From 411da0d1a5c5b0a7122fec1e545b7268fe38c8b8 Mon Sep 17 00:00:00 2001
From: matt1432
Date: Mon, 26 Feb 2024 20:41:59 -0500
Subject: [PATCH] feat(qbittorrent): setup wireguard namespace

---
 devices/nas/default.nix | 1 +
 devices/nas/modules/qbittorrent/default.nix | 5 ++
 devices/nas/modules/qbittorrent/wireguard.nix | 70 +++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 devices/nas/modules/qbittorrent/default.nix
 create mode 100644 devices/nas/modules/qbittorrent/wireguard.nix

diff --git a/devices/nas/default.nix b/devices/nas/default.nix
index f657727..7f415df 100644
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -5,5 +5,6 @@
 ./modules/borgbackup.nix
 ./modules/mergerfs.nix
 ./modules/nfs.nix
+ ./modules/qbittorrent
 ];
 }
diff --git a/devices/nas/modules/qbittorrent/default.nix b/devices/nas/modules/qbittorrent/default.nix
new file mode 100644
index 0000000..82d1a54
--- /dev/null
+++ b/devices/nas/modules/qbittorrent/default.nix
@@ -0,0 +1,5 @@
+{...}: {
+ imports = [
+ ./wireguard.nix
+ ];
+}
diff --git a/devices/nas/modules/qbittorrent/wireguard.nix b/devices/nas/modules/qbittorrent/wireguard.nix
new file mode 100644
index 0000000..54f984e
--- /dev/null
+++ b/devices/nas/modules/qbittorrent/wireguard.nix
@@ -0,0 +1,70 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ inherit (config.sops) secrets;
+in {
+ networking.wireguard = {
+ enable = true;
+
+ interfaces = {
+ wg0 = {
+ interfaceNamespace = "wg";
+ ips = ["10.2.0.2/32"];
+
+ listenPort = 51820;
+
+ generatePrivateKeyFile = false;
+ privateKeyFile = secrets.vpn.path;
+
+ peers = [
+ {
+ publicKey = "aQ2NoOYEObG9tDMwdc4VxK6hjW+eA0PLfgbH7ffmagU=";
+ allowedIPs = ["0.0.0.0/0"];
+ endpoint = "146.70.198.2:51820";
+ }
+ ];
+ };
+ };
+ };
+
+ systemd.services = let
+ joinWgNamespace = {
+ bindsTo = [ "netns@wg.service" ];
+ requires = [ "network-online.target" ];
+ after = [ "wireguard-wg0.service" ];
+ unitConfig.JoinsNamespaceOf = "netns@wg.service";
+ serviceConfig.NetworkNamespacePath = "/var/run/netns/wg";
+ };
+
+ mkPortRoute = service: port: {
+ description = "Forward to ${service} in wireguard namespace";
+ requires = ["${service}.service"];
+ after = ["${service}.service"];
+ serviceConfig = {
+ Restart = "on-failure";
+ TimeoutStopSec = 300;
+ };
+ wantedBy = ["multi-user.target"];
+ script = ''
+ ${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.iproute2}/bin/ip link set dev lo up
+ ${pkgs.socat}/bin/socat tcp-listen:${port},fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.2.0.2:${port}"',nofork
+ '';
+ };
+ in {
+ # Create namespace for Wireguard
+ # This allows us to isolate specific programs to Wireguard
+ "netns@" = {
+ description = "%I network namespace";
+ before = ["network.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
+ ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
+ };
+ };
+ "wireguard-wg0".wants = ["netns@wg.service"];
+ };
+}
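Review bot: `joinWgNamespace` and `mkPortRoute` are bound in the `let` of `systemd.services` but never referenced in the `in { … }` attrset, so the namespace-join and port-forward definitions are dead code in this commit; either attach a unit to them or leave them out until one is. `"wireguard-wg0".wants = ["netns@wg.service"]` only pulls the namespace unit in and does not order it, so unless the NixOS wireguard unit already orders itself after that unit, `ip netns add wg` can race the interface being moved into the namespace; add `"wireguard-wg0".after = ["netns@wg.service"];` next to it. Once `mkPortRoute` is used, `socat tcp-listen:${port},fork,reuseaddr` has no `bind=` option, so the forwarded port listens on every host interface; `tcp-listen:${port},bind=127.0.0.1,fork,reuseaddr` (or the LAN address the clients actually use) keeps the exposure to the intended clients. The two `#` comments above `"netns@"` describe the intent but not the contract; a one-line comment on the `let` such as `# joinWgNamespace: mixin that places a service in the "wg" netns; mkPortRoute: socat bridge from the host to a port inside it` would make the helpers' purpose clear to the next reader.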