it actually fucking works this time

This commit is contained in:
baritone 2025-03-11 10:29:40 +01:00
parent 4f71dadd01
commit d0b886ea3d
5 changed files with 126 additions and 128 deletions


@ -38,13 +38,13 @@
# Enable microcode updates # Enable microcode updates
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
programs.zsh = { # programs.zsh = {
enable = true; # enable = true;
enableGlobalCompInit = true; # enableGlobalCompInit = true;
shellAliases = { # shellAliases = {
"nrb" = "sudo nixos-rebuild switch --flake /etc/nixos"; # "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
}; # };
}; # };
programs.ssh.startAgent = true; programs.ssh.startAgent = true;
programs.nano.enable = false; programs.nano.enable = false;


@ -79,10 +79,10 @@
swap-size = "128G"; swap-size = "128G";
root-disk = "/dev/nvme0n1"; root-disk = "/dev/nvme0n1";
raid-disks = [ raid-disks = [
# "sda" "sda"
# "sdb" "sdb"
# "sdc" "sdc"
# "sdd" "sdd"
]; ];
}) })
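Review bot: raid-disks now activates four bare kernel names (`"sda"` … `"sdd"`) while root-disk uses a full `/dev/nvme0n1` path; SATA kernel names can be renumbered when a disk or controller is added or enumerates in a different order, and for a RAID member list that means a different device can end up assembled or formatted than the one intended. If whatever consumes raid-disks accepts device paths, `/dev/disk/by-id/<stable-id>` entries (placeholder, take the ids from the host) are the stable choice; if it needs bare names, a short comment at that list saying the enumeration order is assumed stable would help the next reader. The attribute set these live in opens before the hunk.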


@ -8,51 +8,33 @@
index = i; index = i;
}) (builtins.attrNames config.microvm.vms); }) (builtins.attrNames config.microvm.vms);
in { in {
systemd.network.networks = systemd.network.networks = builtins.listToAttrs (builtins.map ({
if routed name,
then index,
builtins.listToAttrs (builtins.map ({ }: {
name, name = "30-vm${toString index}";
index, value = {
}: { matchConfig.Name = "vm${toString index}";
name = "30-vm${toString index}"; address = [
value = { "10.0.${toString index}.254/24" # Host gateway
matchConfig.Name = "vm${toString index}"; ];
address = [ routes = [
"10.0.0.0/32"
];
routes = [
{
Destination = "10.0.0.${toString index}/32";
}
];
networkConfig = {IPv4Forwarding = true;};
};
})
attrSet)
else {
"10-microvm" = {
matchConfig.Name = "microvm";
networkConfig.DHCPServer = true;
networkConfig.IPv6SendRA = true;
addresses = [
{ {
Address = "10.0.0.1/24"; Destination = "10.0.${toString index}.1/24";
} }
]; ];
networkConfig = {
IPv4Forwarding = true;
};
}; };
"11-microvm" = pkgs.lib.mkIf (!routed) { })
matchConfig.Name = "vm-*"; attrSet);
# Attach to bridge configured above
networkConfig.Bridge = "microvm";
};
};
# NAT (make vms accessible in host) # NAT (make vms accessible in host)
networking.nat = { networking.nat = {
enable = true; enable = true;
externalInterface = "enp2s0"; externalInterface = "enp2s0";
internalIPs = pkgs.lib.mkIf routed ["10.0.0.0/24"]; internalIPs = ["10.0.1.0/24"];
internalInterfaces = pkgs.lib.mkIf (!routed) ["microvm"]; internalInterfaces = ["vm1"];
}; };
} }
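Review bot: The NAT block at the bottom of the hunk is hard-coded to one VM (`internalIPs = ["10.0.1.0/24"]`, `internalInterfaces = ["vm1"]`) while the networks above it are generated for every entry in attrSet, so any VM with an index other than 1 gets an address and a forwarding-enabled interface but no masquerading; deriving both lists from the same set keeps them in step, e.g. `internalIPs = builtins.map ({index, ...}: "10.0.${toString index}.0/24") attrSet;` and `internalInterfaces = builtins.map ({index, ...}: "vm${toString index}") attrSet;`. The generated route `Destination = "10.0.${toString index}.1/24"` has host bits set; the interface address `10.0.${toString index}.254/24` already gives networkd the connected /24, so either drop the route or make it the host route that the `.1` suggests, `Destination = "10.0.${toString index}.1/32";`. The old `routed`/bridge branch is gone entirely; if the topology is now routed-only by design, a one-line comment above `systemd.network.networks` saying so would save the next reader from looking for the `11-microvm` bridge.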


@ -25,14 +25,14 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ3uc8UB9m6NPkXHETTJrzxB6M+SfUiBx6YeWUSADU sxsgamer@gmail.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ3uc8UB9m6NPkXHETTJrzxB6M+SfUiBx6YeWUSADU sxsgamer@gmail.com"
]; ];
shell = pkgs.zsh; shell = pkgs.fish;
}; };
users.users."nixos" = { programs.fish = {
isNormalUser = true; enable = true;
extraGroups = ["wheel"]; shellAbbrs = {
openssh.authorizedKeys.keys = [ "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux" "vmr" = "rm ~/.ssh/known_hosts; ssh root@10.0.0.1";
]; };
}; };
} }
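Review bot: The new `vmr` abbreviation in shellAbbrs deletes the whole `~/.ssh/known_hosts` before connecting, which throws away the recorded host keys of every host this user has ever reached and makes the next connection to each of them accept whatever key is presented, not just the rebuilt VM's; `ssh-keygen -R` removes only that host's entry and keeps verification for everything else, so `"vmr" = "ssh-keygen -R 10.0.0.1; ssh root@10.0.0.1";`. The target `10.0.0.1` also looks stale: the other files in this commit move VMs to `10.0.<index>.1` with the host at `10.0.<index>.254`, so the first VM would now be `10.0.1.1` — worth confirming against the VM actually meant here. The users block the first lines belong to starts before the hunk.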


@ -4,11 +4,13 @@
... ...
}: let }: let
lib = pkgs.lib; lib = pkgs.lib;
host = "10.0.0.${toString vm-index}"; host = "10.0.${toString vm-index}.1";
port = 8989; port = 8989;
vm-index = 1; vm-index = 1;
vm-mac = "02:00:00:00:00:02"; vm-mac = "02:00:00:00:00:02";
vm-name = "auto-torrent"; vm-name = "auto-torrent";
vpn-endpoint = "193.32.248.70";
enable-services = true;
in { in {
microvm.autostart = [vm-name]; microvm.autostart = [vm-name];
@ -37,7 +39,9 @@ in {
# 1gb of memory # 1gb of memory
microvm.mem = 1024; microvm.mem = 1024;
microvm.shares = [ microvm.shares = let
proto = "virtiofs";
in [
{ {
tag = "ro-store"; tag = "ro-store";
source = "/nix/store"; source = "/nix/store";
@ -47,13 +51,13 @@ in {
tag = "data-dir"; tag = "data-dir";
source = "/var/lib/${vm-name}"; source = "/var/lib/${vm-name}";
mountPoint = "/mnt"; mountPoint = "/mnt";
proto = "virtiofs"; inherit proto;
} }
{ {
tag = "media-dir"; tag = "media-dir";
source = "/media"; source = "/media";
mountPoint = "/media"; mountPoint = "/media";
proto = "virtiofs"; inherit proto;
} }
]; ];
@ -62,18 +66,13 @@ in {
systemd.network.networks."10-eth" = { systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac; matchConfig.MACAddress = vm-mac;
address = [ address = [
"10.0.0.${toString vm-index}/32" "10.0.${toString vm-index}.1/24"
]; ];
routes = [ routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route # Default route
{ {
Destination = "0.0.0.0/0"; Destination = "${toString vpn-endpoint}/32";
Gateway = "10.0.0.0"; Gateway = "10.0.${toString vm-index}.254";
GatewayOnLink = true; GatewayOnLink = true;
} }
]; ];
@ -93,8 +92,28 @@ in {
"8.8.4.4" "8.8.4.4"
]; ];
systemd.services."wireguard-kill-switch" = { # systemd.services."wireguard-kill-switch" = {
description = "Wireguard Kill Switch"; # description = "Wireguard Kill Switch";
# after = ["network-online.target"];
# wants = ["network-online.target"];
# wantedBy = ["multi-user.target"];
# serviceConfig = {
# type = "oneshot";
# ExecStart = pkgs.writeShellScript "wgconf.sh" ''
# # Block any traffic not going throug the vpn that isnt to the local network
# ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
# # Route local traffic through wg0 except local traffic
# ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
# ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0
# '';
# RemainAfterExit = "yes";
# };
# };
systemd.services."start-wireguard" = {
description = "Start wireguard mullvad";
after = ["network-online.target"]; after = ["network-online.target"];
wants = ["network-online.target"]; wants = ["network-online.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
@ -102,90 +121,77 @@ in {
serviceConfig = { serviceConfig = {
type = "oneshot"; type = "oneshot";
ExecStart = pkgs.writeShellScript "wgconf.sh" '' ExecStart = pkgs.writeShellScript "wgconf.sh" ''
# Stay a while and listen ${pkgs.wireguard-tools}/bin/wg-quick up /mnt/de-ber-wg-005.conf
# ${pkgs.toybox}/bin/sleep 5
# Route local traffic through wg0 except local traffic
${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
# Block all traffic that isnt local or through the vpn
${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
''; '';
RemainAfterExit = "yes"; RemainAfterExit = "yes";
}; };
}; };
networking.wireguard.enable = true; networking.wireguard.enable = true;
systemd.network = { # systemd.network = {
netdevs."10-wg0" = { # netdevs."10-wg0" = {
netdevConfig = { # netdevConfig = {
Kind = "wireguard"; # Kind = "wireguard";
Name = "wg0"; # Name = "wg0";
MTUBytes = "1300"; # MTUBytes = "1300";
}; # };
wireguardConfig = { # wireguardConfig = {
PrivateKeyFile = "${./wireguard-secret}"; # PrivateKeyFile = "${./wireguard-secret}";
FirewallMark = 42; # FirewallMark = 42;
ListenPort = 51820; # ListenPort = 51820;
}; # };
wireguardPeers = [ # wireguardPeers = [
{ # {
PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw="; # PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
AllowedIPs = ["0.0.0.0/0"]; # AllowedIPs = ["0.0.0.0/0"];
Endpoint = "193.32.248.66:51820"; # Endpoint = "193.32.248.66:51820";
# PersistentKeepalive = 25; # PersistentKeepalive = 25;
} # }
]; # ];
}; # };
networks."wg0" = { # networks."wg0" = {
matchConfig.Name = "wg0"; # matchConfig.Name = "wg0";
address = [ # address = [
" 10.65.241.123/32" # "10.65.241.123/32"
]; # ];
DHCP = "no"; # DHCP = "no";
dns = ["10.64.0.1"]; # dns = ["10.64.0.1"];
gateway = [ # # gateway = [
"10.0.0.0" # # "10.0.0.0"
]; # # ];
}; # };
}; # };
# Sleep them for a while to make sure everything is set up # Sleep them for a while to make sure everything is set up
systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1"; systemd.services.sonarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
systemd.services.radarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1"; systemd.services.radarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
systemd.services.jackett.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1"; systemd.services.jackett.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1"; systemd.services.rutorrent.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
# fuck nano # fuck nano
programs.nano.enable = lib.mkForce false; programs.nano.enable = lib.mkForce false;
programs.vim.enable = true; programs.vim.enable = true;
# Services # Services
services.sonarr = { services.sonarr = pkgs.lib.mkIf enable-services {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
dataDir = "/mnt/sonarr"; dataDir = "/mnt/sonarr";
}; };
services.radarr = { services.radarr = pkgs.lib.mkIf enable-services {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
dataDir = "/mnt/radarr"; dataDir = "/mnt/radarr";
}; };
# services.prowlarr = { services.jackett = pkgs.lib.mkIf enable-services {
# enable = true;
# openFirewall = true;
# };
# Prowlarr doesnt have a dataDir option
# systemd.services.prowlarr.serviceConfig.ExecStart = pkgs.lib.mkForce "${lib.getExe pkgs.prowlarr} -nobrowser -data=/mnt/prowlarr";
services.jackett = {
enable = true; enable = true;
dataDir = "/mnt/jackett"; dataDir = "/mnt/jackett";
openFirewall = true; openFirewall = true;
}; };
services.transmission = { services.transmission = pkgs.lib.mkIf enable-services {
enable = true; enable = true;
openFirewall = false; openFirewall = true;
home = "/mnt/transmission"; home = "/mnt/transmission";
settings.download-dir = "/mnt/transmission"; settings.download-dir = "/mnt/transmission";
settings.incomplete-dir = "/mnt/transmission/.incomplete"; settings.incomplete-dir = "/mnt/transmission/.incomplete";
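Review bot: `wg-quick up /mnt/de-ber-wg-005.conf` now reads the WireGuard config, private key included, from the `data-dir` virtiofs share (`/var/lib/${vm-name}` on the host, mounted at `/mnt`), which is the same tree the sonarr/radarr/jackett/transmission dataDirs sit in (`/mnt/sonarr` and so on); whether those service accounts can read the `.conf` depends on the mode it was given on the host, which nothing in the diff pins down, so it is worth checking it is root-owned and 0600 and adding a comment at that line, e.g. `# wg config (incl. private key) is provisioned out of band on the host share; must be root:root 0600`. With the kill-switch service in the previous hunk commented out, the only thing keeping traffic off the plain uplink is routing (the `0.0.0.0/0` route became a `/32` to `vpn-endpoint` via `.254`), which is fine while `wg0` is up but silently stops being a kill switch the moment anything installs a default route on eth0 — stated as a hedge, since the conf's own `Table`/`PostUp` settings are not visible. `vpn-endpoint = "193.32.248.70"` duplicates whatever Endpoint is inside the conf (the old netdev used `.66`); if they disagree the handshake has no route and fails quietly, so a comment tying the two together would help, and `toString` on a string is a no-op, so `"${vpn-endpoint}/32"` reads cleaner. `services.transmission.openFirewall` flipping `false` → `true` widens the VM firewall; confirm which ports that option opens in this NixOS version before relying on it only exposing the peer port. The `in { … }` attrset these hunks belong to starts and ends outside the hunk.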
@ -193,9 +199,11 @@ in {
}; };
# debugging # debugging
users.users.root = { # users.users.root = {
password = "supersecretpassword"; # password = "1";
}; # };
environment.systemPackages = [pkgs.wireguard-tools pkgs.tcpdump];
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -209,6 +217,14 @@ in {
}; };
}; };
# networking.nat.forwardPorts = [
# {
# proto = "tcp";
# sourcePort = 8989;
# destination = "10.0.1.1:8989";
# }
# ];
# Sonarr # Sonarr
services.nginx.virtualHosts."sonarr.spoodythe.one" = { services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true; addSSL = true;