swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 00:57:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
.dotfiles/profiles/server1/transmission/nixos.nix
Swarsel 5acbfe0edd
refactor: split common/nixos.nix and -/home.nix 
Split these big files into modular files that
are easier to share and read on their own.
2024-07-23 11:37:11 +02:00

275 lines
6.5 KiB
Nix
Raw Blame History

{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
# ./openvpn.nix #this file holds the vpn login data
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
openvpn
jq
iptables
busybox
wireguard-tools
];
users.groups.lxc_shares = {
gid = 10000;
members = [
"vpn"
"radarr"
"sonarr"
"lidarr"
"readarr"
"root"
];
};
users.groups.vpn = { };
users.users.vpn = {
isNormalUser = true;
group = "vpn";
home = "/home/vpn";
};
services.xserver.xkb = {
layout = "us";
variant = "altgr-intl";
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
validateSopsFiles = false;
};
boot.kernelModules = [ "tun" ];
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "transmission"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services = {
radarr = {
enable = true;
};
readarr = {
enable = true;
};
sonarr = {
enable = true;
};
lidarr = {
enable = true;
};
prowlarr = {
enable = true;
};
};
networking.iproute2 = {
enable = true;
rttablesExtraConfig = ''
200 vpn
'';
};
environment.etc = {
"openvpn/iptables.sh" =
{
source = ../../../scripts/server1/iptables.sh;
mode = "0755";
};
"openvpn/update-resolv-conf" =
{
source = ../../../scripts/server1/update-resolv-conf;
mode = "0755";
};
"openvpn/routing.sh" =
{
source = ../../../scripts/server1/routing.sh;
mode = "0755";
};
"openvpn/ca.rsa.2048.crt" =
{
source = ../../../secrets/certs/ca.rsa.2048.crt;
mode = "0644";
};
"openvpn/crl.rsa.2048.pem" =
{
source = ../../../secrets/certs/crl.rsa.2048.pem;
mode = "0644";
};
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
# users.users.root.password = "TEMPLATE";
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
sops = {
templates = {
"transmission-rpc" = {
owner = "vpn";
content = builtins.toJSON {
rpc-username = config.sops.placeholder.rpcuser;
rpc-password = config.sops.placeholder.rpcpass;
};
};
pia.content = ''
${config.sops.placeholder.vpnuser}
${config.sops.placeholder.vpnpass}
'';
vpn.content = ''
client
dev tun
proto ${config.sops.placeholder.vpnprot}
remote ${config.sops.placeholder.vpnloc}
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass ${config.sops.templates.pia.path}
compress
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
dhcp-option DNS 8.8.8.8
route-noexec
'';
};
secrets = {
vpnuser = { };
rpcuser = { owner = "vpn"; };
vpnpass = { };
rpcpass = { owner = "vpn"; };
vpnprot = { };
vpnloc = { };
};
};
services.openvpn.servers = {
pia = {
autoStart = false;
updateResolvConf = true;
config = "config ${config.sops.templates.vpn.path}";
};
};
services.transmission = {
enable = true;
credentialsFile = config.sops.templates."transmission-rpc".path;
user = "vpn";
group = "lxc_shares";
settings = {
alt-speed-down = 8000;
alt-speed-enabled = false;
alt-speed-time-begin = 0;
alt-speed-time-day = 127;
alt-speed-time-enabled = true;
alt-speed-time-end = 360;
alt-speed-up = 2000;
bind-address-ipv4 = "0.0.0.0";
bind-address-ipv6 = "::";
blocklist-enabled = false;
blocklist-url = "http://www.example.com/blocklist";
cache-size-mb = 4;
dht-enabled = false;
download-dir = "/media/Eternor/New";
download-limit = 100;
download-limit-enabled = 0;
download-queue-enabled = true;
download-queue-size = 5;
encryption = 2;
idle-seeding-limit = 30;
idle-seeding-limit-enabled = false;
incomplete-dir = "/var/lib/transmission-daemon/Downloads";
incomplete-dir-enabled = false;
lpd-enabled = false;
max-peers-global = 200;
message-level = 1;
peer-congestion-algorithm = "";
peer-id-ttl-hours = 6;
peer-limit-global = 100;
peer-limit-per-torrent = 40;
peer-port = 22371;
peer-port-random-high = 65535;
peer-port-random-low = 49152;
peer-port-random-on-start = false;
peer-socket-tos = "default";
pex-enabled = false;
port-forwarding-enabled = false;
preallocation = 1;
prefetch-enabled = true;
queue-stalled-enabled = true;
queue-stalled-minutes = 30;
ratio-limit = 2;
ratio-limit-enabled = false;
rename-partial-files = true;
rpc-authentication-required = true;
rpc-bind-address = "0.0.0.0";
rpc-enabled = true;
rpc-host-whitelist = "";
rpc-host-whitelist-enabled = true;
rpc-port = 9091;
rpc-url = "/transmission/";
rpc-whitelist = "127.0.0.1,192.168.3.2";
rpc-whitelist-enabled = true;
scrape-paused-torrents-enabled = true;
script-torrent-done-enabled = false;
seed-queue-enabled = false;
seed-queue-size = 10;
speed-limit-down = 6000;
speed-limit-down-enabled = true;
speed-limit-up = 500;
speed-limit-up-enabled = true;
start-added-torrents = true;
trash-original-torrent-files = false;
umask = 2;
upload-limit = 100;
upload-limit-enabled = 0;
upload-slots-per-torrent = 14;
utp-enabled = false;
};
};
}
Reference in a new issue View git blame Copy permalink