swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 17:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

init: transmission

Browse source
This commit is contained in:
Swarsel 2024-10-05 13:44:55 +02:00
parent 3a56b30a91
commit 1e7f25c979
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
13 changed files with 971 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

442
SwarselSystems.org
View file

@ -2039,6 +2039,7 @@ My work machine. Built for more security, this is the gold standard of my config
hostName = "winters"; hostName = "winters";
hostId = "b7778a4a"; hostId = "b7778a4a";
firewall.enable = true; firewall.enable = true;
enableIPv6 = false;
firewall.allowedTCPPorts = [ 80 443 ]; firewall.allowedTCPPorts = [ 80 443 ];
}; };
@ -2060,6 +2061,7 @@ My work machine. Built for more security, this is the gold standard of my config
nextcloud = true; nextcloud = true;
immich = true; immich = true;
paperless = true; paperless = true;
transmission = true;
}; };
}; };
@ -4747,6 +4749,7 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
options.swarselsystems.server.nextcloud = lib.mkEnableOption "enable nextcloud on server"; options.swarselsystems.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
options.swarselsystems.server.immich = lib.mkEnableOption "enable immich on server"; options.swarselsystems.server.immich = lib.mkEnableOption "enable immich on server";
options.swarselsystems.server.paperless = lib.mkEnableOption "enable paperless on server"; options.swarselsystems.server.paperless = lib.mkEnableOption "enable paperless on server";
options.swarselsystems.server.transmission = lib.mkEnableOption "enable transmission and friends on server";
} }
#+end_src #+end_src
@ -6640,6 +6643,7 @@ Also, the system state version is set here. No need to touch it.
./nextcloud.nix ./nextcloud.nix
./immich.nix ./immich.nix
./paperless.nix ./paperless.nix
./transmission.nix
]; ];
nix = nix =
@ -7396,7 +7400,8 @@ Also, the system state version is set here. No need to touch it.
]; ];
locations = { locations = {
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:8008"; # proxyPass = "http://localhost:8008";
proxyPass = "http://192.168.1.2:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -7465,9 +7470,9 @@ Also, the system state version is set here. No need to touch it.
{ {
config = lib.mkIf config.swarselsystems.server.immich { config = lib.mkIf config.swarselsystems.server.immich {
users.users.immich = { users.users.immich = {
extraGroups = [ "users" ]; extraGroups = [ "video" "render" "users" ];
}; };
# sops.secrets.nextcloudadminpass = { owner = "nextcloud"; }; # sops.secrets.nextcloudadminpass = { owner = "nextcloud"; };
@ -7476,6 +7481,7 @@ Also, the system state version is set here. No need to touch it.
port = 3001; port = 3001;
openFirewall = true; openFirewall = true;
mediaLocation = "/Vault/Eternor/Immich"; mediaLocation = "/Vault/Eternor/Immich";
environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://127.0.0.1:3003";
}; };
@ -7487,15 +7493,25 @@ Also, the system state version is set here. No need to touch it.
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://[::1]:3001"; proxyPass = "http://127.0.0.1:3001";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
''; '';
}; };
}; };
}; };
}; };
}; };
}; };
} }
@ -7517,14 +7533,15 @@ Also, the system state version is set here. No need to touch it.
services.paperless = { services.paperless = {
enable = true; enable = true;
mediaDir = "/Vault/Eternor/Dokumente"; mediaDir = "/Vault/Eternor/Paperless";
dataDir = "/Vault/data/paperless";
user = "paperless"; user = "paperless";
port = 28981; port = 28981;
passwordFile = config.sops.secrets.paperless_admin.path; passwordFile = config.sops.secrets.paperless_admin.path;
address = "0.0.0.0"; address = "0.0.0.0";
extraConfig = { settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng"; PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_URL = "scan.swarsel.win"; PAPERLESS_URL = "https://scan.swarsel.win";
PAPERLESS_OCR_USER_ARGS = builtins.toJSON { PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
optimize = 1; optimize = 1;
