[Gluetun] Switches to Wireguard config

[Wallabag] Adds wallabag
[Obelisk] Adds Reflex FRP binary caches to the system
2026-02-24 16:40:02 -08:00 · 2026-02-24 16:40:02 -08:00 · 2026-02-12 15:53:26 -08:00 · 2026-02-06 09:47:12 -08:00 · 2026-02-03 15:42:41 -08:00 · 2026-02-02 17:18:04 -08:00
10 changed files with 123 additions and 34 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -2,9 +2,7 @@
  description = "System Configuration";
  inputs = {
-    nixpkgs = {
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.11";
      url = "github:nixos/nixpkgs?ref=nixos-25.11";
    };
    home-manager = {
      url = "github:nix-community/home-manager?ref=release-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -16,7 +14,11 @@
  };
  outputs =
-    { self, nixpkgs, ... }@inputs:
+    {
      self,
      nixpkgs,
      ...
    }@inputs:
    let
      local = import ./lib;
      mkNixosConfig =
--- a/home-manager/features/3d-printing.nix
+++ b/home-manager/features/3d-printing.nix
@@ -1,14 +1,40 @@
-{ pkgs, ... }:
+{
  pkgs,
  ...
 }:
 let
  freecad-wrapped = pkgs.symlinkJoin {
    name = "freecad-wrapped";
    paths = [ pkgs.freecad ];
    buildInputs = [ pkgs.makeWrapper ];
    postBuild = ''
      wrapProgram $out/bin/freecad \
        --prefix MESA_LOADER_DRIVER_OVERRIDE : zink \
        --prefix __EGL_VENDOR_LIBRARY_FILENAMES : ${pkgs.mesa}/share/glvnd/egl_vendor.d/50_mesa.json
    '';
  };
  bambu-studio-wrapped = pkgs.symlinkJoin {
    name = "bambu-studio-wrapped";
    paths = [ pkgs.bambu-studio ];
    buildInputs = [ pkgs.makeWrapper ];
    postBuild = ''
      wrapProgram $out/bin/bambu-studio \
        --prefix MESA_LOADER_DRIVER_OVERRIDE : zink \
        --prefix __EGL_VENDOR_LIBRARY_FILENAMES : ${pkgs.mesa}/share/glvnd/egl_vendor.d/50_mesa.json
    '';
  };
 in
 {
  home.packages = with pkgs; [
-    bambu-studio
+    bambu-studio-wrapped
    LycheeSlicer
    orca-slicer
    blender
-    freecad
+    freecad-wrapped
    openscad
  ];
--- a/home-manager/features/neovim/config/lua/plugins/lsp.lua
+++ b/home-manager/features/neovim/config/lua/plugins/lsp.lua
@@ -3,9 +3,14 @@ return {
    "neovim/nvim-lspconfig",
    opts = {
      servers = {
        -- Lua
        lua_ls = {},
        -- Nix
        nil_ls = {},
        -- Typescript
        vtsls = {},
        -- Haskell
        hls = {},
      },
      codelens = {
        enable = true,
--- a/home-manager/features/notes.nix
+++ b/home-manager/features/notes.nix
@@ -58,8 +58,8 @@
          compression = "always";
        };
        proxima = {
-          id = "7FE67SC-2KQQWQD-OY5Q44O-WPIVQYG-WMWDBEH-SRABY4C-WD3L4AO-GDAYVAX";
+          id = "NWZL6LY-ULJQMZE-EWY3MQU-XPDAFQB-LTIBZV7-GPKIABJ-WBJE36F-SK6LVAY";
-          name = "Pixel 6a";
+          name = "Proxima";
          addresses = [
            "relay://syncthing.blazestar.net:22067"
          ];
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -14,6 +14,8 @@ offen:
 traefik:
    oauth2-client-secret: ENC[AES256_GCM,data:p7/6OsN2ytBj8mQiK0YL7J6NYLtMHOXIIs/6+bIDpsU=,iv:k6jLZifJEFLYKSFMkyn/kA7iBE+EFB8O/3/3fyTh1SY=,tag:6s49O2+tdlZoXyAGEamuMQ==,type:str]
    oauth2-plugin-secret: ENC[AES256_GCM,data:sArqwKHAdW35o5kD7DGfXSYCXFUXqvKQdoVnXutsNLw=,iv:qWf597QS3BqkVQkeAb99HbpDB0kUhdD+qKdpUPZEB0o=,tag:vXnb93npaklItWkMZ+/M9Q==,type:str]
