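{ config, pkgs, ... }:
let
  lib = pkgs.lib;

  # Identity of the auto-torrent microVM.
  vm-index = 1;
  vm-name = "auto-torrent";
  vm-mac = "02:00:00:00:00:02";

  # Guest address on the host-side tap network, and the Sonarr port proxied from it.
  host = "10.0.${toString vm-index}.1";
  port = 8989;

  # Public address of the WireGuard peer: the only non-local destination the guest
  # is given a route to (see the "10-eth" network below).
  # NOTE(review): this has to match the Endpoint in the wg-quick config loaded from
  # /mnt; the commented-out systemd-networkd peer further down used a different
  # address, so confirm which one the active config carries.
  vpn-endpoint = "193.32.248.70";

  # Master switch for the *arr/transmission services inside the guest.
  enable-services = true;
in {
  microvm.autostart = [ vm-name ];

  # users.extraUsers is a deprecated alias of users.users.
  users.users.microvm.extraGroups = [
    "jellyfin" # access to the media folder
  ];

  # Create the guest's persistent data directory on the host.
  # NOTE(review): 777 makes the data dir (also holding the wg-quick config, which
  # normally contains the tunnel's private key) and the whole media tree
  # world-writable on the host. Ownership by the microvm user plus 770/775 is
  # enough for the virtiofs shares below.
  system.activationScripts."make-${vm-name}-data-dir" = lib.stringAfter [ "var" ] ''
    mkdir -p /var/lib/${vm-name}
    chmod -R 777 /var/lib/${vm-name}
    chown -R microvm /var/lib/${vm-name}
    chmod -R 777 /media
  '';

  microvm.vms.${vm-name} = {
    config = { ... }: {
      system.stateVersion = "25.05";

      microvm.interfaces = [
        {
          id = "vm${toString vm-index}";
          type = "tap";
          mac = vm-mac;
        }
      ];

      # 1 GiB of memory
      microvm.mem = 1024;

      # Read-only store plus the two host directories the services work on.
      microvm.shares = let proto = "virtiofs"; in [
        {
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }
        {
          tag = "data-dir";
          source = "/var/lib/${vm-name}";
          mountPoint = "/mnt";
          inherit proto;
        }
        {
          tag = "media-dir";
          source = "/media";
          mountPoint = "/media";
          inherit proto;
        }
      ];

      networking.useNetworkd = true;
      networking.usePredictableInterfaceNames = false;
      networking.useDHCP = false;

      systemd.network.networks."10-eth" = {
        matchConfig.MACAddress = vm-mac;
        address = [ "${host}/24" ];
        routes = [
          # Deliberately NOT a default route: only the VPN endpoint is reachable
          # through the tap gateway, so while the tunnel is down nothing else has
          # a path out of the guest (a routing-level counterpart of the
          # commented-out iptables kill switch below).
          {
            Destination = "${vpn-endpoint}/32";
            Gateway = "10.0.${toString vm-index}.254";
            GatewayOnLink = true;
          }
        ];
        networkConfig = {
          DNS = [ "9.9.9.9" "8.8.8.8" "8.8.4.4" ];
        };
      };
      networking.nameservers = [ "10.0.101.1" "8.8.8.8" "8.8.4.4" ];

      # systemd.services."wireguard-kill-switch" = {
      #   description = "Wireguard Kill Switch";
      #   after = ["network-online.target"];
      #   wants = ["network-online.target"];
      #   wantedBy = ["multi-user.target"];
      #   serviceConfig = {
      #     type = "oneshot";
      #     ExecStart = pkgs.writeShellScript "wgconf.sh" ''
      #       # Block any traffic not going throug the vpn that isnt to the local network
      #       ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
      #       # Route local traffic through wg0 except local traffic
      #       ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
      #       ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0
      #     '';
      #     RemainAfterExit = "yes";
      #   };
      # };

      # Bring the Mullvad tunnel up from the wg-quick config on the shared data dir.
      # The unit must be Type=oneshot so that anything ordered after it waits for
      # wg-quick to finish; the systemd key is "Type" with a capital T — the previous
      # lower-case "type" is not a known key and was ignored, leaving the default
      # Type=simple.
      systemd.services."start-wireguard" = {
        description = "Start wireguard mullvad";
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = pkgs.writeShellScript "wgconf.sh" ''
            ${pkgs.wireguard-tools}/bin/wg-quick up /mnt/de-ber-wg-005.conf
          '';
          RemainAfterExit = "yes";
        };
      };
      networking.wireguard.enable = true;

      # systemd.network = {
      #   netdevs."10-wg0" = {
      #     netdevConfig = {
      #       Kind = "wireguard";
      #       Name = "wg0";
      #       MTUBytes = "1300";
      #     };
      #     wireguardConfig = {
      #       PrivateKeyFile = "${./wireguard-secret}";
      #       FirewallMark = 42;
      #       ListenPort = 51820;
      #     };
      #     wireguardPeers = [
      #       {
      #         PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
      #         AllowedIPs = ["0.0.0.0/0"];
      #         Endpoint = "193.32.248.66:51820";
      #         PersistentKeepalive = 25;
      #       }
      #     ];
      #   };
      #   networks."wg0" = {
      #     matchConfig.Name = "wg0";
      #     address = [
      #       "10.65.241.123/32"
      #     ];
      #     DHCP = "no";
      #     dns = ["10.64.0.1"];
      #     # gateway = [
      #     #   "10.0.0.0"
      #     # ];
      #   };
      # };

      # Give the tunnel a moment before the services come up.
      # NOTE(review): no rutorrent service is defined in this file (transmission is
      # the torrent client below), so the rutorrent entry only creates an unused unit.
      systemd.services.sonarr.serviceConfig.ExecStartPre = lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
      systemd.services.radarr.serviceConfig.ExecStartPre = lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
      systemd.services.jackett.serviceConfig.ExecStartPre = lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
      systemd.services.rutorrent.serviceConfig.ExecStartPre = lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";

      # vim instead of nano
      programs.nano.enable = lib.mkForce false;
      programs.vim.enable = true;

      # Services, all keeping their state on the shared data dir.
      services.sonarr = lib.mkIf enable-services {
        enable = true;
        openFirewall = true;
        dataDir = "/mnt/sonarr";
      };
      services.radarr = lib.mkIf enable-services {
        enable = true;
        openFirewall = true;
        dataDir = "/mnt/radarr";
      };
      services.jackett = lib.mkIf enable-services {
        enable = true;
        dataDir = "/mnt/jackett";
        openFirewall = true;
      };
      services.transmission = lib.mkIf enable-services {
        enable = true;
        openFirewall = true;
        home = "/mnt/transmission";
        settings.download-dir = "/mnt/transmission";
        settings.incomplete-dir = "/mnt/transmission/.incomplete";
        downloadDirPermissions = "775";
      };

      # debugging
      # users.users.root = {
      #   password = "1";
      # };

      environment.systemPackages = [ pkgs.wireguard-tools pkgs.tcpdump ];

      # NOTE(review): the guest's sshd allows root login with password and
      # keyboard-interactive auth. It is presumably only reachable over the host's
      # tap network, but together with the commented-out "1" root password above it
      # is one uncomment away from a trivial login. Key-only access
      # (PasswordAuthentication = false, PermitRootLogin = "prohibit-password")
      # keeps remote debugging possible without that.
      services.openssh = {
        enable = true;
        settings = {
          PermitRootLogin = "yes";
          AllowUsers = null;
          PasswordAuthentication = true;
          KbdInteractiveAuthentication = true;
        };
      };
    };
  };

  # networking.nat.forwardPorts = [
  #   {
  #     proto = "tcp";
  #     sourcePort = 8989;
  #     destination = "10.0.1.1:8989";
  #   }
  # ];

  # Reverse proxies from the host to the guest's web UIs.
  # NOTE(review): every vhost also listens in the clear on the backend's own port
  # (8989 / 7878 / 9117) on all host interfaces, so each UI is reachable without
  # TLS next to its HTTPS listener. With `listen` set explicitly there is also no
  # port-80 listener here for the ACME HTTP-01 challenge unless another module
  # provides one — verify that certificate issuance actually succeeds.

  # Sonarr
  services.nginx.virtualHosts."sonarr.spoodythe.one" = {
    addSSL = true;
    enableACME = true;
    listen = [
      { inherit port; addr = "0.0.0.0"; ssl = false; }
      { port = 443; addr = "0.0.0.0"; ssl = true; }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
    };
  };

  # Radarr
  services.nginx.virtualHosts."radarr.spoodythe.one" = let port = 7878; in {
    addSSL = true;
    enableACME = true;
    listen = [
      { inherit port; addr = "0.0.0.0"; ssl = false; }
      { port = 443; addr = "0.0.0.0"; ssl = true; }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
    };
  };

  # Jackett
  services.nginx.virtualHosts."jackett.spoodythe.one" = let port = 9117; in {
    addSSL = true;
    enableACME = true;
    listen = [
      { inherit port; addr = "0.0.0.0"; ssl = false; }
      { port = 443; addr = "0.0.0.0"; ssl = true; }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
    };
  };

  # Host firewall for the nginx listeners above (8989, 7878, 9117 and 443) plus 80.
  # The last entry was "433", a typo for 443, so this file never opened the HTTPS
  # listeners' port.
  # NOTE(review): nothing in this file listens on UDP or on 9696; the UDP list and
  # 9696 only widen the host's exposed surface and can be dropped if no other
  # module relies on them.
  networking.firewall.allowedTCPPorts = [ port 9117 7878 9696 80 443 ];
  networking.firewall.allowedUDPPorts = [ port 9117 7878 9696 80 443 ];
}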