From aad5133e9ea4b75851abafd56dd03928ce6a1c96 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 22 Jan 2025 13:35:53 +0100 Subject: [PATCH] nuc: rework torrent vpn and add exporter --- flake.lock | 24 +++++++-------- hosts/fujitsu/default.nix | 2 ++ hosts/nuc/default.nix | 1 + hosts/nuc/modules/logseq/default.nix | 2 +- hosts/nuc/modules/monitoring/default.nix | 6 ++++ hosts/nuc/modules/torrent/default.nix | 39 ++++++++++++++++++------ hosts/nuc/modules/torrent/exporter.nix | 13 ++++++++ overlays/default.nix | 2 +- secrets.nix | 2 ++ secrets/nuc/airvpn/private.age | 7 +++++ secrets/nuc/airvpn/psk.age | 7 +++++ 11 files changed, 82 insertions(+), 23 deletions(-) create mode 100644 hosts/nuc/modules/torrent/exporter.nix create mode 100644 secrets/nuc/airvpn/private.age create mode 100644 secrets/nuc/airvpn/psk.age diff --git a/flake.lock b/flake.lock index 8f9e29e..7b298cb 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "lastModified": 1736955230, + "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "owner": "ryantm", "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "type": "github" }, "original": { @@ -301,11 +301,11 @@ ] }, "locked": { - "lastModified": 1736508663, - "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=", + "lastModified": 1737461688, + "narHash": "sha256-zQCFe5FcSSGzY3qauAAHZcPt7Ej4WSGo78ShSTCSBvU=", "owner": "nix-community", "repo": "home-manager", - "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc", + "rev": "bb14224f51ae4caed12a7b26f245d042c8cf8553", "type": "github" }, "original": { 
@@ -450,11 +450,11 @@ ] }, "locked": { - "lastModified": 1736652904, - "narHash": "sha256-8uolHABgroXqzs03QdulHp8H9e5kWQZnnhcda1MKbBM=", + "lastModified": 1737257306, + "narHash": "sha256-lEGgpA4kGafc76+Amnz+gh1L/cwUS2pePFlf22WEyh8=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "271e5bd7c57e1f001693799518b10a02d1123b12", + "rev": "744d330659e207a1883d2da0141d35e520eb87bd", "type": "github" }, "original": { @@ -524,11 +524,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736701207, - "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=", + "lastModified": 1737062831, + "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6", + "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", "type": "github" }, "original": { diff --git a/hosts/fujitsu/default.nix b/hosts/fujitsu/default.nix index d1b30a0..6b26205 100644 --- a/hosts/fujitsu/default.nix +++ b/hosts/fujitsu/default.nix @@ -41,6 +41,8 @@ btdu tcpdump mtr + dnsutils + mediainfo ]; programs.git = { enable = true; diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix index b77564b..c5f9c7f 100644 --- a/hosts/nuc/default.nix +++ b/hosts/nuc/default.nix @@ -65,6 +65,7 @@ btdu tcpdump mtr + dnsutils ]; programs.git = { enable = true; diff --git a/hosts/nuc/modules/logseq/default.nix b/hosts/nuc/modules/logseq/default.nix index b21d2e9..6b3d440 100644 --- a/hosts/nuc/modules/logseq/default.nix +++ b/hosts/nuc/modules/logseq/default.nix @@ -4,7 +4,7 @@ let in { virtualisation.oci-containers = { - containers.kanboard = { + containers.logseq = { image = "ghcr.io/logseq/logseq-webapp:latest"; ports = [ "127.0.0.1:8045:80" ]; }; diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix index 9097c6f..86c8522 100644 --- a/hosts/nuc/modules/monitoring/default.nix +++ b/hosts/nuc/modules/monitoring/default.nix 
@@ -141,6 +141,12 @@ in targets = [ "nuc.vpn.rfive.de:9300" ]; }]; } + { + job_name = "qbittorrent"; + static_configs = [{ + targets = [ "nuc.vpn.rfive.de:8009" ]; + }]; + } # { # job_name = "pegel_dresden"; # metrics_path = "/probe"; diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix index 08b580e..d55f270 100644 --- a/hosts/nuc/modules/torrent/default.nix +++ b/hosts/nuc/modules/torrent/default.nix @@ -8,9 +8,14 @@ let }; in { + imports = [ + ./exporter.nix + ]; age.secrets.mullvad.file = ../../../../secrets/nuc/mullvad.age; + age.secrets.airvpn-private.file = ../../../../secrets/nuc/airvpn/private.age; + age.secrets.airvpn-psk.file = ../../../../secrets/nuc/airvpn/psk.age; environment.etc."netns/torrent/resolv.conf".text = '' - nameserver 10.64.0.1 + nameserver 9.9.9.9 ''; systemd.services."netns@" = { 
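Review bot: The change of `netns/torrent/resolv.conf` from the tunnel-internal `10.64.0.1` to `nameserver 9.9.9.9` is undocumented, and it changes who sees the torrent namespace's DNS queries: they now go to a public third-party resolver rather than the VPN provider's in-tunnel one. If that is intended, a comment such as `# public resolver, only reachable through wg1-airvpn inside the netns` would record the decision. Also, `age.secrets.mullvad.file` stays declared although its only consumer visible in this patch, `wg0-mullvad`, is commented out in the next hunk, so agenix will presumably keep decrypting that unused private key onto the host. Once the migration is settled, drop the declaration together with the `secrets/nuc/mullvad.age` entry in secrets.nix.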
@@ -43,20 +48,36 @@ in # scripted wireguard since systemd-networkd doesn't support netns yet networking.wireguard.useNetworkd = false; - networking.wireguard.interfaces."wg0-mullvad" = { - # Funny Mole - privateKeyFile = config.age.secrets.mullvad.path; - ips = [ "10.67.237.93/32" ]; + # networking.wireguard.interfaces."wg0-mullvad" = { + # # Funny Mole + # privateKeyFile = config.age.secrets.mullvad.path; + # ips = [ "10.67.237.93/32" ]; + # peers = [ + # { + # publicKey = "QEVIaIycN8p5twXCuZeQTEj9utozakw/MU8H6+/whls="; + # allowedIPs = [ "0.0.0.0/0" ]; + # endpoint = "138.199.34.129:51820"; + # } + # ]; + # interfaceNamespace = "torrent"; + # }; + # systemd.services."wireguard-wg0-mullvad" = { + # requires = [ "netns@torrent.service" ]; + # }; + networking.wireguard.interfaces."wg1-airvpn" = { + privateKeyFile = config.age.secrets.airvpn-private.path; + ips = [ " 10.146.65.170/32" "fd7d:76ee:e68f:a993:366:82ed:bc88:b04a/128" ]; peers = [ { - publicKey = "QEVIaIycN8p5twXCuZeQTEj9utozakw/MU8H6+/whls="; - allowedIPs = [ "0.0.0.0/0" ]; - endpoint = "138.199.34.129:51820"; + publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk="; + presharedKeyFile = config.age.secrets.airvpn-psk.path; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "europe3.vpn.airdns.org:1637"; } ]; interfaceNamespace = "torrent"; }; - systemd.services."wireguard-wg0-mullvad" = { + systemd.services."wireguard-wg1-airvpn" = { requires = [ "netns@torrent.service" ]; }; diff --git a/hosts/nuc/modules/torrent/exporter.nix b/hosts/nuc/modules/torrent/exporter.nix new file mode 100644 index 0000000..9fe2b93 --- /dev/null +++ b/hosts/nuc/modules/torrent/exporter.nix @@ -0,0 +1,13 @@ +{ ... }: +{ + virtualisation.oci-containers = { + containers.qbittorrent-exporter = { + image = "caseyscarborough/qbittorrent-exporter"; + ports = [ "0.0.0.0:8009:17871" ]; + environment = { + QBITTORRENT_PORT = "8081"; + QBITTORRENT_HOST = "nuc.vpn.rfive.de"; + }; + }; + }; +} 
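Review bot: The first entry of `ips` reads `" 10.146.65.170/32"`, with a leading space inside the string literal. If the scripted WireGuard unit passes the value quoted to `ip address add`, the address will likely be rejected and `wireguard-wg1-airvpn` will fail to start, leaving the `torrent` namespace without an interface. It should read `ips = [ "10.146.65.170/32" "fd7d:76ee:e68f:a993:366:82ed:bc88:b04a/128" ];`. The peer `endpoint` is now a hostname instead of an IP literal, so tunnel bring-up depends on name resolution outside the tunnel and the name is presumably resolved only once; consider `dynamicEndpointRefreshSeconds` on the peer, or a comment documenting the dependency. The commented-out `wg0-mullvad` block is better deleted than kept, since git history already preserves it.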
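Review bot: `ports = [ "0.0.0.0:8009:17871" ];` publishes the exporter on every interface of the host, while the only consumer visible in this patch is the Prometheus job scraping `nuc.vpn.rfive.de:8009`; depending on the container backend, published ports may also bypass the host firewall. Binding to the VPN address, `ports = [ "<vpn-address-of-nuc>:8009:17871" ];`, keeps the torrent metrics off other networks, in line with the `127.0.0.1` binding the logseq container uses. The image `caseyscarborough/qbittorrent-exporter` has no tag or digest, so each pull takes whatever the third-party repository currently serves; pin it, e.g. `image = "caseyscarborough/qbittorrent-exporter@sha256:<digest>";`. No credentials are passed in `environment`, which suggests the qBittorrent WebUI on port 8081 accepts unauthenticated requests from the exporter's address; it is worth confirming that this exemption is limited to the VPN range.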
diff --git a/overlays/default.nix b/overlays/default.nix index 7f850db..1042eda 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -34,7 +34,7 @@ in jmri = callPackage ../pkgs/jmri { }; adguardian-term = callPackage ../pkgs/adguardian-term { }; python312 = prev.python312.override { - packageOverrides = final: prev: { + packageOverrides = _final: prev: { pysaml2 = prev.pysaml2.overridePythonAttrs (orig: { disabledTests = orig.disabledTests diff --git a/secrets.nix b/secrets.nix index f84d30d..d7554e0 100644 --- a/secrets.nix +++ b/secrets.nix @@ -21,6 +21,8 @@ in "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ]; "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ]; "secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ]; + "secrets/nuc/airvpn/private.age".publicKeys = [ rouven nuc ]; + "secrets/nuc/airvpn/psk.age".publicKeys = [ rouven nuc ]; "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/core.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; diff --git a/secrets/nuc/airvpn/private.age b/secrets/nuc/airvpn/private.age new file mode 100644 index 0000000..d8c0deb --- /dev/null +++ b/secrets/nuc/airvpn/private.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ eRn24OdOUxmaXy98cE749nX5YSNFEd/UWZNKgn2XdTM +rQajaxGqfAO/C0jUuamcQQddKvqM0+TA8eW4yyp7JkE +-> ssh-ed25519 2TRdXg zRn6vmnqyB4YPSlRH8Oe65VkQoMfWA9zdEYObQEFviE +sNrVqHwegkwMEBodil9mNAtLweftKU6CWgG9oUnCf64 +--- W++fFNnOMSC6/PWBTBVpi5che6eyqZVLXkdPlpAXAKI +a^Ƞ:;(X%DDv`)P'eܫr/3.NU/%gR裡/8 \ No newline at end of file diff --git a/secrets/nuc/airvpn/psk.age b/secrets/nuc/airvpn/psk.age new file mode 100644 index 0000000..7fe62e7 --- /dev/null +++ b/secrets/nuc/airvpn/psk.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ K/v5vDqaxdVlk6EORXlGPMepr2XcqsN9CKw4Z+6KJAI +a1GVmh+wxVbBhywgI4mkWFPJZnEAHBM31hQFa4NIays +-> ssh-ed25519 2TRdXg Fl1LKF42rS6mW4qcuV7yRwz2I3O3ueT0ieMaz79SRnA +sCevZCW6bYxbsOJgS9jn5uOeCyI39swYX/oWbNXk05w +--- uOZ3aavCOsb0rjofhb2gbNbiLAA3cWWoSX6lqqOJpjk +SA wBY*_*~#V1mV+Q?/}GJi#`D;Le7 \ No newline at end of file