aughr

configuration.nix

@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  inputs,
+  ...
+}: {
   imports = [
     ./services/nginx.nix
     ./services/openssh.nix
@@ -11,6 +15,7 @@
     ./services/sonarr.nix
     ./services/misc.nix
 
+    ./modules/age.nix
     ./modules/microvm.nix
     ./modules/git.nix
     ./modules/nix-settings.nix
@@ -45,6 +50,8 @@
     curl
     git
     vim
+
+    inputs.agenix.packages."${system}".default
   ];
 
   environment.variables = {

flake.nix

@@ -35,10 +35,6 @@
     nixpkgs,
     ...
   } @ inputs: let
-    # lib = import ./lib {
-    #   inherit nixpkgs;
-    #   inherit self;
-    # };
     system = "x86_64-linux";
     pkgs = import nixpkgs {inherit system;};
   in {

modules/age.nix

@@ -0,0 +1,3 @@
+{config, ...}: {
+  # This is where the age files go
+}

secrets/secrets.nix

@@ -0,0 +1,4 @@
+let
+  public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server";
+in {
+}

services/forgejo.nix

@@ -29,7 +29,7 @@ in {
   };
 
   services.nginx.virtualHosts."git.spoodythe.one" = {
-    addSSL = true;
+    forceSSL = true;
     enableACME = true;
     locations."/" = {
       proxyPass = "http://${host}:${toString port}";

services/jellyfin.nix

@@ -45,14 +45,22 @@ in {
 
   config.services.nginx.
     virtualHosts."media.spoodythe.one" = {
-    addSSL = true;
+    forceSSL = true;
     enableACME = true;
     locations."/" = {
       proxyPass = "http://${host}:${toString port}";
+      extraConfig = ''
+        # Websocket support
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+      '';
     };
   };
 
   # Open port 80 and 443 for reverse proxy
-  config.networking.firewall.allowedTCPPorts = [80 443];
-  config.networking.firewall.allowedUDPPorts = [80 443];
+  config.networking.firewall.allowedTCPPorts = [port 80 443];
+  config.networking.firewall.allowedUDPPorts = [port 80 443];
 }

services/sonarr.nix

@@ -1,24 +1,56 @@
 {
   pkgs,
   lib,
+  config,
   ...
 }: let
   host = "127.0.0.1";
   port = 8989;
   vm-index = 1;
   vm-mac = "00:00:00:00:00:01";
-  vm-name = "sonarr";
+  vm-name = "necoarc";
 in {
   config.microvm.autostart = [vm-name];
 
+  config.users.extraUsers.microvm.extraGroups = [
+    "jellyfin" # access to media folder
+  ];
+
   config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
     mkdir -p /var/lib/${vm-name}
     chmod -R 777 /var/lib/${vm-name}
     chown -R microvm /var/lib/${vm-name}
+    chmod -R 777 /media
   '';
 
+  # config.networking.wireguard.enable = true;
+  # # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
+
+  # config.networking.wireguard.interfaces.wg0 = {
+  #   ips = ["10.75.60.108/32"];
+  #   listenPort = 51820;
+  #   privateKeyFile = "${./wireguard-secret}";
+  #   peers = [
+  #     {
+  #       publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
+  #       endpoint = "185.254.75.4:51820";
+  #       allowedIPs = ["0.0.0.0/0"];
+  #       persistentKeepalive = 25;
+  #     }
+  #   ];
+  # };
+
+  # config.systemd.network.networks.wg0 = {
+  #   matchConfig.Name = "wg0";
+  #   address = ["10.0.1.${toString vm-index}/24"];
+  #   networkConfig = {
+  #     IPMasquerade = "ipv4";
+  #     IPv4Forwarding = true;
+  #   };
+  # };
+
   config.microvm.vms.${vm-name} = {
-    config = {
+    config = {config, ...}: {
       system.stateVersion = "24.11";
       # Storage share configuration
       microvm.shares = [
@@ -30,19 +62,25 @@ in {
         {
           tag = "data-dir";
           source = "/var/lib/${vm-name}";
-          mountPoint = "/var/lib/sonarr";
+          mountPoint = "/mnt";
+          proto = "virtiofs";
+        }
+        {
+          tag = "media-dir";
+          source = "/media/shows";
+          mountPoint = "/media/shows";
           proto = "virtiofs";
         }
       ];
 
