diff --git a/SwarselSystems.org b/SwarselSystems.org index 232ceb4..9db65cb 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -7576,189 +7576,169 @@ Also, the system state version is set here. No need to touch it. **** transmission #+begin_src nix :tangle profiles/server/common/transmission.nix -{ pkgs, lib, config, ... }: -{ - config = lib.mkIf config.swarselsystems.server.transmission { + { pkgs, lib, config, ... }: + { + config = lib.mkIf config.swarselsystems.server.transmission { - boot = { - kernelModules = [ "tun" ]; - kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp3s0.rp_filter" = 2; - }; - }; - environment.systemPackages = with pkgs; [ - jq - traceroute - curl - ]; - environment.etc = { - "openvpn/iptables.sh" = - { - source = ../../../scripts/server1/iptables.sh; - mode = "0755"; - }; - "openvpn/update-resolv-conf" = - { - source = ../../../scripts/server1/update-resolv-conf; - mode = "0755"; - }; - "openvpn/routing.sh" = - { - source = ../../../scripts/server1/routing.sh; - mode = "0755"; - }; - "openvpn/ca.rsa.2048.crt" = - { - source = ../../../secrets/certs/ca.rsa.2048.crt; - mode = "0644"; - }; - "openvpn/crl.rsa.2048.pem" = - { - source = ../../../secrets/certs/crl.rsa.2048.pem; - mode = "0644"; + boot = { + kernelModules = [ "tun" ]; + kernel.sysctl = { + "net.ipv4.conf.all.rp_filter" = 2; + "net.ipv4.conf.default.rp_filter" = 2; + "net.ipv4.conf.enp3s0.rp_filter" = 2; }; - }; + }; + environment.systemPackages = with pkgs; [ + jq + traceroute + curl + ]; + environment.etc = { + "openvpn/iptables.sh" = + { + source = ../../../scripts/server1/iptables.sh; + mode = "0755"; + }; + "openvpn/update-resolv-conf" = + { + source = ../../../scripts/server1/update-resolv-conf; + mode = "0755"; + }; + "openvpn/routing.sh" = + { + source = ../../../scripts/server1/routing.sh; + mode = "0755"; + }; + "openvpn/ca.rsa.2048.crt" = + { + source = ../../../secrets/certs/ca.rsa.2048.crt; + mode = "0644"; + }; + "openvpn/crl.rsa.2048.pem" = + { + source = ../../../secrets/certs/crl.rsa.2048.pem; + mode = "0644"; + }; + }; - networking = { - firewall.extraCommands = '' - sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP - ''; - iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn + networking = { + firewall.extraCommands = '' + sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP ''; + iproute2 = { + enable = true; + rttablesExtraConfig = '' + 200 vpn + ''; + }; }; - }; - users = { - groups = { - vpn = { }; - }; users = { - vpn = { - isNormalUser = true; - group = "vpn"; - home = "/home/vpn"; + groups = { + vpn = { }; }; - }; - }; - - sops = { - secrets = { - vpnuser = { }; - rpcuser = { owner = "vpn"; }; - vpnpass = { }; - rpcpass = { owner = "vpn"; }; - vpnprot = { }; - vpnloc = { }; - }; - templates = { - "transmission-rpc" = { - owner = "vpn"; - content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; + users = { + vpn = { + isNormalUser = true; + group = "vpn"; + home = "/home/vpn"; }; }; - - pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; - - vpn = { - path = "/etc/openvpn/openvpn.conf"; - mode = "0644"; - content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server - - auth-user-pass ${config.sops.templates.pia.path} - auth-nocache - comp-lzo - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - script-security 2 - route-noexec - - up /etc/openvpn/iptables.sh - down /etc/openvpn/update-resolv-conf - ''; - }; }; - }; - systemd = { - timers."restart-pia-monthly" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1M"; - OnUnitActiveSec = "1M"; - Unit = "restart-pia-monthly.service"; + sops = { + secrets = { + vpnuser = { }; + rpcuser = { owner = "vpn"; }; + vpnpass = { }; + rpcpass = { owner = "vpn"; }; + vpnprot = { }; + vpnloc = { }; }; - }; + templates = { + "transmission-rpc" = { + owner = "vpn"; + content = builtins.toJSON { + rpc-username = config.sops.placeholder.rpcuser; + rpc-password = config.sops.placeholder.rpcpass; + }; + }; - services."restart-pia-monthly" = { - script = '' - systemctl restart pia-pf.