Phase 5: add connectivity service manifests — wireguard-ext, openvpn-client, tor

Each manifest declares container requirements (host network, NET_ADMIN) for
connectivity_manager.py to use when launching exit tunnel containers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

index.json

@@ -5,6 +5,9 @@
     {"id": "calendar", "name": "Calendar & Contacts", "version": "1.0.0", "description": "CalDAV/CardDAV server (Radicale)", "author": "roof"},
     {"id": "files", "name": "File Storage", "version": "1.0.0", "description": "WebDAV file storage", "author": "roof"},
     {"id": "email", "name": "Email Server", "version": "1.0.0", "description": "Full email server (Postfix + Dovecot)", "author": "roof"},
-    {"id": "webmail", "name": "Webmail", "version": "1.0.0", "description": "Rainloop webmail UI", "author": "roof"}
+    {"id": "webmail", "name": "Webmail", "version": "1.0.0", "description": "Rainloop webmail UI", "author": "roof"},
+    {"id": "wireguard-ext", "name": "WireGuard External Exit", "version": "1.0.0", "description": "Connect PIC as a WireGuard client to an external VPN server.", "author": "roof", "category": "connectivity"},
+    {"id": "openvpn-client", "name": "OpenVPN Exit", "version": "1.0.0", "description": "Connect PIC as an OpenVPN client. Selected peers exit through this tunnel.", "author": "roof", "category": "connectivity"},
+    {"id": "tor", "name": "Tor Exit", "version": "1.0.0", "description": "Route selected peers through the Tor anonymization network.", "author": "roof", "category": "connectivity"}
   ]
 }

services/openvpn-client/manifest.json

@@ -0,0 +1,22 @@
+{
+  "id": "openvpn-client",
+  "name": "OpenVPN Exit",
+  "description": "Connect PIC as an OpenVPN client. Selected peers exit through this tunnel.",
+  "version": "1.0.0",
+  "author": "roof",
+  "image": "git.pic.ngo/roof/svc-openvpn-client:latest",
+  "container_name": "cell-openvpn",
+  "network_mode": "host",
+  "cap_add": ["NET_ADMIN"],
+  "devices": ["/dev/net/tun"],
+  "volumes": [
+    { "name": "openvpn-config", "mount": "/etc/openvpn" }
+  ],
+  "env": [],
+  "caddy_route": null,
+  "iptables_rules": [],
+  "config_schema": [
+    { "key": "ovpn_text", "type": "textarea", "label": "OpenVPN config (.ovpn)", "required": true }
+  ],
+  "requires_host_network": true
+}

services/tor/manifest.json

@@ -0,0 +1,23 @@
+{
+  "id": "tor",
+  "name": "Tor Exit",
+  "description": "Route selected peers through the Tor anonymization network via transparent proxy.",
+  "version": "1.0.0",
+  "author": "roof",
+  "image": "git.pic.ngo/roof/svc-tor:latest",
+  "container_name": "cell-tor",
+  "network_mode": "host",
+  "cap_add": ["NET_ADMIN"],
+  "volumes": [
+    { "name": "tor-data", "mount": "/var/lib/tor" },
+    { "name": "tor-config", "mount": "/etc/tor" }
+  ],
+  "env": [
+    { "key": "TOR_TRANS_PORT", "value": "9040" },
+    { "key": "TOR_DNS_PORT", "value": "5353" }
+  ],
+  "caddy_route": null,
+  "iptables_rules": [],
+  "config_schema": [],
+  "requires_host_network": true
+}

services/wireguard-ext/manifest.json

@@ -0,0 +1,22 @@
+{
+  "id": "wireguard-ext",
+  "name": "WireGuard External Exit",
+  "description": "Connect PIC as a WireGuard client to an external VPN server. Selected peers exit through this tunnel.",
+  "version": "1.0.0",
+  "author": "roof",
+  "image": "git.pic.ngo/roof/svc-wireguard-ext:latest",
+  "container_name": "cell-wg-ext",
+  "network_mode": "host",
+  "cap_add": ["NET_ADMIN"],
+  "sysctls": ["net.ipv4.ip_forward=1"],
+  "volumes": [
+    { "name": "wg-ext-config", "mount": "/etc/wireguard" }
+  ],
+  "env": [],
+  "caddy_route": null,
+  "iptables_rules": [],
+  "config_schema": [
+    { "key": "conf_text", "type": "textarea", "label": "WireGuard config (.conf)", "required": true }
+  ],
+  "requires_host_network": true
+}