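# Host-side NixOS module: defines one microvm ("necoarc") running Sonarr and
# rTorrent, shares a data dir and the media library into it over virtiofs, and
# exposes Sonarr through nginx on the host.
{
  pkgs,
  lib,
  config,
  ...
}: let
  # NOTE(review): `host` is never referenced below (nginx proxies to the VM's
  # tap address instead); kept as-is so nothing outside this file changes.
  host = "127.0.0.1";
  # Port Sonarr listens on inside the VM; reused for the host-side plaintext
  # listener and the firewall rule so the three stay in sync.
  port = 8989;
  vm-index = 1;
  vm-mac = "00:00:00:00:00:01";
  vm-name = "necoarc";
in {
  config.microvm.autostart = [vm-name];

  config.users.extraUsers.microvm.extraGroups = [
    "jellyfin" # access to media folder
  ];

  # Host-side backing directory for the VM's "data-dir" virtiofs share.
  # NOTE(review): `chmod -R 777` makes the VM state and the whole of /media
  # world-writable on the host, so any local user or compromised host service
  # can alter them. A group-owned mode (e.g. 2770 with the group the microvm
  # user shares with jellyfin) is the usual fix, but virtiofs uid mapping may
  # rely on the open mode — confirm before tightening.
  config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
    mkdir -p /var/lib/${vm-name}
    chmod -R 777 /var/lib/${vm-name}
    chown -R microvm /var/lib/${vm-name}
    chmod -R 777 /media
  '';

  # config.networking.wireguard.enable = true;
  # # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];

  # config.networking.wireguard.interfaces.wg0 = {
  #   ips = ["10.75.60.108/32"];
  #   listenPort = 51820;
  #   privateKeyFile = "${./wireguard-secret}";
  #   peers = [
  #     {
  #       publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
  #       endpoint = "185.254.75.4:51820";
  #       allowedIPs = ["0.0.0.0/0"];
  #       persistentKeepalive = 25;
  #     }
  #   ];
  # };

  # config.systemd.network.networks.wg0 = {
  #   matchConfig.Name = "wg0";
  #   address = ["10.0.1.${toString vm-index}/24"];
  #   networkConfig = {
  #     IPMasquerade = "ipv4";
  #     IPv4Forwarding = true;
  #   };
  # };

  config.microvm.vms.${vm-name} = {
    # Guest configuration; `config` here is the guest's config, shadowing the
    # host `config` argument of this module.
    config = {config, ...}: {
      system.stateVersion = "24.11";

      # Storage share configuration
      microvm.shares = [
        {
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }
        {
          tag = "data-dir";
          source = "/var/lib/${vm-name}";
          mountPoint = "/mnt";
          proto = "virtiofs";
        }
        {
          tag = "media-dir";
          source = "/media/shows";
          mountPoint = "/media/shows";
          proto = "virtiofs";
        }
      ];

      # Allow the service to use the share
      # NOTE(review): this chowns all of /mnt to sonarr, yet rtorrent's
      # dataDir (/mnt/rtorrent, user rtorrent) sits under the same mount —
      # confirm rtorrent can still write there after activation.
      system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
        mkdir -p /mnt
        chmod -R 770 /mnt
        chown -R sonarr:sonarr /mnt
      '';
      # Fixed delay before service start; presumably waits for the virtiofs
      # share to be mounted — a systemd mount dependency would be more robust.
      systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
      # NOTE(review): the service enabled below is `services.rtorrent` (unit
      # rtorrent.service); "rutorrent" declares a separate unit with only an
      # ExecStartPre — looks like a typo for `systemd.services.rtorrent`, confirm.
      systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";

      microvm.hypervisor = "qemu";

      # VM Networking
      microvm.interfaces = [
        {
          id = "vm${toString vm-index}";
          type = "tap";
          mac = vm-mac;
        }
      ];
      networking.useNetworkd = true;
      systemd.network.networks."10-eth" = {
        matchConfig.MACAddress = vm-mac;
        address = [
          "10.0.0.${toString vm-index}/32"
        ];
        routes = [
          # Host Route
          {
            Destination = "10.0.0.0/32";
            GatewayOnLink = true;
          }
          # Default route
          {
            Destination = "0.0.0.0/0";
            Gateway = "10.0.0.0";
            GatewayOnLink = true;
          }
        ];
        networkConfig = {
          DNS = [
            # "9.9.9.9"
            # "8.8.8.8"
            # "8.8.4.4"

            # Only allow mullvad DNS server
            "10.64.0.1"
          ];
        };
      };

      networking.useDHCP = false;
      # NOTE(review): public resolvers are listed here as well, so DNS is not
      # actually limited to the mullvad server configured on the link above —
      # confirm which list is meant to take effect.
      networking.nameservers = [
        "10.0.101.1"
        "8.8.8.8"
        "8.8.4.4"
      ];

      # Services
      services.sonarr = {
        enable = true;
        openFirewall = true;
        dataDir = "/mnt/sonarr";
      };

      services.rtorrent = {
        enable = true;
        dataDir = "/mnt/rtorrent";
        user = "rtorrent";
        group = "rtorrent";
        port = 9999;
      };

      # networking.wireguard.enable = true;
      # boot.extraModulePackages = [config.boot.kernelPackages.wireguard];

      # networking.wireguard.interfaces.wg0 = {
      #   ips = ["10.75.60.108/32"];
      #   listenPort = 51820;
      #   privateKeyFile = "${./wireguard-secret}";
      #   peers = [
      #     {
      #       publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
      #       endpoint = "185.254.75.4:51820";
      #       allowedIPs = ["0.0.0.0/0"];
      #       persistentKeepalive = 25;
      #     }
      #   ];
      # };

      # networking.firewall.extraCommands = ''
      #   ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
      # '';

      # NOTE(review): if this block is ever re-enabled, `authUserPass` values
      # written here end up in the world-readable Nix store; load them from a
      # file outside the store instead.
      # services.openvpn.servers.mullvad = {
      #   config = ''
      #     client
      #     dev tun
      #     resolv-retry infinite
      #     nobind
      #     persist-key
      #     persist-tun
      #     verb 3
      #     remote-cert-tls server
      #     ping 10
      #     ping-restart 60
      #     sndbuf 524288
      #     rcvbuf 524288
      #     cipher AES-256-GCM
      #     tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
      #     proto udp
      #     auth-user-pass mullvad_userpass.txt
      #     ca mullvad_ca.crt
      #     script-security 2
      #     up /etc/openvpn/update-resolv-conf
      #     down /etc/openvpn/update-resolv-conf
      #     fast-io
      #     remote 193.32.248.72 1301 # de-ber-ovpn-001
      #   '';
      #   authUserPass.username = "9898431198930064";
      #   authUserPass.password = "m";
      #   updateResolvConf = true;
      # };

      # Debug user
      # NOTE(review): a fixed root password combined with PermitRootLogin=yes
      # and password authentication below gives anyone who can reach the VM's
      # SSH port root access. Remove this before the VM is reachable beyond the
      # host, or switch to key-only login (PermitRootLogin = "prohibit-password",
      # PasswordAuthentication = false).
      users.users."root" = {
        password = "1234";
      };

      environment.systemPackages = [pkgs.dig];

      services.openssh = {
        enable = true;
        settings = {
          PermitRootLogin = "yes";
          AllowUsers = null;
          PasswordAuthentication = true;
          KbdInteractiveAuthentication = true;
        };
      };
    };
  };

  # Host firewall. 433 was a typo for 443 — the nginx TLS listener below is on
  # 443, so the old rule left the HTTPS vhost unreachable. The UDP entries
  # mirror TCP for symmetry only; nginx here is TCP-only (no HTTP/3 configured),
  # so they could be dropped to reduce exposure.
  config.networking.firewall.allowedTCPPorts = [port 80 443];
  config.networking.firewall.allowedUDPPorts = [port 80 443];

  # Reverse proxy from the host to Sonarr inside the VM.
  # NOTE(review): with an explicit `listen` list, this vhost does not serve
  # port 80, which the ACME HTTP-01 challenge needs — confirm another vhost
  # answers on 80 or add an `{ port = 80; addr = "0.0.0.0"; ssl = false; }` entry.
  config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
    addSSL = true;
    enableACME = true;
    listen = [
      # Plaintext listener on all interfaces, same port as Sonarr in the VM;
      # Sonarr's UI/API is reachable unencrypted on it.
      {
        inherit port;
        addr = "0.0.0.0";
        ssl = false;
      }
      {
        port = 443;
        addr = "0.0.0.0";
        ssl = true;
      }
    ];
    locations."/" = {
      proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
    };
  };
}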