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; + pia.content = '' + ${config.sops.placeholder.vpnuser} + ${config.sops.placeholder.vpnpass} + ''; + + vpn = { + path = "/etc/openvpn/openvpn.conf"; + mode = "0644"; + content = '' + client + dev tun + proto ${config.sops.placeholder.vpnprot} + remote ${config.sops.placeholder.vpnloc} + resolv-retry infinite + nobind + persist-key + persist-tun + cipher aes-128-cbc + auth sha1 + tls-client + remote-cert-tls server + + auth-user-pass ${config.sops.templates.pia.path} + auth-nocache + comp-lzo + compress + verb 1 + reneg-sec 0 + + crl-verify /etc/openvpn/crl.rsa.2048.pem + ca /etc/openvpn/ca.rsa.2048.crt + + disable-occ + script-security 2 + route-noexec + + up /etc/openvpn/iptables.sh + down /etc/openvpn/update-resolv-conf + ''; + }; }; }; - timers."reboot-portforward-2h" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "2h"; - OnUnitActiveSec = "2h"; - Unit = "reboot-portforward-2h.service"; + systemd = { + timers."restart-pia-monthly" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1M"; + OnUnitActiveSec = "1M"; + Unit = "restart-pia-monthly.service"; + }; }; - }; - services."reboot-portforward-2h" = { - script = '' - /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; + services."restart-pia-monthly" = { + script = '' + systemctl restart pia-pf.service + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; }; - }; - timers."hourly-services" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1h"; - OnUnitActiveSec = "1h"; - Unit = "hourly-services.service"; + timers."reboot-portforward-2h" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "2h"; + OnUnitActiveSec = "2h"; + Unit = "reboot-portforward-2h.service"; + }; }; - }; - services."hourly-services" = { + services."reboot-portforward-2h" = { script = '' - ${pkgs.sudo}/bin/sudo -u vpn -i -- ${pkgs.curl}/bin/curl -c /opt/persists/mam.cookies -b /opt/persists/mam.cookies https://t.myanonamouse.net/json/dynamicSeedbox.php - ${pkgs.sudo}/bin/sudo /etc/openvpn/iptables.sh + /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 ''; serviceConfig = { Type = "oneshot"; @@ -7766,206 +7746,233 @@ Also, the system state version is set here. No need to touch it. }; }; - timers."reboot-portforward" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1m"; - Unit = "reboot-portforward.service"; + timers."hourly-services" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1h"; + OnUnitActiveSec = "1h"; + Unit = "hourly-services.service"; + }; }; - }; - services."reboot-portforward" = { - script = '' - sleep 60 - /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; + services."hourly-services" = { + script = '' + ${pkgs.sudo}/bin/sudo -u vpn -i -- ${pkgs.curl}/bin/curl -c /opt/persists/mam.cookies -b /opt/persists/mam.cookies https://t.myanonamouse.net/json/dynamicSeedbox.php + ${pkgs.sudo}/bin/sudo /etc/openvpn/iptables.sh + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + timers."reboot-portforward" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1m"; + Unit = "reboot-portforward.service"; + }; }; - }; - tmpfiles.rules = [ - "d /run/openvpn 644 root root 10d" - "f /run/openvpn/openvpn.pid 0644 root root" - "f /run/openvpn/openvpn.status 0644 root root" - ]; + services."reboot-portforward" = { + script = '' + sleep 60 + /etc/openvpn/portforward.sh | while IFS= read -r line; do echo "$(date) $line"; done >> /var/log/pia_portforward.log 2>&1 + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; - services."pia-pf" = { + tmpfiles.rules = [ + "d /run/openvpn 644 root root 10d" + "f /run/openvpn/openvpn.pid 0644 root root" + "f /run/openvpn/openvpn.status 0644 root root" + ]; - description = "PIA Port Forwarding Daemon"; - after = [ "network.target" "openvpn@openvpn.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - SyslogIdentifier = "pia-pf"; - Type = "simple"; - ExecStartPre = "${pkgs.toybox}/bin/sleep 10"; - ExecStart = "/etc/openvpn/pia-portforward.sh -f tun0 -p /etc/openvpn/port.dat -s /etc/openvpn/portforward.sh"; - WorkingDirectory = "/etc/openvpn"; - Restart = "always"; - RestartSec = 5; - TimeoutStopSec = 30; + services."pia-pf" = { + + path = with pkgs; [ + toybox + jq + curl + traceroute + bash + ]; + description = "PIA Port Forwarding Daemon"; + after = [ "network.target" "openvpn@openvpn.