wireguard working but not transmission

Noah Masur 2022-10-09 14:12:31 +00:00
parent e309889b0b
commit 129e4bba4b
5 changed files with 169 additions and 6 deletions


@ -20,6 +20,7 @@ nixpkgs.lib.nixosSystem {
bookServer = "books.masu.rs"; bookServer = "books.masu.rs";
streamServer = "stream.masu.rs"; streamServer = "stream.masu.rs";
nextcloudServer = "cloud.masu.rs"; nextcloudServer = "cloud.masu.rs";
transmissionServer = "download.masu.rs";
# Disable passwords, only use SSH key # Disable passwords, only use SSH key
passwordHash = null; passwordHash = null;
@ -44,5 +45,6 @@ nixpkgs.lib.nixosSystem {
../../modules/services/calibre.nix ../../modules/services/calibre.nix
../../modules/services/jellyfin.nix ../../modules/services/jellyfin.nix
../../modules/services/nextcloud.nix ../../modules/services/nextcloud.nix
../../modules/services/transmission.nix
]; ];
} }


@ -0,0 +1,92 @@
{ config, pkgs, lib, ... }:
let credentialsFile = "/var/lib/private/transmission.json";
in {
imports = [ ./wireguard.nix ];
options = {
transmissionServer = lib.mkOption {
type = lib.types.str;
description = "Hostname for Transmission";
};
};
config = {
# Setup transmission
services.transmission = {
enable = true;
settings = {
port-forwarding-enabled = false;
rpc-authentication-required = true;
rpc-port = 9091;
rpc-bind-address = "0.0.0.0";
rpc-username = config.user;
rpc-host-whitelist = config.transmissionServer;
rpc-host-whitelist-enabled = true;
rpc-whitelist-enabled = false;
};
credentialsFile = credentialsFile;
};
# Bind transmission to wireguard namespace
systemd.services.transmission = {
bindsTo = [ "netns@wg.service" ];
requires = [ "network-online.target" ];
after = [ "wireguard-wg0.service" ];
unitConfig.JoinsNamespaceOf = "netns@wg.service";
serviceConfig = { PrivateNetwork = true; };
};
# Create reverse proxy for web UI
caddyRoutes = [{
match = [{ host = [ config.transmissionServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:9091"; }];
}];
}];
# Allow inbound connections to reach namespace
systemd.services.transmission-web-netns = {
description = "Forward to transmission in netns";
requires = [ "transmission.service" ];
after = [ "transmission.service" ];
serviceConfig = {
User = "transmission";
Group = "transmission";
Restart = "on-failure";
TimeoutStopSec = 300;
};
wantedBy = [ "multi-user.target" ];
script = ''
${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
'';
};
# Create credentials file for transmission
systemd.services.transmission-creds = {
requiredBy = [ "transmission.service" ];
before = [ "transmission.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
if [ ! -f "${credentialsFile}" ]; then
mkdir --parents ${builtins.dirOf credentialsFile}
${pkgs.age}/bin/age --decrypt \
--identity ${config.identityFile} \
--output ${credentialsFile} \
${builtins.toString ../../private/transmission.json.age}
chown transmission:transmission ${credentialsFile}
chmod 0700 ${credentialsFile}
fi
'';
};
};
}
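Review bot: The host-side socat in `transmission-web-netns` uses `tcp-listen:9091,fork,reuseaddr` with no `bind=`, so the forwarded RPC port listens on every host interface even though its only intended client is the Caddy `reverse_proxy` dialing `localhost:9091`, and with `rpc-whitelist-enabled = false` in the settings above Transmission will not reject those connections itself, leaving only the RPC password in the way. Restrict the listener with `tcp-listen:9091,bind=127.0.0.1,fork,reuseaddr`. Separately, `ip netns exec` needs CAP_SYS_ADMIN to enter the namespace, so with `User = "transmission"` this unit will most likely fail to start (which would match the commit title); either drop the User/Group lines so the forwarder runs as root like the other units in this file, or bridge the two namespaces through a filesystem Unix socket instead. In `transmission-creds`, `age --output` creates the file before the `chown`/`chmod` run, so a `umask 077` at the top of the script closes that window, and `chmod 0600` is the mode actually meant for a credentials file rather than `0700`.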


@ -1,18 +1,77 @@
{ ... }: { { config, pkgs, ... }:
let privateKeyFile = "/private/wireguard/wg0";
in {
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
interfaces = { interfaces = {
wg0 = { wg0 = {
ips = [ "10.66.127.235/32" "fc00:bbbb:bbbb:bb01::3:7fea/128" ];
generatePrivateKeyFile = true; # The local IPs for this machine within the Wireguard network
privateKeyFile = "/private/wireguard/wg0"; # Any inbound traffic bound for these IPs should be kept on localhost
ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
# Establishes identity of this machine
generatePrivateKeyFile = false;
privateKeyFile = privateKeyFile;
peers = [{ peers = [{
publicKey = "cVDIYPzNChIeANp+0jE12kWM5Ga1MbmNErT1Pmaf12A=";
# Identity of Wireguard target peer (VPN)
publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
# Which outgoing IP ranges should be sent through Wireguard
allowedIPs = [ "0.0.0.0/0" "::0/0" ]; allowedIPs = [ "0.0.0.0/0" "::0/0" ];
endpoint = "89.46.62.197:51820";
# The public internet address of the target peer
endpoint = "86.106.143.132:51820";
# Send heartbeat signal within the network
persistentKeepalive = 25; persistentKeepalive = 25;
}]; }];
# Namespaces
interfaceNamespace = "wg";
# socketNamespace = "wg";
}; };
}; };
}; };
# Create namespace for Wireguard
systemd.services."netns@" = {
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
};
};
# Private key file for wireguard
systemd.services.wireguard-private-key = {
wantedBy = [ "wireguard-wg0.service" ];
requiredBy = [ "wireguard-wg0.service" ];
before = [ "wireguard-wg0.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
if [ ! -f "${privateKeyFile}" ]; then
${pkgs.age}/bin/age --decrypt \
--identity ${config.identityFile} \
--output ${privateKeyFile} \
${builtins.toString ../../private/wireguard.age}
chmod 0700 ${privateKeyFile}
fi
'';
};
} }
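Review bot: `interfaceNamespace = "wg"` needs the `wg` namespace to already exist when `wireguard-wg0.service` creates the interface, but nothing in this file orders that unit after the new `netns@wg.service`; unless the NixOS wireguard module adds that dependency itself (not confirmed from here), `wg0` races the namespace creation on boot. Add `systemd.services.wireguard-wg0 = { requires = [ "netns@wg.service" ]; after = [ "netns@wg.service" ]; };` next to the `netns@` unit. In `wireguard-private-key`, the key is written by `age --output` with whatever mode age and the current umask give it before `chmod 0700` runs, so put `umask 077` at the top of the script and use `chmod 0600`, since the file is never executed; `wantedBy` is also redundant alongside `requiredBy` on the same target. The commented-out `# socketNamespace = "wg";` should either be removed or carry a comment saying the UDP socket is deliberately left in the init namespace so the endpoint stays reachable while all namespace traffic goes through the tunnel.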


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 MgHaOw PAAWnpc5bJ5S972U+L6YgHpI2a7aqwxWaNZrvQIODVg
A6zRWD6TmlVb8b5J3gdMf3JAeHIHgUQA3C8PpR8GveQ
--- xP8vbUGtTlvaZ0K2J0+J0ICoL9gvCbhQg6GxG8ZYCS0
±7¸½½5åL2céJ¿œÄ€»eÅ,÷ßÝ<C39F>ÉTù°§n$Mó<4D>ýi4þêYßiæ[á! ¸Å<C2B8>L%ß(Ði‰§F;‡ù6<C3B9>·¨¡†ã¹ÄÂÍÔŠjO

5
private/wireguard.age Normal file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 MgHaOw lG6VtLpEU/33egpB9WqJiulVdL3K5a2IGjekIu6HtSI
VsAfCbtQuHU9tptKQR4buD3ydwb89aSbUVdEoetU1gc
--- kts74pY8NdQh4pTlMT3NTHxU0qnA0txwQKH5FkQCdXA
ø¿SŸÐ8˜A 0<>`0åªýÕ$,1*/H¼íÞå³ÏV ½þñZtWˆ¬<CB86>ÔBC¯[<¬N@cûá™h_QtÀÀ(ÞÈ Â£fz