pdfa_image_compression = "lossless"; pdfa_image_compression = "lossless";
@ -7554,6 +7571,415 @@ Also, the system state version is set here. No need to touch it.
} }
#+end_src #+end_src
**** transmission
#+begin_src nix :tangle profiles/server/common/transmission.nix
{ pkgs, lib, config, ... }:
{
config = lib.mkIf config.swarselsystems.server.transmission {
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
docker
];
# boot = {
# kernelModules = [ "tun" ];
# kernel.sysctl = {
# "net.ipv4.conf.all.rp_filter" = 2;
# "net.ipv4.conf.default.rp_filter" = 2;
# "net.ipv4.conf.enp3s0.rp_filter" = 2;
# };
# };
# environment.systemPackages = with pkgs; [
# jq
# traceroute
# curl
# ];
# environment.etc = {
# "openvpn/iptables.sh" =
# {
# source = ../../../scripts/server1/iptables.sh;
# mode = "0755";
# };
# "openvpn/update-resolv-conf" =
# {
# source = ../../../scripts/server1/update-resolv-conf;
# mode = "0755";
# };
# "openvpn/routing.sh" =
# {
# source = ../../../scripts/server1/routing.sh;
# mode = "0755";
# };
# "openvpn/ca.rsa.2048.crt" =
# {
# source = ../../../secrets/certs/ca.rsa.2048.crt;
# mode = "0644";
# };
# "openvpn/crl.rsa.2048.pem" =
# {
# source = ../../../secrets/certs/crl.rsa.2048.pem;
# mode = "0644";
# };
# };
# networking = {
# firewall.extraCommands = ''
# sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
# '';
# iproute2 = {
# enable = true;
# rttablesExtraConfig = ''
# 200 vpn
# '';
# };
# };
# users = {
# groups = {
# vpn = { };
# };
# users = {
# vpn = {
# isNormalUser = true;
# group = "vpn";
# home = "/home/vpn";
# };
# };
# };
# sops = {
# secrets = {
# vpnuser = { };
# rpcuser = { owner = "vpn"; };
# vpnpass = { };
# rpcpass = { owner = "vpn"; };
# vpnprot = { };
# vpnloc = { };
# };
# templates = {
# "transmission-rpc" = {
# owner = "vpn";
# content = builtins.toJSON {
# rpc-username = config.sops.placeholder.rpcuser;
# rpc-password = config.sops.placeholder.rpcpass;
# };
# };
# pia.content = ''
# ${config.sops.placeholder.vpnuser}
# ${config.sops.placeholder.vpnpass}
# '';
# vpn = {
# path = "/etc/openvpn/openvpn.conf";
# mode = "0644";
# content = ''
# client
# dev tun
# proto ${config.sops.placeholder.vpnprot}
# remote ${config.sops.placeholder.vpnloc}
# resolv-retry infinite
# nobind
# persist-key
# persist-tun
# cipher aes-128-cbc
# auth sha1
# tls-client
# remote-cert-tls server
# auth-user-pass ${config.sops.templates.pia.path}
# auth-nocache
# comp-lzo
# compress
# verb 1
# reneg-sec 0
# crl-verify /etc/openvpn/crl.rsa.2048.pem
# ca /etc/openvpn/ca.rsa.2048.crt
# disable-occ
# script-security 2
# route-noexec
# up /etc/openvpn/iptables.sh
# down /etc/openvpn/update-resolv-conf
# '';
# };
# };
# };
# systemd = {
# timers."restart-pia-monthly" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "1M";
# OnUnitActiveSec = "1M";
# Unit = "restart-pia-monthly.service";
# };
# };
# services."restart-pia-monthly" = {
# script = ''
# systemctl restart pia-pf.service
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# timers."reboot-portforward-2h" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "2h";
# OnUnitActiveSec = "2h";
# Unit = "reboot-portforward-2h.service";
# };
# };
# services."reboot-portforward-2h" = {
# script = ''
# /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# timers."hourly-services" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "1h";
# OnUnitActiveSec = "1h";
# Unit = "hourly-services.service";
# };
# };
# services."hourly-services" = {
# script = ''
# ${pkgs.sudo}/bin/sudo /etc/openvpn/iptables.sh
# ${pkgs.sudo}/bin/sudo -u vpn -i -- ${pkgs.curl}/bin/curl -c /opt/persists/mam.cookies -b /opt/persists/mam.cookies https://t.myanonamouse.net/json/dynamicSeedbox.php
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# timers."reboot-portforward" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "1m";
