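{ config, inputs, lib, outputs, pkgs, ... }:

{
  imports = [ common/core ];

  # vpnctl: run a WireGuard tunnel (wg1) inside a dedicated network namespace
  # ("vpn") so that only the services started in that namespace can reach the
  # network through it.  Usage: vpnctl [status|start|stop|restart|restart_firewall]
  # (no argument means "status").
  home.file = {
    "bin/vpnctl" = {
      executable = true;
      text = ''
        #!${pkgs.zsh}/bin/zsh

        # Show the public address as seen from inside the namespace and check
        # that a well-known site is reachable.  curl runs as the unprivileged
        # user nipsy rather than root.
        function status_vpn {
          ip netns exec vpn su -c 'curl -m 10 -s https://bitgnome.net/ip/ | grep REMOTE_ADDR' nipsy
          ip netns exec vpn su -c 'curl -m 10 -s https://www.cloudflarestatus.com | grep "Cloudflare Status"' nipsy
        }

        # Create the namespace, the veth pair linking it to the host, and the
        # wg1 WireGuard interface.  Steps are not rolled back on failure; use
        # "stop" (or "restart") to tear down a half-built namespace.
        function start_vpn {
          ip netns add vpn
          ip link add veth.host type veth peer veth.vpn
          ip link set dev veth.host up
          ip link set veth.vpn netns vpn up
          ip -n vpn address add 192.168.1.3/24 dev veth.vpn
          ip route add 192.168.1.3/32 dev veth.host
          ip link add wg1 type wireguard
          ip link set wg1 netns vpn
          # The tunnel address is read from the commented-out "#Address = ..."
          # line of the config; only the first comma-separated entry is used.
          ip -n vpn -4 address add $(grep ^#Address /run/secrets/wireguard/wg1_conf | cut -d= -f2 | cut -d, -f1 | xargs) dev wg1
          ip netns exec vpn wg setconf wg1 /run/secrets/wireguard/wg1_conf
          # Load the namespace firewall before the tunnel comes up and becomes
          # the default route, so no traffic leaves the namespace unfiltered
          # during setup.  wg1 already exists in the namespace at this point.
          ip netns exec vpn nft -f /etc/nftables-vpn.conf
          ip -n vpn link set wg1 up
          ip -n vpn route add default dev wg1
        }

        # Stop the services that live in the namespace, then remove the
        # namespace and the host side of the veth pair if they exist.
        function stop_vpn {
          systemctl stop prowlarr.service qbittorrent.service
          # Check the mount point rather than grepping "ip netns" output: the
          # listing has no trailing " (id: N)" for a namespace that never
          # received a netns id, so '^vpn ' would miss a half-built namespace.
          if [[ -e /run/netns/vpn ]]; then
            ip netns del vpn
          fi
          # 2>&1: "ip link show" reports a missing device on stderr.
          if ip link show veth.host > /dev/null 2>&1; then
            ip link del veth.host
          fi
        }

        case "''${1:-status}" in
          status)
            status_vpn
            ;;
          restart)
            stop_vpn
            sleep 2
            start_vpn
            systemctl restart prowlarr.service qbittorrent.service
            ;;
          restart_firewall)
            ip netns exec vpn nft -f /etc/nftables-vpn.conf
            ;;
          start)
            if [[ ! -f /run/netns/vpn ]]; then
              start_vpn
            else
              echo 'VPN service already appears to be running' >&2
            fi
            ;;
          stop)
            stop_vpn
            ;;
          *)
            # Previously an unknown argument was silently ignored with exit 0.
            echo "usage: $0 [status|start|stop|restart|restart_firewall]" >&2
            exit 1
            ;;
        esac

        exit 0
      '';
    };
  };

  # Read the GitHub access token from a runtime secret file instead of
  # writing it into this configuration, keeping it out of the Nix store.
  nix.extraOptions = ''
    !include /run/secrets/nix-access-token-github
  '';
}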