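# Host-side NixOS module: runs one `microvm` guest ("necoarc") that hosts Sonarr and
# rTorrent, shares a data directory and the media directory into it over virtiofs,
# and fronts Sonarr with an nginx virtual host on the host.
#
# Module arguments: `lib` is used for `lib.stringAfter`; `pkgs` is only referenced
# inside the guest config (and in a commented-out firewall rule); the outer `config`
# is shadowed by the guest's own `config` inside `microvm.vms.<name>.config`.
{ pkgs, lib, config, ... }:
let
  # TCP port Sonarr listens on inside the guest; the host also opens it and
  # the nginx vhost below proxies to it.
  port = 8989;
  # Index of this VM: selects its tap device name and its 10.0.0.<index> address.
  vm-index = 1;
  vm-mac = "00:00:00:00:00:01";
  vm-name = "necoarc";
in {
  config.microvm.autostart = [ vm-name ];

  config.users.extraUsers.microvm.extraGroups = [
    "jellyfin" # access to media folder
  ];

  # Create the guest's persistent data directory on the host before the VM starts.
  # NOTE(review): `chmod -R 777` on the data directory and on all of /media makes
  # them world-writable for every local user on the host. If the goal is only to let
  # virtiofsd (running as `microvm`) read and write them, group ownership with
  # 770/775 is the least-privilege equivalent. Left unchanged here because the
  # uid/gid mapping between host and guest is not visible in this file.
  config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter [ "var" ] ''
    mkdir -p /var/lib/${vm-name}
    chmod -R 777 /var/lib/${vm-name}
    chown -R microvm /var/lib/${vm-name}
    chmod -R 777 /media
  '';

  # Host-side WireGuard uplink (disabled, kept for reference).
  # NOTE(review): `privateKeyFile = "${./wireguard-secret}"` interpolates a path into
  # a string, which copies the key file into the world-readable /nix/store. If this
  # is re-enabled, point `privateKeyFile` at a plain path outside the store instead.
  # config.networking.wireguard.enable = true;
  #
  # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
  # config.networking.wireguard.interfaces.wg0 = {
  #   ips = ["10.75.60.108/32"];
  #   listenPort = 51820;
  #   privateKeyFile = "${./wireguard-secret}";
  #   peers = [
  #     {
  #       publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
  #       endpoint = "185.254.75.4:51820";
  #       allowedIPs = ["0.0.0.0/0"];
  #       persistentKeepalive = 25;
  #     }
  #   ];
  # };
  # config.systemd.network.networks.wg0 = {
  #   matchConfig.Name = "wg0";
  #   address = ["10.0.1.${toString vm-index}/24"];
  #   networkConfig = {
  #     IPMasquerade = "ipv4";
  #     IPv4Forwarding = true;
  #   };
  # };

  config.microvm.vms.${vm-name} = {
    # Guest configuration. `config` here is the guest's config, not the host's.
    config = { config, ... }: {
      system.stateVersion = "24.11";

      # Storage share configuration
      microvm.shares = [
        {
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }
        {
          tag = "data-dir";
          source = "/var/lib/${vm-name}";
          mountPoint = "/mnt";
          proto = "virtiofs";
        }
        {
          tag = "media-dir";
          source = "/media/shows";
          mountPoint = "/media/shows";
          proto = "virtiofs";
        }
      ];

      # Allow the service to use the share.
      # NOTE(review): this re-owns everything under /mnt to sonarr:sonarr with mode 770
      # on every activation, while rTorrent below runs as rtorrent:rtorrent with its
      # dataDir under /mnt/rtorrent; verify that rtorrent can still reach its state
      # directory after activation.
      system.activationScripts."chownDataDir" = lib.stringAfter [ "var" ] ''
        mkdir -p /mnt
        chmod -R 770 /mnt
        chown -R sonarr:sonarr /mnt
      '';

      # Delay service start so the virtiofs share is present before the daemons
      # open their state directories (a fixed sleep is a race workaround, not an
      # ordering guarantee; a mount dependency on /mnt would be the robust form).
      systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
      # The service enabled below is `services.rtorrent`, whose unit is rtorrent.service;
      # the original targeted `rutorrent`, which no unit in this file defines, so the
      # delay never applied to rTorrent.
      systemd.services.rtorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";

      microvm.hypervisor = "qemu";

      # VM Networking
      microvm.interfaces = [
        {
          id = "vm${toString vm-index}";
          type = "tap";
          mac = vm-mac;
        }
      ];
      networking.useNetworkd = true;
      systemd.network.networks."10-eth" = {
        matchConfig.MACAddress = vm-mac;
        address = [ "10.0.0.${toString vm-index}/32" ];
        routes = [
          # Host Route
          {
            Destination = "10.0.0.0/32";
            GatewayOnLink = true;
          }
          # Default route
          {
            Destination = "0.0.0.0/0";
            Gateway = "10.0.0.0";
            GatewayOnLink = true;
          }
        ];
        networkConfig = {
          DNS = [
            # "9.9.9.9"
            # "8.8.8.8"
            # "8.8.4.4"
            # Only allow mullvad DNS server
            # NOTE(review): 10.64.0.1 is only reachable through the Mullvad tunnel, which
            # is commented out below, and `networking.nameservers` a few lines down adds
            # 10.0.101.1 and Google DNS anyway, so "only Mullvad DNS" does not hold as written.
            "10.64.0.1"
          ];
        };
      };
      networking.useDHCP = false;
      networking.nameservers = [
        "10.0.101.1"
        "8.8.8.8"
        "8.8.4.4"
      ];

      # Services
      services.sonarr = {
        enable = true;
        openFirewall = true;
        dataDir = "/mnt/sonarr";
      };
      services.rtorrent = {
        enable = true;
        dataDir = "/mnt/rtorrent";
        user = "rtorrent";
        group = "rtorrent";
        port = 9999;
      };

      # Guest-side Mullvad uplink over WireGuard plus kill switch (disabled, kept for reference).
      # NOTE(review): same store-copy problem as the host block: `"${./wireguard-secret}"`
      # would place the private key in /nix/store if re-enabled.
      # networking.wireguard.enable = true;
      # boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
      # networking.wireguard.interfaces.wg0 = {
      #   ips = ["10.75.60.108/32"];
      #   listenPort = 51820;
      #   privateKeyFile = "${./wireguard-secret}";
      #   peers = [
      #     {
      #       publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
      #       endpoint = "185.254.75.4:51820";
      #       allowedIPs = ["0.0.0.0/0"];
      #       persistentKeepalive = 25;
      #     }
      #   ];
      # };
      # networking.firewall.extraCommands = ''
      #   ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
      # '';

      # Guest-side Mullvad uplink over OpenVPN (disabled, kept for reference).
      # NOTE(review): `authUserPass.username`/`authUserPass.password` are account
      # credentials committed in plain text; even commented out they live in the repo
      # history. Rotate them and load them from a file outside the repository
      # (the `auth-user-pass mullvad_userpass.txt` line already points that way).
      # services.openvpn.servers.mullvad = {
      #   config = ''
      #     client
      #     dev tun
      #     resolv-retry infinite
      #     nobind
      #     persist-key
      #     persist-tun
      #     verb 3
      #     remote-cert-tls server
      #     ping 10
      #     ping-restart 60
      #     sndbuf 524288
      #     rcvbuf 524288
      #     cipher AES-256-GCM
      #     tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
      #     proto udp
      #     auth-user-pass mullvad_userpass.txt
      #     ca mullvad_ca.crt
      #     script-security 2
      #     up /etc/openvpn/update-resolv-conf
      #     down /etc/openvpn/update-resolv-conf
      #     fast-io
      #     remote 193.32.248.72 1301 # de-ber-ovpn-001
      #   '';
      #   authUserPass.username = "9898431198930064";
      #   authUserPass.password = "m";
      #   updateResolvConf = true;
      # };

      # Debug user
      # NOTE(review): a fixed root password together with `PermitRootLogin = "yes"` and
      # password authentication means anyone who can reach the guest's tap network
      # (the host, and anything the host forwards) can log in as root. Scope this to
      # debugging only: prefer key-based auth (`PasswordAuthentication = false`,
      # `PermitRootLogin = "prohibit-password"`) before this VM carries real data.
      users.users."root" = {
        password = "1234";
      };
      environment.systemPackages = [ pkgs.dig ];
      services.openssh = {
        enable = true;
        settings = {
          PermitRootLogin = "yes";
          AllowUsers = null;
          PasswordAuthentication = true;
          KbdInteractiveAuthentication = true;
        };
      };
    };
  };

  # Host firewall. The original opened 433, a typo for 443: the nginx vhost below
  # listens on 443, so HTTPS was blocked while an unused port was open.
  config.networking.firewall.allowedTCPPorts = [ port 80 443 ];
  # Nothing in this file serves UDP on these ports (no HTTP/3 is configured), so the
  # UDP entries only widen exposure; kept to match the existing behaviour, fixed typo.
  config.networking.firewall.allowedUDPPorts = [ port 80 443 ];

  # Reverse proxy for Sonarr on the host.
  # NOTE(review): the plain-HTTP listener on 8989/0.0.0.0 exposes Sonarr unencrypted on
  # every host interface, in parallel with the TLS listener on 443; drop it (or bind
  # it to 127.0.0.1) if the TLS vhost is the intended entry point.
  config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
    addSSL = true;
    enableACME = true;
    listen = [
      {
        port = 8989;
        addr = "0.0.0.0";
        ssl = false;
      }
      {
        port = 443;
        addr = "0.0.0.0";
        ssl = true;
      }
    ];
    locations."/" = {
      proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
    };
  };
}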