# Unit = "reboot-portforward.service";
# };
# };
# services."reboot-portforward" = {
# script = ''
# sleep 60
# /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# tmpfiles.rules = [
# "d /run/openvpn 644 root root 10d"
# "f /run/openvpn/openvpn.pid 0644 root root"
# "f /run/openvpn/openvpn.status 0644 root root"
# ];
# services."pia-pf" = {
# path = with pkgs; [
# toybox
# jq
# curl
# traceroute
# bash
# gawk
# ];
# description = "PIA Port Forwarding Daemon";
# after = [ "network.target" "openvpn@openvpn.service" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# SyslogIdentifier = "pia-pf";
# Type = "simple";
# ExecStartPre = "${pkgs.toybox}/bin/sleep 10";
# ExecStart = "/etc/openvpn/pia-portforward.sh -f tun0 -p /etc/openvpn/port.dat -s /etc/openvpn/portforward.sh";
# WorkingDirectory = "/etc/openvpn";
# Restart = "always";
# RestartSec = 5;
# TimeoutStopSec = 30;
# };
# };
# services."openvpn@openvpn" = {
# description = "Open VPN connection to %i";
# after = [ "network.target" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# RuntimeDirectory = "openvpn";
# PrivateTmp = true;
# KillMode = "mixed";
# Type = "forking";
# ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid";
# PIDFile = "/run/openvpn/%i.pid";
# ExecReload = "/bin/kill -HUP $MAINPID";
# WorkingDirectory = "/etc/openvpn";
# Restart = "on-failure";
# RestartSec = 3;
# ProtectSystem = "yes";
# LimitNPROC = 10;
# DeviceAllow = [
# "/dev/null rw"
# "/dev/net/tun rw"
# ];
# };
# };
# };
services = {
radarr = {
enable = true;
};
readarr = {
enable = true;
};
sonarr = {
enable = true;
};
lidarr = {
enable = true;
};
prowlarr = {
enable = true;
};
# openvpn.servers = {
# pia = {
# autoStart = false;
# updateResolvConf = false;
# config = "config ${config.sops.templates.vpn.path}";
# };
# };
# transmission = {
# enable = true;
# package =
# let
# pkgs2_94 = import
# (builtins.fetchGit {
# name = "transmission-2.94";
# url = "https://github.com/NixOS/nixpkgs/";
# ref = "refs/heads/nixpkgs-unstable";
# rev = "4426104c8c900fbe048c33a0e6f68a006235ac50";
# })
# { };
# transmission2_94 = pkgs2_94.transmission;
# in
# transmission2_94;
# user = "vpn";
# credentialsFile = config.sops.templates."transmission-rpc".path;
# openPeerPorts = true;
# settings = {
# alt-speed-down = 6000;
# alt-speed-enabled = false;
# alt-speed-time-begin = 0;
# alt-speed-time-day = 127;
# alt-speed-time-enabled = true;
# alt-speed-time-end = 360;
# alt-speed-up = 1000;
# bind-address-ipv4 = "0.0.0.0";
# bind-address-ipv6 = "fe80::";
# blocklist-enabled = false;
# blocklist-url = "http://www.example.com/blocklist";
# cache-size-mb = 256;
# dht-enabled = false;
# download-dir = "/Vault/Eternor/New";
# download-limit = 100;
# download-limit-enabled = 0;
# download-queue-enabled = true;
# download-queue-size = 5;
# encryption = 2;
# idle-seeding-limit = 30;
# idle-seeding-limit-enabled = false;
# incomplete-dir = "/var/lib/transmission-daemon/Downloads";
# incomplete-dir-enabled = false;
# lpd-enabled = false;
# max-peers-global = 200;
# message-level = 1;
# peer-congestion-algorithm = "";
# peer-id-ttl-hours = 6;
# peer-limit-global = 100;
# peer-limit-per-torrent = 40;
# peer-port = 22371;
# peer-port-random-high = 65535;
# peer-port-random-low = 49152;
# peer-port-random-on-start = false;
# peer-socket-tos = "default";
# pex-enabled = false;
# port-forwarding-enabled = false;
# preallocation = 1;
# prefetch-enabled = true;
# queue-stalled-enabled = true;
# queue-stalled-minutes = 30;
# ratio-limit = 2;
# ratio-limit-enabled = false;
# rename-partial-files = true;
# rpc-authentication-required = true;
# rpc-bind-address = "0.0.0.0";
# rpc-enabled = true;
# rpc-host-whitelist = "";
# rpc-host-whitelist-enabled = true;
# rpc-port = 9091;
# rpc-url = "/transmission/";
# rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3";
# rpc-whitelist-enabled = true;
# scrape-paused-torrents-enabled = true;
# script-torrent-done-enabled = false;
# seed-queue-enabled = false;
# seed-queue-size = 10;
# speed-limit-down = 6000;
# speed-limit-down-enabled = true;
# speed-limit-up = 500;
# speed-limit-up-enabled = true;
# start-added-torrents = true;
# trash-original-torrent-files = false;
# umask = 2;
# upload-limit = 100;
# upload-limit-enabled = 0;
# upload-slots-per-torrent = 14;
# utp-enabled = false;
# };
# };
nginx = {
virtualHosts = {
"store.swarsel.win" = {
enableACME = false;
forceSSL = false;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
};
};
}
#+end_src
*** Optional *** Optional
:PROPERTIES: :PROPERTIES:

1
modules/nixos/setup.nix
View file

@ -19,4 +19,5 @@ in
options.swarselsystems.server.nextcloud = lib.mkEnableOption "enable nextcloud on server"; options.swarselsystems.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
options.swarselsystems.server.immich = lib.mkEnableOption "enable immich on server"; options.swarselsystems.server.immich = lib.mkEnableOption "enable immich on server";
options.swarselsystems.server.paperless = lib.mkEnableOption "enable paperless on server"; options.swarselsystems.server.paperless = lib.mkEnableOption "enable paperless on server";
options.swarselsystems.server.transmission = lib.mkEnableOption "enable transmission and friends on server";
} }

1
profiles/server/common/default.nix
View file

@ -22,6 +22,7 @@
./nextcloud.nix ./nextcloud.nix
./immich.nix ./immich.nix
./paperless.nix ./paperless.nix
./transmission.nix
]; ];
nix = nix =

15
profiles/server/common/immich.nix
View file

@ -3,7 +3,7 @@
config = lib.mkIf config.swarselsystems.server.immich { config = lib.mkIf config.swarselsystems.server.immich {
users.users.immich = { users.users.immich = {
extraGroups = [ "users" ]; extraGroups = [ "video" "render" "users" ];
}; };
# sops.secrets.nextcloudadminpass = { owner = "nextcloud"; }; # sops.secrets.nextcloudadminpass = { owner = "nextcloud"; };
@ -13,6 +13,7 @@
port = 3001; port = 3001;
openFirewall = true; openFirewall = true;
mediaLocation = "/Vault/Eternor/Immich"; mediaLocation = "/Vault/Eternor/Immich";
environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://127.0.0.1:3003";
}; };
@ -24,15 +25,25 @@
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://[::1]:3001"; proxyPass = "http://127.0.0.1:3001";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
''; '';
}; };
}; };
}; };
}; };
}; };
}; };
} }

3
profiles/server/common/matrix.nix
View file

@ -283,7 +283,8 @@ in
]; ];
locations = { locations = {
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:8008"; # proxyPass = "http://localhost:8008";
proxyPass = "http://192.168.1.2:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';

