server-configuration/services/auto-torrent.nix

{
  config,
  pkgs,
  ...
}: let
  lib = pkgs.lib;
  host = "10.0.${toString vm-index}.1";
  port = 8989;
  vm-index = 1;
  vm-mac = "02:00:00:00:00:02";
  vm-name = "auto-torrent";
  vpn-endpoint = "193.32.248.70";
  enable-services = true;
in {
  microvm.autostart = [vm-name];

  users.extraUsers.microvm.extraGroups = [
    "jellyfin" # access to media folder
  ];

  system.activationScripts."make-${vm-name}-data-dir" = lib.stringAfter ["var"] ''
    mkdir -p /var/lib/${vm-name}
    chmod -R 777 /var/lib/${vm-name}
    chown -R microvm /var/lib/${vm-name}
    chmod -R 777 /media
  '';

  microvm.vms.${vm-name} = {
    config = {...}: {
      system.stateVersion = "25.05";
      microvm.interfaces = [
        {
          id = "vm${toString vm-index}";
          type = "tap";
          mac = vm-mac;
        }
      ];

      # 1gb of memory
      microvm.mem = 1024;

      microvm.shares = let
        proto = "virtiofs";
      in [
        {
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }
        {
          tag = "data-dir";
          source = "/var/lib/${vm-name}";
          mountPoint = "/mnt";
          inherit proto;
        }
        {
          tag = "media-dir";
          source = "/media";
          mountPoint = "/media";
          inherit proto;
        }
      ];

      networking.useNetworkd = true;
      networking.usePredictableInterfaceNames = false;
      systemd.network.networks."10-eth" = {
        matchConfig.MACAddress = vm-mac;
        address = [
          "10.0.${toString vm-index}.1/24"
        ];
        routes = [
          # Default route
          {
            Destination = "${toString vpn-endpoint}/32";
            Gateway = "10.0.${toString vm-index}.254";
            GatewayOnLink = true;
          }
        ];
        networkConfig = {
          DNS = [
            "9.9.9.9"
            "8.8.8.8"
            "8.8.4.4"
          ];
        };
      };

      networking.useDHCP = false;
      networking.nameservers = [
        "10.0.101.1"
        "8.8.8.8"
        "8.8.4.4"
      ];

      # systemd.services."wireguard-kill-switch" = {
      #   description = "Wireguard Kill Switch";
      #   after = ["network-online.target"];
      #   wants = ["network-online.target"];
      #   wantedBy = ["multi-user.target"];

      #   serviceConfig = {
      #     type = "oneshot";
      #     ExecStart = pkgs.writeShellScript "wgconf.sh" ''
      #       # Block any traffic not going throug the vpn that isnt to the local network
      #       ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT

      #       # Route local traffic through wg0 except local traffic
      #       ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
      #       ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0
      #     '';
      #     RemainAfterExit = "yes";
      #   };
      # };

      systemd.services."start-wireguard" = {
        description = "Start wireguard mullvad";
        after = ["network-online.target"];
        wants = ["network-online.target"];
        wantedBy = ["multi-user.target"];

        serviceConfig = {
          type = "oneshot";
          ExecStart = pkgs.writeShellScript "wgconf.sh" ''
            ${pkgs.wireguard-tools}/bin/wg-quick up /mnt/de-ber-wg-005.conf
          '';
          RemainAfterExit = "yes";
        };
      };

      networking.wireguard.enable = true;
      # systemd.network = {
      #   netdevs."10-wg0" = {
      #     netdevConfig = {
      #       Kind = "wireguard";
      #       Name = "wg0";
      #       MTUBytes = "1300";
      #     };
      #     wireguardConfig = {
      #       PrivateKeyFile = "${./wireguard-secret}";
      #       FirewallMark = 42;
      #       ListenPort = 51820;
      #     };
      #     wireguardPeers = [
      #       {
      #         PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
      #         AllowedIPs = ["0.0.0.0/0"];
      #         Endpoint = "193.32.248.66:51820";
      #         PersistentKeepalive = 25;
      #       }
      #     ];
      #   };
      #   networks."wg0" = {
      #     matchConfig.Name = "wg0";
      #     address = [
      #       "10.65.241.123/32"
      #     ];
      #     DHCP = "no";
      #     dns = ["10.64.0.1"];
      #     # gateway = [
      #     #   "10.0.0.0"
      #     # ];
      #   };
      # };

      # Sleep them for a while to make sure everything is set up
      systemd.services.sonarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
      systemd.services.radarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
      systemd.services.jackett.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
      systemd.services.rutorrent.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";

      # fuck nano
      programs.nano.enable = lib.mkForce false;
      programs.vim.enable = true;

      # Services
      services.sonarr = pkgs.lib.mkIf enable-services {
        enable = true;
        openFirewall = true;
        dataDir = "/mnt/sonarr";
      };
      services.radarr = pkgs.lib.mkIf enable-services {
        enable = true;
        openFirewall = true;
        dataDir = "/mnt/radarr";
      };
      services.jackett = pkgs.lib.mkIf enable-services {
        enable = true;
        dataDir = "/mnt/jackett";
        openFirewall = true;
      };

      services.transmission = pkgs.lib.mkIf enable-services {
        enable = true;
        openFirewall = true;
        home = "/mnt/transmission";
        settings.download-dir = "/mnt/transmission";
        settings.incomplete-dir = "/mnt/transmission/.incomplete";
        downloadDirPermissions = "775";
      };

      # debugging
      # users.users.root = {
      #   password = "1";
      # };

      environment.systemPackages = [pkgs.wireguard-tools pkgs.tcpdump];

      services.openssh = {
        enable = true;
        settings = {
          PermitRootLogin = "yes";
          AllowUsers = null;
          PasswordAuthentication = true;
          KbdInteractiveAuthentication = true;
        };
      };
    };
  };

  # networking.nat.forwardPorts = [
  #   {
  #     proto = "tcp";
  #     sourcePort = 8989;
  #     destination = "10.0.1.1:8989";
  #   }
  # ];

  # Sonarr
  services.nginx.virtualHosts."sonarr.spoodythe.one" = {
    addSSL = true;
    enableACME = true;
    listen = [
      {
        inherit port;
        addr = "0.0.0.0";
        ssl = false;
      }
      {
        port = 443;
        addr = "0.0.0.0";
        ssl = true;
      }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
    };
  };

  # Radarr
  services.nginx.virtualHosts."radarr.spoodythe.one" = let
    port = 7878;
  in {
    addSSL = true;
    enableACME = true;
    listen = [
      {
        inherit port;
        addr = "0.0.0.0";
        ssl = false;
      }
      {
        port = 443;
        addr = "0.0.0.0";
        ssl = true;
      }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
    };
  };

  # Jackett
  services.nginx.virtualHosts."jackett.spoodythe.one" = let
    port = 9117;
  in {
    addSSL = true;
    enableACME = true;
    listen = [
      {
        inherit port;
        addr = "0.0.0.0";
        ssl = false;
      }
      {
        port = 443;
        addr = "0.0.0.0";
        ssl = true;
      }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
    };
  };

  networking.firewall.allowedTCPPorts = [port 9117 7878 9696 80 433];
  networking.firewall.allowedUDPPorts = [port 9117 7878 9696 80 433];
}