diff --git a/flake.lock b/flake.lock
index 222ac27..7910967 100644
--- a/flake.lock
+++ b/flake.lock
@@ -40,7 +40,8 @@
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
- "sops-nix": "sops-nix"
+ "sops-nix": "sops-nix",
+ "vpn-confinement": "vpn-confinement"
 }
 },
 "sops-nix": {
@@ -62,6 +63,21 @@
 "repo": "sops-nix",
 "type": "github"
 }
+ },
+ "vpn-confinement": {
+ "locked": {
+ "lastModified": 1759956062,
+ "narHash": "sha256-NUZu0Rb0fwUjfdp51zMm0xM3lcK8Kw4c97LLog7+JjA=",
+ "owner": "Maroka-chan",
+ "repo": "VPN-Confinement",
+ "rev": "fabe7247b720b5eb4c3c053e24a2b3b70e64c52b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Maroka-chan",
+ "repo": "VPN-Confinement",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index db39ed7..928ed1c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 116 current 2025-10-08 19:06:36 25.05.20251006.20c4598 6.12.50 *
+# generation: 117 current 2025-10-08 19:07:36 25.05.20251006.20c4598 6.12.50 *
 {
 description = "blakes nix config";
 inputs = {
@@ -13,6 +13,10 @@
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ vpn-confinement = {
+ url = "github:Maroka-chan/VPN-Confinement";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = { self, nixpkgs, home-manager, ... }@inputs:
diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix
index c2c355f..e61a996 100644
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -20,6 +20,7 @@
 tailscale.enable = true;
 vpns.enable = true;
 vpns.wg_mex = false;
+ vpn-confinement.enable = true;
 nvidia.enable = true;
 };
 homelab = {
diff --git a/modules/homelab/services/qbittorrent/default.nix b/modules/homelab/services/qbittorrent/default.nix
index 226f51d..21d1fa0 100644
--- a/modules/homelab/services/qbittorrent/default.nix
+++ b/modules/homelab/services/qbittorrent/default.nix
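Review bot: The new `vpn-confinement` input in the second flake.nix hunk has no `ref` or `rev`, so every `nix flake update` silently moves it to whatever commit is on the upstream default branch; flake.lock pins `rev` and `narHash` for reproducibility, but not for review. Judging by its name and the `vpnConfinement.vpnNamespace` option the qbittorrent module now uses, this flake supplies a NixOS module that sets up network namespaces and routing as root, so an unreviewed bump is a change to privileged code. Consider pinning the input, e.g. `url = "github:Maroka-chan/VPN-Confinement/fabe7247b720b5eb4c3c053e24a2b3b70e64c52b";`, or at minimum add a comment such as `# review upstream diff before bumping: this module rewrites netns/routing as root` so the update policy is recorded. The `inputs` attrset this sits in starts before the hunk.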
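Review bot: The namespace that `vpn-confinement.enable = true` switches on for snowbelle is not defined anywhere in this diff (presumably it lives in modules/system/vpn-confinement.nix), so whether qbittorrent's traffic fails closed when the tunnel drops cannot be verified from this hunk, and `vpns.wg_mex = false` on the line above means the host-wide tunnel no longer provides a fallback. After deploying, confirm the confinement actually holds: `systemctl show qbittorrent -p NetworkNamespacePath` should report a netns path rather than an empty value, and, if the module registers the namespace under /run/netns, `ip netns exec wgmex curl -s https://ifconfig.me` should return the VPN exit address while `ip netns exec wgmex wg show` shows a recent handshake. A comment on the new line, e.g. `# host-level wg_mex tunnel replaced by the wgmex netns; only confined services get VPN egress`, would record why these two options are toggled together. The enclosing `modules.system` attrset starts before the hunk.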
@@ -53,10 +53,18 @@ in
 };
 # override umask to make permissions work out
- systemd.services.qbittorrent.serviceConfig = {
- UMask = lib.mkForce "0007";
-# User = "qbittorrent";
-# Group = "qbittorrent";
+ systemd.services.qbittorrent = {
+ serviceConfig = {
+ UMask = lib.mkForce "0007";
+# User = "qbittorrent";
+# Group = "qbittorrent";
+ };
+
+ # add systemd service to VPN network namespace
+ vpnConfinement = {
+ enable = true;
+ vpnNamespace = "wgmex";
+ };
 };
 # # open firewall
diff --git a/modules/system/default.nix b/modules/system/default.nix
index 35c7a31..ed76488 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -8,6 +8,7 @@
 ./docker.nix
 ./tailscale.nix
 ./vpns.nix
+ ./vpn-confinement.nix
 ./syncthing.nix
 ./nvidia.nix
 ];
@@ -18,6 +19,7 @@
 modules.system.docker.enable = lib.mkDefault false;
 modules.system.tailscale.enable = lib.mkDefault true;
 modules.system.vpns.enable = lib.mkDefault false;
+ modules.system.vpn-confinement.enable = lib.mkDefault false;
 modules.system.syncthing.enable = lib.mkDefault false;
 modules.system.nvidia.enable = lib.mkDefault false;
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index c056a97..f717b36 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
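Review bot: `vpnConfinement.enable = true` with `vpnNamespace = "wgmex"` is set unconditionally in the shared qbittorrent module, while the namespace itself is opt-in per host (`modules.system.vpn-confinement.enable = lib.mkDefault false` in the modules/system/default.nix hunk), so a host that enables qbittorrent without vpn-confinement references a namespace that does not exist — depending on how the VPN-Confinement module treats that, evaluation fails or the torrent client runs unconfined on the host network. Make the dependency fail closed at eval time, e.g. `assertions = [{ assertion = config.modules.system.vpn-confinement.enable; message = "qbittorrent is confined to the wgmex netns; enable modules.system.vpn-confinement on this host"; }];` (assuming `config` is among the module's arguments, which the hunk does not show). Note also that host firewall rules such as the `# # open firewall` block below no longer reach the service: the web UI port and any incoming torrent port now live inside the namespace and have to be exposed through the namespace's own port-mapping options, otherwise the UI is unreachable and inbound peers are dropped. A comment next to `vpnConfinement`, e.g. `# all qbittorrent traffic goes via the wgmex netns; host firewall/ports do not apply, expose the web UI through the namespace's port mappings`, would make that explicit. The enclosing config attrset starts before and ends after the hunk.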
@@ -14,6 +14,8 @@ pia_auth: ENC[AES256_GCM,data:rwAu4f5XVS4v4FCLj2zXAegIZeRPLIzUVv6TCrdfg9RGSDJYHg
 openvpn_pia_mexico_config: ENC[AES256_GCM,data:59HQ3OZ0QKq92jI=,iv:DZTNvfi6kLXG7dsNkPcXUmXhAG2UdPZBy/L9eWNmRdE=,tag:ndxDDQNL2z1fjxFfU2VRwQ==,type:str]
 #ENC[AES256_GCM,data:mbIgMJBhL8nWJzl8q2dFL8XtO1Xa1Q==,iv:caYHYp1boK9wRgCcQe40HTWT/HxAIvYe+HyaruI53Vc=,tag:S6wowhAHObEcs7z8FimZ1g==,type:comment]
 wg_mex_key: ENC[AES256_GCM,data:vxDXixo6X6D33+p21L4hB0/yCH+TvMHZl991BkRsE/jdz7rzZuJF+zI7h+Q=,iv:8WR+feHXNUcat8DB2wY7wpos+P7TzgRF7rFD0fYosjY=,tag:p9b9ck0/VZjyLxtHut3n5Q==,type:str]
+#ENC[AES256_GCM,data:3ATkokBKeOp97uORzaePROrKKfG94ic=,iv:MNJRh6Vrso1heqNUJc0M4xGNcMLGwcF9IzoiQ5+SS+g=,tag:xj8Actwkirvq4GE+Ly1M9w==,type:comment]
+vpncon_mex_config: ENC[AES256_GCM,data:TKz0vDdIp9VdoFZ9SD+dZvPK4w00Rrbe7RfaqOAX14wXdbwgA0RwmMq2jHuw7YObPLGFQXVKF1uWily2tvEqHWTsDNhafPpTZVt6dlR4SoVrsATzP1Nr5Rv5FzkROkqipcT/GDT5NJDPBxbJ7fbqbzyGVaejWteC9QJ234kSf8BCT0R1RxNS+7NqYBGtstBuLp3Ly8D4REtNqd0oWuDoUdlGTOzWwHtQ/HcXxIhZBCbGQk926ef6WFPsJWPLYoUDohk/+RSTIWP7MJ39rpFUSWKVEKPuNwPbwdAsudlrEDiZZaWd66N8FvIWZlIAVRhmSjs1mYO/4jglqls=,iv:o0sfYbfjIuxNS2PbFJVNPxs+TeVropqqIklkkER7TpM=,tag:nHBJq/LAwPwbtN1Gc9rlHA==,type:str]
 #ENC[AES256_GCM,data:CO5nrcDbgymnEmCvuTexOBEMncuNM5lQ,iv:6HrxqSN6e7ODuz09MIFgPbIqDCKQySRDaKk5Wdu4HoQ=,tag:JBRjZeEdOg+trohfanO6Mg==,type:comment]
 vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str]
 #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment]
@@ -29,7 +31,7 @@ sops:
 U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
 PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-08T20:46:50Z"
- mac: ENC[AES256_GCM,data:kSWpiorgrx4Ohv/ZpUCKuBy+g3VZ95UjaOeotUwXJzao3qbHHAKIRLCJnlJPjMDyT3aZc8AF3urQunl65LDHYAisTV1LxTAeFSsWm4xkJ5DcyhvTHh1yxa+G9lGZ6mBQK60Hg92+fqwS43ObYz8hwoVeeKXc0ZSwDqI5d8gSF9o=,iv:gVonEcRQTupdLEYgAfgI10L86h6q+PFdgpLHNsLHB/8=,tag:Rd2nlookzmUc0ZWnC/f1Dg==,type:str]
+ lastmodified: "2025-10-09T00:25:39Z"
+ mac: ENC[AES256_GCM,data:pmIX5axxMkslErt8PG9uDu9vcgbCbP5LdlolzTcZyrIqYivmUZBKVPGp5ym/o8kdiTM5GonSbS4xVzFhm6VGGLEqDRMtCFMz+bmZX5O/G6abWZPCBAMXFNE2wLS44tCnZQkjeAPGPB7Z4jQYPloloVI5j1jn/qH9kvcI3GaHxBE=,iv:s0Fj3WRxW5gby8P6CWrmW2UdHJTFhl+7kvK7wd/vNpY=,tag:Hpr1YMuMlWdi5zU4LOcRmA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0