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + SyslogIdentifier = "pia-pf"; + Type = "simple"; + ExecStartPre = "sleep 10"; + ExecStart = "/etc/openvpn/pia-portforward.sh -f tun0 -p /etc/openvpn/port.dat -s /etc/openvpn/portforward.sh"; + WorkingDirectory = "/etc/openvpn"; + Restart = "always"; + RestartSec = 5; + TimeoutStopSec = 30; + }; }; - }; - services."openvpn@openvpn" = { + services."openvpn@openvpn" = { - description = "Open VPN connection to %i"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - RuntimeDirectory = "openvpn"; - PrivateTmp = true; - KillMode = "mixed"; - Type = "forking"; - ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid"; - PIDFile = "/run/openvpn/%i.pid"; - ExecReload = "/bin/kill -HUP $MAINPID"; - WorkingDirectory = "/etc/openvpn"; - Restart = "on-failure"; - RestartSec = 3; - ProtectSystem = "yes"; - LimitNPROC = 10; - DeviceAllow = [ - "/dev/null rw" - "/dev/net/tun rw" - ]; + description = "Open VPN connection to %i"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + RuntimeDirectory = "openvpn"; + PrivateTmp = true; + KillMode = "mixed"; + Type = "forking"; + ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid"; + PIDFile = "/run/openvpn/%i.pid"; + ExecReload = "/bin/kill -HUP $MAINPID"; + WorkingDirectory = "/etc/openvpn"; + Restart = "on-failure"; + RestartSec = 3; + ProtectSystem = "yes"; + LimitNPROC = 10; + DeviceAllow = [ + "/dev/null rw" + "/dev/net/tun rw" + ]; + }; }; }; - }; - services = { - radarr = { - enable = true; - }; - readarr = { - enable = true; - }; - sonarr = { - enable = true; - }; - lidarr = { - enable = true; - }; - prowlarr = { - enable = true; - }; - # openvpn.servers = { - # pia = { - # autoStart = false; - # updateResolvConf = false; - # config = "config ${config.sops.templates.vpn.path}"; - # }; - # }; - transmission = { - enable = true; - package = - let - pkgs2_94 = import - (builtins.fetchGit { - name = "transmission-2.94"; - url = "https://github.com/NixOS/nixpkgs/"; - ref = "refs/heads/nixpkgs-unstable"; - rev = "4426104c8c900fbe048c33a0e6f68a006235ac50"; - }) - { }; - - transmission2_94 = pkgs2_94.transmission; - in - transmission2_94; - user = "vpn"; - credentialsFile = config.sops.templates."transmission-rpc".path; - settings = { - alt-speed-down = 6000; - alt-speed-enabled = false; - alt-speed-time-begin = 0; - alt-speed-time-day = 127; - alt-speed-time-enabled = true; - alt-speed-time-end = 360; - alt-speed-up = 1000; - bind-address-ipv4 = "0.0.0.0"; - bind-address-ipv6 = "::"; - blocklist-enabled = false; - blocklist-url = "http://www.example.com/blocklist"; - cache-size-mb = 256; - dht-enabled = false; - download-dir = "/Vault/Eternor/New"; - download-limit = 100; - download-limit-enabled = 0; - download-queue-enabled = true; - download-queue-size = 5; - encryption = 2; - idle-seeding-limit = 30; - idle-seeding-limit-enabled = false; - incomplete-dir = "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled = false; - lpd-enabled = false; - max-peers-global = 200; - message-level = 1; - peer-congestion-algorithm = ""; - peer-id-ttl-hours = 6; - peer-limit-global = 100; - peer-limit-per-torrent = 40; - peer-port = 22371; - peer-port-random-high = 65535; - peer-port-random-low = 49152; - peer-port-random-on-start = false; - peer-socket-tos = "default"; - pex-enabled = false; - port-forwarding-enabled = false; - preallocation = 1; - prefetch-enabled = true; - queue-stalled-enabled = true; - queue-stalled-minutes = 30; - ratio-limit = 2; - ratio-limit-enabled = false; - rename-partial-files = true; - rpc-authentication-required = true; - rpc-bind-address = "0.0.0.0"; - rpc-enabled = true; - rpc-host-whitelist = ""; - rpc-host-whitelist-enabled = true; - rpc-port = 9091; - rpc-url = "/transmission/"; - rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3"; - rpc-whitelist-enabled = true; - scrape-paused-torrents-enabled = true; - script-torrent-done-enabled = false; - seed-queue-enabled = false; - seed-queue-size = 10; - speed-limit-down = 6000; - speed-limit-down-enabled = true; - speed-limit-up = 500; - speed-limit-up-enabled = true; - start-added-torrents = true; - trash-original-torrent-files = false; - umask = 2; - upload-limit = 100; - upload-limit-enabled = 0; - upload-slots-per-torrent = 14; - utp-enabled = false; + services = { + radarr = { + enable = true; + }; + readarr = { + enable = true; + }; + sonarr = { + enable = true; + }; + lidarr = { + enable = true; + }; + prowlarr = { + enable = true; + }; + # openvpn.servers = { + # pia = { + # autoStart = false; + # updateResolvConf = false; + # config = "config ${config.sops.templates.vpn.path}"; + # }; + # }; + transmission = { + enable = true; + package = + let + pkgs2_94 = import + (builtins.fetchGit { + name = "transmission-2.94"; + url = "https://github.com/NixOS/nixpkgs/"; + ref = "refs/heads/nixpkgs-unstable"; + rev = "4426104c8c900fbe048c33a0e6f68a006235ac50"; + }) + { }; + + transmission2_94 = pkgs2_94.transmission; + in + transmission2_94; + user = "vpn"; + credentialsFile = config.sops.templates."transmission-rpc".path; + settings = { + alt-speed-down = 6000; + alt-speed-enabled = false; + alt-speed-time-begin = 0; + alt-speed-time-day = 127; + alt-speed-time-enabled = true; + alt-speed-time-end = 360; + alt-speed-up = 1000; + bind-address-ipv4 = "0.0.0.0"; + bind-address-ipv6 = "::"; + blocklist-enabled = false; + blocklist-url = "http://www.example.com/blocklist"; + cache-size-mb = 256; + dht-enabled = false; + download-dir = "/Vault/Eternor/New"; + download-limit = 100; + download-limit-enabled = 0; + download-queue-enabled = true; + download-queue-size = 5; + encryption = 2; + idle-seeding-limit = 30; + idle-seeding-limit-enabled = false; + incomplete-dir = "/var/lib/transmission-daemon/Downloads"; + incomplete-dir-enabled = false; + lpd-enabled = false; + max-peers-global = 200; + message-level = 1; + peer-congestion-algorithm = ""; + peer-id-ttl-hours = 6; + peer-limit-global = 100; + peer-limit-per-torrent = 40; + peer-port = 22371; + peer-port-random-high = 65535; + peer-port-random-low = 49152; + peer-port-random-on-start = false; + peer-socket-tos = "default"; + pex-enabled = false; + port-forwarding-enabled = false; + preallocation = 1; + prefetch-enabled = true; + queue-stalled-enabled = true; + queue-stalled-minutes = 30; + ratio-limit = 2; + ratio-limit-enabled = false; + rename-partial-files = true; + rpc-authentication-required = true; + rpc-bind-address = "0.0.0.0"; + rpc-enabled = true; + rpc-host-whitelist = ""; + rpc-host-whitelist-enabled = true; + rpc-port = 9091; + rpc-url = "/transmission/"; + rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3"; + rpc-whitelist-enabled = true; + scrape-paused-torrents-enabled = true; + script-torrent-done-enabled = false; + seed-queue-enabled = false; + seed-queue-size = 10; + speed-limit-down = 6000; + speed-limit-down-enabled = true; + speed-limit-up = 500; + speed-limit-up-enabled = true; + start-added-torrents = true; + trash-original-torrent-files = false; + umask = 2; + upload-limit = 100; + upload-limit-enabled = 0; + upload-slots-per-torrent = 14; + utp-enabled = false; + }; }; - }; - nginx = { - virtualHosts = { - "store.swarsel.win" = { - enableACME = false; - forceSSL = false; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:9091"; - extraConfig = '' - client_max_body_size 0; - ''; + nginx = { + virtualHosts = { + "store.swarsel.win" = { + enableACME = false; + forceSSL = false; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:9091"; + extraConfig = '' + client_max_body_size 0; + ''; + }; }; }; }; }; }; }; - }; -} + } #+end_src diff --git a/profiles/server/common/transmission.nix b/profiles/server/common/transmission.nix index 469c36a..834a583 100644 --- a/profiles/server/common/transmission.nix +++ b/profiles/server/common/transmission.nix @@ -215,13 +215,20 @@ services."pia-pf" = { + path = with pkgs; [ + toybox + jq + curl + traceroute + bash + ]; description = "PIA Port Forwarding Daemon"; after = [ "network.target" "openvpn@openvpn.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { SyslogIdentifier = "pia-pf"; Type = "simple"; - ExecStartPre = "${pkgs.toybox}/bin/sleep 10"; + ExecStartPre = "sleep 10"; ExecStart = "/etc/openvpn/pia-portforward.sh -f tun0 -p /etc/openvpn/port.dat -s /etc/openvpn/portforward.sh"; WorkingDirectory = "/etc/openvpn"; Restart = "always";