diff --git a/secrets/mcp.yaml b/secrets/mcp.yaml
index 70699de..7665309 100644
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -14,6 +14,8 @@ offen:
 traefik:
 oauth2-client-secret: ENC[AES256_GCM,data:p7/6OsN2ytBj8mQiK0YL7J6NYLtMHOXIIs/6+bIDpsU=,iv:k6jLZifJEFLYKSFMkyn/kA7iBE+EFB8O/3/3fyTh1SY=,tag:6s49O2+tdlZoXyAGEamuMQ==,type:str]
 oauth2-plugin-secret: ENC[AES256_GCM,data:sArqwKHAdW35o5kD7DGfXSYCXFUXqvKQdoVnXutsNLw=,iv:qWf597QS3BqkVQkeAb99HbpDB0kUhdD+qKdpUPZEB0o=,tag:vXnb93npaklItWkMZ+/M9Q==,type:str]
+protonvpn:
+ private_key: ENC[AES256_GCM,data:41pfbR1klj1F24v3HlCCA4ofW2sCEnyE5TH8iX4Ug8D+kmwstTaj5RG2Zz8=,iv:P6XyQnDVoOmdkP8ilBR9DyfqPZA6GsQ6VUwY/tSGhx4=,tag:Bzgdv29lbk/gYlADPZMGVA==,type:str]
 deploy-key:
 mcp: ENC[AES256_GCM,data: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,iv:oCNeanaV/7UZ3dhmq4ZmJUZ5hb61AnHpHCfskM2Jsm8=,tag:F2uJKN5beM/rfiBMSyUP7w==,type:str]
 matrix:
@@ -45,7 +47,7 @@ sops:
 by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
 vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-25T22:21:11Z"
- mac: ENC[AES256_GCM,data:1Ru10z/hiMNgzgbBpzuo6jNi5eF87nNMfryurO75k9PvYzsOX4iUwDQf/PppP/YP/g73HJdYaGGEzE8YxaSDtOnmf5qbQe1+5rZmHSO/iIZr/rfV3nkGfqxE4TpPlR/NXB5ktToe7GB6BF1AXwbVIbjWe6Ymsi6Dy2e56Ml1x7k=,iv:v3GV7TL2+BHWETD0mtUBpM/B6vIjNgLiNn45boBjNUg=,tag:a4MplFxRfBF10iwxVGVUOA==,type:str]
+ lastmodified: "2026-02-25T00:28:13Z"
+ mac: ENC[AES256_GCM,data:hDmqObrtfoVkQqz8JPkqlyXMbiuyBophjdZNLvTFrZw3pAVNCuzsH4zxFBOaxJttkzLc65DWDHDeEIBY5YZam1GLFFXUQ5E3Dxno7hnyzOoM2ipgDTOacI0gbKJAWgGUF3LNDdqVoREA9LC91LoNUJoNmzpTSFtuLb7ORuwCrH4=,iv:8+W3n1Cr6woEiPU9ECaMYM64HNmFHr2AIw6UohCJi00=,tag:7drkZiPAUHaEx5PagXA9JQ==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/system/hosts/mcp/containers/media-system.nix b/system/hosts/mcp/containers/media-system.nix
index e63a04d..d464a45 100644
--- a/system/hosts/mcp/containers/media-system.nix
+++ b/system/hosts/mcp/containers/media-system.nix
@@ -6,9 +6,42 @@ let
 havenisms
 mkContainer
 ;
+ gluetun_env = "gluetun-proton-vpn-wireguard.env";
 in
 {
+ sops.secrets = {
+ "protonvpn/private_key" = {
+ restartUnits = [ "${config.local.container-backend}-gluetun.service" ];
+ };
+ };
+
+ # Example Wireguard config file:
+ # # Key for MCP Wireguard
+ # # Bouncing = 13
+ # # NetShield = 1
+ # # Moderate NAT = off
+ # # NAT-PMP (Port Forwarding) = on
+ # # VPN Accelerator = on
+ # PrivateKey = ${config.sops.placeholder."protonvpn/private_key"}
+ # Address = 10.2.0.2/32
+ # DNS = 10.2.0.1
+ #
+ # [Peer]
+ # # US-CA#906
+ # PublicKey = 2xvxhMK0AalXOMq6Dh0QMVJ0Cl3WQTmWT5tdeb8SpR0=
+ # AllowedIPs = 0.0.0.0/0, ::/0
+ # Endpoint = 79.127.185.166:51820
+ #
+ # PersistentKeepalive = 25
+ sops.templates.${gluetun_env}.content = ''
+ VPN_SERVICE_PROVIDER=protonvpn
+ VPN_TYPE=wireguard
+ WIREGUARD_PRIVATE_KEY="${config.sops.placeholder."protonvpn/private_key"}"
+ SERVER_COUNTRIES="United States,United Kingdom,Netherlands,Switzerland,Sweden"
+ VPN_PORT_FORWARDING=on
+ '';
+ + virtualisation.oci-containers.containers = {
 jellyfin = {
 image = "lscr.io/linuxserver/jellyfin:10.11.6";
@@ -110,12 +143,8 @@ in
 "127.0.0.1:8083:8000"
 ];
 environmentFiles = [
- "/tank/config/gluetun/vpn.env"
+ config.sops.templates.${gluetun_env}.path
 ];
- environment = {
- VPN_SERVICE_PROVIDER = "protonvpn";
- UMASK = "002";
- };
 };
 prowlarr = {
 image = "lscr.io/linuxserver/prowlarr";
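Review bot: The `WIREGUARD_PRIVATE_KEY` and `SERVER_COUNTRIES` lines in the `sops.templates` content wrap their values in double quotes, but a file handed over via `environmentFiles` reaches the runtime as an env file with no shell parsing — Docker documents that the quotes become part of the value, and how the configured `container-backend` treats them should be checked — so the key may reach gluetun as `"…"` and fail to decode. Env-file values run to end of line, so the quotes can simply go: `WIREGUARD_PRIVATE_KEY=${config.sops.placeholder."protonvpn/private_key"}` and `SERVER_COUNTRIES=United States,United Kingdom,Netherlands,Switzerland,Sweden`. `VPN_PORT_FORWARDING=on` makes the forwarded port reachable inbound to every process sharing gluetun's network namespace, so a comment on that line such as `# forwarded port is meant for the client sharing this netns; nothing else should listen on it` would record the intended exposure, and since the port is not fixed per session the client needs some way to learn it. The enclosing attribute set continues outside the hunk.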
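Review bot: `/tank/config/gluetun/vpn.env` is no longer referenced, but nothing in the commit removes it from the host; if it held the WireGuard private key in cleartext, that copy now sits unreferenced on the data volume and should be deleted once the template is confirmed working, and a key that lived in cleartext for a while is a reasonable candidate for rotation. The removed `environment` block also dropped `UMASK = "002"`, which the new template does not carry; if the container does not need it that is fine, otherwise it has to come back as `environment.UMASK = "002";`. The container definition this hunk edits begins before the hunk.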