diff --git a/SwarselSystems.org b/SwarselSystems.org
index 9f424f09..f20679bc 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -7480,7 +7480,7 @@ Also, the system state version is set here. No need to touch it.
 port = 3001;
 openFirewall = true;
 mediaLocation = "/Vault/Eternor/Immich";
- environment.IMMICH_MACHINE_LEARNING_URL = "http://127.0.0.1:3003";
+ environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://127.0.0.1:3003";
 };
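Review bot: `lib.mkForce` on `environment.IMMICH_MACHINE_LEARNING_URL` silently wins over every other definition of that option, presumably one the immich module itself makes, and nothing on the line says which conflict it is resolving. A comment such as `# mkForce: another definition of this option exists (confirm: the immich module's own); pin the loopback ML listener regardless` would keep the next maintainer from dropping it or adding a second mkForce that clashes with it. The function head binding `lib` is outside this hunk, so it cannot be checked here that `lib` is in scope for the tangled file. The identical change in the `profiles/server/common/immich.nix` hunk (`@@ -13,7 +13,7 @@`) needs the same comment.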
@@ -7572,237 +7572,269 @@ Also, the system state version is set here. No need to touch it. **** transmission #+begin_src nix :tangle profiles/server/common/transmission.nix - { pkgs, lib, config, ... }: - { - config = lib.mkIf config.swarselsystems.server.transmission { + { pkgs, lib, config, ... }: + { + config = lib.mkIf config.swarselsystems.server.transmission { - kernelModules = [ "tun" ]; - kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp3s0.rp_filter" = 2; - }; + boot = { + kernelModules = [ "tun" ]; + kernel.sysctl = { + "net.ipv4.conf.all.rp_filter" = 2; + "net.ipv4.conf.default.rp_filter" = 2; + "net.ipv4.conf.enp3s0.rp_filter" = 2; + }; + }; - networking = { - firewall.extraCommands = '' - sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP - ''; - iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn - ''; + environment.etc = { + "openvpn/iptables.sh" = + { + source = ../../scripts/server1/iptables.sh; + mode = "0755"; + }; + "openvpn/update-resolv-conf" = + { + source = ../../scripts/server1/update-resolv-conf; + mode = "0755"; }; + "openvpn/routing.sh" = + { + source = ../../scripts/server1/routing.sh; + mode = "0755"; + }; + "openvpn/ca.rsa.2048.crt" = + { + source = ../../secrets/certs/ca.rsa.2048.crt; + mode = "0644"; + }; + "openvpn/crl.rsa.2048.pem" = + { + source = ../../secrets/certs/crl.rsa.2048.pem; + mode = "0644"; + }; + }; + + networking = { + firewall.extraCommands = '' + sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP + ''; + iproute2 = { + enable = true; + rttablesExtraConfig = '' + 200 vpn + ''; }; + }; + users = { + groups = { + vpn = { }; + }; users = { - groups = { - vpn = { }; - }; - users = { - vpn = { - isNormalUser = true; - group = "vpn"; - home = "/home/vpn"; - }; + vpn = { + isNormalUser = true; + group = "vpn"; + home = "/home/vpn"; }; }; + }; - sops = { - secrets = { - vpnuser = { }; - rpcuser = { owner = "vpn"; }; - vpnpass = { }; - rpcpass = { owner = "vpn"; }; - vpnprot = { }; - vpnloc = { }; - }; - templates = { - "transmission-rpc" = { - owner = "vpn"; - content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; - }; + sops = { + secrets = { + vpnuser = { }; + rpcuser = { owner = "vpn"; }; + vpnpass = { }; + rpcpass = { owner = "vpn"; }; + vpnprot = { }; + vpnloc = { }; + }; + templates = { + "transmission-rpc" = { + owner = "vpn"; + content = builtins.toJSON { + rpc-username = config.sops.placeholder.rpcuser; + rpc-password = config.sops.placeholder.rpcpass; }; + }; - pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; + pia.content = '' + ${config.sops.placeholder.vpnuser} + ${config.sops.placeholder.vpnpass} + ''; - vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server - - auth-user-pass ${config.sops.templates.pia.path} - auth-nocache - comp-lzo - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - script-security 2 - route-noexec - - up /etc/openvpn/iptables.sh - down /etc/openvpn/update-resolv-conf - ''; + vpn = { + path = "/etc/openvpn/openvpn.conf"; + content = '' + client + dev tun + proto ${config.sops.placeholder.vpnprot} + 
remote ${config.sops.placeholder.vpnloc} + resolv-retry infinite + nobind + persist-key + persist-tun + cipher aes-128-cbc + auth sha1 + tls-client + remote-cert-tls server + + auth-user-pass ${config.sops.templates.pia.path} + auth-nocache + comp-lzo + compress + verb 1 + reneg-sec 0 + + crl-verify /etc/openvpn/crl.rsa.2048.pem + ca /etc/openvpn/ca.rsa.2048.crt + + disable-occ + script-security 2 + route-noexec + + up /etc/openvpn/iptables.sh + down /etc/openvpn/update-resolv-conf + ''; }; }; + }; + + systemd.services."openvpn@openvpn" = { + + description = "Open VPN connection to %i"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + RuntmeDirectory = "openvpn"; + PrivateTmp = true; + Killode = "mixed"; + Type = "forking"; + ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid"; + PIDFile = "/run/openvpn/%i.pid"; + ExecReload = "/bin/kill -HUP $MAINPID"; + WorkingDirectory="/etc/openvpn"; + Restart="on-failure"; + RestartSec=3; + ProtectSystem="yes"; + LimitNPROC="10"; + DeviceAllow= [ + "/dev/null rw" + "/dev/net/tun rw" + ]; + }; + }; - systemd.services.openvpntest = { - Unit = { - Description = "Open VPN connection to %i"; - After = [ "network.target" ]; + services = { + radarr = { + enable = true; }; - Service = { - RuntmeDirectory = "openvpn"; - PrivateTmp = true; - Killode = "mixed"; - Type = "forking"; - ExecStart = "${pkgs.openvpn}/bin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid"; - PIDFile = "/run/openvpn/%i.pid"; - ExecReload = "/bin/kill -HUP $MAINPID"; - WorkingDirectory="/etc/openvpn"; - Restart="on-failure"; - RestartSec=3; - ProtectSystem="yes"; - LimitNPROC="10"; - DeviceAllow="/dev/null rw"; - DeviceAllow="/dev/net/tun rw"; + readarr = { + enable = true; 
}; - Install = { - WantedBy = [ "multi-user.target" ]; + sonarr = { + enable = true; }; - }; - - services = { - radarr = { - enable = true; - }; - readarr = { - enable = true; - }; - sonarr = { - enable = true; - }; - lidarr = { - enable = true; - }; - prowlarr = { - enable = true; - }; - openvpn.servers = { - pia = { - autoStart = false; - updateResolvConf = false; - config = "config ${config.sops.templates.vpn.path}"; - }; - }; - transmission = { - enable = true; - package = let - pkgs2_94 = import - (builtins.fetchGit { - name = "Revision with Transmission 2.94"; - url = "https://github.com/NixOS/nixpkgs/"; - ref = "refs/heads/nixpkgs-unstable"; - rev = "4426104c8c900fbe048c33a0e6f68a006235ac50"; - }) - { }; - - transmission2_94 = pkgs2_94.transmission; - in transmission2_94; - user = "vpn"; - settings = { - alt-speed-down = 6000; - alt-speed-enabled = false; - alt-speed-time-begin = 0; - alt-speed-time-day = 127; - alt-speed-time-enabled = true; - alt-speed-time-end = 360; - alt-speed-up = 1000; - bind-address-ipv4 = "0.0.0.0"; - bind-address-ipv6 = "::"; - blocklist-enabled = false; - blocklist-url = "http://www.example.com/blocklist"; - cache-size-mb = 256; - dht-enabled = false; - download-dir = "/test"; - download-limit = 100; - download-limit-enabled = 0; - download-queue-enabled = true; - download-queue-size = 5; - encryption = 2; - idle-seeding-limit = 30; - idle-seeding-limit-enabled = false; - incomplete-dir = "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled = false; - lpd-enabled = false; - max-peers-global = 200; - message-level = 1; - peer-congestion-algorithm = ""; - peer-id-ttl-hours = 6; - peer-limit-global = 100; - peer-limit-per-torrent = 40; - peer-port = 22371; - peer-port-random-high = 65535; - peer-port-random-low = 49152; - peer-port-random-on-start = false; - peer-socket-tos = "default"; - pex-enabled = false; - port-forwarding-enabled = false; - preallocation = 1; - prefetch-enabled = true; - queue-stalled-enabled = 
true; - queue-stalled-minutes = 30; - ratio-limit = 2; - ratio-limit-enabled = false; - rename-partial-files = true; - rpc-authentication-required = true; - rpc-bind-address = "0.0.0.0"; - rpc-enabled = true; - rpc-host-whitelist = ""; - rpc-host-whitelist-enabled = true; - rpc-port = 9091; - rpc-url = "/transmission/"; - rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3"; - rpc-whitelist-enabled = true; - scrape-paused-torrents-enabled = true; - script-torrent-done-enabled = false; - seed-queue-enabled = false; - seed-queue-size = 10; - speed-limit-down = 6000; - speed-limit-down-enabled = true; - speed-limit-up = 500; - speed-limit-up-enabled = true; - start-added-torrents = true; - trash-original-torrent-files = false; - umask = 2; - upload-limit = 100; - upload-limit-enabled = 0; - upload-slots-per-torrent = 14; - utp-enabled = false; - }; + lidarr = { + enable = true; + }; + prowlarr = { + enable = true; + }; + # openvpn.servers = { + # pia = { + # autoStart = false; + # updateResolvConf = false; + # config = "config ${config.sops.templates.vpn.path}"; + # }; + # }; + transmission = { + enable = true; + package = let + pkgs2_94 = import + (builtins.fetchGit { + name = "transmission-2.94"; + url = "https://github.com/NixOS/nixpkgs/"; + ref = "refs/heads/nixpkgs-unstable"; + rev = "4426104c8c900fbe048c33a0e6f68a006235ac50"; + }) + { }; + + transmission2_94 = pkgs2_94.transmission; + in transmission2_94; + user = "vpn"; + settings = { + alt-speed-down = 6000; + alt-speed-enabled = false; + alt-speed-time-begin = 0; + alt-speed-time-day = 127; + alt-speed-time-enabled = true; + alt-speed-time-end = 360; + alt-speed-up = 1000; + bind-address-ipv4 = "0.0.0.0"; + bind-address-ipv6 = "::"; + blocklist-enabled = false; + blocklist-url = "http://www.example.com/blocklist"; + cache-size-mb = 256; + dht-enabled = false; + download-dir = "/Vault/Eternor/New"; + download-limit = 100; + download-limit-enabled = 0; + download-queue-enabled = true; + download-queue-size = 5; 
+ encryption = 2; + idle-seeding-limit = 30; + idle-seeding-limit-enabled = false; + incomplete-dir = "/var/lib/transmission-daemon/Downloads"; + incomplete-dir-enabled = false; + lpd-enabled = false; + max-peers-global = 200; + message-level = 1; + peer-congestion-algorithm = ""; + peer-id-ttl-hours = 6; + peer-limit-global = 100; + peer-limit-per-torrent = 40; + peer-port = 22371; + peer-port-random-high = 65535; + peer-port-random-low = 49152; + peer-port-random-on-start = false; + peer-socket-tos = "default"; + pex-enabled = false; + port-forwarding-enabled = false; + preallocation = 1; + prefetch-enabled = true; + queue-stalled-enabled = true; + queue-stalled-minutes = 30; + ratio-limit = 2; + ratio-limit-enabled = false; + rename-partial-files = true; + rpc-authentication-required = true; + rpc-bind-address = "0.0.0.0"; + rpc-enabled = true; + rpc-host-whitelist = ""; + rpc-host-whitelist-enabled = true; + rpc-port = 9091; + rpc-url = "/transmission/"; + rpc-whitelist = "127.0.0.1,192.168.3.2,192.168.3.3"; + rpc-whitelist-enabled = true; + scrape-paused-torrents-enabled = true; + script-torrent-done-enabled = false; + seed-queue-enabled = false; + seed-queue-size = 10; + speed-limit-down = 6000; + speed-limit-down-enabled = true; + speed-limit-up = 500; + speed-limit-up-enabled = true; + start-added-torrents = true; + trash-original-torrent-files = false; + umask = 2; + upload-limit = 100; + upload-limit-enabled = 0; + upload-slots-per-torrent = 14; + utp-enabled = false; }; }; }; - } + }; + } #+end_src diff --git a/profiles/server/common/immich.nix b/profiles/server/common/immich.nix index 86757599..9dde25ec 100644 --- a/profiles/server/common/immich.nix +++ b/profiles/server/common/immich.nix @@ -13,7 +13,7 @@ port = 3001; openFirewall = true; mediaLocation = "/Vault/Eternor/Immich"; - environment.IMMICH_MACHINE_LEARNING_URL = "http://127.0.0.1:3003"; + environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://127.0.0.1:3003"; }; 
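Review bot: `RuntmeDirectory = "openvpn"` and `Killode = "mixed"` in the new `systemd.services."openvpn@openvpn".serviceConfig` are misspelled directive names, so systemd will log them as unknown and ignore them: `/run/openvpn`, which `ExecStart` relies on for `--status` and `--writepid`, is never created by the unit, and KillMode stays at its default. They should read `RuntimeDirectory = "openvpn";` and `KillMode = "mixed";`. `ExecReload = "/bin/kill -HUP $MAINPID"` also names a path that does not exist on NixOS; `ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";` works because `pkgs` is already an argument of this file. The same lines appear in the `profiles/server/common/transmission.nix` hunk `@@ -57,46 +87,49 @@`, which this org block is tangled into, and need the same fix there.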
diff --git a/profiles/server/common/transmission.nix b/profiles/server/common/transmission.nix index 211a179e..5a198e54 100644 --- a/profiles/server/common/transmission.nix +++ b/profiles/server/common/transmission.nix @@ -2,11 +2,41 @@ { config = lib.mkIf config.swarselsystems.server.transmission { - kernelModules = [ "tun" ]; - kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp3s0.rp_filter" = 2; + boot = { + kernelModules = [ "tun" ]; + kernel.sysctl = { + "net.ipv4.conf.all.rp_filter" = 2; + "net.ipv4.conf.default.rp_filter" = 2; + "net.ipv4.conf.enp3s0.rp_filter" = 2; + }; + }; + + environment.etc = { + "openvpn/iptables.sh" = + { + source = ../../scripts/server1/iptables.sh; + mode = "0755"; + }; + "openvpn/update-resolv-conf" = + { + source = ../../scripts/server1/update-resolv-conf; + mode = "0755"; + }; + "openvpn/routing.sh" = + { + source = ../../scripts/server1/routing.sh; + mode = "0755"; + }; + "openvpn/ca.rsa.2048.crt" = + { + source = ../../secrets/certs/ca.rsa.2048.crt; + mode = "0644"; + }; + "openvpn/crl.rsa.2048.pem" = + { + source = ../../secrets/certs/crl.rsa.2048.pem; + mode = "0644"; + }; }; networking = { 
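Review bot: The five new `environment.etc."openvpn/…"` entries use Nix path literals for `source`, so each file is copied into the world-readable Nix store before being linked under /etc; for the CA certificate and CRL that is fine because they are public, but sourcing them from `../../secrets/certs/` gives no hint of that and invites private material being dropped next to them later. Add `# public CA cert and CRL only: path literals land in the world-readable store, never reference private key material this way` above the two certificate entries. `openvpn/routing.sh` is installed with mode 0755 but nothing in this commit's OpenVPN config references it (only `iptables.sh` and `update-resolv-conf` are named as `up`/`down` scripts); if `iptables.sh` calls it, a comment saying so would help, otherwise the entry looks dead. The enclosing `config = lib.mkIf …` set continues past the end of this hunk.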
@@ -57,46 +87,49 @@ ${config.sops.placeholder.vpnpass} ''; - vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server + vpn = { + path = "/etc/openvpn/openvpn.conf"; + content = '' + client + dev tun + proto ${config.sops.placeholder.vpnprot} + remote ${config.sops.placeholder.vpnloc} + resolv-retry infinite + nobind + persist-key + persist-tun + cipher aes-128-cbc + auth sha1 + tls-client + remote-cert-tls server - auth-user-pass ${config.sops.templates.pia.path} - auth-nocache - comp-lzo - compress - verb 1 - reneg-sec 0 + auth-user-pass ${config.sops.templates.pia.path} + auth-nocache + comp-lzo + compress + verb 1 + reneg-sec 0 - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt + crl-verify /etc/openvpn/crl.rsa.2048.pem + ca /etc/openvpn/ca.rsa.2048.crt - disable-occ - script-security 2 - route-noexec + disable-occ + script-security 2 + route-noexec - up /etc/openvpn/iptables.sh - down /etc/openvpn/update-resolv-conf - ''; + up /etc/openvpn/iptables.sh + down /etc/openvpn/update-resolv-conf + ''; + }; }; }; - systemd.services.openvpntest = { - Unit = { - Description = "Open VPN connection to %i"; - After = [ "network.target" ]; - }; - Service = { + systemd.services."openvpn@openvpn" = { + + description = "Open VPN connection to %i"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { RuntmeDirectory = "openvpn"; PrivateTmp = true; Killode = "mixed"; @@ -109,11 +142,10 @@ RestartSec = 3; ProtectSystem = "yes"; LimitNPROC = "10"; - DeviceAllow = "/dev/null rw"; - DeviceAllow = "/dev/net/tun rw"; - }; - Install = { - WantedBy = [ "multi-user.target" ]; + DeviceAllow = [ + "/dev/null rw" + "/dev/net/tun rw" + ]; }; }; 
@@ -133,20 +165,20 @@ prowlarr = { enable = true; }; - openvpn.servers = { - pia = { - autoStart = false; - updateResolvConf = false; - config = "config ${config.sops.templates.vpn.path}"; - }; - }; + # openvpn.servers = { + # pia = { + # autoStart = false; + # updateResolvConf = false; + # config = "config ${config.sops.templates.vpn.path}"; + # }; + # }; transmission = { enable = true; package = let pkgs2_94 = import (builtins.fetchGit { - name = "Revision with Transmission 2.94"; + name = "transmission-2.94"; url = "https://github.com/NixOS/nixpkgs/"; ref = "refs/heads/nixpkgs-unstable"; rev = "4426104c8c900fbe048c33a0e6f68a006235ac50"; @@ -171,7 +203,7 @@ blocklist-url = "http://www.example.com/blocklist"; cache-size-mb = 256; dht-enabled = false; - download-dir = "/test"; + download-dir = "/Vault/Eternor/New"; download-limit = 100; download-limit-enabled = 0; download-queue-enabled = true;
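Review bot: The commented-out `openvpn.servers.pia` block left inside `services` is dead code with no explanation; the hand-rolled `systemd.services."openvpn@openvpn"` unit in the earlier hunk of this file appears to take its place, so either delete the block or replace it with one line such as `# services.openvpn.servers replaced by the custom openvpn@openvpn unit in this file`. The `builtins.fetchGit` pin to nixpkgs rev `4426104c…` is only renamed here, but it keeps Transmission 2.94 frozen on a fixed nixpkgs revision that will never receive further fixes; the reason for staying on 2.94 deserves a comment at the `package = let` line so the pin is revisited deliberately rather than inherited. Both hunks sit inside the `services = { … }` set, whose start and end lie outside this hunk.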