 protonvpn:
    private_key: ENC[AES256_GCM,data:41pfbR1klj1F24v3HlCCA4ofW2sCEnyE5TH8iX4Ug8D+kmwstTaj5RG2Zz8=,iv:P6XyQnDVoOmdkP8ilBR9DyfqPZA6GsQ6VUwY/tSGhx4=,tag:Bzgdv29lbk/gYlADPZMGVA==,type:str]
 deploy-key:
    mcp: ENC[AES256_GCM,data:eQcX8xdz5qZ6nU8ISOvZo+ZtP4Z/ePd+/ZZReX1BKvTUqGQPPFxConbLMwFzvzpD6xAUbA1MLkcR/bT98QbNx6LJYlhbofuDUg2DI79RB0fcrAcj/wUV0YPhmgofUdYYDaimH5A2PSvtmKfB3CtKKuA5HNeLymoXeLEpFzbckkGhzPee/CHiUmxayogp6za6btsDJsiT8hdHbrzyD2S6fhMJrzX+PlRzT32M/6eaFuFWE8EUO1gbkRlNfKPXw/EM2GXWJfR4qXfN2YKIKigqrtlAAoxnrUbp5EBrn/hGHS2ZYZXeRUFr3avFjcI0bLX423PWRHAylfQCPxgYVEtbcRv11CAFmq4rfFl0ZdvnAKbTLNmWcrQNijBATZPaAdQzgKPDHs8pwPUFR9Tcg8pZNbzw0mK9kPolniAOL2PBKUHv6LP/uEkB1E6Pxc7yms0kGpeJyo7hrFVOiVAckCey+SI9dpbJMSB3md070I1xk6Ik7PywrWh2QDeUtOU1U28UkYgnJ/9MJelWsNlUX9SR,iv:oCNeanaV/7UZ3dhmq4ZmJUZ5hb61AnHpHCfskM2Jsm8=,tag:F2uJKN5beM/rfiBMSyUP7w==,type:str]
 matrix:
@@ -45,7 +47,7 @@ sops:
            by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
            vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-25T22:21:11Z"
+    lastmodified: "2026-02-25T00:28:13Z"
-    mac: ENC[AES256_GCM,data:1Ru10z/hiMNgzgbBpzuo6jNi5eF87nNMfryurO75k9PvYzsOX4iUwDQf/PppP/YP/g73HJdYaGGEzE8YxaSDtOnmf5qbQe1+5rZmHSO/iIZr/rfV3nkGfqxE4TpPlR/NXB5ktToe7GB6BF1AXwbVIbjWe6Ymsi6Dy2e56Ml1x7k=,iv:v3GV7TL2+BHWETD0mtUBpM/B6vIjNgLiNn45boBjNUg=,tag:a4MplFxRfBF10iwxVGVUOA==,type:str]
+    mac: ENC[AES256_GCM,data:hDmqObrtfoVkQqz8JPkqlyXMbiuyBophjdZNLvTFrZw3pAVNCuzsH4zxFBOaxJttkzLc65DWDHDeEIBY5YZam1GLFFXUQ5E3Dxno7hnyzOoM2ipgDTOacI0gbKJAWgGUF3LNDdqVoREA9LC91LoNUJoNmzpTSFtuLb7ORuwCrH4=,iv:8+W3n1Cr6woEiPU9ECaMYM64HNmFHr2AIw6UohCJi00=,tag:7drkZiPAUHaEx5PagXA9JQ==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
--- a/system/features/web-containers.nix
+++ b/system/features/web-containers.nix
@@ -79,7 +79,7 @@
          }:
          let
            fqn = "${hostname}.${domain}";
-            serviceName = lib.strings.replaceChars [ "." ] [ "-" ] fqn;
+            serviceName = builtins.replaceStrings [ "." ] [ "-" ] fqn;
            routerRule = if public then hostRule hostname domain else localHostRule hostname domain;
            homepageLabels =
              if homepageOpts == { } then
@@ -109,8 +109,7 @@
              extraOptions
              ;
            autoStart = true;
-            labels =
+            labels = {
              {
              "traefik.enable" = "true";
              "traefik.http.routers.${serviceName}.rule" = "${routerRule}";
              "traefik.http.routers.${serviceName}.service" = "${serviceName}";
--- a/system/hosts/mcp/containers/havenisms.com/default.nix
+++ b/system/hosts/mcp/containers/havenisms.com/default.nix
@@ -6,5 +6,6 @@
    # ./immich.nix
    ./storyden.nix
    ./tandoor.nix
    ./wallabag.nix
  ];
 }
--- a/system/hosts/mcp/containers/havenisms.com/wallabag.nix
+++ b/system/hosts/mcp/containers/havenisms.com/wallabag.nix
@@ -0,0 +1,19 @@
 { config, ... }:
 let
  inherit (import ../lib.nix config) havenisms;
 in
 {
  virtualisation.web-containers.containers.wallabag = {
    image = "wallabag/wallabag";
    hostname = "wallabag";
    domain = havenisms;
    port = 80;
    volumes = [
