From d0b886ea3dd09bd6f0fb5278a7aebc18586a5535 Mon Sep 17 00:00:00 2001
From: baritone
Date: Tue, 11 Mar 2025 10:29:40 +0100
Subject: [PATCH] it actually fucking works this time

---
 configuration.nix | 14 ++--
 flake.nix | 8 +-
 modules/microvm.nix | 56 +++++--------
 modules/users.nix | 14 ++--
 services/auto-torrent.nix | 162 +++++++++++++++++++++-----------------
 5 files changed, 126 insertions(+), 128 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 46bd07d..67b95fb 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -38,13 +38,13 @@
 # Enable microcode updates
 hardware.enableRedistributableFirmware = true;
- programs.zsh = {
- enable = true;
- enableGlobalCompInit = true;
- shellAliases = {
- "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
- };
- };
+ # programs.zsh = {
+ # enable = true;
+ # enableGlobalCompInit = true;
+ # shellAliases = {
+ # "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
+ # };
+ # };
 programs.ssh.startAgent = true;
 programs.nano.enable = false;
diff --git a/flake.nix b/flake.nix
index ef0b83f..15899dc 100755
--- a/flake.nix
+++ b/flake.nix
@@ -79,10 +79,10 @@
 swap-size = "128G";
 root-disk = "/dev/nvme0n1";
 raid-disks = [
- # "sda"
- # "sdb"
- # "sdc"
- # "sdd"
+ "sda"
+ "sdb"
+ "sdc"
+ "sdd"
 ];
 })
diff --git a/modules/microvm.nix b/modules/microvm.nix
index 9ea7212..fecdc2b 100755
--- a/modules/microvm.nix
+++ b/modules/microvm.nix
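Review bot: The RAID members are now listed as bare kernel names `"sda"`…`"sdd"` in `raid-disks`, next to `root-disk = "/dev/nvme0n1"`; `sdX` enumeration is not stable across boots or after a controller change, so if this list feeds a formatting or array-assembly step (the consumer of `raid-disks` is outside this hunk, presumably a disko or mdadm module) a renumbering would point it at the wrong drive. Prefer persistent identifiers such as `/dev/disk/by-id/...` entries and say why in place: `# RAID members by stable id: sdX names can reorder between boots`. Whether the consumer expects short names or full paths is not visible here, so check the module that reads `raid-disks` before changing the form.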
@@ -8,51 +8,33 @@
 index = i;
 }) (builtins.attrNames config.microvm.vms);
 in {
- systemd.network.networks =
- if routed
- then
- builtins.listToAttrs (builtins.map ({
- name,
- index,
- }: {
- name = "30-vm${toString index}";
- value = {
- matchConfig.Name = "vm${toString index}";
- address = [
- "10.0.0.0/32"
- ];
- routes = [
- {
- Destination = "10.0.0.${toString index}/32";
- }
- ];
- networkConfig = {IPv4Forwarding = true;};
- };
- })
- attrSet)
- else {
- "10-microvm" = {
- matchConfig.Name = "microvm";
- networkConfig.DHCPServer = true;
- networkConfig.IPv6SendRA = true;
- addresses = [
+ systemd.network.networks = builtins.listToAttrs (builtins.map ({
+ name,
+ index,
+ }: {
+ name = "30-vm${toString index}";
+ value = {
+ matchConfig.Name = "vm${toString index}";
+ address = [
+ "10.0.${toString index}.254/24" # Host gateway
+ ];
+ routes = [
 {
- Address = "10.0.0.1/24";
+ Destination = "10.0.${toString index}.1/24";
 }
 ];
+ networkConfig = {
+ IPv4Forwarding = true;
+ };
 };
- "11-microvm" = pkgs.lib.mkIf (!routed) {
- matchConfig.Name = "vm-*";
- # Attach to bridge configured above
- networkConfig.Bridge = "microvm";
- };
- };
+ })
+ attrSet);
 # NAT (make vms accessible in host)
 networking.nat = {
 enable = true;
 externalInterface = "enp2s0";
- internalIPs = pkgs.lib.mkIf routed ["10.0.0.0/24"];
- internalInterfaces = pkgs.lib.mkIf (!routed) ["microvm"];
+ internalIPs = ["10.0.1.0/24"];
+ internalInterfaces = ["vm1"];
 };
 }
diff --git a/modules/users.nix b/modules/users.nix
index 2836f53..4a38d83 100755
--- a/modules/users.nix
+++ b/modules/users.nix
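Review bot: The NAT section is hard-coded to one guest (`internalIPs = ["10.0.1.0/24"]; internalInterfaces = ["vm1"];`) while `systemd.network.networks` directly above is generated for every entry of `attrSet`, so any second microvm gets a `30-vmN` network but no masquerading. Derive both from the same list: `internalIPs = map ({index, ...}: "10.0.${toString index}.0/24") attrSet;` and `internalInterfaces = map ({index, ...}: "vm${toString index}") attrSet;`. The masquerade also lets each guest reach anything via `enp2s0`; since the auto-torrent guest is meant to talk only to its WireGuard endpoint, the host is the natural place to pin that (a FORWARD rule from `vm1` accepting only that endpoint and port, rejecting the rest) so a routing slip inside the guest cannot leak. The `routes` entry `Destination = "10.0.${toString index}.1/24"` is already covered by the connected route the `/24` address creates; drop it, or make it `/32` if a host route was the intent.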
@@ -25,14 +25,14 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ3uc8UB9m6NPkXHETTJrzxB6M+SfUiBx6YeWUSADU sxsgamer@gmail.com" ]; - shell = pkgs.zsh; + shell = pkgs.fish; }; - users.users."nixos" = { - isNormalUser = true; - extraGroups = ["wheel"]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux" - ]; + programs.fish = { + enable = true; + shellAbbrs = { + "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos"; + "vmr" = "rm ~/.ssh/known_hosts; ssh root@10.0.0.1"; + }; }; } diff --git a/services/auto-torrent.nix b/services/auto-torrent.nix index 0d06887..fb1602e 100644 --- a/services/auto-torrent.nix +++ b/services/auto-torrent.nix @@ -4,11 +4,13 @@ ... }: let lib = pkgs.lib; - host = "10.0.0.${toString vm-index}"; + host = "10.0.${toString vm-index}.1"; port = 8989; vm-index = 1; vm-mac = "02:00:00:00:00:02"; vm-name = "auto-torrent"; + vpn-endpoint = "193.32.248.70"; + enable-services = true; in { microvm.autostart = [vm-name]; @@ -37,7 +39,9 @@ in { # 1gb of memory microvm.mem = 1024; - microvm.shares = [ + microvm.shares = let + proto = "virtiofs"; + in [ { tag = "ro-store"; source = "/nix/store"; @@ -47,13 +51,13 @@ in { tag = "data-dir"; source = "/var/lib/${vm-name}"; mountPoint = "/mnt"; - proto = "virtiofs"; + inherit proto; } { tag = "media-dir"; source = "/media"; mountPoint = "/media"; - proto = "virtiofs"; + inherit proto; } ]; @@ -62,18 +66,13 @@ in { systemd.network.networks."10-eth" = { matchConfig.MACAddress = vm-mac; address = [ - "10.0.0.${toString vm-index}/32" + "10.0.${toString vm-index}.1/24" ]; routes = [ - # Host Route - { - Destination = "10.0.0.0/32"; - GatewayOnLink = true; - } # Default route { - Destination = "0.0.0.0/0"; - Gateway = "10.0.0.0"; + Destination = "${toString vpn-endpoint}/32"; + Gateway = "10.0.${toString vm-index}.254"; GatewayOnLink = true; } ]; 
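Review bot: The new `vmr` abbreviation runs `rm ~/.ssh/known_hosts` before connecting, which wipes the host-key pins for every host this user has ever SSHed to, not just the microvm, and silently re-trusts whatever answers next; it also targets `10.0.0.1`, while this same commit moves the guest to `10.0.${vm-index}.1` (10.0.1.1 for index 1 in `services/auto-torrent.nix`) and the host gateway to `.254`. Forget only the one key and use the new address: `"vmr" = "ssh-keygen -R 10.0.1.1; ssh root@10.0.1.1";`, or give ssh a throwaway hosts file (`-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`) if the guest's host key genuinely changes on every rebuild.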
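Review bot: The `# Default route` comment over the only remaining route is now wrong: the entry sends just `${vpn-endpoint}/32` to the host gateway `10.0.${vm-index}.254`, and the deliberate absence of a default route is what keeps non-tunnel traffic inside the guest once the iptables kill switch is dropped elsewhere in this commit, so say that instead: `# Intentionally no default route: only the WireGuard endpoint is reachable via the host; everything else must go through wg0 (see start-wireguard)`. `vpn-endpoint` is already a string, so the `toString` wrapper is a no-op. The literal `193.32.248.70` must agree with the `Endpoint` inside the `.conf` that `wg-quick` reads (not visible here); the old inline peer used `193.32.248.66`, and a mismatch leaves the tunnel unable to handshake — it fails closed, but a comment tying the two together, or a single source of truth, would avoid a silent outage.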
@@ -93,8 +92,28 @@ in {
 "8.8.4.4"
 ];
- systemd.services."wireguard-kill-switch" = {
- description = "Wireguard Kill Switch";
+ # systemd.services."wireguard-kill-switch" = {
+ # description = "Wireguard Kill Switch";
+ # after = ["network-online.target"];
+ # wants = ["network-online.target"];
+ # wantedBy = ["multi-user.target"];
+
+ # serviceConfig = {
+ # type = "oneshot";
+ # ExecStart = pkgs.writeShellScript "wgconf.sh" ''
+ # # Block any traffic not going throug the vpn that isnt to the local network
+ # ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
+
+ # # Route local traffic through wg0 except local traffic
+ # ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
+ # ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0
+ # '';
+ # RemainAfterExit = "yes";
+ # };
+ # };
+
+ systemd.services."start-wireguard" = {
+ description = "Start wireguard mullvad";
 after = ["network-online.target"];
 wants = ["network-online.target"];
 wantedBy = ["multi-user.target"];
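Review bot: The kill switch is commented out rather than removed, and nothing in the new `start-wireguard` unit replaces the `iptables ... ! -o wg0 ... -j REJECT` rule; after this commit the guest's only leak protection appears to be that `10-eth` (earlier hunk) carries no default route, which any later route source would silently undo. Either delete the dead block (git keeps it) or keep a single REJECT rule as defence in depth, updated for the new addressing and for the fwmark `wg-quick` actually sets, since the old `--mark 42` and `10.0.0.0/32` values are both stale now. The unit's definition continues in the next hunk, where the `serviceConfig` key is spelled `type = "oneshot"`; systemd keys are case-sensitive, so that line is warned about and ignored and the unit runs as `Type=simple` — write `Type = "oneshot";`.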
@@ -102,90 +121,77 @@ in {
 serviceConfig = {
 type = "oneshot";
 ExecStart = pkgs.writeShellScript "wgconf.sh" ''
- # Stay a while and listen
- # ${pkgs.toybox}/bin/sleep 5
- # Route local traffic through wg0 except local traffic
- ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
- ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
- # Block all traffic that isnt local or through the vpn
- ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
+ ${pkgs.wireguard-tools}/bin/wg-quick up /mnt/de-ber-wg-005.conf
 '';
 RemainAfterExit = "yes";
 };
 };
 networking.wireguard.enable = true;
- systemd.network = {
- netdevs."10-wg0" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
- MTUBytes = "1300";
- };
- wireguardConfig = {
- PrivateKeyFile = "${./wireguard-secret}";
- FirewallMark = 42;
- ListenPort = 51820;
- };
- wireguardPeers = [
- {
- PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
- AllowedIPs = ["0.0.0.0/0"];
- Endpoint = "193.32.248.66:51820";
- # PersistentKeepalive = 25;
- }
- ];
- };
- networks."wg0" = {
- matchConfig.Name = "wg0";
- address = [
- " 10.65.241.123/32"
- ];
- DHCP = "no";
- dns = ["10.64.0.1"];
- gateway = [
- "10.0.0.0"
- ];
- };
- };
+ # systemd.network = {
+ # netdevs."10-wg0" = {
+ # netdevConfig = {
+ # Kind = "wireguard";
+ # Name = "wg0";
+ # MTUBytes = "1300";
+ # };
+ # wireguardConfig = {
+ # PrivateKeyFile = "${./wireguard-secret}";
+ # FirewallMark = 42;
+ # ListenPort = 51820;
+ # };
+ # wireguardPeers = [
+ # {
+ # PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
+ # AllowedIPs = ["0.0.0.0/0"];
+ # Endpoint = "193.32.248.66:51820";
+ # PersistentKeepalive = 25;
+ # }
+ # ];
+ # };
+ # networks."wg0" = {
+ # matchConfig.Name = "wg0";
+ # address = [
+ # "10.65.241.123/32"
+ # ];
+ # DHCP = "no";
+ # dns = ["10.64.0.1"];
+ # # gateway = [
+ # # "10.0.0.0"
+ # # ];
+ # };
+ # };
 # Sleep them for a while to make sure everything is set up
- systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
- systemd.services.radarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
- systemd.services.jackett.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
- systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
+ systemd.services.sonarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+ systemd.services.radarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+ systemd.services.jackett.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+ systemd.services.rutorrent.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
 # fuck nano
 programs.nano.enable = lib.mkForce false;
 programs.vim.enable = true;
 # Services
- services.sonarr = {
+ services.sonarr = pkgs.lib.mkIf enable-services {
 enable = true;
 openFirewall = true;
 dataDir = "/mnt/sonarr";
 };
- services.radarr = {
+ services.radarr = pkgs.lib.mkIf enable-services {
 enable = true;
 openFirewall = true;
 dataDir = "/mnt/radarr";
 };
- # services.prowlarr = {
- # enable = true;
- # openFirewall = true;
- # };
- # Prowlarr doesnt have a dataDir option
- # systemd.services.prowlarr.serviceConfig.ExecStart = pkgs.lib.mkForce "${lib.getExe pkgs.prowlarr} -nobrowser -data=/mnt/prowlarr";
-
- services.jackett = {
+ services.jackett = pkgs.lib.mkIf enable-services {
 enable = true;
 dataDir = "/mnt/jackett";
 openFirewall = true;
 };
- services.transmission = {
+ services.transmission = pkgs.lib.mkIf enable-services {
 enable = true;
- openFirewall = false;
+ openFirewall = true;
 home = "/mnt/transmission";
 settings.download-dir = "/mnt/transmission";
 settings.incomplete-dir = "/mnt/transmission/.incomplete";
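Review bot: `services.transmission.openFirewall` flips from `false` to `true`, and NixOS `openFirewall` opens the ports on every interface of the guest, which after `wg-quick up` includes `wg0` (presumably a full-tunnel config, given the old inline peer's `AllowedIPs = ["0.0.0.0/0"]`), so the transmission RPC/web port (9091 by default) becomes reachable from the VPN side unless the provider filters inbound; sonarr, radarr and jackett already carry the same `openFirewall = true`. Restrict it to the host-facing link: `openFirewall = false;` plus `networking.firewall.interfaces.eth0.allowedTCPPorts = [ 9091 ];` (the peer port can reasonably stay open on `wg0` for incoming torrent connections). The four `ExecStartPre = ... sleep 1` lines are a race, not an ordering — nothing visible in this hunk orders these services after `start-wireguard.service`, so on a slow handshake they start before the tunnel exists; `systemd.services.transmission.after = ["start-wireguard.service"]; systemd.services.transmission.requires = ["start-wireguard.service"];` (and likewise for the others) states the intent. `wg-quick up /mnt/de-ber-wg-005.conf` also reads the private key from the virtiofs share that holds the app data directories, so confirm that file is root-owned `0600` on the host, since wg-quick only warns on a world-readable config.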
@@ -193,9 +199,11 @@ in {
 };
 # debugging
- users.users.root = {
- password = "supersecretpassword";
- };
+ # users.users.root = {
+ # password = "1";
+ # };
+
+ environment.systemPackages = [pkgs.wireguard-tools pkgs.tcpdump];
 services.openssh = {
 enable = true;
@@ -209,6 +217,14 @@ in {
 };
 };
+ # networking.nat.forwardPorts = [
+ # {
+ # proto = "tcp";
+ # sourcePort = 8989;
+ # destination = "10.0.1.1:8989";
+ # }
+ # ];
+
 # Sonarr
 services.nginx.virtualHosts."sonarr.spoodythe.one" = {
 addSSL = true;
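Review bot: The plaintext root password is replaced by a commented-out `# password = "1";` instead of being deleted; both the old `"supersecretpassword"` and this value remain in git history, and `users.users.root.password` is stored in plaintext in the world-readable Nix store of every generation that set it, so treat it as burned and, if console access to root is really needed for debugging, use `hashedPasswordFile` pointing at a file outside the store. Commented-out config (`# users.users.root` here and the `# networking.nat.forwardPorts` block in the following hunk) should be removed rather than kept — git has it. `environment.systemPackages = [pkgs.wireguard-tools pkgs.tcpdump]` is reasonable for a debug guest but deserves a `# debugging only, remove once the tunnel is stable` note so it does not outlive the investigation.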