From 470ab2074dde3004013b645710d7876c5a1690ef Mon Sep 17 00:00:00 2001 From: baritone Date: Thu, 6 Mar 2025 11:36:02 +0100 Subject: [PATCH] the fucking shitty fuck vpn in the vm is finally fucking working --- configuration.nix | 8 +- modules/age.nix | 1 + modules/microvm.nix | 61 ++++++---- secrets/nextcloud.age | 5 + secrets/secrets.nix | 3 +- services/auto-torrent.nix | 214 +++++++++++++++++++++++++++++++++ services/jellyfin.nix | 29 +++++ services/nextcloud.nix | 17 ++- services/nginx.nix | 4 +- services/rtorrent.nix | 18 +++ services/seafile.nix | 28 +++++ services/sonarr-old.nix | 189 +++++++++++++++++++++++++++++ services/sonarr.nix | 243 +++----------------------------------- services/vm-test.nix | 133 +++++++++++++++++++++ services/vpn.nix | 4 + 15 files changed, 701 insertions(+), 256 deletions(-) create mode 100644 secrets/nextcloud.age create mode 100644 services/auto-torrent.nix create mode 100644 services/rtorrent.nix create mode 100644 services/seafile.nix create mode 100755 services/sonarr-old.nix mode change 100755 => 100644 services/sonarr.nix create mode 100644 services/vm-test.nix create mode 100644 services/vpn.nix diff --git a/configuration.nix b/configuration.nix index 7a659d3..46bd07d 100755 --- a/configuration.nix +++ b/configuration.nix @@ -7,20 +7,24 @@ ./services/nginx.nix ./services/openssh.nix ./services/forgejo.nix + # ./services/nextcloud.nix + # ./services/seafile.nix ./services/vaultwarden.nix ./services/jellyfin.nix ./services/website.nix ./services/mailserver.nix ./services/fail2ban.nix - ./services/sonarr.nix + + ./services/auto-torrent.nix + ./services/misc.nix ./modules/age.nix - ./modules/microvm.nix ./modules/git.nix ./modules/nix-settings.nix ./modules/zfs.nix + (import ./modules/microvm.nix {routed = true;}) (import ./modules/networking-shared.nix {hostname = "server";}) (import ./modules/users.nix {main-user = "baritone";}) ]; diff --git a/modules/age.nix b/modules/age.nix index 6cbc0dc..c786b42 100644 
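Review bot: The import list drops `./services/sonarr.nix`, yet the same commit rewrites that file into a host-local Sonarr config, and the new `services/vpn.nix` and `services/vm-test.nix` are imported nowhere in the lines shown, so those three files are evaluated by nothing and will drift from the live configuration. If they are intentionally parked, a comment beside the commented `nextcloud`/`seafile` entries such as `# not imported: sonarr.nix, vm-test.nix, vpn.nix` would keep the next reader from assuming, say, sonarr.nix's `openFirewall = true` is in effect. Only lines 7–30 of configuration.nix are in the hunk, so an import elsewhere in the file would change this.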
--- a/modules/age.nix +++ b/modules/age.nix @@ -1,3 +1,4 @@ {config, ...}: { # This is where the age files go + # age.secrets.nextcloud.file = ../secrets/nextcloud.age; } diff --git a/modules/microvm.nix b/modules/microvm.nix index 16d9e18..9ea7212 100755 --- a/modules/microvm.nix +++ b/modules/microvm.nix @@ -1,37 +1,58 @@ -{ +{routed ? false}: { + pkgs, config, - lib, ... }: let - attrSet = lib.lists.imap1 (i: v: { + attrSet = pkgs.lib.lists.imap1 (i: v: { name = v; index = i; }) (builtins.attrNames config.microvm.vms); in { - config.systemd.network.networks = builtins.listToAttrs (builtins.map ({ - name, - index, - }: { - name = "30-vm${toString index}"; - value = { - matchConfig.Name = "vm${toString index}"; - address = [ - "10.0.0.0/32" - ]; - routes = [ + systemd.network.networks = + if routed + then + builtins.listToAttrs (builtins.map ({ + name, + index, + }: { + name = "30-vm${toString index}"; + value = { + matchConfig.Name = "vm${toString index}"; + address = [ + "10.0.0.0/32" + ]; + routes = [ + { + Destination = "10.0.0.${toString index}/32"; + } + ]; + networkConfig = {IPv4Forwarding = true;}; + }; + }) + attrSet) + else { + "10-microvm" = { + matchConfig.Name = "microvm"; + networkConfig.DHCPServer = true; + networkConfig.IPv6SendRA = true; + addresses = [ { - Destination = "10.0.0.${toString index}/32"; + Address = "10.0.0.1/24"; } ]; - networkConfig = {IPv4Forwarding = true;}; }; - }) - attrSet); + "11-microvm" = pkgs.lib.mkIf (!routed) { + matchConfig.Name = "vm-*"; + # Attach to bridge configured above + networkConfig.Bridge = "microvm"; + }; + }; # NAT (make vms accessible in host) - config.networking.nat = { + networking.nat = { enable = true; - internalIPs = ["10.0.0.0/24"]; externalInterface = "enp2s0"; + internalIPs = pkgs.lib.mkIf routed ["10.0.0.0/24"]; + internalInterfaces = pkgs.lib.mkIf (!routed) ["microvm"]; }; } diff --git a/secrets/nextcloud.age b/secrets/nextcloud.age new file mode 100644 index 0000000..32e1111 --- /dev/null 
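Review bot: In modules/microvm.nix the bridge network `"11-microvm"` matches `vm-*`, but every tap interface in this commit is declared with `id = "vm${toString vm-index}"`, i.e. `vm1`, which `vm-*` does not match; if `routed = false` is ever used, no tap device would join the `microvm` bridge, so `matchConfig.Name = "vm*";` looks like the intended pattern. The `pkgs.lib.mkIf (!routed)` wrapped around that same attribute is redundant, since it sits inside the `else` branch that is only evaluated when `routed` is false. Replacing the `lib` module argument with `pkgs.lib` everywhere is a style regression; keeping `lib` in the inner function's arguments is the usual NixOS module form and removes the repetition.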
+++ b/secrets/nextcloud.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 rgw77A FBgTHsvCbpuhDFHCOQ4MtkSu3b9WmlSDboN4x3J/p1M +Mwts15GY7TwmWhB/wZPQ7EfBJ61aV+1QbjwZL8xRcgM +--- PI2311X1EC/csuMWV1Nx5Wnu4ajhh6e42NkDYW/fNgE +SdAId*}w;]7] <@)^Ԙ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a763b3a..3a786a6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,4 +1,5 @@ let - public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"; + public-keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"]; in { + "nextcloud.age".publicKeys = public-keys; } diff --git a/services/auto-torrent.nix b/services/auto-torrent.nix new file mode 100644 index 0000000..45eafdf --- /dev/null +++ b/services/auto-torrent.nix 
@@ -0,0 +1,214 @@ +{ + config, + pkgs, + ... +}: let + lib = pkgs.lib; + host = "10.0.0.${toString vm-index}"; + port = 8989; + vm-index = 1; + vm-mac = "02:00:00:00:00:02"; + vm-name = "auto-torrent"; +in { + microvm.autostart = [vm-name]; + + users.extraUsers.microvm.extraGroups = [ + "jellyfin" # access to media folder + ]; + + system.activationScripts."make-${vm-name}-data-dir" = lib.stringAfter ["var"] '' + mkdir -p /var/lib/${vm-name} + chmod -R 777 /var/lib/${vm-name} + chown -R microvm /var/lib/${vm-name} + chmod -R 777 /media + ''; + + microvm.vms.${vm-name} = { + config = {...}: { + system.stateVersion = "25.05"; + microvm.interfaces = [ + { + id = "vm${toString vm-index}"; + type = "tap"; + mac = vm-mac; + } + ]; + + microvm.shares = [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + { + tag = "data-dir"; + source = "/var/lib/${vm-name}"; + mountPoint = "/mnt"; + proto = "virtiofs"; + } + { + tag = "media-dir"; + source = "/media"; + mountPoint = "/media"; + proto = "virtiofs"; + } + ]; + + networking.useNetworkd = true; + networking.usePredictableInterfaceNames = false; + systemd.network.networks."10-eth" = { + matchConfig.MACAddress = vm-mac; + address = [ + "10.0.0.${toString vm-index}/32" + ]; + routes = [ + # Host Route + { + Destination = "10.0.0.0/32"; + GatewayOnLink = true; + } + # Default route + { + Destination = "0.0.0.0/0"; + Gateway = "10.0.0.0"; + GatewayOnLink = true; + } + ]; + networkConfig = { + DNS = [ + "9.9.9.9" + "8.8.8.8" + "8.8.4.4" + ]; + }; + }; + + networking.useDHCP = false; + networking.nameservers = [ + "10.0.101.1" + "8.8.8.8" + "8.8.4.4" + ]; + + systemd.services."wireguard-kill-switch" = { + description = "Wireguard Kill Switch"; + after = ["network-online.target"]; + wants = ["network-online.target"]; + wantedBy = ["multi-user.target"]; + + serviceConfig = { + type = "oneshot"; + ExecStart = pkgs.writeShellScript "wgconf.sh" '' + # Stay a while and listen + # 
${pkgs.toybox}/bin/sleep 5 + # Route local traffic through wg0 except local traffic + ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \ + ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0 + # Block all traffic that isnt local or through the vpn + ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT + ''; + RemainAfterExit = "yes"; + }; + }; + + networking.wireguard.enable = true; + systemd.network = { + netdevs."10-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + MTUBytes = "1300"; + }; + wireguardConfig = { + PrivateKeyFile = "${./wireguard-secret}"; + FirewallMark = 42; + ListenPort = 51820; + }; + wireguardPeers = [ + { + PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw="; + AllowedIPs = ["0.0.0.0/0"]; + Endpoint = "193.32.248.66:51820"; + # PersistentKeepalive = 25; + } + ]; + }; + networks."wg0" = { + matchConfig.Name = "wg0"; + address = [ + " 10.65.241.123/32" + ]; + DHCP = "no"; + dns = ["10.64.0.1"]; + gateway = [ + "10.0.0.0" + ]; + }; + }; + + # Sleep them for a while to make sure everything is set up + systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"; + systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"; + + # fuck nano + programs.nano.enable = lib.mkForce false; + programs.vim.enable = true; + + # Services + services.sonarr = { + enable = true; + openFirewall = true; + dataDir = "/mnt/sonarr"; + }; + services.radarr = { + enable = true; + openFirewall = false; + dataDir = "/mnt/radarr"; + }; + + services.transmission = { + enable = true; + openFirewall = false; + settings.rpc-port = 9091; + }; + + # debugging + users.users.root = { + password = "1234"; + }; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "yes"; + AllowUsers = null; + PasswordAuthentication = true; + KbdInteractiveAuthentication = true; + }; + }; + }; + }; + + 
services.nginx.virtualHosts."sonarr.spoodythe.one" = { + addSSL = true; + enableACME = true; + listen = [ + { + port = 8989; + addr = "0.0.0.0"; + ssl = false; + } + { + port = 443; + addr = "0.0.0.0"; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${host}:${toString port}"; + }; + }; + + networking.firewall.allowedTCPPorts = [port 80 433]; + networking.firewall.allowedUDPPorts = [port 80 433]; +} diff --git a/services/jellyfin.nix b/services/jellyfin.nix index db4b6ff..39bfbf3 100755 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -6,6 +6,34 @@ }: let host = "127.0.0.1"; port = 8096; + jellyfin = + if config.services.mullvad-vpn.enable == true + then + pkgs.callPackage ({...}: + pkgs.stdenv.mkDerivation { + pname = "jellyfin-excluded"; + version = "1.0.0"; + + phases = ["installPhase"]; + + buildInputs = [pkgs.jellyfin]; + + # Define the install phase + installPhase = '' + mkdir -p $out/bin + # Create a wrapper script + echo "${pkgs.mullvad-vpn}/bin/mullvad-exclude ${pkgs.jellyfin}/bin/jellyfin \"$@\"" > $out/bin/jellyfin-excluded + chmod +x $out/bin/jellyfin-excluded + ''; + + # Specify the output + meta = with pkgs.lib; { + description = "A wrapper for the hello command"; + mainProgram = "jellyfin-excluded"; + license = licenses.mit; + }; + }) {} + else pkgs.jellyfin; in { # Enable VAAPI config.nixpkgs.config.packageOverrides = pkgs: { @@ -32,6 +60,7 @@ in { # Enable Jellyfin config.services.jellyfin = { enable = true; + package = jellyfin; openFirewall = false; # We want jellyfin behind a reverse proxy }; diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 6d914e4..d24ba5e 100755 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix 
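Review bot: `PrivateKeyFile = "${./wireguard-secret}"` in the `10-wg0` netdev interpolates a path into a string, which copies the WireGuard private key into /nix/store, world-readable on the host and in every copy of the closure; the key should be delivered at runtime instead (the repo already wires agenix in modules/age.nix for the nextcloud secret), and the same line is in services/vm-test.nix. In the same hunk `networking.firewall.allowedTCPPorts = [port 80 433]` and its UDP twin open 433 where the nginx `listen` block uses 443, and an HTTP reverse proxy needs no UDP ports, so `networking.firewall.allowedTCPPorts = [port 80 443];` with the UDP line removed is what the vhost needs (services/sonarr-old.nix carries the same typo). The wg0 `address` entry `" 10.65.241.123/32"` has a leading space. The kill-switch script routes only `0.0.0.0/1` through wg0, so unless the `128.0.0.0/1` half is added elsewhere, destinations above 128.0.0.0 hit the REJECT rule rather than the tunnel. The root password `1234` with `PermitRootLogin = "yes"` and password auth is marked `# debugging` but ships with the VM; today it is reachable only from the host's 10.0.0.0/24, so at minimum the comment should say so and the settings should go before any port to the VM is forwarded.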
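Review bot: The wrapper written by `installPhase` in services/jellyfin.nix has no shebang line, and because `\"$@\"` sits inside a double-quoted `echo` it is expanded at build time, so the file ends up containing a literal empty argument and forwards none of the arguments its caller passes. `pkgs.writeShellScriptBin "jellyfin" ''exec ${pkgs.mullvad-vpn}/bin/mullvad-exclude ${pkgs.jellyfin}/bin/jellyfin "$@"''` does the same job in one line with a proper shebang and, by naming the binary `jellyfin`, works whether the jellyfin module starts `bin/jellyfin` or `meta.mainProgram`. `description = "A wrapper for the hello command"` and the unused `buildInputs = [pkgs.jellyfin]` are template leftovers, and `== true` on the enable check is redundant. Whether `mullvad-exclude` functions under the unprivileged user and sandboxing of the jellyfin unit is not visible here and is worth confirming before relying on the exclusion.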
@@ -1,13 +1,24 @@ -{pkgs, ...}: let +{ + config, + pkgs, + ... +}: let nextcloud-pkg = pkgs.nextcloud30; host = "127.0.0.1"; port = 8008; + lib = pkgs.lib; in { + # system.activationScripts."make-nextcloud-dir" = lib.stringAfter ["var"] '' + # mkdir -p /var/lib/nextcloud + # chmod -R 770 /var/lib/nextcloud + # chown -R nextcloud:nextcloud /var/lib/nextcloud + # ''; + services.nextcloud = { enable = true; package = nextcloud-pkg; hostName = "localhost"; - config.adminpassFile = "/var/lib/db/nextcloud/admin-password"; + config.adminpassFile = "/etc/nextcloud-admin-password"; config.dbtype = "sqlite"; }; @@ -19,7 +30,7 @@ in { } ]; services.nginx.virtualHosts."nextcloud.spoodythe.one" = { - addSSL = true; + forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://${host}:${toString port}"; diff --git a/services/nginx.nix b/services/nginx.nix index 7bf3379..7538fd0 100755 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -6,7 +6,9 @@ recommendedProxySettings = true; recommendedTlsSettings = true; - virtualHosts."_" = { + virtualHosts."spoodythe.one" = { + forceSSL = true; + enableACME = true; default = true; locations."/" = { return = 404; diff --git a/services/rtorrent.nix b/services/rtorrent.nix new file mode 100644 index 0000000..67c7f83 --- /dev/null +++ b/services/rtorrent.nix @@ -0,0 +1,18 @@ +{pkgs, ...}: let + port = 9091; +in { + # services.rtorrent = { + # enable = true; + # dataDir = "/mnt/rtorrent"; + # user = "rtorrent"; + # group = "rtorrent"; + # package = pkgs.jesec-rtorrent; + # inherit port; + # }; + + services.transmission = { + enable = true; + openFirewall = false; + settings.rpc-port = port; + }; +} diff --git a/services/seafile.nix b/services/seafile.nix new file mode 100644 index 0000000..77e242c --- /dev/null +++ b/services/seafile.nix 
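Review bot: `config.adminpassFile = "/etc/nextcloud-admin-password"` in services/nextcloud.nix points at a file nothing in this commit creates: secrets/secrets.nix declares `nextcloud.age`, but the `age.secrets.nextcloud.file` line in modules/age.nix is committed commented out, and agenix would place the decrypted file at its own `path` rather than in /etc. Referencing `config.age.secrets.nextcloud.path` once the secret is enabled ties the two together and is presumably why `config` was added to the module arguments, which are otherwise unused in the visible lines. If manual provisioning is intended, a comment on that line saying how the file gets there and with what ownership would spare the next rebuild a missing-file failure.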
@@ -0,0 +1,28 @@ +{ + config, + pkgs, + ... +}: let + host = "127.0.0.1"; + port = 8008; +in { + services.seafile = { + enable = true; + adminEmail = "snorre@altschul.dk"; + seahubAddress = "http://${host}:${toString port}"; + # seafileSettings.fileserver = { + # inherit host port; + # }; + }; + services.nginx.virtualHosts."files.spoodythe.one" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${host}:${toString port}"; + }; + }; + + # Open port 80 and 443 for reverse proxy + networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedUDPPorts = [80 443]; +} diff --git a/services/sonarr-old.nix b/services/sonarr-old.nix new file mode 100755 index 0000000..a0b9140 --- /dev/null +++ b/services/sonarr-old.nix 
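Review bot: `networking.firewall.allowedUDPPorts = [80 443];` in services/seafile.nix opens UDP ports that a plain nginx TLS reverse proxy never listens on (no HTTP/3 is configured in services/nginx.nix), so the line can go; the TCP line already covers the proxy. `port = 8008` is also the loopback port services/nextcloud.nix binds in this same commit, so enabling both files at once (both are commented out in configuration.nix today) would have two services competing for 127.0.0.1:8008 — a distinct port, or a comment recording the clash, would avoid that surprise.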
@@ -0,0 +1,189 @@ +{ + pkgs, + lib, + config, + ... +}: let + host = "127.0.0.1"; + port = 8989; + vm-index = 1; + vm-mac = "00:00:00:00:00:01"; + vm-name = "necoarc"; +in { + config.microvm.autostart = [vm-name]; + + config.users.extraUsers.microvm.extraGroups = [ + "jellyfin" # access to media folder + ]; + + config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] '' + mkdir -p /var/lib/${vm-name} + chmod -R 777 /var/lib/${vm-name} + chown -R microvm /var/lib/${vm-name} + chmod -R 777 /media + ''; + + # config.networking.wireguard.enable = true; + # # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard]; + + # config.networking.wireguard.interfaces.wg0 = { + # ips = ["10.75.60.108/32"]; + # listenPort = 51820; + # privateKeyFile = "${./wireguard-secret}"; + # peers = [ + # { + # publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc="; + # endpoint = "185.254.75.4:51820"; + # allowedIPs = ["0.0.0.0/0"]; + # persistentKeepalive = 25; + # } + # ]; + # }; + + # config.systemd.network.networks.wg0 = { + # matchConfig.Name = "wg0"; + # address = ["10.0.1.${toString vm-index}/24"]; + # networkConfig = { + # IPMasquerade = "ipv4"; + # IPv4Forwarding = true; + # }; + # }; + + config.microvm.vms.${vm-name} = { + config = {config, ...}: { + system.stateVersion = "24.11"; + # Storage share configuration + microvm.shares = [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + { + tag = "data-dir"; + source = "/var/lib/${vm-name}"; + mountPoint = "/mnt"; + proto = "virtiofs"; + } + { + tag = "media-dir"; + source = "/media/shows"; + mountPoint = "/media/shows"; + proto = "virtiofs"; + } + ]; + + # Allow the service to use the share + system.activationScripts."chownDataDir" = lib.stringAfter ["var"] '' + mkdir -p /mnt + chmod -R 770 /mnt + chown -R sonarr:sonarr /mnt + ''; + systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"; + 
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"; + + microvm.hypervisor = "qemu"; + + # VM Networking + microvm.interfaces = [ + { + id = "vm${toString vm-index}"; + type = "tap"; + mac = vm-mac; + } + ]; + networking.useNetworkd = true; + systemd.network.networks."10-eth" = { + matchConfig.MACAddress = vm-mac; + address = [ + "10.0.0.${toString vm-index}/32" + ]; + routes = [ + # Host Route + { + Destination = "10.0.0.0/32"; + GatewayOnLink = true; + } + # Default route + { + Destination = "0.0.0.0/0"; + Gateway = "10.0.0.0"; + GatewayOnLink = true; + } + ]; + networkConfig = { + DNS = [ + "9.9.9.9" + "8.8.8.8" + "8.8.4.4" + ]; + }; + }; + + networking.useDHCP = false; + networking.nameservers = [ + "10.0.101.1" + "8.8.8.8" + "8.8.4.4" + ]; + + programs.nano.enable = lib.mkForce false; + programs.vim.enable = true; + + # Services + services.sonarr = { + enable = true; + openFirewall = true; + dataDir = "/mnt/sonarr"; + }; + + services.rtorrent = { + enable = true; + dataDir = "/mnt/rtorrent"; + user = "rtorrent"; + group = "rtorrent"; + port = 9999; + }; + + # Debug user + users.users."root" = { + password = "1234"; + }; + + environment.systemPackages = [pkgs.dig]; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "yes"; + AllowUsers = null; + PasswordAuthentication = true; + KbdInteractiveAuthentication = true; + }; + }; + }; + }; + + config.networking.firewall.allowedTCPPorts = [port 80 433]; + config.networking.firewall.allowedUDPPorts = [port 80 433]; + + config.services.nginx.virtualHosts."sonarr.spoodythe.one" = { + addSSL = true; + enableACME = true; + listen = [ + { + port = 8989; + addr = "0.0.0.0"; + ssl = false; + } + { + port = 443; + addr = "0.0.0.0"; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://10.0.0.${toString vm-index}:${toString port}"; + }; + }; +} 
diff --git a/services/sonarr.nix b/services/sonarr.nix old mode 100755 new mode 100644 index 2fabb73..b3a271c --- a/services/sonarr.nix +++ b/services/sonarr.nix 
@@ -1,240 +1,25 @@ -{ - pkgs, - lib, - config, - ... -}: let +{...}: let host = "127.0.0.1"; port = 8989; - vm-index = 1; - vm-mac = "00:00:00:00:00:01"; - vm-name = "necoarc"; in { - config.microvm.autostart = [vm-name]; - - config.users.extraUsers.microvm.extraGroups = [ - "jellyfin" # access to media folder - ]; - - config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] '' - mkdir -p /var/lib/${vm-name} - chmod -R 777 /var/lib/${vm-name} - chown -R microvm /var/lib/${vm-name} - chmod -R 777 /media - ''; - - # config.networking.wireguard.enable = true; - # # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard]; - - # config.networking.wireguard.interfaces.wg0 = { - # ips = ["10.75.60.108/32"]; - # listenPort = 51820; - # privateKeyFile = "${./wireguard-secret}"; - # peers = [ - # { - # publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc="; - # endpoint = "185.254.75.4:51820"; - # allowedIPs = ["0.0.0.0/0"]; - # persistentKeepalive = 25; - # } - # ]; - # }; - - # config.systemd.network.networks.wg0 = { - # matchConfig.Name = "wg0"; - # address = ["10.0.1.${toString vm-index}/24"]; - # networkConfig = { - # IPMasquerade = "ipv4"; - # IPv4Forwarding = true; - # }; - # }; - - config.microvm.vms.${vm-name} = { - config = {config, ...}: { - system.stateVersion = "24.11"; - # Storage share configuration - microvm.shares = [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - { - tag = "data-dir"; - source = "/var/lib/${vm-name}"; - mountPoint = "/mnt"; - proto = "virtiofs"; - } - { - tag = "media-dir"; - source = "/media/shows"; - mountPoint = "/media/shows"; - proto = "virtiofs"; - } - ]; - - # Allow the service to use the share - system.activationScripts."chownDataDir" = lib.stringAfter ["var"] '' - mkdir -p /mnt - chmod -R 770 /mnt - chown -R sonarr:sonarr /mnt - ''; - systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"; - 
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"; - - microvm.hypervisor = "qemu"; - - # VM Networking - microvm.interfaces = [ - { - id = "vm${toString vm-index}"; - type = "tap"; - mac = vm-mac; - } - ]; - networking.useNetworkd = true; - systemd.network.networks."10-eth" = { - matchConfig.MACAddress = vm-mac; - address = [ - "10.0.0.${toString vm-index}/32" - ]; - routes = [ - # Host Route - { - Destination = "10.0.0.0/32"; - GatewayOnLink = true; - } - # Default route - { - Destination = "0.0.0.0/0"; - Gateway = "10.0.0.0"; - GatewayOnLink = true; - } - ]; - networkConfig = { - DNS = [ - # "9.9.9.9" - # "8.8.8.8" - # "8.8.4.4" - - # Only allow mullvad DNS server - "10.64.0.1" - ]; - }; - }; - - networking.useDHCP = false; - networking.nameservers = [ - "10.0.101.1" - "8.8.8.8" - "8.8.4.4" - ]; - - # Services - services.sonarr = { - enable = true; - openFirewall = true; - dataDir = "/mnt/sonarr"; - }; - - services.rtorrent = { - enable = true; - dataDir = "/mnt/rtorrent"; - user = "rtorrent"; - group = "rtorrent"; - port = 9999; - }; - - # networking.wireguard.enable = true; - # boot.extraModulePackages = [config.boot.kernelPackages.wireguard]; - - # networking.wireguard.interfaces.wg0 = { - # ips = ["10.75.60.108/32"]; - # listenPort = 51820; - # privateKeyFile = "${./wireguard-secret}"; - # peers = [ - # { - # publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc="; - # endpoint = "185.254.75.4:51820"; - # allowedIPs = ["0.0.0.0/0"]; - # persistentKeepalive = 25; - # } - # ]; - # }; - - # networking.firewall.extraCommands = '' - # ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! 
--dst-type LOCAL -j REJECT - # ''; - - # services.openvpn.servers.mullvad = { - # config = '' - # client - # dev tun - # resolv-retry infinite - # nobind - # persist-key - # persist-tun - # verb 3 - # remote-cert-tls server - # ping 10 - # ping-restart 60 - # sndbuf 524288 - # rcvbuf 524288 - # cipher AES-256-GCM - # tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 - # proto udp - # auth-user-pass mullvad_userpass.txt - # ca mullvad_ca.crt - # script-security 2 - # up /etc/openvpn/update-resolv-conf - # down /etc/openvpn/update-resolv-conf - # fast-io - # remote 193.32.248.72 1301 # de-ber-ovpn-001 - # ''; - # authUserPass.username = "9898431198930064"; - # authUserPass.password = "m"; - # updateResolvConf = true; - # }; - - # Debug user - users.users."root" = { - password = "1234"; - }; - - environment.systemPackages = [pkgs.dig]; - - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "yes"; - AllowUsers = null; - PasswordAuthentication = true; - KbdInteractiveAuthentication = true; - }; - }; - }; + users.extraUsers.sonarr.extraGroups = ["jellyfin"]; # Access to the media folder + services.sonarr = { + enable = true; + openFirewall = true; + }; + services.rtorrent = { + enable = true; + dataDir = "/mnt/rtorrent"; + user = "rtorrent"; + group = "rtorrent"; + port = 9999; }; - config.networking.firewall.allowedTCPPorts = [port 80 433]; - config.networking.firewall.allowedUDPPorts = [port 80 433]; - - config.services.nginx.virtualHosts."sonarr.spoodythe.one" = { + services.nginx.virtualHosts."sonarr.spoodythe.one" = { addSSL = true; enableACME = true; - listen = [ - { - port = 8989; - addr = "0.0.0.0"; - ssl = false; - } - { - port = 443; - addr = "0.0.0.0"; - ssl = true; - } - ]; locations."/" = { - proxyPass = "http://10.0.0.${toString vm-index}:${toString port}"; + proxyPass = "http://${host}:${toString port}"; }; }; } diff --git a/services/vm-test.nix b/services/vm-test.nix new file mode 100644 index 0000000..207d0bf --- /dev/null 
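Review bot: `openFirewall = true` in the rewritten services/sonarr.nix exposes Sonarr's port directly on the host, bypassing the nginx vhost that is meant to front it with ACME TLS; services/jellyfin.nix in the same tree uses `openFirewall = false; # We want jellyfin behind a reverse proxy`, and the same setting fits here. The vhost keeps `addSSL = true` while services/nextcloud.nix switches to `forceSSL = true` in this commit; `forceSSL` belongs here too unless plain-HTTP access is wanted. `dataDir = "/mnt/rtorrent"` is carried over from the microVM layout where `/mnt` was a virtiofs share; on the host that directory presumably does not exist unless created elsewhere. configuration.nix no longer imports this file, so none of this is live until it is re-added.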
+++ b/services/vm-test.nix 
@@ -0,0 +1,133 @@ +{ + config, + pkgs, + ... +}: let + vm-index = 1; + vm-mac = "02:00:00:00:00:02"; +in { + config.microvm.vms."vm-test" = { + config = {...}: { + microvm.interfaces = [ + { + id = "vm${toString vm-index}"; + type = "tap"; + mac = vm-mac; + } + ]; + + microvm.shares = [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ]; + + networking.useNetworkd = true; + networking.usePredictableInterfaceNames = false; + systemd.network.networks."10-eth" = { + matchConfig.MACAddress = vm-mac; + address = [ + "10.0.0.${toString vm-index}/32" + ]; + routes = [ + # Host Route + { + Destination = "10.0.0.0/32"; + GatewayOnLink = true; + } + # Default route + { + Destination = "0.0.0.0/0"; + Gateway = "10.0.0.0"; + GatewayOnLink = true; + } + ]; + networkConfig = { + DNS = [ + "9.9.9.9" + "8.8.8.8" + "8.8.4.4" + ]; + }; + }; + + networking.useDHCP = false; + networking.nameservers = [ + "10.0.101.1" + "8.8.8.8" + "8.8.4.4" + ]; + + systemd.services."wireguard-kill-switch" = { + description = "Wireguard Kill Switch"; + after = ["network-online.target"]; + wants = ["network-online.target"]; + wantedBy = ["multi-user.target"]; + + serviceConfig = { + type = "oneshot"; + ExecStart = pkgs.writeShellScript "wgconf.sh" '' + # Stay a while and listen + # ${pkgs.toybox}/bin/sleep 5 + # Route local traffic through wg0 except local traffic + ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \ + ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0 + # Block all traffic that isnt local or through the vpn + ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! 
-d 10.0.0.0/32 -j REJECT + ''; + RemainAfterExit = "yes"; + }; + }; + + networking.wireguard.enable = true; + systemd.network = { + netdevs."10-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + MTUBytes = "1300"; + }; + wireguardConfig = { + PrivateKeyFile = "${./wireguard-secret}"; + FirewallMark = 42; + ListenPort = 51820; + }; + wireguardPeers = [ + { + PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw="; + AllowedIPs = ["0.0.0.0/0"]; + Endpoint = "193.32.248.66:51820"; + # PersistentKeepalive = 25; + } + ]; + }; + networks."wg0" = { + matchConfig.Name = "wg0"; + address = [ + " 10.65.241.123/32" + ]; + DHCP = "no"; + dns = ["10.64.0.1"]; + gateway = [ + "10.0.0.0" + ]; + }; + }; + + users.users.root = { + password = "1234"; + }; + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "yes"; + AllowUsers = null; + PasswordAuthentication = true; + KbdInteractiveAuthentication = true; + }; + }; + }; + }; +} diff --git a/services/vpn.nix b/services/vpn.nix new file mode 100644 index 0000000..988ebf9 --- /dev/null +++ b/services/vpn.nix @@ -0,0 +1,4 @@ +{pkgs, ...}: { + services.mullvad-vpn.enable = true; + environment.systemPackages = [pkgs.wireguard-tools]; +}
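Review bot: services/vm-test.nix reuses `vm-index = 1` and `vm-mac = "02:00:00:00:00:02"`, so its tap id `vm1`, MAC and guest address `10.0.0.1/32` are identical to those of services/auto-torrent.nix; importing both would define two VMs on the same host interface and the same address. Giving the test VM its own index and MAC keeps the two independent, and a comment on those two `let` bindings, `# must be unique per VM: selects the tap id, MAC and 10.0.0.N address`, would make the constraint visible. The hunk also repeats the store-copied `PrivateKeyFile` and the leading-space `address` entry raised on services/auto-torrent.nix.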