| -rw-r--r-- | secrets/mullvad-gluetun.age | 20 | ||||
| -rw-r--r-- | secrets/pia-login-secrets.age | 19 | ||||
| -rw-r--r-- | secrets/secrets.nix | 2 | ||||
| -rw-r--r-- | services/torrent/default.nix | 58 |
4 files changed, 51 insertions, 48 deletions
diff --git a/secrets/mullvad-gluetun.age b/secrets/mullvad-gluetun.age new file mode 100644 index 0000000..c1fbb91 --- /dev/null +++ b/secrets/mullvad-gluetun.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 QWV68w qFOFDR4jP/yYeZ1+KbXxlfWv3nXaYm+S4fLmjqITS20 +rEZoXbj5JBN+ED2bWv0lcl8VAfd7xWJ0QlFKpq44kts +-> ssh-ed25519 ztr2Fw A/De3GhoPiMaiA+hXjxsY4Q2pn8r/Sq2ziAYudYPB0s +EpjbQWTrAUqgUF/WMeqR9geK9txIUboS5WQUzWnMwuM +-> ssh-ed25519 lYrVNQ Uj5ex9+7w41IKMVI17kmYreFtbSy/mvBjm9ylVJn9io +/9NgnAq8LhWbKaPuGDW8VHNAkPms/cbM541WLoyV0R4 +-> ssh-ed25519 COVM9Q 3L9mqDhQzf0yrSPhZk9ug485Xz/8QPhl8OeIGHCuCTs ++i/TuCZox3XeMT/Z6aqeOxiVij5hUm4BTwxlEEZ4IeI +-> ssh-ed25519 aV3pTQ 40yq6nPt0JxUUaXl4PxXJ7KBIYd2df3VeIrmacTb/F0 +liACOQSTRZzb6XwKlwEoL7asYCYUAaD1eE5aPuyr1rw +-> ssh-ed25519 jWuO5g kopUw6s4qUF0JUJ8bq1hxTzjLV6LlbZYjkM5Gba+Nlk +SvcP/vWZKLXim7Ll/3b0g+QPPxNDhHCEx/f7LkIibxk +-> ssh-ed25519 77YXTQ dVwpon952rMjOb6UEJUGAHqihoDCnhKx7fYkn8dBU18 +Csa9e9S3CZ9pXsbFGaXOCCwP1wmW6ze3444h8roH5Ww +-> ssh-ed25519 sqz3iQ rNX2ewC9oGyOLdUBGUcG82OwYHh7rapUT0xUDh3piDA +bz6KOdL9QnLvy09Q2mc2T1DZJ/hAGN1uBrgjQgvtv4Y +--- 8RL87AjCeQGARG9qxKJ2Yxy035/YWrgFjOIn7zhpM2Y +ZoWiAi=ްt8Z +1gpo_3Z~0-<kҟKxӹDsm"D2},;c[T,^i{}:;b \ No newline at end of file diff --git a/secrets/pia-login-secrets.age b/secrets/pia-login-secrets.age deleted file mode 100644 index a9b8f68..0000000 --- a/secrets/pia-login-secrets.age +++ /dev/null 
@@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 QWV68w 2v2fWZ2ZntAy8G2lLPYjzZ8jqn4B9kB4bkmXnQolbWw -BPNQvCCY1PcDpM9DBr8Vmg1QAUBPe6yGGFhjUItBXaw --> ssh-ed25519 ztr2Fw S3n2J9EyIed4Vk6lAoTazWbjvyhb4lEmNBiPJMZV21c -QZN5w4jsPyB4/fyGJ4OtfIbQotpjBtfnFtV4QpteY8w --> ssh-ed25519 lYrVNQ CcfZSWjZk1utns+CnS8HgVrEp59xFJAkyAxfu7sj5CY -oIKijV3nPkWBgNPXlBPHk3bGrPTSSlGzsiSJH2FeHio --> ssh-ed25519 COVM9Q D7l0QZGfpLkOAhFsLV7gtsh4rVUytIO19pWfD+mjZG0 -pGz9BxtRrQLmvoOI+SJ5DPM8CV6CljY/1SmPVslLQLY --> ssh-ed25519 aV3pTQ xm+PRzL1m71Uc9q9ryduba3MVd/nnPAxnZXyg0yaPzE -3xNJoiY8BRQ/UwpoZOSwdphOuVjmIoci2h8BLrwgtIE --> ssh-ed25519 jWuO5g 95hpJm6bhnvPQjepGxEeAYolXAK+dUYMh9ZCLLdDqng -g7hjgeKhQUkRha6QNZQvd3YUd3ST3+T90mj+i7AMebQ --> ssh-ed25519 77YXTQ 1svxvblOtV+zmsTBs6z5kwktBOO6VHalP4jnt6+/CxQ -QU9Xdtn7ONsteV0bNHn4iAuvwHW4yA0LF8xgw5erBAs --> ssh-ed25519 sqz3iQ fy3a/YfVNIoInDUS3jnTdcu+rk/DrCVi6hQ0m5FKqwM -dGpERjhVdw0xtwrZLekprB3G/XcA5v+YMeDwpfdo8OU ---- QGW5uuO2XvgJxOjprpV9RDg+fSwv+cQ6hC0a74Os7WE -%*_[BtC((k*,͠"^HJ34J6W.3sFm*L>vdZ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9fc5281..3aa2880 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -27,7 +27,7 @@ in renard ] ++ allAdmins; - "pia-login-secrets.age".publicKeys = [ + "mullvad-gluetun.age".publicKeys = [ corsac ] ++ allAdmins; diff --git a/services/torrent/default.nix b/services/torrent/default.nix index 7fed955..dbbdf7c 100644 --- a/services/torrent/default.nix +++ b/services/torrent/default.nix 
@@ -18,25 +18,25 @@ let
 # gluetun openvpn likes to ignore my mtu settings,
 # so we set it forcefully every 15 seconds.
- vpn-force-mtu = pkgs.writeTextFile {
- name = "vpn-force-mtu";
- destination = "/scripts/vpn-force-mtu.sh";
- executable = true;
- text = ''
- #!/bin/ash
- while true; do
- /bin/sleep 15
- /sbin/ip link set dev tun0 mtu ${toString mtu} 2>/dev/null || true
- done
- '';
- };
+ #vpn-force-mtu = pkgs.writeTextFile {
+ # name = "vpn-force-mtu";
+ # destination = "/scripts/vpn-force-mtu.sh";
+ # executable = true;
+ # text = ''
+ # #!/bin/ash
+ # while true; do
+ # /bin/sleep 15
+ # /sbin/ip link set dev tun0 mtu ${toString mtu} 2>/dev/null || true
+ # done
+ # '';
+ #};
 vpn-entry = pkgs.writeTextFile {
 name = "vpn-entry";
 destination = "/scripts/vpn-entry.sh";
 executable = true;
 text = ''
 #!/bin/ash
- /scripts/vpn-force-mtu.sh &
+ #/scripts/vpn-force-mtu.sh &
 /gluetun-entrypoint
 '';
 };
@@ -45,7 +45,7 @@ let
 name = "vpn-scripts";
 paths = [
 vpn-entry
- vpn-force-mtu
+ #vpn-force-mtu
 ];
 };
@@ -63,20 +63,19 @@ let
 contents = [ vpn-scripts ];
 };
- piaCountries = [
+ vpnCountries = [
 "Albania"
 "Austria"
 "Belgium"
- "Bosnia and Herzegovina"
 "Bulgaria"
+ "Croatia"
+ "Cyprus"
 "Czech Republic"
- "ES Madrid"
- "ES Valencia"
+ "Spain"
 "Estonia"
- "Georgia"
 "Greece"
 "Hungary"
- "IT Milano"
+ "Italy"
 "Poland"
 "Portugal"
 "Romania"
@@ -93,15 +92,15 @@ in
 #./qbittorrent.nix
 ];
- age.secrets.pia-login-secrets = {
- file = ../../secrets/pia-login-secrets.age;
+ age.secrets.mullvad-gluetun = {
+ file = ../../secrets/mullvad-gluetun.age;
 };
 foundation = {
 networks.vpn = {
 enable = true;
 driver = "bridge";
- # current vpn does not support ipv6!
+ # we currenly avoid ipv6 for vpn.
 ipv6.enable = false;
 # lower MTU to prevent packet non-deliverability
 inherit mtu;
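Review bot: The MTU workaround is commented out rather than deleted in the `vpn-force-mtu` definition, in the `vpn-entry` script and (in the next hunk) in the `vpn-scripts` paths list, while the unchanged comment above it still says the MTU is forced every 15 seconds. Deleting the dead lines, or replacing that comment with something like `# MTU is now set through WIREGUARD_MTU; the openvpn force-mtu loop is disabled`, would stop the file describing behaviour that no longer runs. With the background job gone the wrapper could also end in `exec /gluetun-entrypoint` so that stop signals reach gluetun directly; this assumes the script is the container's entrypoint, which the hunk does not show. The enclosing `let` block starts outside the hunk.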
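Review bot: The rewritten comment above `ipv6.enable = false` contains a typo ("currenly") and no longer gives a reason, where the old text did. If the intent is to keep traffic from leaving outside an IPv4-only tunnel, say so, for example `# ipv6 stays off on this network: the tunnel is configured with an ipv4 address only`. The reason is not visible in the diff, so the wording needs confirming by the author.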
@@ -133,13 +132,16 @@ in
 devices = [ "/dev/net/tun" ];
 environment = {
- VPN_SERVICE_PROVIDER = "private internet access";
- VPN_TYPE = "openvpn";
- OPENVPN_MSSFIX = toString mtu;
- SERVER_REGIONS = lib.concatStringsSep "," piaCountries;
+ # the mullvad device representing this vpn container
+ # is named "driven fish".
+ VPN_SERVICE_PROVIDER = "mullvad";
+ VPN_TYPE = "wireguard";
+ WIREGUARD_ADDRESSES = "10.73.131.255/32";
+ WIREGUARD_MTU = toString mtu;
+ SERVER_COUNTRIES = lib.concatStringsSep "," vpnCountries;
 };
- environmentFiles = [ config.age.secrets.pia-login-secrets.path ];
+ environmentFiles = [ config.age.secrets.mullvad-gluetun.path ];
 };
 };
 }; |
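Review bot: `WIREGUARD_ADDRESSES` and the device name in the new comment are committed in clear text, while the rest of the tunnel credentials presumably live in the age-encrypted `mullvad-gluetun` environment file (its contents are not visible here). The address is tied to the device key, so rotating the key means editing both the secret and this file. Moving the value into the encrypted env file as `WIREGUARD_ADDRESSES=<address assigned to the device>` would let key and address rotate together and keep the device identifier out of the repository. The container definition starts and ends outside the hunk.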
