Diffstat (limited to 'services/torrent/default.nix')
-rw-r--r--services/torrent/default.nix145
1 files changed, 145 insertions, 0 deletions
diff --git a/services/torrent/default.nix b/services/torrent/default.nix
new file mode 100644
index 0000000..4e505ba
--- /dev/null
+++ b/services/torrent/default.nix
@@ -0,0 +1,145 @@
+{
+  me,
+  config,
+  lib,
+  pkgs,
+  auxiliaryPkgs,
+  ...
+}:
+
+let
+  inherit (pkgs) dockerTools;
+  inherit (auxiliaryPkgs) common;
+
+  torrentLocalPort = 2018;
+  torrentDir = "/srv/torrent";
+
+  mtu = 1280;
+
+  # gluetun openvpn likes to ignore my mtu settings,
+  # so we set it forcefully every 15 seconds.
+  vpn-force-mtu = pkgs.writeTextFile {
+    name = "vpn-force-mtu";
+    destination = "/scripts/vpn-force-mtu.sh";
+    executable = true;
+    text = ''
+      #!/bin/ash
+      while true; do
+        /bin/sleep 15
+        /sbin/ip link set dev tun0 mtu ${toString mtu} 2>/dev/null || true
+      done
+    '';
+  };
+  vpn-entry = pkgs.writeTextFile {
+    name = "vpn-entry";
+    destination = "/scripts/vpn-entry.sh";
+    executable = true;
+    text = ''
+      #!/bin/ash
+      /scripts/vpn-force-mtu.sh &
+      /gluetun-entrypoint
+    '';
+  };
+
+  vpn-scripts = pkgs.symlinkJoin {
+    name = "vpn-scripts";
+    paths = [
+      vpn-entry
+      vpn-force-mtu
+    ];
+  };
+
+  gluetunImage = common.pullImage {
+    name = "qmcgaw/gluetun";
+    tag = "v3.39";
+    digest = "sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991";
+    x86.sha256 = "1cg43lmp3ql64zsfwp2f52kigijs30n3hnja12msr9npbgq8a8ga";
+  };
+
+  vpnImage = dockerTools.streamLayeredImage {
+    name = "vpn";
+    tag = "3.39.0-renard";
+    fromImage = gluetunImage.base;
+    contents = [ vpn-scripts ];
+  };
+
+  piaCountries = [
+    "Albania"
+    "Austria"
+    "Belgium"
+    "Bosnia and Herzegovina"
+    "Bulgaria"
+    "Czech Republic"
+    "ES Madrid"
+    "ES Valencia"
+    "Estonia"
+    "Georgia"
+    "Greece"
+    "Hungary"
+    "IT Milano"
+    "Poland"
+    "Portugal"
+    "Romania"
+    "Serbia"
+    "Turkey"
+    "Ukraine"
+  ];
+in
+{
+  imports = [
+    # pick current client through import
+    ./transmission.nix
+    #./qbittorrent.nix
+  ];
+
+  age.secrets.pia-login-secrets = {
+    file = ../../secrets/pia-login-secrets.age;
+  };
+
+  foundation = {
+    networks.vpn = {
+      enable = true;
+      driver = "bridge";
+      # current vpn does not support ipv6!
+      ipv6.enable = false;
+      # lower MTU to prevent packet non-deliverability
+      inherit mtu;
+    };
+
+    services = {
+      vpn = {
+        network = "vpn";
+
+        image = vpnImage;
+
+        ports = [
+          (common.tailnetPort me [
+            torrentLocalPort
+            torrentLocalPort
+          ])
+        ];
+
+        volumes = [
+          [
+            "${torrentDir}/gluetun"
+            "/gluetun"
+          ]
+        ];
+
+        entrypoint = "/scripts/vpn-entry.sh";
+
+        capabilities = [ "NET_ADMIN" ];
+        devices = [ "/dev/net/tun" ];
+
+        environment = {
+          VPN_SERVICE_PROVIDER = "private internet access";
+          VPN_TYPE = "openvpn";
+          OPENVPN_MSSFIX = toString mtu;
+          SERVER_REGIONS = lib.concatStringsSep "," piaCountries;
+        };
+
+        environmentFiles = [ config.age.secrets.pia-login-secrets.path ];
+      };
+    };
+  };
+}
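Review bot: In the `vpn-entry` script, `/gluetun-entrypoint` is started as a child of the ash wrapper instead of replacing it, so the shell stays PID 1. A stop signal from the container runtime is then probably not forwarded to gluetun, and the container would be killed at the stop timeout rather than letting gluetun shut the tunnel down itself. Changing the last script line to `exec /gluetun-entrypoint "$@"` makes gluetun the signal target while the backgrounded MTU loop keeps running. Separately, in `vpn-force-mtu` the first correction only happens after the initial `/bin/sleep 15`, so tun0 may carry the wrong MTU for that window; putting the `ip link set` line before the sleep would narrow it.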