7
profiles/server/common/paperless.nix
View file

@ -11,14 +11,15 @@
services.paperless = { services.paperless = {
enable = true; enable = true;
mediaDir = "/Vault/Eternor/Dokumente"; mediaDir = "/Vault/Eternor/Paperless";
dataDir = "/Vault/data/paperless";
user = "paperless"; user = "paperless";
port = 28981; port = 28981;
passwordFile = config.sops.secrets.paperless_admin.path; passwordFile = config.sops.secrets.paperless_admin.path;
address = "0.0.0.0"; address = "0.0.0.0";
extraConfig = { settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng"; PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_URL = "scan.swarsel.win"; PAPERLESS_URL = "https://scan.swarsel.win";
PAPERLESS_OCR_USER_ARGS = builtins.toJSON { PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
optimize = 1; optimize = 1;
pdfa_image_compression = "lossless"; pdfa_image_compression = "lossless";

403
profiles/server/common/transmission.nix Normal file
View file

@ -0,0 +1,403 @@
{ pkgs, lib, config, ... }:
{
config = lib.mkIf config.swarselsystems.server.transmission {
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
docker
];
# boot = {
# kernelModules = [ "tun" ];
# kernel.sysctl = {
# "net.ipv4.conf.all.rp_filter" = 2;
# "net.ipv4.conf.default.rp_filter" = 2;
# "net.ipv4.conf.enp3s0.rp_filter" = 2;
# };
# };
# environment.systemPackages = with pkgs; [
# jq
# traceroute
# curl
# ];
# environment.etc = {
# "openvpn/iptables.sh" =
# {
# source = ../../../scripts/server1/iptables.sh;
# mode = "0755";
# };
# "openvpn/update-resolv-conf" =
# {
# source = ../../../scripts/server1/update-resolv-conf;
# mode = "0755";
# };
# "openvpn/routing.sh" =
# {
# source = ../../../scripts/server1/routing.sh;
# mode = "0755";
# };
# "openvpn/ca.rsa.2048.crt" =
# {
# source = ../../../secrets/certs/ca.rsa.2048.crt;
# mode = "0644";
# };
# "openvpn/crl.rsa.2048.pem" =
# {
# source = ../../../secrets/certs/crl.rsa.2048.pem;
# mode = "0644";
# };
# };
# networking = {
# firewall.extraCommands = ''
# sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
# '';
# iproute2 = {
# enable = true;
# rttablesExtraConfig = ''
# 200 vpn
# '';
# };
# };
# users = {
# groups = {
# vpn = { };
# };
# users = {
# vpn = {
# isNormalUser = true;
# group = "vpn";
# home = "/home/vpn";
# };
# };
# };
# sops = {
# secrets = {
# vpnuser = { };
# rpcuser = { owner = "vpn"; };
# vpnpass = { };
# rpcpass = { owner = "vpn"; };
# vpnprot = { };
# vpnloc = { };
# };
# templates = {
# "transmission-rpc" = {
# owner = "vpn";
# content = builtins.toJSON {
# rpc-username = config.sops.placeholder.rpcuser;
# rpc-password = config.sops.placeholder.rpcpass;
# };
# };
# pia.content = ''
# ${config.sops.placeholder.vpnuser}
# ${config.sops.placeholder.vpnpass}
# '';
# vpn = {
# path = "/etc/openvpn/openvpn.conf";
# mode = "0644";
# content = ''
# client
# dev tun
# proto ${config.sops.placeholder.vpnprot}
# remote ${config.sops.placeholder.vpnloc}
# resolv-retry infinite
# nobind
# persist-key
# persist-tun
# cipher aes-128-cbc
# auth sha1
# tls-client
# remote-cert-tls server
# auth-user-pass ${config.sops.templates.pia.path}
# auth-nocache
# comp-lzo
# compress
# verb 1
# reneg-sec 0
# crl-verify /etc/openvpn/crl.rsa.2048.pem
# ca /etc/openvpn/ca.rsa.2048.crt
# disable-occ
# script-security 2
# route-noexec
# up /etc/openvpn/iptables.sh
# down /etc/openvpn/update-resolv-conf
# '';
# };
# };
# };
# systemd = {
# timers."restart-pia-monthly" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "1M";
# OnUnitActiveSec = "1M";
# Unit = "restart-pia-monthly.service";
# };
# };
# services."restart-pia-monthly" = {
# script = ''
# systemctl restart pia-pf.service
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# timers."reboot-portforward-2h" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "2h";
# OnUnitActiveSec = "2h";
# Unit = "reboot-portforward-2h.service";
# };
# };
# services."reboot-portforward-2h" = {
# script = ''
# /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# timers."hourly-services" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "1h";
# OnUnitActiveSec = "1h";
# Unit = "hourly-services.service";
# };
# };
# services."hourly-services" = {
# script = ''
# ${pkgs.sudo}/bin/sudo /etc/openvpn/iptables.sh
# ${pkgs.sudo}/bin/sudo -u vpn -i -- ${pkgs.curl}/bin/curl -c /opt/persists/mam.cookies -b /opt/persists/mam.cookies https://t.myanonamouse.net/json/dynamicSeedbox.php
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# timers."reboot-portforward" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = "1m";
