feature: Add ProtonVPN to prepare for *arr suite

hosts/andromeda/configuration.nix

@@ -73,8 +73,9 @@
 
   virtualisation.oci-containers.backend = "docker";
 
-  # Reverse Proxy setup
+  # VPN setup
   networking.wireguard.interfaces = {
+    # Reverse Proxy
     wg0 = {
       ips = [ "10.10.0.3/24" ];
       privateKeyFile = config.sops.secrets.reverse_proxy_client_privkey.path;
@@ -90,6 +91,23 @@
         persistentKeepalive = 25;
       }];
     };
+
+    # ProtonVPN
+    wg1 = {
+      ips = [ "10.2.0.2/32" ];
+      privateKeyFile = config.sops.secrets.protonvpn_privkey.path;
+      table = "70";
+
+      postSetup = "ip rule add from 10.2.0.2 table 70";
+      preShutdown = "ip rule del from 10.2.0.2 table 70";
+
+      peers = [{
+        publicKey = "OuhID2usMSMoGAiLExUhH0lrOMJQ3v8xFWS+6G3JLRs=";
+        allowedIPs = [ "0.0.0.0/0" ];
+        endpoint = "149.102.227.30:51820";
+        persistentKeepalive = 25;
+      }];
+    };
   };
 
   # Tailscale fixer-uppers

secrets

@@ -1 +1 @@
-Subproject commit 6c647408e3b8e3a6645d61f32ea12304741fc341
+Subproject commit 14e0ac1a7f2a034c270aa10dbc66179b32fc7a7e

shell.nix

@@ -0,0 +1,8 @@
+{
+  pkgs ? import <nixpkgs> { },
+}: pkgs.mkShell {
+  buildInputs = with pkgs; [
+    sops
+    compose2nix
+  ];
+}

system/sops.nix

@@ -22,6 +22,7 @@ in
         neededForUsers = true;
       };
       reverse_proxy_client_privkey = {};
+      protonvpn_privkey = {};
       caddy_docker_env = {};
       tailscale_docker_env = {};
       forgejo_db_docker_env = {};