firewall
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -8,6 +8,7 @@
    ./docker.nix
    ./tailscale.nix
    ./vpns.nix
+    ./vpn-confinement.nix
    ./syncthing.nix
    ./nvidia.nix
  ];
@@ -18,6 +19,7 @@
  modules.system.docker.enable = lib.mkDefault false;
  modules.system.tailscale.enable = lib.mkDefault true;
  modules.system.vpns.enable = lib.mkDefault false;
+  modules.system.vpn-confinement.enable = lib.mkDefault false;
  modules.system.syncthing.enable = lib.mkDefault false;
  modules.system.nvidia.enable = lib.mkDefault false;

--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -14,6 +14,8 @@ pia_auth: ENC[AES256_GCM,data:rwAu4f5XVS4v4FCLj2zXAegIZeRPLIzUVv6TCrdfg9RGSDJYHg
 openvpn_pia_mexico_config: ENC[AES256_GCM,data:59HQ3OZ0QKq92jI=,iv:DZTNvfi6kLXG7dsNkPcXUmXhAG2UdPZBy/L9eWNmRdE=,tag:ndxDDQNL2z1fjxFfU2VRwQ==,type:str]
 #ENC[AES256_GCM,data:mbIgMJBhL8nWJzl8q2dFL8XtO1Xa1Q==,iv:caYHYp1boK9wRgCcQe40HTWT/HxAIvYe+HyaruI53Vc=,tag:S6wowhAHObEcs7z8FimZ1g==,type:comment]
 wg_mex_key: ENC[AES256_GCM,data:vxDXixo6X6D33+p21L4hB0/yCH+TvMHZl991BkRsE/jdz7rzZuJF+zI7h+Q=,iv:8WR+feHXNUcat8DB2wY7wpos+P7TzgRF7rFD0fYosjY=,tag:p9b9ck0/VZjyLxtHut3n5Q==,type:str]
+#ENC[AES256_GCM,data:3ATkokBKeOp97uORzaePROrKKfG94ic=,iv:MNJRh6Vrso1heqNUJc0M4xGNcMLGwcF9IzoiQ5+SS+g=,tag:xj8Actwkirvq4GE+Ly1M9w==,type:comment]
+vpncon_mex_config: ENC[AES256_GCM,data:TKz0vDdIp9VdoFZ9SD+dZvPK4w00Rrbe7RfaqOAX14wXdbwgA0RwmMq2jHuw7YObPLGFQXVKF1uWily2tvEqHWTsDNhafPpTZVt6dlR4SoVrsATzP1Nr5Rv5FzkROkqipcT/GDT5NJDPBxbJ7fbqbzyGVaejWteC9QJ234kSf8BCT0R1RxNS+7NqYBGtstBuLp3Ly8D4REtNqd0oWuDoUdlGTOzWwHtQ/HcXxIhZBCbGQk926ef6WFPsJWPLYoUDohk/+RSTIWP7MJ39rpFUSWKVEKPuNwPbwdAsudlrEDiZZaWd66N8FvIWZlIAVRhmSjs1mYO/4jglqls=,iv:o0sfYbfjIuxNS2PbFJVNPxs+TeVropqqIklkkER7TpM=,tag:nHBJq/LAwPwbtN1Gc9rlHA==,type:str]
 #ENC[AES256_GCM,data:CO5nrcDbgymnEmCvuTexOBEMncuNM5lQ,iv:6HrxqSN6e7ODuz09MIFgPbIqDCKQySRDaKk5Wdu4HoQ=,tag:JBRjZeEdOg+trohfanO6Mg==,type:comment]
 vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str]
 #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment]
@@ -29,7 +31,7 @@ sops:
            U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
            PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-08T20:46:50Z"
-    mac: ENC[AES256_GCM,data:kSWpiorgrx4Ohv/ZpUCKuBy+g3VZ95UjaOeotUwXJzao3qbHHAKIRLCJnlJPjMDyT3aZc8AF3urQunl65LDHYAisTV1LxTAeFSsWm4xkJ5DcyhvTHh1yxa+G9lGZ6mBQK60Hg92+fqwS43ObYz8hwoVeeKXc0ZSwDqI5d8gSF9o=,iv:gVonEcRQTupdLEYgAfgI10L86h6q+PFdgpLHNsLHB/8=,tag:Rd2nlookzmUc0ZWnC/f1Dg==,type:str]
+    lastmodified: "2025-10-09T00:25:39Z"
+    mac: ENC[AES256_GCM,data:pmIX5axxMkslErt8PG9uDu9vcgbCbP5LdlolzTcZyrIqYivmUZBKVPGp5ym/o8kdiTM5GonSbS4xVzFhm6VGGLEqDRMtCFMz+bmZX5O/G6abWZPCBAMXFNE2wLS44tCnZQkjeAPGPB7Z4jQYPloloVI5j1jn/qH9kvcI3GaHxBE=,iv:s0Fj3WRxW5gby8P6CWrmW2UdHJTFhl+7kvK7wd/vNpY=,tag:Hpr1YMuMlWdi5zU4LOcRmA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0