# Unit = "reboot-portforward.service";
# };
# };
# services."reboot-portforward" = {
# script = ''
# sleep 60
# /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
# tmpfiles.rules = [
# "d /run/openvpn 644 root root 10d"
# "f /run/openvpn/openvpn.pid 0644 root root"
# "f /run/openvpn/openvpn.status 0644 root root"
# ];
# services."pia-pf" = {
# path = with pkgs; [
# toybox
# jq
# curl
# traceroute
# bash
# gawk
# ];
# description = "PIA Port Forwarding Daemon";
# after = [ "network.target" "openvpn@openvpn.service" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# SyslogIdentifier = "pia-pf";
# Type = "simple";
# ExecStartPre = "${pkgs.toybox}/bin/sleep 10";
# ExecStart = "/etc/openvpn/pia-portforward.sh -f tun0 -p /etc/openvpn/port.dat -s /etc/openvpn/portforward.sh";
# WorkingDirectory = "/etc/openvpn";
# Restart = "always";
# RestartSec = 5;
# TimeoutStopSec = 30;
# };
# };
# services."openvpn@openvpn" = {
# description = "Open VPN connection to %i";
# after = [ "network.target" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# RuntimeDirectory = "openvpn";
# PrivateTmp = true;
# KillMode = "mixed";
# Type = "forking";
# ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid";
# PIDFile = "/run/openvpn/%i.pid";
# ExecReload = "/bin/kill -HUP $MAINPID";
# WorkingDirectory = "/etc/openvpn";
# Restart = "on-failure";
# RestartSec = 3;
# ProtectSystem = "yes";
# LimitNPROC = 10;
# DeviceAllow = [
# "/dev/null rw"
# "/dev/net/tun rw"
# ];
# };
# };
# };
services = {
radarr = {
enable = true;
};
readarr = {
enable = true;
};
sonarr = {
enable = true;
};
lidarr = {
enable = true;
};
prowlarr = {
enable = true;
};
# openvpn.servers = {
# pia = {
# autoStart = false;
# updateResolvConf = false;
# config = "config ${config.sops.templates.vpn.path}";
# };
# };
# transmission = {
# enable = true;
# package =
# let
# pkgs2_94 = import
# (builtins.fetchGit {
# name = "transmission-2.94";
# url = "https://github.com/NixOS/nixpkgs/";
# ref = "refs/heads/nixpkgs-unstable";
# rev = "4426104c8c900fbe048c33a0e6f68a006235ac50";
# })
# { };
# transmission2_94 = pkgs2_94.transmission;
# in
# transmission2_94;
# user = "vpn";
# credentialsFile = config.sops.templates."transmission-rpc".path;
# openPeerPorts = true;
# settings = {
# alt-speed-down = 6000;
# alt-speed-enabled = false;
# alt-speed-time-begin = 0;
# alt-speed-time-day = 127;
# alt-speed-time-enabled = true;
# alt-speed-time-end = 360;
# alt-speed-up = 1000;
# bind-address-ipv4 = "0.0.0.0";
# bind-address-ipv6 = "fe80::";
# blocklist-enabled = false;
# blocklist-url = "http://www.example.com/blocklist";
# cache-size-mb = 256;
# dht-enabled = false;
# download-dir = "/Vault/Eternor/New";
# download-limit = 100;
# download-limit-enabled = 0;
# download-queue-enabled = true;
# download-queue-size = 5;
# encryption = 2;
# idle-seeding-limit = 30;
# idle-seeding-limit-enabled = false;
# incomplete-dir = "/var/lib/transmission-daemon/Downloads";
# incomplete-dir-enabled = false;
# lpd-enabled = false;
# max-peers-global = 200;
# message-level = 1;
# peer-congestion-algorithm = "";
# peer-id-ttl-hours = 6;
# peer-limit-global = 100;
# peer-limit-per-torrent = 40;
# peer-port = 22371;
# peer-port-random-high = 65535;
# peer-port-random-low = 49152;
# peer-port-random-on-start = false;
# peer-socket-tos = "default";
# pex-enabled = false;
# port-forwarding-enabled = false;
# preallocation = 1;
# prefetch-enabled = true;
# queue-stalled-enabled = true;
# queue-stalled-minutes = 30;
# ratio-limit = 2;
# ratio-limit-enabled = false;
# rename-partial-files = true;
# rpc-authentication-required = true;
# rpc-bind-address = "0.0.0.0";
# rpc-enabled = true;
# rpc-host-whitelist = "";
# rpc-host-whitelist-enabled = true;
# rpc-port = 9091;
# rpc-url = "/transmission/";
# rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3";
# rpc-whitelist-enabled = true;
# scrape-paused-torrents-enabled = true;
# script-torrent-done-enabled = false;
# seed-queue-enabled = false;
# seed-queue-size = 10;
# speed-limit-down = 6000;
# speed-limit-down-enabled = true;
# speed-limit-up = 500;
# speed-limit-up-enabled = true;
# start-added-torrents = true;
# trash-original-torrent-files = false;
# umask = 2;
# upload-limit = 100;
# upload-limit-enabled = 0;
# upload-slots-per-torrent = 14;
# utp-enabled = false;
# };
# };
nginx = {
virtualHosts = {
"store.swarsel.win" = {
enableACME = false;
forceSSL = false;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
};
};
}

