[Gluetun] Switches to Wireguard config

2026-02-24 16:33:28 -08:00
parent a4bb91e68e
commit 383c7bb15e
2 changed files with 39 additions and 8 deletions
--- a/system/hosts/mcp/containers/media-system.nix
+++ b/system/hosts/mcp/containers/media-system.nix
@@ -6,9 +6,42 @@ let
    havenisms
    mkContainer
    ;
+  gluetun_env = "gluetun-proton-vpn-wireguard.env";
 in
 {

+  sops.secrets = {
+    "protonvpn/private_key" = {
+      restartUnits = [ "${config.local.container-backend}-gluetun.service" ];
+    };
+  };
+
+  # Example Wireguard config file:
+  # # Key for MCP Wireguard
+  # # Bouncing = 13
+  # # NetShield = 1
+  # # Moderate NAT = off
+  # # NAT-PMP (Port Forwarding) = on
+  # # VPN Accelerator = on
+  # PrivateKey = ${config.sops.placeholder."protonvpn/private_key"}
+  # Address = 10.2.0.2/32
+  # DNS = 10.2.0.1
+  #
+  # [Peer]
+  # # US-CA#906
+  # PublicKey = 2xvxhMK0AalXOMq6Dh0QMVJ0Cl3WQTmWT5tdeb8SpR0=
+  # AllowedIPs = 0.0.0.0/0, ::/0
+  # Endpoint = 79.127.185.166:51820
+  #
+  # PersistentKeepalive = 25
+  sops.templates.${gluetun_env}.content = ''
+    VPN_SERVICE_PROVIDER=protonvpn
+    VPN_TYPE=wireguard
+    WIREGUARD_PRIVATE_KEY="${config.sops.placeholder."protonvpn/private_key"}"
+    SERVER_COUNTRIES="United States,United Kingdom,Netherlands,Switzerland,Sweden"
+    VPN_PORT_FORWARDING=on
+  '';
+
  virtualisation.oci-containers.containers = {
    jellyfin = {
      image = "lscr.io/linuxserver/jellyfin:10.11.6";
@@ -110,12 +143,8 @@ in
        "127.0.0.1:8083:8000"
      ];
      environmentFiles = [
-        "/tank/config/gluetun/vpn.env"
+        config.sops.templates.${gluetun_env}.path
      ];
-      environment = {
-        VPN_SERVICE_PROVIDER = "protonvpn";
-        UMASK = "002";
-      };
    };
    prowlarr = {
      image = "lscr.io/linuxserver/prowlarr";