       # Allow the service to use the share
       system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
-        mkdir -p /var/lib/sonarr
-        chmod -R 770 /var/lib/sonarr
-        chown -R sonarr:sonarr /var/lib/sonarr
+        mkdir -p /mnt
+        chmod -R 770 /mnt
+        chown -R sonarr:sonarr /mnt
       '';
-
-		systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
+      systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
+      systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
 
       microvm.hypervisor = "qemu";
 
@@ -75,9 +113,12 @@ in {
         ];
         networkConfig = {
           DNS = [
-            "9.9.9.9"
-            "8.8.8.8"
-            "8.8.4.4"
+            # "9.9.9.9"
+            # "8.8.8.8"
+            # "8.8.4.4"
+
+            # Only allow mullvad DNS server
+            "10.64.0.1"
           ];
         };
       };
@@ -89,12 +130,72 @@ in {
         "8.8.4.4"
       ];
 
-      # Service
+      # Services
       services.sonarr = {
         enable = true;
         openFirewall = true;
+        dataDir = "/mnt/sonarr";
       };
 
+      services.rtorrent = {
+        enable = true;
+        dataDir = "/mnt/rtorrent";
+        user = "rtorrent";
+        group = "rtorrent";
+        port = 9999;
+      };
+
+      # networking.wireguard.enable = true;
+      # boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
+
+      # networking.wireguard.interfaces.wg0 = {
+      #   ips = ["10.75.60.108/32"];
+      #   listenPort = 51820;
+      #   privateKeyFile = "${./wireguard-secret}";
+      #   peers = [
+      #     {
+      #       publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
+      #       endpoint = "185.254.75.4:51820";
+      #       allowedIPs = ["0.0.0.0/0"];
+      #       persistentKeepalive = 25;
+      #     }
+      #   ];
+      # };
+
+      # networking.firewall.extraCommands = ''
+      #   ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+      # '';
+
+     #  services.openvpn.servers.mullvad = {
+     #    config = ''
+     #      client
+     #      dev tun
+     #      resolv-retry infinite
+     #      nobind
+     #      persist-key
+     #      persist-tun
+     #      verb 3
+     #      remote-cert-tls server
+     #      ping 10
+     #      ping-restart 60
+     #      sndbuf 524288
+     #      rcvbuf 524288
+     #      cipher AES-256-GCM
+     #      tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+     #      proto udp
+     #      auth-user-pass mullvad_userpass.txt
+     #      ca mullvad_ca.crt
+     #      script-security 2
+     #      up /etc/openvpn/update-resolv-conf
+     #      down /etc/openvpn/update-resolv-conf
+     #      fast-io
+     #      remote 193.32.248.72 1301 # de-ber-ovpn-001
+     #    '';
+     #    authUserPass.username = "9898431198930064";
+     #    authUserPass.password = "m";
+     #    updateResolvConf = true;
+     #  };
+
       # Debug user
       users.users."root" = {
         password = "1234";
@@ -113,4 +214,27 @@ in {
       };
     };
   };
+
+  config.networking.firewall.allowedTCPPorts = [port 80 433];
+  config.networking.firewall.allowedUDPPorts = [port 80 433];
+
+  config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
+    addSSL = true;
+    enableACME = true;
+    listen = [
+      {
+        port = 8989;
+        addr = "0.0.0.0";
+        ssl = false;
+      }
+      {
+        port = 443;
+        addr = "0.0.0.0";
+        ssl = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
+    };
+  };
 }