{ config, pkgs, modulesPath, ... }: { imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ./hardware-configuration.nix # ./openvpn.nix #this file holds the vpn login data ]; environment.systemPackages = with pkgs; [ git gnupg ssh-to-age openvpn jq iptables busybox wireguard-tools ]; users.groups.lxc_shares = { gid = 10000; members = [ "vpn" "radarr" "sonarr" "lidarr" "readarr" "root" ]; }; users.groups.vpn = { }; users.users.vpn = { isNormalUser = true; group = "vpn"; home = "/home/vpn"; }; services.xserver.xkb = { layout = "us"; variant = "altgr-intl"; }; nix.settings.experimental-features = [ "nix-command" "flakes" ]; sops = { age.sshKeyPaths = [ "/etc/ssh/sops" ]; defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml"; validateSopsFiles = false; }; boot.kernelModules = [ "tun" ]; proxmoxLXC = { manageNetwork = true; # manage network myself manageHostName = false; # manage hostname myself }; networking = { hostName = "transmission"; # Define your hostname. useDHCP = true; enableIPv6 = false; firewall.enable = false; }; services = { radarr = { enable = true; }; readarr = { enable = true; }; sonarr = { enable = true; }; lidarr = { enable = true; }; prowlarr = { enable = true; }; }; networking.iproute2 = { enable = true; rttablesExtraConfig = '' 200 vpn ''; }; environment.etc = { "openvpn/iptables.sh" = { source = ../../../scripts/server1/iptables.sh; mode = "0755"; }; "openvpn/update-resolv-conf" = { source = ../../../scripts/server1/update-resolv-conf; mode = "0755"; }; "openvpn/routing.sh" = { source = ../../../scripts/server1/routing.sh; mode = "0755"; }; "openvpn/ca.rsa.2048.crt" = { source = ../../../secrets/certs/ca.rsa.2048.crt; mode = "0644"; }; "openvpn/crl.rsa.2048.pem" = { source = ../../../secrets/certs/crl.rsa.2048.pem; mode = "0644"; }; }; services.openssh = { enable = true; settings.PermitRootLogin = "yes"; listenAddresses = [{ port = 22; addr = "0.0.0.0"; }]; }; users.users.root.openssh.authorizedKeys.keyFiles = [ ../../../secrets/keys/authorized_keys ]; system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change # users.users.root.password = "TEMPLATE"; environment.shellAliases = { nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; }; sops = { templates = { "transmission-rpc" = { owner = "vpn"; content = builtins.toJSON { rpc-username = config.sops.placeholder.rpcuser; rpc-password = config.sops.placeholder.rpcpass; }; }; pia.content = '' ${config.sops.placeholder.vpnuser} ${config.sops.placeholder.vpnpass} ''; vpn.content = '' client dev tun proto ${config.sops.placeholder.vpnprot} remote ${config.sops.placeholder.vpnloc} resolv-retry infinite nobind persist-key persist-tun cipher aes-128-cbc auth sha1 tls-client remote-cert-tls server auth-user-pass ${config.sops.templates.pia.path} compress verb 1 reneg-sec 0 crl-verify /etc/openvpn/crl.rsa.2048.pem ca /etc/openvpn/ca.rsa.2048.crt disable-occ dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.218 dhcp-option DNS 8.8.8.8 route-noexec ''; }; secrets = { vpnuser = { }; rpcuser = { owner = "vpn"; }; vpnpass = { }; rpcpass = { owner = "vpn"; }; vpnprot = { }; vpnloc = { }; }; }; services.openvpn.servers = { pia = { autoStart = false; updateResolvConf = true; config = "config ${config.sops.templates.vpn.path}"; }; }; services.transmission = { enable = true; credentialsFile = config.sops.templates."transmission-rpc".path; user = "vpn"; group = "lxc_shares"; settings = { alt-speed-down = 8000; alt-speed-enabled = false; alt-speed-time-begin = 0; alt-speed-time-day = 127; alt-speed-time-enabled = true; alt-speed-time-end = 360; alt-speed-up = 2000; bind-address-ipv4 = "0.0.0.0"; bind-address-ipv6 = "::"; blocklist-enabled = false; blocklist-url = "http://www.example.com/blocklist"; cache-size-mb = 4; dht-enabled = false; download-dir = "/media/Eternor/New"; download-limit = 100; download-limit-enabled = 0; download-queue-enabled = true; download-queue-size = 5; encryption = 2; idle-seeding-limit = 30; idle-seeding-limit-enabled = false; incomplete-dir = "/var/lib/transmission-daemon/Downloads"; incomplete-dir-enabled = false; lpd-enabled = false; max-peers-global = 200; message-level = 1; peer-congestion-algorithm = ""; peer-id-ttl-hours = 6; peer-limit-global = 100; peer-limit-per-torrent = 40; peer-port = 22371; peer-port-random-high = 65535; peer-port-random-low = 49152; peer-port-random-on-start = false; peer-socket-tos = "default"; pex-enabled = false; port-forwarding-enabled = false; preallocation = 1; prefetch-enabled = true; queue-stalled-enabled = true; queue-stalled-minutes = 30; ratio-limit = 2; ratio-limit-enabled = false; rename-partial-files = true; rpc-authentication-required = true; rpc-bind-address = "0.0.0.0"; rpc-enabled = true; rpc-host-whitelist = ""; rpc-host-whitelist-enabled = true; rpc-port = 9091; rpc-url = "/transmission/"; rpc-whitelist = "127.0.0.1,192.168.3.2"; rpc-whitelist-enabled = true; scrape-paused-torrents-enabled = true; script-torrent-done-enabled = false; seed-queue-enabled = false; seed-queue-size = 10; speed-limit-down = 6000; speed-limit-down-enabled = true; speed-limit-up = 500; speed-limit-up-enabled = true; start-added-torrents = true; trash-original-torrent-files = false; umask = 2; upload-limit = 100; upload-limit-enabled = 0; upload-slots-per-torrent = 14; utp-enabled = false; }; }; }