From 77682e0ae1140c5bebf53a22e05b8c28b01f6870 Mon Sep 17 00:00:00 2001
From: Rohan Datar
Date: Sat, 4 Jan 2025 18:08:23 -0600
Subject: [PATCH] add vpn options back
---
nixarr/flaresolverr/default.nix | 62 +++++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 2 deletions(-)
diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix
index a33d72e..529aeb7 100644
--- a/nixarr/flaresolverr/default.nix
+++ b/nixarr/flaresolverr/default.nix
@@ -7,6 +7,7 @@ with lib; let cfg = config.nixarr.flaresolverr; nixarr = config.nixarr; + defaultPort = 8191; in { options.nixarr.flaresolverr = { enable = mkOption {
@@ -24,17 +25,29 @@ in { port = mkOption { type = types.port; - default = 8191; + default = defaultPort; example = 12345; description = "Flaresolverr port."; }; openFirewall = mkOption { type = types.bool; - default = false; + defaultText = literalExpression ''!nixarr.flaresolverr.vpn.enable''; + default = !cfg.vpn.enable; example = true; description = "Open firewall for Flaresolverr"; }; + + vpn.enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) + + Route Jellyseerr traffic through the VPN. + ''; + }; }; config = mkIf cfg.enable {
@@ -46,6 +59,13 @@ in { nixarr.enable option to be set, but it was not. ''; } + { + assertion = cfg.vpn.enable -> nixarr.vpn.enable; + message = '' + The nixarr.flaresolverr.vpn.enable option requires the + nixarr.vpn.enable option to be set, but it was not. + ''; + } ]; services.flaresolverr = {
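Review bot: In the options hunk (`@@ -24,17 +25,29 @@`), the new `openFirewall` default `default = !cfg.vpn.enable;` flips the option from closed to open for every user who enables Flaresolverr without the VPN, where the old default was `false`. FlareSolverr, as far as I know, has no authentication of its own, so an open port by default exposes an unauthenticated request-proxying API to whatever network the host sits on. I would keep `default = false;`, or at least state the new behaviour in the option text, e.g. `description = "Open firewall for Flaresolverr. Defaults to open when the VPN is not used.";`. Separately, the `vpn.enable` description reads `Route Jellyseerr traffic through the VPN.`, which looks like a copy-paste leftover and should say `Route Flaresolverr traffic through the VPN.`.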
@@ -54,5 +74,43 @@ in { openFirewall = cfg.openFirewall; port = cfg.port; }; + + # Enable and specify VPN namespace to confine service in. + systemd.services.flaresolverr.vpnConfinement = mkIf cfg.vpn.enable { + enable = true; + vpnNamespace = "wg"; + }; + + # Port mappings + vpnNamespaces.wg = mkIf cfg.vpn.enable { + portMappings = [ + { + from = defaultPort; + to = defaultPort; + } + ]; + }; + + services.nginx = mkIf cfg.vpn.enable { + enable = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = { + listen = [ + { + addr = "0.0.0.0"; + port = defaultPort; + } + ]; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; + }; + }; + }; }; }
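Review bot: The nginx virtual host added under `services.nginx` listens on `addr = "0.0.0.0";` and forwards every request to the confined service, so whether other hosts can reach Flaresolverr rests entirely on the host firewall; binding to `127.0.0.1` while `cfg.openFirewall` is false would make the default safe on its own. The port mapping, the `listen` entry and `proxyPass` all use `defaultPort` while the service is started with `port = cfg.port;`, so a non-default `nixarr.flaresolverr.port` would leave the proxy pointing at a port nothing listens on, and presumably the firewall rule would open a different port than the one nginx uses; `from = cfg.port; to = cfg.port;` and `port = cfg.port;` in the `listen` entry would keep them in step. The literals `"wg"` and `192.168.15.1` are unexplained here and deserve a one-line comment naming the module that defines the namespace and its address. The enclosing `config = mkIf cfg.enable {` block starts outside this hunk, so the VPN module's own defaults are not visible.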