      "wallabag-data:/var/www/wallabag/data"
      "wallabag-images:/var/www/wallabag/web/assets/images"
    ];
    environment = {
      SYMFONY__ENV__DOMAIN_NAME = "https://wallabag.${havenisms}";
    };
  };
 }
--- a/system/hosts/mcp/containers/media-system.nix
+++ b/system/hosts/mcp/containers/media-system.nix
@@ -6,12 +6,45 @@ let
    havenisms
    mkContainer
    ;
  gluetun_env = "gluetun-proton-vpn-wireguard.env";
 in
 {
  sops.secrets = {
    "protonvpn/private_key" = {
      restartUnits = [ "${config.local.container-backend}-gluetun.service" ];
    };
  };
  # Example Wireguard config file:
  # # Key for MCP Wireguard
  # # Bouncing = 13
  # # NetShield = 1
  # # Moderate NAT = off
  # # NAT-PMP (Port Forwarding) = on
  # # VPN Accelerator = on
  # PrivateKey = ${config.sops.placeholder."protonvpn/private_key"}
  # Address = 10.2.0.2/32
  # DNS = 10.2.0.1
  #
  # [Peer]
  # # US-CA#906
  # PublicKey = 2xvxhMK0AalXOMq6Dh0QMVJ0Cl3WQTmWT5tdeb8SpR0=
  # AllowedIPs = 0.0.0.0/0, ::/0
  # Endpoint = 79.127.185.166:51820
  #
  # PersistentKeepalive = 25
  sops.templates.${gluetun_env}.content = ''
    VPN_SERVICE_PROVIDER=protonvpn
    VPN_TYPE=wireguard
    WIREGUARD_PRIVATE_KEY="${config.sops.placeholder."protonvpn/private_key"}"
    SERVER_COUNTRIES="United States,United Kingdom,Netherlands,Switzerland,Sweden"
    VPN_PORT_FORWARDING=on
  '';
  virtualisation.oci-containers.containers = {
    jellyfin = {
-      image = "lscr.io/linuxserver/jellyfin";
+      image = "lscr.io/linuxserver/jellyfin:10.11.6";
      autoStart = true;
      extraOptions = [
        "--device=/dev/dri:/dev/dri"
@@ -110,12 +143,8 @@ in
        "127.0.0.1:8083:8000"
      ];
      environmentFiles = [
-        "/tank/config/gluetun/vpn.env"
+        config.sops.templates.${gluetun_env}.path
      ];
      environment = {
        VPN_SERVICE_PROVIDER = "protonvpn";
        UMASK = "002";
      };
    };
    prowlarr = {
      image = "lscr.io/linuxserver/prowlarr";
--- a/system/hosts/vega/configuration.nix
+++ b/system/hosts/vega/configuration.nix
@@ -107,10 +107,16 @@
  };
  # Enable flakes
-  nix.settings.experimental-features = [
+  nix = {
    # Binary caches for Reflex FRP
    binaryCaches = [ "https://nixcache.reflex-frp.org" ];
    binaryCachePublicKeys = [ "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
    settings.experimental-features = [
      "nix-command"
      "flakes"
    ];
  };
  services.openssh.enable = true;
Author	SHA1	Message	Date
Drew Haven	383c7bb15e	[Gluetun] Switches to Wireguard config	2026-02-24 16:40:02 -08:00
Drew Haven	a4bb91e68e	[Wallabag] Adds wallabag	2026-02-24 16:40:02 -08:00
Drew Haven	13f301c4fb	[Obelisk] Adds Reflex FRP binary caches to the system	2026-02-12 15:53:26 -08:00
Drew Haven	114a1ae125	[notes] Update Syncthing config for Proxima	2026-02-06 09:47:12 -08:00
Drew Haven	9a4ab98506	[Jellyfin] Update to 10.11.6	2026-02-03 15:42:41 -08:00
Drew Haven	bf0d4a11d2	[nix] Fixes deprecated function usage.	2026-02-02 17:18:04 -08:00
Drew Haven	0950758532	[3d printing] Fix FreeCAD launcher	2026-01-27 23:20:31 -08:00
Drew Haven	31907ff47b	[Haskell] Adds support to the LSP. [neovim] Merges and checks in lazyvim.json	2026-01-26 12:44:23 -08:00