wireguard working but not transmission
This commit is contained in:
parent
e309889b0b
commit
129e4bba4b
@ -20,6 +20,7 @@ nixpkgs.lib.nixosSystem {
|
|||||||
bookServer = "books.masu.rs";
|
bookServer = "books.masu.rs";
|
||||||
streamServer = "stream.masu.rs";
|
streamServer = "stream.masu.rs";
|
||||||
nextcloudServer = "cloud.masu.rs";
|
nextcloudServer = "cloud.masu.rs";
|
||||||
|
transmissionServer = "download.masu.rs";
|
||||||
|
|
||||||
# Disable passwords, only use SSH key
|
# Disable passwords, only use SSH key
|
||||||
passwordHash = null;
|
passwordHash = null;
|
||||||
@ -44,5 +45,6 @@ nixpkgs.lib.nixosSystem {
|
|||||||
../../modules/services/calibre.nix
|
../../modules/services/calibre.nix
|
||||||
../../modules/services/jellyfin.nix
|
../../modules/services/jellyfin.nix
|
||||||
../../modules/services/nextcloud.nix
|
../../modules/services/nextcloud.nix
|
||||||
|
../../modules/services/transmission.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
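--- /dev/null
+++ b/modules/services/transmission.nix
@@ -0,0 +1,92 @@
+{ config, pkgs, lib, ... }:
+
+let credentialsFile = "/var/lib/private/transmission.json";
+
+in {
+
+imports = [ ./wireguard.nix ];
+
+options = {
+transmissionServer = lib.mkOption {
+type = lib.types.str;
+description = "Hostname for Transmission";
+};
+};
+
+config = {
+
+# Setup transmission
+services.transmission = {
+enable = true;
+settings = {
+port-forwarding-enabled = false;
+rpc-authentication-required = true;
+rpc-port = 9091;
+rpc-bind-address = "0.0.0.0";
+rpc-username = config.user;
+rpc-host-whitelist = config.transmissionServer;
+rpc-host-whitelist-enabled = true;
+rpc-whitelist-enabled = false;
+};
+credentialsFile = credentialsFile;
+};
+
+# Bind transmission to wireguard namespace
+systemd.services.transmission = {
+bindsTo = [ "netns@wg.service" ];
+requires = [ "network-online.target" ];
+after = [ "wireguard-wg0.service" ];
+unitConfig.JoinsNamespaceOf = "netns@wg.service";
+serviceConfig = { PrivateNetwork = true; };
+};
+
+# Create reverse proxy for web UI
+caddyRoutes = [{
+match = [{ host = [ config.transmissionServer ]; }];
+handle = [{
+handler = "reverse_proxy";
+upstreams = [{ dial = "localhost:9091"; }];
+}];
+}];
+
+# Allow inbound connections to reach namespace
+systemd.services.transmission-web-netns = {
+description = "Forward to transmission in netns";
+requires = [ "transmission.service" ];
+after = [ "transmission.service" ];
+serviceConfig = {
+User = "transmission";
+Group = "transmission";
+Restart = "on-failure";
+TimeoutStopSec = 300;
+};
+wantedBy = [ "multi-user.target" ];
+script = ''
+${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
+'';
+};
+
+# Create credentials file for transmission
+systemd.services.transmission-creds = {
+requiredBy = [ "transmission.service" ];
+before = [ "transmission.service" ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+};
+script = ''
+if [ ! -f "${credentialsFile}" ]; then
+mkdir --parents ${builtins.dirOf credentialsFile}
+${pkgs.age}/bin/age --decrypt \
+--identity ${config.identityFile} \
+--output ${credentialsFile} \
+${builtins.toString ../../private/transmission.json.age}
+chown transmission:transmission ${credentialsFile}
+chmod 0700 ${credentialsFile}
+fi
+'';
+};
+
+};
+
+}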
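Review bot: The `transmission-web-netns` forwarder listens on every host interface: `socat tcp-listen:9091,fork,reuseaddr ...` carries no `bind=` option, so the RPC endpoint is reachable on port 9091 of the host's other addresses (unless the host firewall blocks it), bypassing the Caddy route that is meant to be the only entry point. Since Caddy dials `localhost:9091`, restricting the listener is enough: `tcp-listen:9091,bind=127.0.0.1,fork,reuseaddr`. Inside the namespace, `rpc-bind-address = "0.0.0.0"` together with `rpc-whitelist-enabled = false` also exposes the RPC on the tunnel address, which may be reachable from the VPN side; `rpc-authentication-required = true` is then the only control, so either a comment stating that this is intended or an `rpc-whitelist` limited to the forwarder's source would make the trust boundary explicit. Finally, `chmod 0700` on the decrypted credentials file grants an execute bit a JSON secret never needs; `chmod 0600 ${credentialsFile}` is the conventional mode.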
@ -1,18 +1,77 @@
|
|||||||
{ ... }: {
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
let privateKeyFile = "/private/wireguard/wg0";
|
||||||
|
|
||||||
|
in {
|
||||||
|
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaces = {
|
interfaces = {
|
||||||
wg0 = {
|
wg0 = {
|
||||||
ips = [ "10.66.127.235/32" "fc00:bbbb:bbbb:bb01::3:7fea/128" ];
|
|
||||||
generatePrivateKeyFile = true;
|
# The local IPs for this machine within the Wireguard network
|
||||||
privateKeyFile = "/private/wireguard/wg0";
|
# Any inbound traffic bound for these IPs should be kept on localhost
|
||||||
|
ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
|
||||||
|
|
||||||
|
# Establishes identity of this machine
|
||||||
|
generatePrivateKeyFile = false;
|
||||||
|
privateKeyFile = privateKeyFile;
|
||||||
|
|
||||||
peers = [{
|
peers = [{
|
||||||
publicKey = "cVDIYPzNChIeANp+0jE12kWM5Ga1MbmNErT1Pmaf12A=";
|
|
||||||
|
# Identity of Wireguard target peer (VPN)
|
||||||
|
publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
|
||||||
|
|
||||||
|
# Which outgoing IP ranges should be sent through Wireguard
|
||||||
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||||
endpoint = "89.46.62.197:51820";
|
|
||||||
|
# The public internet address of the target peer
|
||||||
|
endpoint = "86.106.143.132:51820";
|
||||||
|
|
||||||
|
# Send heartbeat signal within the network
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
|
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
# Namespaces
|
||||||
|
interfaceNamespace = "wg";
|
||||||
|
# socketNamespace = "wg";
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Create namespace for Wireguard
|
||||||
|
systemd.services."netns@" = {
|
||||||
|
description = "%I network namespace";
|
||||||
|
before = [ "network.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
|
||||||
|
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Private key file for wireguard
|
||||||
|
systemd.services.wireguard-private-key = {
|
||||||
|
wantedBy = [ "wireguard-wg0.service" ];
|
||||||
|
requiredBy = [ "wireguard-wg0.service" ];
|
||||||
|
before = [ "wireguard-wg0.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
script = ''
|
||||||
|
mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
|
||||||
|
if [ ! -f "${privateKeyFile}" ]; then
|
||||||
|
${pkgs.age}/bin/age --decrypt \
|
||||||
|
--identity ${config.identityFile} \
|
||||||
|
--output ${privateKeyFile} \
|
||||||
|
${builtins.toString ../../private/wireguard.age}
|
||||||
|
chmod 0700 ${privateKeyFile}
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
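Review bot: The `wireguard-private-key` script creates the key directory with `mkdir --parents --mode 0755` and then sets the key itself to `chmod 0700`; a world-listable directory is unnecessary for a private key and the execute bit serves no purpose, so `mkdir --parents --mode 0700 ${builtins.dirOf privateKeyFile}` and `chmod 0600 ${privateKeyFile}` would be the tighter pair. Nothing in this hunk orders `wireguard-wg0.service` after `netns@wg.service` even though the interface is created in that namespace via `interfaceNamespace = "wg"`; if the NixOS wireguard module does not add that dependency itself, a `requires`/`after` on `netns@wg.service` for `wireguard-wg0.service` would remove the race. The commented-out `# socketNamespace = "wg";` reads as a leftover experiment and deserves either removal or a one-line comment explaining why `interfaceNamespace` alone is used. The `if [ ! -f ... ]` guard also means a rotated `wireguard.age` is never re-decrypted on an existing host, which is worth a comment next to the guard.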
5
private/transmission.json.age
Normal file
5
private/transmission.json.age
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 MgHaOw PAAWnpc5bJ5S972U+L6YgHpI2a7aqwxWaNZrvQIODVg
|
||||||
|
A6zRWD6TmlVb8b5J3gdMf3JAeHIHgUQA3C8PpR8GveQ
|
||||||
|
--- xP8vbUGtTlvaZ0K2J0+J0ICoL9gvCbhQg6GxG8ZYCS0
|
||||||
|
±7¸½½5åL2céJ¿œÄ€»eÅ,÷ßÝ<C39F>ÉTù°§n$Mó<4D>ýi4þêYßiæ[á!¸Å<C2B8>L%ß(Ði‰§F;‡ù6<C3B9>·¨¡†ã¹ÄÂÍÔŠjO
|
5
private/wireguard.age
Normal file
5
private/wireguard.age
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 MgHaOw lG6VtLpEU/33egpB9WqJiulVdL3K5a2IGjekIu6HtSI
|
||||||
|
VsAfCbtQuHU9tptKQR4buD3ydwb89aSbUVdEoetU1gc
|
||||||
|
--- kts74pY8NdQh4pTlMT3NTHxU0qnA0txwQKH5FkQCdXA
|
||||||
|
ø¿SŸÐ8˜A0<>`0åªýÕ$,1*/H¼íÞå³ÏV½þñZtWˆ¬<CB86>ÔBC¯[<¬N@’cûá™h_QtÀÀ(ÞÈ Â£fz
|