deluge

hosts/sigma/caddy.nix

@@ -1,3 +1,10 @@
 {secrets, ...}: {
   services.caddy.virtualHosts = secrets.sigma.caddy.virtualHosts;
+
+  age.secrets.caddy-auth-sigma = {
+    file = "${secrets}/secrets/caddy-auth-sigma.age";
+    mode = "600";
+    owner = "caddy";
+    group = "caddy";
+  };
 }

hosts/sigma/default.nix

@@ -6,6 +6,7 @@
     ./acme.nix
     ./borg.nix
     ./caddy.nix
+    ./deluge.nix
     ./gitea.nix
     ./hardware.nix
     ./network.nix

hosts/sigma/deluge.nix

@@ -0,0 +1,67 @@
+{
+  lib,
+  pkgs,
+  secrets,
+  ...
+}: {
+  # Deluge BitTorrent Client is a free and open-source, cross-platform
+  # BitTorrent client written in Python.
+  # https://www.deluge-torrent.org/
+  services.deluge = {
+    enable = true;
+    web.enable = true;
+    # https://git.deluge-torrent.org/deluge/tree/deluge/core/preferencesmanager.py#n41
+    declarative = true;
+    config = {
+      # use dedicated interface
+      listen_interface = secrets.sigma.sigma-p2p-ip-address;
+      outgoing_interface = "wg-sigma-p2p";
+      random_port = false;
+      listen_ports = [60881];
+      # encrypt everything
+      enc_in_policy = 0;
+      enc_out_policy = 0;
+      enc_level = 1;
+      # no limits
+      max_connections_global = -1;
+      max_upload_slots_global = -1;
+      max_half_open_connections = -1;
+      max_connections_per_second = -1;
+      max_active_seeding = -1;
+      max_active_downloading = -1;
+      max_active_limit = -1;
+      # caching
+      cache_size = 65536; # 65536 x 16KiB = 1GiB
+      # enable label plugin for sonarr
+      enabled_plugins = ["Label"];
+    };
+    # authfile is required with declarative=true; allow access from webui
+    authFile = pkgs.writeTextFile {
+      name = "deluge-auth";
+      text = ''
+        localclient::10
+      '';
+    };
+  };
+
+  # Add 'caddy' to the 'deluge' group to allow browsing files
+  users.groups.deluge.members = ["caddy"];
+
+  # Only allow deluged internet access through wg-sigma-p2p
+  systemd.services.deluged = {
+    serviceConfig = {
+      RestrictNetworkInterfaces = "lo wg-sigma-p2p";
+    };
+  };
+
+  environment.persistence."/nix/persist" = {
+    directories = [
+      {
+        directory = "/var/lib/deluge";
+        user = "deluge";
+        group = "deluge";
+        mode = "0770";
+      }
+    ];
+  };
+}

hosts/sigma/network.nix

@@ -4,32 +4,6 @@
   secrets,
   ...
 }: {
-  # TODO
-  virtualisation.oci-containers.containers = {
-    qbittorrent = {
-      # https://docs.linuxserver.io/images/docker-qbittorrent
-      image = "lscr.io/linuxserver/qbittorrent:4.5.2";
-      # outbound_addr ensures we use the sigma-p2p IP address for outbound
-      # connections. port_handler allows the application access to the real
-      # source IP addresses.
-      # TODO: use systemd service with `RestrictNetworkInterfaces = "wg-sigma-p2p"` instead
-      # https://github.com/NixOS/nixpkgs/pull/287923
-      extraOptions = ["--network=slirp4netns:outbound_addr=wg-sigma-p2p,port_handler=slirp4netns"];
-      environment = {
-        TZ = "Europe/Copenhagen";
-      };
-      ports = [
-        # WebUI (localhost for Caddy reverse proxy) TODO
-        # "127.0.0.1:80:80"
-        "${secrets.sigma.sigma-p2p-ip-address}:1337:1337/tcp"
-        "${secrets.sigma.sigma-p2p-ip-address}:1337:1337/udp"
-      ];
-      volumes = [
-        "/mnt/lol/:/data/downloads/"
-      ];
-    };
-  };
-
   systemd.network = {
     config = {
       routeTables = {
@@ -145,6 +119,8 @@
       "enp5s0" = {
         allowedTCPPorts = [
           22 # SSH
+          80 # Caddy
+          443 # Caddy
         ];
       };
       "wg-sigma-public" = {
@@ -156,7 +132,10 @@
       };
       "wg-sigma-p2p" = {
         allowedTCPPorts = [
-          1337 # random testing (TODO)
+          60881 # Deluge
+        ];
+        allowedUDPPorts = [
+          60881 # Deluge
         ];
       };
     };