This commit is contained in:
Casper V. Kristensen 2024-04-22 23:59:18 +02:00
parent d8801c0794
commit aea0104f41
4 changed files with 81 additions and 27 deletions


@ -1,3 +1,10 @@
{secrets, ...}: {
services.caddy.virtualHosts = secrets.sigma.caddy.virtualHosts;
age.secrets.caddy-auth-sigma = {
file = "${secrets}/secrets/caddy-auth-sigma.age";
mode = "600";
owner = "caddy";
group = "caddy";
};
}
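Review bot: The `age.secrets.caddy-auth-sigma` declaration at lines 12–17 is not consumed by anything visible in this hunk, and since `services.caddy.virtualHosts` is pulled from the `secrets` input, the vhost that reads the decrypted file cannot be reviewed here. A comment above the block would make the coupling explicit, e.g. `# Decrypted at runtime for caddy; consumed by the vhost definitions in secrets.sigma.caddy (presumably basic_auth credentials for the Deluge web UI)`. Note also that `secrets` is used both as an attribute set on line 11 and interpolated as a path on line 13; that works for a flake input carrying an `outPath`, but is worth confirming. Mode `600` with owner `caddy` is the right shape for a file only the Caddy process should read.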


@ -6,6 +6,7 @@
./acme.nix
./borg.nix
./caddy.nix
./deluge.nix
./gitea.nix
./hardware.nix
./network.nix

67
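--- /dev/null
+++ b/hosts/sigma/deluge.nix
@@ -0,0 +1,67 @@
+{
+lib,
+pkgs,
+secrets,
+...
+}: {
+# Deluge BitTorrent Client is a free and open-source, cross-platform
+# BitTorrent client written in Python.
+# https://www.deluge-torrent.org/
+services.deluge = {
+enable = true;
+web.enable = true;
+# https://git.deluge-torrent.org/deluge/tree/deluge/core/preferencesmanager.py#n41
+declarative = true;
+config = {
+# use dedicated interface
+listen_interface = secrets.sigma.sigma-p2p-ip-address;
+outgoing_interface = "wg-sigma-p2p";
+random_port = false;
+listen_ports = [60881];
+# encrypt everything
+enc_in_policy = 0;
+enc_out_policy = 0;
+enc_level = 1;
+# no limits
+max_connections_global = -1;
+max_upload_slots_global = -1;
+max_half_open_connections = -1;
+max_connections_per_second = -1;
+max_active_seeding = -1;
+max_active_downloading = -1;
+max_active_limit = -1;
+# caching
+cache_size = 65536; # 65536 x 16KiB = 1GiB
+# enable label plugin for sonarr
+enabled_plugins = ["Label"];
+};
+# authfile is required with declarative=true; allow access from webui
+authFile = pkgs.writeTextFile {
+name = "deluge-auth";
+text = ''
+localclient::10
+'';
+};
+};
+# Add 'caddy' to the 'deluge' group to allow browsing files
+users.groups.deluge.members = ["caddy"];
+# Only allow deluged internet access through wg-sigma-p2p
+systemd.services.deluged = {
+serviceConfig = {
+RestrictNetworkInterfaces = "lo wg-sigma-p2p";
+};
+};
+environment.persistence."/nix/persist" = {
+directories = [
+{
+directory = "/var/lib/deluge";
+user = "deluge";
+group = "deluge";
+mode = "0770";
+}
+];
+};
+}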
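Review bot: The `authFile` built at lines 74–79 gives `localclient` the full-privilege level 10 with an empty password (the format is `user:password:level`), and because it is produced with `pkgs.writeTextFile` it lands in the world-readable Nix store, so any local account — including the `caddy` user this file adds to the `deluge` group — can read it and, if deluged's RPC port is reachable locally (it binds to localhost by default), drive the daemon with admin rights. The caddy.nix change in this same commit already decrypts a credential with `age.secrets`; the same mechanism fits here, with a non-empty password in the encrypted file and `config` added to the module's argument set. Separately, `mode = "0770"` at line 95 gives `caddy` write access to deluge's whole state directory, which is more than the "browsing files" comment at line 81 needs — `mode = "0750"` would match that intent. Note too that `RestrictNetworkInterfaces` at line 86 applies only to the `deluged` unit, not to the `delugeweb` unit that `web.enable` starts, and the web UI keeps Deluge's own stock password until it is changed; if Caddy's basic auth is meant to be the gate, a comment saying so above `web.enable = true;` would help the next reader.

```nix
{
  config,
  lib,
  pkgs,
  secrets,
  ...
}: {
  # … unchanged: services.deluge.enable / web / config …
    # Credentials for deluged's RPC interface. Kept out of the world-readable
    # Nix store; the encrypted file must contain a non-empty password.
    authFile = config.age.secrets.deluge-auth.path;
  };
  age.secrets.deluge-auth = {
    file = "${secrets}/secrets/deluge-auth.age";
    mode = "400";
    owner = "deluge";
    group = "deluge";
  };
  # … unchanged: users.groups, systemd.services.deluged, environment.persistence …
```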


@ -4,32 +4,6 @@
secrets,
...
}: {
# TODO
virtualisation.oci-containers.containers = {
qbittorrent = {
# https://docs.linuxserver.io/images/docker-qbittorrent
image = "lscr.io/linuxserver/qbittorrent:4.5.2";
# outbound_addr ensures we use the sigma-p2p IP address for outbound
# connections. port_handler allows the application access to the real
# source IP addresses.
# TODO: use systemd service with `RestrictNetworkInterfaces = "wg-sigma-p2p"` instead
# https://github.com/NixOS/nixpkgs/pull/287923
extraOptions = ["--network=slirp4netns:outbound_addr=wg-sigma-p2p,port_handler=slirp4netns"];
environment = {
TZ = "Europe/Copenhagen";
};
ports = [
# WebUI (localhost for Caddy reverse proxy) TODO
# "127.0.0.1:80:80"
"${secrets.sigma.sigma-p2p-ip-address}:1337:1337/tcp"
"${secrets.sigma.sigma-p2p-ip-address}:1337:1337/udp"
];
volumes = [
"/mnt/lol/:/data/downloads/"
];
};
};
systemd.network = {
config = {
routeTables = {
@ -145,6 +119,8 @@
"enp5s0" = {
allowedTCPPorts = [
22 # SSH
80 # Caddy
443 # Caddy
];
};
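Review bot: Opening 80 and 443 on `enp5s0` exposes every Caddy virtual host to the public network, and because the vhost definitions come from the `secrets` input, what is actually being published cannot be reviewed in this commit. A comment on these two entries recording what they front and what gates it would help, e.g. `80 # Caddy (public; vhosts live in secrets.sigma.caddy, auth via caddy-auth-sigma)`; the `caddy-auth-sigma` secret added in this commit is presumably that gate, but nothing here confirms it. The enclosing `networking.firewall.interfaces` block starts and ends outside this hunk.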
"wg-sigma-public" = {
@ -156,7 +132,10 @@
};
"wg-sigma-p2p" = {
allowedTCPPorts = [
1337 # random testing (TODO)
60881 # Deluge
];
allowedUDPPorts = [
60881 # Deluge
];
};
};