diff --git a/hosts/sigma/caddy.nix b/hosts/sigma/caddy.nix
index cb12155..39eca73 100644
--- a/hosts/sigma/caddy.nix
+++ b/hosts/sigma/caddy.nix
@@ -1,3 +1,10 @@
 {secrets, ...}: {
   services.caddy.virtualHosts = secrets.sigma.caddy.virtualHosts;
+
+  age.secrets.caddy-auth-sigma = {
+    file = "${secrets}/secrets/caddy-auth-sigma.age";
+    mode = "600";
+    owner = "caddy";
+    group = "caddy";
+  };
 }
diff --git a/hosts/sigma/default.nix b/hosts/sigma/default.nix
index bbd590a..93a7883 100644
--- a/hosts/sigma/default.nix
+++ b/hosts/sigma/default.nix
@@ -6,6 +6,7 @@
     ./acme.nix
     ./borg.nix
     ./caddy.nix
+    ./deluge.nix
     ./gitea.nix
     ./hardware.nix
     ./network.nix
diff --git a/hosts/sigma/deluge.nix b/hosts/sigma/deluge.nix
new file mode 100644
index 0000000..6c2d5be
--- /dev/null
+++ b/hosts/sigma/deluge.nix
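Review bot: `age.secrets.caddy-auth-sigma` is declared here but nothing in the hunk consumes it — the only other line, `services.caddy.virtualHosts = secrets.sigma.caddy.virtualHosts;`, pulls its definitions from outside the repository view, so presumably those virtual hosts reference the decrypted file, but a reader of caddy.nix cannot tell. A one-line comment naming the consumer would close that gap, e.g. `# Decrypted credential read by the virtual host definitions in secrets.sigma.caddy.virtualHosts via config.age.secrets.caddy-auth-sigma.path — confirm`. `mode = "600"` with `owner = "caddy"` is consistent with that use; if anything else needs to read it, that should be stated rather than the mode widened later without explanation.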
@@ -0,0 +1,67 @@
+{
+  lib,
+  pkgs,
+  secrets,
+  ...
+}: {
+  # Deluge BitTorrent Client is a free and open-source, cross-platform
+  # BitTorrent client written in Python.
+  # https://www.deluge-torrent.org/
+  services.deluge = {
+    enable = true;
+    web.enable = true;
+    # https://git.deluge-torrent.org/deluge/tree/deluge/core/preferencesmanager.py#n41
+    declarative = true;
+    config = {
+      # use dedicated interface
+      listen_interface = secrets.sigma.sigma-p2p-ip-address;
+      outgoing_interface = "wg-sigma-p2p";
+      random_port = false;
+      listen_ports = [60881];
+      # encrypt everything
+      enc_in_policy = 0;
+      enc_out_policy = 0;
+      enc_level = 1;
+      # no limits
+      max_connections_global = -1;
+      max_upload_slots_global = -1;
+      max_half_open_connections = -1;
+      max_connections_per_second = -1;
+      max_active_seeding = -1;
+      max_active_downloading = -1;
+      max_active_limit = -1;
+      # caching
+      cache_size = 65536; # 65536 x 16KiB = 1GiB
+      # enable label plugin for sonarr
+      enabled_plugins = ["Label"];
+    };
+    # authfile is required with declarative=true; allow access from webui
+    authFile = pkgs.writeTextFile {
+      name = "deluge-auth";
+      text = ''
+        localclient::10
+      '';
+    };
+  };
+
+  # Add 'caddy' to the 'deluge' group to allow browsing files
+  users.groups.deluge.members = ["caddy"];
+
+  # Only allow deluged internet access through wg-sigma-p2p
+  systemd.services.deluged = {
+    serviceConfig = {
+      RestrictNetworkInterfaces = "lo wg-sigma-p2p";
+    };
+  };
+
+  environment.persistence."/nix/persist" = {
+    directories = [
+      {
+        directory = "/var/lib/deluge";
+        user = "deluge";
+        group = "deluge";
+        mode = "0770";
+      }
+    ];
+  };
+}
diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix
index e985419..fb38f62 100644
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
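Review bot: The `enc_in_policy = 0; enc_out_policy = 0; enc_level = 1;` lines under `# encrypt everything` are magic numbers whose meaning is only reachable through the preferencesmanager.py link above `declarative`; as I read that file, policy 0 is "forced" and level 1 is "full stream", which does match the stated intent, but the mapping should be inline so the claim can be checked without leaving the file, e.g. `# policy: 0 = forced, 1 = enabled, 2 = disabled; level: 0 = handshake only, 1 = full stream, 2 = either — verify against preferencesmanager.py`. Separately, `authFile = pkgs.writeTextFile { … }` puts the auth file in the Nix store, which is world-readable, so the `localclient::10` entry is acceptable only because its password field is empty; the comment on `authFile` should say that no real credential may ever be written here, otherwise the next edit turns this into a leak. That empty password also means any local process that can reach deluged over `lo` authenticates at level 10, which is worth recording next to `RestrictNetworkInterfaces = "lo wg-sigma-p2p";` since that line is what currently bounds the exposure.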
@@ -4,32 +4,6 @@
   secrets,
   ...
 }: {
-  # TODO
-  virtualisation.oci-containers.containers = {
-    qbittorrent = {
-      # https://docs.linuxserver.io/images/docker-qbittorrent
-      image = "lscr.io/linuxserver/qbittorrent:4.5.2";
-      # outbound_addr ensures we use the sigma-p2p IP address for outbound
-      # connections. port_handler allows the application access to the real
-      # source IP addresses.
-      # TODO: use systemd service with `RestrictNetworkInterfaces = "wg-sigma-p2p"` instead
-      # https://github.com/NixOS/nixpkgs/pull/287923
-      extraOptions = ["--network=slirp4netns:outbound_addr=wg-sigma-p2p,port_handler=slirp4netns"];
-      environment = {
-        TZ = "Europe/Copenhagen";
-      };
-      ports = [
-        # WebUI (localhost for Caddy reverse proxy) TODO
-        # "127.0.0.1:80:80"
-        "${secrets.sigma.sigma-p2p-ip-address}:1337:1337/tcp"
-        "${secrets.sigma.sigma-p2p-ip-address}:1337:1337/udp"
-      ];
-      volumes = [
-        "/mnt/lol/:/data/downloads/"
-      ];
-    };
-  };
-
   systemd.network = {
     config = {
       routeTables = {
@@ -145,6 +119,8 @@
     "enp5s0" = {
       allowedTCPPorts = [
         22 # SSH
+        80 # Caddy
+        443 # Caddy
       ];
     };
     "wg-sigma-public" = {
@@ -156,7 +132,10 @@
     };
     "wg-sigma-p2p" = {
       allowedTCPPorts = [
-        1337 # random testing (TODO)
+        60881 # Deluge
+      ];
+      allowedUDPPorts = [
+        60881 # Deluge
       ];
     };
   };
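Review bot: In the last hunk the Deluge listen port 60881 is hard-coded in both `allowedTCPPorts` and `allowedUDPPorts` for `"wg-sigma-p2p"`, and the same number appears again as `listen_ports = [60881]` in deluge.nix, so a later change to either file silently leaves the firewall out of step with the daemon. If `config` is added to this module's arguments the two can be tied together with `allowedTCPPorts = config.services.deluge.config.listen_ports;` and the same expression for `allowedUDPPorts`, keeping the `# Deluge` comment to say where the value comes from. The enclosing attribute set (presumably the per-interface firewall block) starts and ends outside the hunk.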