2
profiles/server/winters/default.nix
View file

@ -29,6 +29,7 @@
hostName = "winters"; hostName = "winters";
hostId = "b7778a4a"; hostId = "b7778a4a";
firewall.enable = true; firewall.enable = true;
enableIPv6 = false;
firewall.allowedTCPPorts = [ 80 443 ]; firewall.allowedTCPPorts = [ 80 443 ];
}; };
@ -50,6 +51,7 @@
nextcloud = true; nextcloud = true;
immich = true; immich = true;
paperless = true; paperless = true;
transmission = true;
}; };
}; };

15
scripts/server1/iptables.sh
View file

@ -1,8 +1,8 @@
#! /usr/bin/env bash #! /usr/bin/env bash
export INTERFACE="tun0" export INTERFACE="tun0"
export VPNUSER="vpn" export VPNUSER="vpn"
export LOCALIP="192.168.1.107" export LOCALIP="192.168.1.2"
export NETIF="enp7s0" export NETIF="enp3s0"
# flushes all the iptables rules, if you have other rules to use then add them into the script # flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat iptables -F -t nat
@ -34,14 +34,7 @@ iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# reject connections from predator IP going over $NETIF # reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
VPNIF="tun0" # Start routing script
VPNUSER="vpn" /etc/openvpn/routing.sh
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
exit 0 exit 0

47
scripts/server1/iptables.sh.bak Normal file
View file

@ -0,0 +1,47 @@
#! /usr/bin/env bash
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.2"
export NETIF="enp3s0"
# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
exit 0

2
scripts/server1/routing.sh
View file

@ -9,6 +9,6 @@ ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache ip route flush cache
bash /etc/openvpn/update-resolv-conf /etc/openvpn/update-resolv-conf
exit 0 exit 0

14
scripts/server1/routing.sh.bak Normal file
View file

@ -0,0 +1,14 @@
#! /usr/bin/env bash
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
bash /etc/openvpn/update-resolv-conf
exit 0

45
scripts/server1/update-resolv-conf.bak Normal file
View file

@ -0,0 +1,45 @@
#! /usr/bin/env bash
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac