diff --git a/SwarselSystems.org b/SwarselSystems.org
index d9229db..9570cc6 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -2039,6 +2039,7 @@ My work machine. Built for more security, this is the gold standard of my config
 hostName = "winters";
 hostId = "b7778a4a";
 firewall.enable = true;
+ enableIPv6 = false;
 firewall.allowedTCPPorts = [ 80 443 ];
 };
 
@@ -2060,6 +2061,7 @@ My work machine. Built for more security, this is the gold standard of my config
 nextcloud = true;
 immich = true;
 paperless = true;
+ transmission = true;
 };
 };
 
@@ -4747,6 +4749,7 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
 options.swarselsystems.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
 options.swarselsystems.server.immich = lib.mkEnableOption "enable immich on server";
 options.swarselsystems.server.paperless = lib.mkEnableOption "enable paperless on server";
+ options.swarselsystems.server.transmission = lib.mkEnableOption "enable transmission and friends on server";
 }
 #+end_src
 
@@ -6640,6 +6643,7 @@ Also, the system state version is set here. No need to touch it.
 ./nextcloud.nix
 ./immich.nix
 ./paperless.nix
+ ./transmission.nix
 ];
 
 nix =
@@ -7396,7 +7400,8 @@ Also, the system state version is set here. No need to touch it.
 ];
 locations = {
 "~ ^(/_matrix|/_synapse/client)" = {
- proxyPass = "http://localhost:8008";
+ # proxyPass = "http://localhost:8008";
+ proxyPass = "http://192.168.1.2:8008";
 extraConfig = ''
 client_max_body_size 0;
 '';
@@ -7465,9 +7470,9 @@ Also, the system state version is set here. No need to touch it.
 {
 config = lib.mkIf config.swarselsystems.server.immich {
 
- users.users.immich = {
- extraGroups = [ "users" ];
- };
+ users.users.immich = {
+ extraGroups = [ "video" "render" "users" ];
+ };
 
 # sops.secrets.nextcloudadminpass = { owner = "nextcloud"; };
 
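Review bot: `enableIPv6 = false;` in the winters networking block switches IPv6 off for the whole host, not only for nginx; the `[::1]` → `127.0.0.1` upstream change in the immich hunk further down is the companion this requires, and any other service in the profile still bound to `::1` or `[::]` would simply become unreachable, with nothing failing at build time. A one-line comment next to the option, e.g. `# IPv6 is off host-wide: local upstreams must use 127.0.0.1, never [::1]`, would keep the two changes linked for the next edit. The same hunk is repeated in profiles/server/winters/default.nix.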
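Review bot: In the `~ ^(/_matrix|/_synapse/client)` location the upstream moves from `http://localhost:8008` to `http://192.168.1.2:8008`, so nginx now forwards Matrix requests, access tokens included, in cleartext across the LAN to another host instead of over loopback; the hunk gives no indication whether port 8008 on 192.168.1.2 accepts connections only from this proxy, so that restriction (or TLS on the hop) should be confirmed before this lands. The commented-out `# proxyPass = "http://localhost:8008";` kept above the new line is dead config that git history already preserves; a comment naming what runs on 192.168.1.2 would be more useful in its place. The same hunk appears in profiles/server/common/matrix.nix; the enclosing virtualHost starts and ends outside the hunk.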
@@ -7476,6 +7481,7 @@ Also, the system state version is set here. No need to touch it.
 port = 3001;
 openFirewall = true;
 mediaLocation = "/Vault/Eternor/Immich";
+ environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://127.0.0.1:3003";
 };
 
@@ -7487,15 +7493,25 @@ Also, the system state version is set here. No need to touch it.
 acmeRoot = null;
 locations = {
 "/" = {
- proxyPass = "http://[::1]:3001";
+ proxyPass = "http://127.0.0.1:3001";
 extraConfig = ''
 client_max_body_size 0;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_redirect off;
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
 '';
 };
 };
 };
 };
 };
+ };
 }
@@ -7517,14 +7533,15 @@ Also, the system state version is set here. No need to touch it.
 services.paperless = {
 enable = true;
- mediaDir = "/Vault/Eternor/Dokumente";
+ mediaDir = "/Vault/Eternor/Paperless";
+ dataDir = "/Vault/data/paperless";
 user = "paperless";
 port = 28981;
 passwordFile = config.sops.secrets.paperless_admin.path;
 address = "0.0.0.0";
- extraConfig = {
+ settings = {
 PAPERLESS_OCR_LANGUAGE = "deu+eng";
- PAPERLESS_URL = "scan.swarsel.win";
+ PAPERLESS_URL = "https://scan.swarsel.win";
 PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
 optimize = 1;
 pdfa_image_compression = "lossless";
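Review bot: `proxy_set_header Connection "upgrade";` in the immich `/` location is sent on every proxied request, not only on WebSocket handshakes, because the value is a literal instead of being derived from `$http_upgrade`; most upstreams tolerate it, but it is not what the Upgrade/Connection pattern intends. The NixOS nginx module already implements the correct form: replace the `proxy_http_version` and the two `proxy_set_header` lines with `proxyWebsockets = true;` on the location, keeping only `proxy_redirect off;` and the three timeouts in `extraConfig`. The same hunk is in profiles/server/common/immich.nix.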
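Review bot: `dataDir = "/Vault/data/paperless";` moves paperless's database and index away from the module default and `mediaDir` moves from `/Vault/Eternor/Dokumente` to `/Vault/Eternor/Paperless`, yet nothing in the hunk migrates existing data, so a comment beside the two lines stating that both trees were moved by hand (or that this is a fresh instance) is needed to make the change safe to reapply. The `extraConfig` → `settings` rename and the `https://` scheme on `PAPERLESS_URL` are correct for the current module. The same hunk is in profiles/server/common/paperless.nix.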
@@ -7554,6 +7571,415 @@ Also, the system state version is set here. No need to touch it. } #+end_src +**** transmission + +#+begin_src nix :tangle profiles/server/common/transmission.nix + { pkgs, lib, config, ... }: + { + config = lib.mkIf config.swarselsystems.server.transmission { + + virtualisation.docker.enable = true; + environment.systemPackages = with pkgs; [ + docker + ]; + # boot = { + # kernelModules = [ "tun" ]; + # kernel.sysctl = { + # "net.ipv4.conf.all.rp_filter" = 2; + # "net.ipv4.conf.default.rp_filter" = 2; + # "net.ipv4.conf.enp3s0.rp_filter" = 2; + # }; + # }; + # environment.systemPackages = with pkgs; [ + # jq + # traceroute + # curl + # ]; + # environment.etc = { + # "openvpn/iptables.sh" = + # { + # source = ../../../scripts/server1/iptables.sh; + # mode = "0755"; + # }; + # "openvpn/update-resolv-conf" = + # { + # source = ../../../scripts/server1/update-resolv-conf; + # mode = "0755"; + # }; + # "openvpn/routing.sh" = + # { + # source = ../../../scripts/server1/routing.sh; + # mode = "0755"; + # }; + # "openvpn/ca.rsa.2048.crt" = + # { + # source = ../../../secrets/certs/ca.rsa.2048.crt; + # mode = "0644"; + # }; + # "openvpn/crl.rsa.2048.pem" = + # { + # source = ../../../secrets/certs/crl.rsa.2048.pem; + # mode = "0644"; + # }; + # }; + + # networking = { + # firewall.extraCommands = '' + # sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP + # ''; + # iproute2 = { + # enable = true; + # rttablesExtraConfig = '' + # 200 vpn + # ''; + # }; + # }; + + # users = { + # groups = { + # vpn = { }; + # }; + # users = { + # vpn = { + # isNormalUser = true; + # group = "vpn"; + # home = "/home/vpn"; + # }; + # }; + # }; + + # sops = { + # secrets = { + # vpnuser = { }; + # rpcuser = { owner = "vpn"; }; + # vpnpass = { }; + # rpcpass = { owner = "vpn"; }; + # vpnprot = { }; + # vpnloc = { }; + # }; + # templates = { + # "transmission-rpc" = { + # owner = "vpn"; + # content = builtins.toJSON { + # rpc-username = config.sops.placeholder.rpcuser; + # rpc-password = config.sops.placeholder.rpcpass; + # }; + # }; + + # pia.content = '' + # ${config.sops.placeholder.vpnuser} + # ${config.sops.placeholder.vpnpass} + # ''; + + # vpn = { + # path = "/etc/openvpn/openvpn.conf"; + # mode = "0644"; + # content = '' + # client + # dev tun + # proto ${config.sops.placeholder.vpnprot} + # remote ${config.sops.placeholder.vpnloc} + # resolv-retry infinite + # nobind + # persist-key + # persist-tun + # cipher aes-128-cbc + # auth sha1 + # tls-client + # remote-cert-tls server + + # auth-user-pass ${config.sops.templates.pia.path} + # auth-nocache + # comp-lzo + # compress + # verb 1 + # reneg-sec 0 + + # crl-verify /etc/openvpn/crl.rsa.2048.pem + # ca /etc/openvpn/ca.rsa.2048.crt + + # disable-occ + # script-security 2 + # route-noexec + + # up /etc/openvpn/iptables.sh + # down /etc/openvpn/update-resolv-conf + # ''; + # }; + # }; + # }; + + # systemd = { + # timers."restart-pia-monthly" = { + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnBootSec = "1M"; + # OnUnitActiveSec = "1M"; + # Unit = "restart-pia-monthly.service"; + # }; + # }; + + # services."restart-pia-monthly" = { + # script = '' + # systemctl restart pia-pf.service + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # timers."reboot-portforward-2h" = { + # wantedBy = [ 
"timers.target" ]; + # timerConfig = { + # OnBootSec = "2h"; + # OnUnitActiveSec = "2h"; + # Unit = "reboot-portforward-2h.service"; + # }; + # }; + + # services."reboot-portforward-2h" = { + # script = '' + # /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # timers."hourly-services" = { + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnBootSec = "1h"; + # OnUnitActiveSec = "1h"; + # Unit = "hourly-services.service"; + # }; + # }; + + # services."hourly-services" = { + # script = '' + # ${pkgs.sudo}/bin/sudo /etc/openvpn/iptables.sh + # ${pkgs.sudo}/bin/sudo -u vpn -i -- ${pkgs.curl}/bin/curl -c /opt/persists/mam.cookies -b /opt/persists/mam.cookies https://t.myanonamouse.net/json/dynamicSeedbox.php + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # timers."reboot-portforward" = { + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnBootSec = "1m"; + # Unit = "reboot-portforward.service"; + # }; + # }; + + # services."reboot-portforward" = { + # script = '' + # sleep 60 + # /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # tmpfiles.rules = [ + # "d /run/openvpn 644 root root 10d" + # "f /run/openvpn/openvpn.pid 0644 root root" + # "f /run/openvpn/openvpn.status 0644 root root" + # ]; + + # services."pia-pf" = { + + # path = with pkgs; [ + # toybox + # jq + # curl + # traceroute + # bash + # gawk + # ]; + # description = "PIA Port Forwarding Daemon"; + # after = [ "network.target" "openvpn@openvpn.service" ]; + # wantedBy = [ "multi-user.target" ]; + # serviceConfig = { + # SyslogIdentifier = "pia-pf"; + # Type = "simple"; + # ExecStartPre = "${pkgs.toybox}/bin/sleep 10"; + # ExecStart 
= "/etc/openvpn/pia-portforward.sh -f tun0 -p /etc/openvpn/port.dat -s /etc/openvpn/portforward.sh"; + # WorkingDirectory = "/etc/openvpn"; + # Restart = "always"; + # RestartSec = 5; + # TimeoutStopSec = 30; + # }; + # }; + # services."openvpn@openvpn" = { + + # description = "Open VPN connection to %i"; + # after = [ "network.target" ]; + # wantedBy = [ "multi-user.target" ]; + # serviceConfig = { + # RuntimeDirectory = "openvpn"; + # PrivateTmp = true; + # KillMode = "mixed"; + # Type = "forking"; + # ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid"; + # PIDFile = "/run/openvpn/%i.pid"; + # ExecReload = "/bin/kill -HUP $MAINPID"; + # WorkingDirectory = "/etc/openvpn"; + # Restart = "on-failure"; + # RestartSec = 3; + # ProtectSystem = "yes"; + # LimitNPROC = 10; + # DeviceAllow = [ + # "/dev/null rw" + # "/dev/net/tun rw" + # ]; + # }; + # }; + # }; + + services = { + radarr = { + enable = true; + }; + readarr = { + enable = true; + }; + sonarr = { + enable = true; + }; + lidarr = { + enable = true; + }; + prowlarr = { + enable = true; + }; + # openvpn.servers = { + # pia = { + # autoStart = false; + # updateResolvConf = false; + # config = "config ${config.sops.templates.vpn.path}"; + # }; + # }; + # transmission = { + # enable = true; + # package = + # let + # pkgs2_94 = import + # (builtins.fetchGit { + # name = "transmission-2.94"; + # url = "https://github.com/NixOS/nixpkgs/"; + # ref = "refs/heads/nixpkgs-unstable"; + # rev = "4426104c8c900fbe048c33a0e6f68a006235ac50"; + # }) + # { }; + + # transmission2_94 = pkgs2_94.transmission; + # in + # transmission2_94; + # user = "vpn"; + # credentialsFile = config.sops.templates."transmission-rpc".path; + # openPeerPorts = true; + # settings = { + # alt-speed-down = 6000; + # alt-speed-enabled = false; + # alt-speed-time-begin = 0; + # alt-speed-time-day = 127; + # 
alt-speed-time-enabled = true; + # alt-speed-time-end = 360; + # alt-speed-up = 1000; + # bind-address-ipv4 = "0.0.0.0"; + # bind-address-ipv6 = "fe80::"; + # blocklist-enabled = false; + # blocklist-url = "http://www.example.com/blocklist"; + # cache-size-mb = 256; + # dht-enabled = false; + # download-dir = "/Vault/Eternor/New"; + # download-limit = 100; + # download-limit-enabled = 0; + # download-queue-enabled = true; + # download-queue-size = 5; + # encryption = 2; + # idle-seeding-limit = 30; + # idle-seeding-limit-enabled = false; + # incomplete-dir = "/var/lib/transmission-daemon/Downloads"; + # incomplete-dir-enabled = false; + # lpd-enabled = false; + # max-peers-global = 200; + # message-level = 1; + # peer-congestion-algorithm = ""; + # peer-id-ttl-hours = 6; + # peer-limit-global = 100; + # peer-limit-per-torrent = 40; + # peer-port = 22371; + # peer-port-random-high = 65535; + # peer-port-random-low = 49152; + # peer-port-random-on-start = false; + # peer-socket-tos = "default"; + # pex-enabled = false; + # port-forwarding-enabled = false; + # preallocation = 1; + # prefetch-enabled = true; + # queue-stalled-enabled = true; + # queue-stalled-minutes = 30; + # ratio-limit = 2; + # ratio-limit-enabled = false; + # rename-partial-files = true; + # rpc-authentication-required = true; + # rpc-bind-address = "0.0.0.0"; + # rpc-enabled = true; + # rpc-host-whitelist = ""; + # rpc-host-whitelist-enabled = true; + # rpc-port = 9091; + # rpc-url = "/transmission/"; + # rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3"; + # rpc-whitelist-enabled = true; + # scrape-paused-torrents-enabled = true; + # script-torrent-done-enabled = false; + # seed-queue-enabled = false; + # seed-queue-size = 10; + # speed-limit-down = 6000; + # speed-limit-down-enabled = true; + # speed-limit-up = 500; + # speed-limit-up-enabled = true; + # start-added-torrents = true; + # trash-original-torrent-files = false; + # umask = 2; + # upload-limit = 100; + # upload-limit-enabled = 0; + 
# upload-slots-per-torrent = 14;
+ # utp-enabled = false;
+ # };
+ # };
+
+ nginx = {
+ virtualHosts = {
+ "store.swarsel.win" = {
+ enableACME = false;
+ forceSSL = false;
+ acmeRoot = null;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:9091";
+ extraConfig = ''
+ client_max_body_size 0;
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ }
+
+#+end_src
+
 
 *** Optional
 :PROPERTIES:
diff --git a/modules/nixos/setup.nix b/modules/nixos/setup.nix
index ec2029b..5828528 100644
--- a/modules/nixos/setup.nix
+++ b/modules/nixos/setup.nix
@@ -19,4 +19,5 @@ in
 options.swarselsystems.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
 options.swarselsystems.server.immich = lib.mkEnableOption "enable immich on server";
 options.swarselsystems.server.paperless = lib.mkEnableOption "enable paperless on server";
+ options.swarselsystems.server.transmission = lib.mkEnableOption "enable transmission and friends on server";
 }
diff --git a/profiles/server/common/default.nix b/profiles/server/common/default.nix
index 11497f9..0a98054 100644
--- a/profiles/server/common/default.nix
+++ b/profiles/server/common/default.nix
@@ -22,6 +22,7 @@
 ./nextcloud.nix
 ./immich.nix
 ./paperless.nix
+ ./transmission.nix
 ];
 
 nix =
diff --git a/profiles/server/common/immich.nix b/profiles/server/common/immich.nix
index 809d24c..82b63f0 100644
--- a/profiles/server/common/immich.nix
+++ b/profiles/server/common/immich.nix
@@ -3,7 +3,7 @@
 config = lib.mkIf config.swarselsystems.server.immich {
 
- users.users.immich = {
- extraGroups = [ "users" ];
- };
+ users.users.immich = {
+ extraGroups = [ "video" "render" "users" ];
+ };
 
 # sops.secrets.nextcloudadminpass = { owner = "nextcloud"; };
@@ -13,6 +13,7 @@
 port = 3001;
 openFirewall = true;
 mediaLocation = "/Vault/Eternor/Immich";
+ environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://127.0.0.1:3003";
 };
 
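Review bot: The new `store.swarsel.win` vhost sets `enableACME = false; forceSSL = false;` and proxies to `http://127.0.0.1:9091`, so the transmission RPC interface, whose login is HTTP basic auth, is served in cleartext on port 80, which this commit's winters hunk keeps open in `firewall.allowedTCPPorts`; unless TLS terminates somewhere upstream, the vhost should get `forceSSL = true;` with a certificate, or a comment stating where TLS is handled. Nothing in this file listens on 9091: the `services.transmission` block is commented out and only `virtualisation.docker.enable = true;` hints at a container, so the proxyPass needs a comment such as `# 9091: transmission RPC of the docker container managed outside this module`. The roughly 300 commented-out lines (openvpn, sops templates, systemd timers, transmission settings) are dead config that git history already preserves and should be dropped, and `docker` in `environment.systemPackages` is presumably redundant with the docker module. The identical hunk is the new file profiles/server/common/transmission.nix.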
@@ -24,15 +25,25 @@
 acmeRoot = null;
 locations = {
 "/" = {
- proxyPass = "http://[::1]:3001";
+ proxyPass = "http://127.0.0.1:3001";
 extraConfig = ''
 client_max_body_size 0;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_redirect off;
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
 '';
 };
 };
 };
 };
 };
+ };
 }
diff --git a/profiles/server/common/matrix.nix b/profiles/server/common/matrix.nix
index 8995418..9be223b 100644
--- a/profiles/server/common/matrix.nix
+++ b/profiles/server/common/matrix.nix
@@ -283,7 +283,8 @@ in
 ];
 locations = {
 "~ ^(/_matrix|/_synapse/client)" = {
- proxyPass = "http://localhost:8008";
+ # proxyPass = "http://localhost:8008";
+ proxyPass = "http://192.168.1.2:8008";
 extraConfig = ''
 client_max_body_size 0;
 '';
diff --git a/profiles/server/common/paperless.nix b/profiles/server/common/paperless.nix
index dc271c3..e45b1bb 100644
--- a/profiles/server/common/paperless.nix
+++ b/profiles/server/common/paperless.nix
@@ -11,14 +11,15 @@
 services.paperless = {
 enable = true;
- mediaDir = "/Vault/Eternor/Dokumente";
+ mediaDir = "/Vault/Eternor/Paperless";
+ dataDir = "/Vault/data/paperless";
 user = "paperless";
 port = 28981;
 passwordFile = config.sops.secrets.paperless_admin.path;
 address = "0.0.0.0";
- extraConfig = {
+ settings = {
 PAPERLESS_OCR_LANGUAGE = "deu+eng";
- PAPERLESS_URL = "scan.swarsel.win";
+ PAPERLESS_URL = "https://scan.swarsel.win";
 PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
 optimize = 1;
 pdfa_image_compression = "lossless";
diff --git a/profiles/server/common/transmission.nix b/profiles/server/common/transmission.nix
new file mode 100644
index 0000000..c90c9ec
--- /dev/null
+++ b/profiles/server/common/transmission.nix
@@ -0,0 +1,403 @@ +{ pkgs, lib, config, ... }: +{ + config = lib.mkIf config.swarselsystems.server.transmission { + + virtualisation.docker.enable = true; + environment.systemPackages = with pkgs; [ + docker + ]; + # boot = { + # kernelModules = [ "tun" ]; + # kernel.sysctl = { + # "net.ipv4.conf.all.rp_filter" = 2; + # "net.ipv4.conf.default.rp_filter" = 2; + # "net.ipv4.conf.enp3s0.rp_filter" = 2; + # }; + # }; + # environment.systemPackages = with pkgs; [ + # jq + # traceroute + # curl + # ]; + # environment.etc = { + # "openvpn/iptables.sh" = + # { + # source = ../../../scripts/server1/iptables.sh; + # mode = "0755"; + # }; + # "openvpn/update-resolv-conf" = + # { + # source = ../../../scripts/server1/update-resolv-conf; + # mode = "0755"; + # }; + # "openvpn/routing.sh" = + # { + # source = ../../../scripts/server1/routing.sh; + # mode = "0755"; + # }; + # "openvpn/ca.rsa.2048.crt" = + # { + # source = ../../../secrets/certs/ca.rsa.2048.crt; + # mode = "0644"; + # }; + # "openvpn/crl.rsa.2048.pem" = + # { + # source = ../../../secrets/certs/crl.rsa.2048.pem; + # mode = "0644"; + # }; + # }; + + # networking = { + # firewall.extraCommands = '' + # sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP + # ''; + # iproute2 = { + # enable = true; + # rttablesExtraConfig = '' + # 200 vpn + # ''; + # }; + # }; + + # users = { + # groups = { + # vpn = { }; + # }; + # users = { + # vpn = { + # isNormalUser = true; + # group = "vpn"; + # home = "/home/vpn"; + # }; + # }; + # }; + + # sops = { + # secrets = { + # vpnuser = { }; + # rpcuser = { owner = "vpn"; }; + # vpnpass = { }; + # rpcpass = { owner = "vpn"; }; + # vpnprot = { }; + # vpnloc = { }; + # }; + # templates = { + # "transmission-rpc" = { + # owner = "vpn"; + # content = builtins.toJSON { + # rpc-username = config.sops.placeholder.rpcuser; + # rpc-password = config.sops.placeholder.rpcpass; + # }; + # }; + + # pia.content = '' + # ${config.sops.placeholder.vpnuser} + # ${config.sops.placeholder.vpnpass} + # ''; + + # vpn = { + # path = "/etc/openvpn/openvpn.conf"; + # mode = "0644"; + # content = '' + # client + # dev tun + # proto ${config.sops.placeholder.vpnprot} + # remote ${config.sops.placeholder.vpnloc} + # resolv-retry infinite + # nobind + # persist-key + # persist-tun + # cipher aes-128-cbc + # auth sha1 + # tls-client + # remote-cert-tls server + + # auth-user-pass ${config.sops.templates.pia.path} + # auth-nocache + # comp-lzo + # compress + # verb 1 + # reneg-sec 0 + + # crl-verify /etc/openvpn/crl.rsa.2048.pem + # ca /etc/openvpn/ca.rsa.2048.crt + + # disable-occ + # script-security 2 + # route-noexec + + # up /etc/openvpn/iptables.sh + # down /etc/openvpn/update-resolv-conf + # ''; + # }; + # }; + # }; + + # systemd = { + # timers."restart-pia-monthly" = { + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnBootSec = "1M"; + # OnUnitActiveSec = "1M"; + # Unit = "restart-pia-monthly.service"; + # }; + # }; + + # services."restart-pia-monthly" = { + # script = '' + # systemctl restart pia-pf.service + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # timers."reboot-portforward-2h" = { + # wantedBy = [ 
"timers.target" ]; + # timerConfig = { + # OnBootSec = "2h"; + # OnUnitActiveSec = "2h"; + # Unit = "reboot-portforward-2h.service"; + # }; + # }; + + # services."reboot-portforward-2h" = { + # script = '' + # /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # timers."hourly-services" = { + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnBootSec = "1h"; + # OnUnitActiveSec = "1h"; + # Unit = "hourly-services.service"; + # }; + # }; + + # services."hourly-services" = { + # script = '' + # ${pkgs.sudo}/bin/sudo /etc/openvpn/iptables.sh + # ${pkgs.sudo}/bin/sudo -u vpn -i -- ${pkgs.curl}/bin/curl -c /opt/persists/mam.cookies -b /opt/persists/mam.cookies https://t.myanonamouse.net/json/dynamicSeedbox.php + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # timers."reboot-portforward" = { + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnBootSec = "1m"; + # Unit = "reboot-portforward.service"; + # }; + # }; + + # services."reboot-portforward" = { + # script = '' + # sleep 60 + # /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "root"; + # }; + # }; + + # tmpfiles.rules = [ + # "d /run/openvpn 644 root root 10d" + # "f /run/openvpn/openvpn.pid 0644 root root" + # "f /run/openvpn/openvpn.status 0644 root root" + # ]; + + # services."pia-pf" = { + + # path = with pkgs; [ + # toybox + # jq + # curl + # traceroute + # bash + # gawk + # ]; + # description = "PIA Port Forwarding Daemon"; + # after = [ "network.target" "openvpn@openvpn.service" ]; + # wantedBy = [ "multi-user.target" ]; + # serviceConfig = { + # SyslogIdentifier = "pia-pf"; + # Type = "simple"; + # ExecStartPre = "${pkgs.toybox}/bin/sleep 10"; + # ExecStart 
= "/etc/openvpn/pia-portforward.sh -f tun0 -p /etc/openvpn/port.dat -s /etc/openvpn/portforward.sh"; + # WorkingDirectory = "/etc/openvpn"; + # Restart = "always"; + # RestartSec = 5; + # TimeoutStopSec = 30; + # }; + # }; + # services."openvpn@openvpn" = { + + # description = "Open VPN connection to %i"; + # after = [ "network.target" ]; + # wantedBy = [ "multi-user.target" ]; + # serviceConfig = { + # RuntimeDirectory = "openvpn"; + # PrivateTmp = true; + # KillMode = "mixed"; + # Type = "forking"; + # ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid"; + # PIDFile = "/run/openvpn/%i.pid"; + # ExecReload = "/bin/kill -HUP $MAINPID"; + # WorkingDirectory = "/etc/openvpn"; + # Restart = "on-failure"; + # RestartSec = 3; + # ProtectSystem = "yes"; + # LimitNPROC = 10; + # DeviceAllow = [ + # "/dev/null rw" + # "/dev/net/tun rw" + # ]; + # }; + # }; + # }; + + services = { + radarr = { + enable = true; + }; + readarr = { + enable = true; + }; + sonarr = { + enable = true; + }; + lidarr = { + enable = true; + }; + prowlarr = { + enable = true; + }; + # openvpn.servers = { + # pia = { + # autoStart = false; + # updateResolvConf = false; + # config = "config ${config.sops.templates.vpn.path}"; + # }; + # }; + # transmission = { + # enable = true; + # package = + # let + # pkgs2_94 = import + # (builtins.fetchGit { + # name = "transmission-2.94"; + # url = "https://github.com/NixOS/nixpkgs/"; + # ref = "refs/heads/nixpkgs-unstable"; + # rev = "4426104c8c900fbe048c33a0e6f68a006235ac50"; + # }) + # { }; + + # transmission2_94 = pkgs2_94.transmission; + # in + # transmission2_94; + # user = "vpn"; + # credentialsFile = config.sops.templates."transmission-rpc".path; + # openPeerPorts = true; + # settings = { + # alt-speed-down = 6000; + # alt-speed-enabled = false; + # alt-speed-time-begin = 0; + # alt-speed-time-day = 127; + # 
alt-speed-time-enabled = true; + # alt-speed-time-end = 360; + # alt-speed-up = 1000; + # bind-address-ipv4 = "0.0.0.0"; + # bind-address-ipv6 = "fe80::"; + # blocklist-enabled = false; + # blocklist-url = "http://www.example.com/blocklist"; + # cache-size-mb = 256; + # dht-enabled = false; + # download-dir = "/Vault/Eternor/New"; + # download-limit = 100; + # download-limit-enabled = 0; + # download-queue-enabled = true; + # download-queue-size = 5; + # encryption = 2; + # idle-seeding-limit = 30; + # idle-seeding-limit-enabled = false; + # incomplete-dir = "/var/lib/transmission-daemon/Downloads"; + # incomplete-dir-enabled = false; + # lpd-enabled = false; + # max-peers-global = 200; + # message-level = 1; + # peer-congestion-algorithm = ""; + # peer-id-ttl-hours = 6; + # peer-limit-global = 100; + # peer-limit-per-torrent = 40; + # peer-port = 22371; + # peer-port-random-high = 65535; + # peer-port-random-low = 49152; + # peer-port-random-on-start = false; + # peer-socket-tos = "default"; + # pex-enabled = false; + # port-forwarding-enabled = false; + # preallocation = 1; + # prefetch-enabled = true; + # queue-stalled-enabled = true; + # queue-stalled-minutes = 30; + # ratio-limit = 2; + # ratio-limit-enabled = false; + # rename-partial-files = true; + # rpc-authentication-required = true; + # rpc-bind-address = "0.0.0.0"; + # rpc-enabled = true; + # rpc-host-whitelist = ""; + # rpc-host-whitelist-enabled = true; + # rpc-port = 9091; + # rpc-url = "/transmission/"; + # rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3"; + # rpc-whitelist-enabled = true; + # scrape-paused-torrents-enabled = true; + # script-torrent-done-enabled = false; + # seed-queue-enabled = false; + # seed-queue-size = 10; + # speed-limit-down = 6000; + # speed-limit-down-enabled = true; + # speed-limit-up = 500; + # speed-limit-up-enabled = true; + # start-added-torrents = true; + # trash-original-torrent-files = false; + # umask = 2; + # upload-limit = 100; + # upload-limit-enabled = 0; + 
# upload-slots-per-torrent = 14;
+ # utp-enabled = false;
+ # };
+ # };
+
+ nginx = {
+ virtualHosts = {
+ "store.swarsel.win" = {
+ enableACME = false;
+ forceSSL = false;
+ acmeRoot = null;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:9091";
+ extraConfig = ''
+ client_max_body_size 0;
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/profiles/server/winters/default.nix b/profiles/server/winters/default.nix
index 1b9e797..1cd24d2 100644
--- a/profiles/server/winters/default.nix
+++ b/profiles/server/winters/default.nix
@@ -29,6 +29,7 @@
 hostName = "winters";
 hostId = "b7778a4a";
 firewall.enable = true;
+ enableIPv6 = false;
 firewall.allowedTCPPorts = [ 80 443 ];
 };
 
@@ -50,6 +51,7 @@
 nextcloud = true;
 immich = true;
 paperless = true;
+ transmission = true;
 };
 };
 
diff --git a/scripts/server1/iptables.sh b/scripts/server1/iptables.sh
index 4317817..3b191ce 100644
--- a/scripts/server1/iptables.sh
+++ b/scripts/server1/iptables.sh
@@ -1,8 +1,8 @@
 #! /usr/bin/env bash
 export INTERFACE="tun0"
 export VPNUSER="vpn"
-export LOCALIP="192.168.1.107"
-export NETIF="enp7s0"
+export LOCALIP="192.168.1.2"
+export NETIF="enp3s0"
 
 # flushes all the iptables rules, if you have other rules to use then add them into the script
 iptables -F -t nat
@@ -34,14 +34,7 @@ iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # reject connections from predator IP going over $NETIF
 iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
 
-VPNIF="tun0"
-VPNUSER="vpn"
-GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
-if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
-ip rule add from all fwmark 0x1 lookup $VPNUSER
-fi
-ip route replace default via $GATEWAYIP table $VPNUSER
-ip route append default via 127.0.0.1 dev lo table $VPNUSER
-ip route flush cache
+# Start routing script
+/etc/openvpn/routing.sh
 
 exit 0
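Review bot: `/etc/openvpn/routing.sh` replaces the inline policy-routing block, but its exit status is discarded and the hook still ends in the unconditional `exit 0`, so if routing.sh fails (file missing, no exec bit, gateway parse error) OpenVPN sees a successful `up` while the `vpn` user's packets carry mark 0x1 with no rule sending them to the vpn table; they then appear to route through the main table with source `$LOCALIP`, which `! --src $LOCALIP -o $NETIF -j REJECT` does not match, i.e. they leave over `$NETIF` outside the tunnel. Fail closed instead: `/etc/openvpn/routing.sh || exit 1`, which makes OpenVPN abort the connection when the routing step fails. It is also unclear from this commit what installs the script at that path, since the `environment.etc."openvpn/routing.sh"` entry is commented out in transmission.nix; a comment here naming the mechanism would help.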
diff --git a/scripts/server1/iptables.sh.bak b/scripts/server1/iptables.sh.bak
new file mode 100644
index 0000000..6048fa9
--- /dev/null
+++ b/scripts/server1/iptables.sh.bak
@@ -0,0 +1,47 @@
+#! /usr/bin/env bash
+export INTERFACE="tun0"
+export VPNUSER="vpn"
+export LOCALIP="192.168.1.2"
+export NETIF="enp3s0"
+
+# flushes all the iptables rules, if you have other rules to use then add them into the script
+iptables -F -t nat
+iptables -F -t mangle
+iptables -F -t filter
+
+# mark packets from $VPNUSER
+iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
+iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
+
+# allow responses
+iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# block everything incoming on $INTERFACE to prevent accidental exposing of ports
+iptables -A INPUT -i $INTERFACE -j REJECT
+
+# let $VPNUSER access lo and $INTERFACE
+iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
+iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
+
+# all packets on $INTERFACE needs to be masqueraded
+iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
+iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# reject connections from predator IP going over $NETIF
+iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
+
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+exit 0
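Review bot: `scripts/server1/iptables.sh.bak` is a committed backup copy of the file changed in the previous hunk (already carrying the new `LOCALIP`/`NETIF` values), and `routing.sh.bak` and `update-resolv-conf.bak` below follow the same pattern; git history already holds the previous versions, so the three `.bak` files should not enter the tree. Keeping them around also leaves the superseded `ifconfig | egrep` gateway parsing and the hard-coded `foreign_option_*` DNS servers next to the live scripts, where they are easy to mistake for the installed versions. If a reference copy is genuinely wanted, give it a descriptive name and a header comment saying it is not deployed.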
diff --git a/scripts/server1/routing.sh b/scripts/server1/routing.sh
index 64e0664..1bab5e5 100644
--- a/scripts/server1/routing.sh
+++ b/scripts/server1/routing.sh
@@ -9,6 +9,6 @@ ip route replace default via $GATEWAYIP table $VPNUSER
 ip route append default via 127.0.0.1 dev lo table $VPNUSER
 ip route flush cache
 
-bash /etc/openvpn/update-resolv-conf
+/etc/openvpn/update-resolv-conf
 
 exit 0
diff --git a/scripts/server1/routing.sh.bak b/scripts/server1/routing.sh.bak
new file mode 100644
index 0000000..64e0664
--- /dev/null
+++ b/scripts/server1/routing.sh.bak
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+bash /etc/openvpn/update-resolv-conf
+
+exit 0
diff --git a/scripts/server1/update-resolv-conf.bak b/scripts/server1/update-resolv-conf.bak
new file mode 100644
index 0000000..f1e5586
--- /dev/null
+++ b/scripts/server1/update-resolv-conf.bak
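Review bot: Running `/etc/openvpn/update-resolv-conf` directly instead of through `bash` makes the call depend on the installed file's exec bit, and its exit status is still dropped before the unconditional `exit 0`; if the deployed script matches the `.bak` copy below, it additionally returns 0 on its own when `/sbin/resolvconf` is absent, so a tunnel coming up with DNS still pointed at the pre-VPN resolver would go unnoticed. Use `/etc/openvpn/update-resolv-conf || exit 1` here, and consider making update-resolv-conf exit non-zero when resolvconf is missing so the failure is visible. The script's `GATEWAYIP` parsing and the `ip rule`/`ip route` lines it depends on start outside the hunk.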
@@ -0,0 +1,45 @@
+#! /usr/bin/env bash
+foreign_option_1='dhcp-option DNS 209.222.18.222'
+foreign_option_2='dhcp-option DNS 209.222.18.218'
+foreign_option_3='dhcp-option DNS 8.8.8.8'
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+ part1="$1"
+ part2="$2"
+ part3="$3"
+}
+
+case "$script_type" in
+ up)
+ NMSRVRS=""
+ SRCHS=""
+ for optionvarname in ${!foreign_option_*} ; do
+ option="${!optionvarname}"
+ echo "$option"
+ split_into_parts $option
+ if [ "$part1" = "dhcp-option" ] ; then
+ if [ "$part2" = "DNS" ] ; then
+ NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+ elif [ "$part2" = "DOMAIN" ] ; then
+ SRCHS="${SRCHS:+$SRCHS }$part3"
+ fi
+ fi
+ done
+ R=""
+ [ "$SRCHS" ] && R="search $SRCHS
+"
+ for NS in $NMSRVRS ; do
+ R="${R}nameserver $NS
+"
+ done
+ echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+ ;;
+ down)
+ /sbin/resolvconf -d "${dev}.openvpn"
+ ;;
+esac