Rewrite VPN container

machines/liza/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =[

machines/ponyo/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =[
@@ -55,14 +55,13 @@
   };
 
   # wrap radio in a VPN
-  containers.vpn = mkVpnContainer pkgs "/dev/null" {
+  vpn-container.enable = true;
+  vpn-container.config = {
     services.radio = {
       enable = true;
       host = "radio.runyan.org";
     };
   };
-  # containers cannot unlock their own secrets right now. unlock it here
-  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
 
   # icecast endpoint + website
   services.nginx.virtualHosts."radio.runyan.org" = {
@@ -131,13 +130,9 @@
   age.secrets.iodine.file = ../../secrets/iodine.age;
   networking.firewall.allowedUDPPorts = [ 53 ];
 
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  networking.nat.enable = true;
   networking.nat.internalInterfaces = [
     "dns0" # iodine
-    "ve-vpn" # vpn container
   ];
-  networking.nat.externalInterface = "ens3";
 
   services.nginx.enable = true;
   services.nginx.virtualHosts."jellyfin.neet.cloud" = {

machines/ponyo/hardware-configuration.nix

@@ -31,7 +31,7 @@
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
   networking.useDHCP = lib.mkDefault false;
-  networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
 
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

machines/storage/s0/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =[
@@ -42,10 +42,12 @@
   users.users.googlebot.extraGroups = [ "transmission" ];
   users.groups.transmission.gid = config.ids.gids.transmission;
 
-  containers.vpn = mkVpnContainer pkgs "/data/samba/Public/Plex" {
-    # swiss vpn
-    pia.server = "swiss.privacy.network";
-
+  vpn-container.enable = true;
+  vpn-container.mounts = [
+    "/var/lib"
+    "/data/samba/Public/Plex"
+  ];
+  vpn-container.config = {
     # servarr services
     services.prowlarr.enable = true;
     services.sonarr.enable = true;
@@ -119,15 +121,6 @@
       uid = 994;
     };
   };
-  # containers cannot unlock their own secrets right now. unlock it here
-  age.secrets."pia-login.conf".file = ../../../secrets/pia-login.conf;
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  # forwarding for vpn container
-  networking.nat.enable = true;
-  networking.nat.internalInterfaces = [
-    "ve-vpn" # vpn container
-  ];
-  networking.nat.externalInterface = "eth0";
 
   # unpackerr
   # flaresolverr