From 129e4bba4bb88d5520ce682014c6b0b37fe6c177 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Sun, 9 Oct 2022 14:12:31 +0000
Subject: [PATCH] wireguard working but not transmission

---
 hosts/oracle/default.nix | 2 +
 modules/services/transmission.nix | 92 +++++++++++++++++++++++++++++++
 modules/services/wireguard.nix | 71 ++++++++++++++++++++++--
 private/transmission.json.age | 5 ++
 private/wireguard.age | 5 ++
 5 files changed, 169 insertions(+), 6 deletions(-)
 create mode 100644 modules/services/transmission.nix
 create mode 100644 private/transmission.json.age
 create mode 100644 private/wireguard.age

diff --git a/hosts/oracle/default.nix b/hosts/oracle/default.nix
index 096185a..fb22aa8 100644
--- a/hosts/oracle/default.nix
+++ b/hosts/oracle/default.nix
@@ -20,6 +20,7 @@ nixpkgs.lib.nixosSystem {
 bookServer = "books.masu.rs";
 streamServer = "stream.masu.rs";
 nextcloudServer = "cloud.masu.rs";
+ transmissionServer = "download.masu.rs";
 
 # Disable passwords, only use SSH key
 passwordHash = null;
@@ -44,5 +45,6 @@ nixpkgs.lib.nixosSystem {
 ../../modules/services/calibre.nix
 ../../modules/services/jellyfin.nix
 ../../modules/services/nextcloud.nix
+ ../../modules/services/transmission.nix
 ];
 }
diff --git a/modules/services/transmission.nix b/modules/services/transmission.nix
new file mode 100644
index 0000000..d224ba6
--- /dev/null
+++ b/modules/services/transmission.nix
@@ -0,0 +1,92 @@
+{ config, pkgs, lib, ... }:
+
+let credentialsFile = "/var/lib/private/transmission.json";
+
+in {
+
+ imports = [ ./wireguard.nix ];
+
+ options = {
+ transmissionServer = lib.mkOption {
+ type = lib.types.str;
+ description = "Hostname for Transmission";
+ };
+ };
+
+ config = {
+
+ # Setup transmission
+ services.transmission = {
+ enable = true;
+ settings = {
+ port-forwarding-enabled = false;
+ rpc-authentication-required = true;
+ rpc-port = 9091;
+ rpc-bind-address = "0.0.0.0";
+ rpc-username = config.user;
+ rpc-host-whitelist = config.transmissionServer;
+ rpc-host-whitelist-enabled = true;
+ rpc-whitelist-enabled = false;
+ };
+ credentialsFile = credentialsFile;
+ };
+
+ # Bind transmission to wireguard namespace
+ systemd.services.transmission = {
+ bindsTo = [ "netns@wg.service" ];
+ requires = [ "network-online.target" ];
+ after = [ "wireguard-wg0.service" ];
+ unitConfig.JoinsNamespaceOf = "netns@wg.service";
+ serviceConfig = { PrivateNetwork = true; };
+ };
+
+ # Create reverse proxy for web UI
+ caddyRoutes = [{
+ match = [{ host = [ config.transmissionServer ]; }];
+ handle = [{
+ handler = "reverse_proxy";
+ upstreams = [{ dial = "localhost:9091"; }];
+ }];
+ }];
+
+ # Allow inbound connections to reach namespace
+ systemd.services.transmission-web-netns = {
+ description = "Forward to transmission in netns";
+ requires = [ "transmission.service" ];
+ after = [ "transmission.service" ];
+ serviceConfig = {
+ User = "transmission";
+ Group = "transmission";
+ Restart = "on-failure";
+ TimeoutStopSec = 300;
+ };
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
+ '';
+ };
+
+ # Create credentials file for transmission
+ systemd.services.transmission-creds = {
+ requiredBy = [ "transmission.service" ];
+ before = [ "transmission.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ if [ ! -f "${credentialsFile}" ]; then
+ mkdir --parents ${builtins.dirOf credentialsFile}
+ ${pkgs.age}/bin/age --decrypt \
+ --identity ${config.identityFile} \
+ --output ${credentialsFile} \
+ ${builtins.toString ../../private/transmission.json.age}
+ chown transmission:transmission ${credentialsFile}
+ chmod 0700 ${credentialsFile}
+ fi
+ '';
+ };
+
+ };
+
+}
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 34af565..e6eba2e 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
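Review bot: The `transmission-web-netns` forwarder listens on every host interface — `tcp-listen:9091,fork,reuseaddr` carries no `bind=` — although its only intended client is the Caddy route dialing `localhost:9091`; use `tcp-listen:9091,bind=127.0.0.1,fork,reuseaddr` so the RPC port is not reachable from outside the host regardless of firewall state. Inside the namespace, `rpc-bind-address = "0.0.0.0"` together with `rpc-whitelist-enabled = false` also leaves the RPC reachable through the tunnel at 10.66.13.200 (the peer's `allowedIPs` is 0.0.0.0/0), with only the password protecting it; binding to `127.0.0.1` and having the inner socat use `tcp-connect:127.0.0.1:9091` closes that, provided `lo` is brought up in the `wg` namespace. `ip netns exec` needs CAP_SYS_ADMIN, which a unit running as `User = "transmission"` does not have, so the forwarder presumably fails to start — possibly the "not transmission" of the commit title; either drop `User`/`Group` on that unit or grant the capability explicitly via `AmbientCapabilities`. In `transmission-creds`, the decrypted JSON exists under the service's default umask before `chown`/`chmod` run, so start the script with `umask 077`, and prefer `chmod 0600` since the file is not executable.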
@@ -1,18 +1,77 @@
-{ ... }: {
+{ config, pkgs, ... }:
+
+let privateKeyFile = "/private/wireguard/wg0";
+
+in {
+
 networking.wireguard = {
 enable = true;
 interfaces = {
 wg0 = {
- ips = [ "10.66.127.235/32" "fc00:bbbb:bbbb:bb01::3:7fea/128" ];
- generatePrivateKeyFile = true;
- privateKeyFile = "/private/wireguard/wg0";
+
+ # The local IPs for this machine within the Wireguard network
+ # Any inbound traffic bound for these IPs should be kept on localhost
+ ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
+
+ # Establishes identity of this machine
+ generatePrivateKeyFile = false;
+ privateKeyFile = privateKeyFile;
+
 peers = [{
- publicKey = "cVDIYPzNChIeANp+0jE12kWM5Ga1MbmNErT1Pmaf12A=";
+
+ # Identity of Wireguard target peer (VPN)
+ publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
+
+ # Which outgoing IP ranges should be sent through Wireguard
 allowedIPs = [ "0.0.0.0/0" "::0/0" ];
- endpoint = "89.46.62.197:51820";
+
+ # The public internet address of the target peer
+ endpoint = "86.106.143.132:51820";
+
+ # Send heartbeat signal within the network
 persistentKeepalive = 25;
+
 }];
+
+ # Namespaces
+ interfaceNamespace = "wg";
+ # socketNamespace = "wg";
+
 };
 };
 };
+
+ # Create namespace for Wireguard
+ systemd.services."netns@" = {
+ description = "%I network namespace";
+ before = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
+ ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
+ };
+ };
+
+ # Private key file for wireguard
+ systemd.services.wireguard-private-key = {
+ wantedBy = [ "wireguard-wg0.service" ];
+ requiredBy = [ "wireguard-wg0.service" ];
+ before = [ "wireguard-wg0.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
+ if [ ! -f "${privateKeyFile}" ]; then
+ ${pkgs.age}/bin/age --decrypt \
+ --identity ${config.identityFile} \
+ --output ${privateKeyFile} \
+ ${builtins.toString ../../private/wireguard.age}
+ chmod 0700 ${privateKeyFile}
+ fi
+ '';
+ };
+
 }
diff --git a/private/transmission.json.age b/private/transmission.json.age
new file mode 100644
index 0000000..a98cddd
--- /dev/null
+++ b/private/transmission.json.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 MgHaOw PAAWnpc5bJ5S972U+L6YgHpI2a7aqwxWaNZrvQIODVg
+A6zRWD6TmlVb8b5J3gdMf3JAeHIHgUQA3C8PpR8GveQ
+--- xP8vbUGtTlvaZ0K2J0+J0ICoL9gvCbhQg6GxG8ZYCS0
+75L2cJĀe,ݝTn$Mi4Yi[! ŁL%(iF;6ԊjO
\ No newline at end of file
diff --git a/private/wireguard.age b/private/wireguard.age
new file mode 100644
index 0000000..a055a02
--- /dev/null
+++ b/private/wireguard.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 MgHaOw lG6VtLpEU/33egpB9WqJiulVdL3K5a2IGjekIu6HtSI
+VsAfCbtQuHU9tptKQR4buD3ydwb89aSbUVdEoetU1gc
+--- kts74pY8NdQh4pTlMT3NTHxU0qnA0txwQKH5FkQCdXA
+S8A 0`0$,1*/HV ZtWBC[
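Review bot: In `wireguard-private-key` the key directory is created with `--mode 0755` and `age --decrypt --output` writes the key under the service's default umask before `chmod 0700` runs, so the private key can be readable by other local users for a moment (unless age itself creates the output with a restrictive mode — verify against the age version in use); start the script with `umask 077` and use `chmod 0600`, since a key file needs no execute bit. Because the `if [ ! -f ... ]` guard keys only on existence, a truncated or empty file left behind by a failed decrypt would presumably never be regenerated on later boots; checking for a non-empty file, or decrypting to a temporary path and moving it into place, avoids that. `wantedBy` and `requiredBy` on the same unit are redundant here; `requiredBy` plus `before` expresses the dependency. The commented-out `# socketNamespace = "wg";` deserves a comment stating it is deliberate: as I read the NixOS options, keeping the socket in the init namespace while `interfaceNamespace = "wg"` moves the interface is what forces everything inside the namespace through the tunnel, so enabling it would leave the outer UDP traffic with no route to the endpoint.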