mediaserver: big wgns rework
This commit is contained in:
parent
1908975e83
commit
75cc6e2834
16 changed files with 303 additions and 185 deletions
|
@ -1,68 +0,0 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/autobrr 0755 root root"
|
||||
"d /var/lib/omegabrr 0755 root root"
|
||||
];
|
||||
|
||||
virtualisation.oci-containers.containers.autobrr = {
|
||||
image = "ghcr.io/autobrr/autobrr:latest";
|
||||
ports = [ "192.168.42.2:7474:7474" ];
|
||||
environment = {
|
||||
"TZ" = "Europe/Berlin";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/autobrr:/config"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers.omegabrr = {
|
||||
image = "ghcr.io/autobrr/omegabrr:latest";
|
||||
ports = [ "192.168.42.2:7441:7441" ];
|
||||
volumes = [
|
||||
"/var/lib/omegabrr:/config"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.podman-autobrr = {
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce [ "wg.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
TimeoutStopSec = lib.mkForce 10;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.podman-omegabrr = {
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce [ "wg.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
TimeoutStopSec = lib.mkForce 10;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
|
||||
quic = true;
|
||||
http3 = true;
|
||||
|
||||
onlySSL = true;
|
||||
useACMEHost = "internal.kempkens.network";
|
||||
|
||||
locations."/" = {
|
||||
recommendedProxySettings = true;
|
||||
proxyPass = "http://192.168.42.2:7474";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,27 +0,0 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
virtualisation.oci-containers.containers.flaresolverr = {
|
||||
image = "ghcr.io/flaresolverr/flaresolverr:latest";
|
||||
ports = [ "192.168.42.2:8191:8191" ];
|
||||
environment = {
|
||||
"HOST" = "192.168.42.2";
|
||||
"PORT" = "8191";
|
||||
"LOG_LEVEL" = "info";
|
||||
};
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.podman-flaresolverr = {
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce [ "wg.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
TimeoutStopSec = lib.mkForce 10;
|
||||
};
|
||||
};
|
||||
}
|
18
flake.lock
18
flake.lock
|
@ -253,11 +253,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1684741999,
|
||||
"narHash": "sha256-KZLKsFZ6cLjCdCNKZoT8bc1y+rYBuFgKatmIB38zqy4=",
|
||||
"lastModified": 1684788503,
|
||||
"narHash": "sha256-ewr/8U0/iCs8K+MP5Fw9Q1IQ1Pt57ZgC2k/dg1c+CMk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "ba006d7cca2cb871c6a31bdbc130c05cde5ca8e8",
|
||||
"rev": "d9995d94f194955d1f1af0e1ad5866a904196c20",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -300,11 +300,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1684743638,
|
||||
"narHash": "sha256-S+qJm+KEP9MM6VHmp8613x3e4xcZ0584NjFNxjS+dW0=",
|
||||
"lastModified": 1684800269,
|
||||
"narHash": "sha256-xVzKIpw8a/VdZKRZUK7qwTQMTH6MO+ozme4Vmw9xgSA=",
|
||||
"owner": "nifoc",
|
||||
"repo": "nix-overlay",
|
||||
"rev": "801010f1d3b6352992ff6e32cfdbe169e81bcb5c",
|
||||
"rev": "7566d2108487b63894e0437cc47926c446907994",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -315,11 +315,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1684698729,
|
||||
"narHash": "sha256-eFX+g0JNHYDuoGq3XvT+360UDIzRGFWcHh0il6rGz7g=",
|
||||
"lastModified": 1684724044,
|
||||
"narHash": "sha256-OysG4ORx60BcUyBVClbOBVybqZ4Ep8Xh8EIDvNam4WU=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9356eead97d8d16956b0226d78f76bd66e06cb60",
|
||||
"rev": "b31c968ff28927d477eed85012e8090578c70852",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -308,12 +308,12 @@ in
|
|||
};
|
||||
friendly-snippets = buildVimPluginFrom2Nix {
|
||||
pname = "friendly-snippets";
|
||||
version = "2023-05-21";
|
||||
version = "2023-05-23";
|
||||
src = fetchFromGitHub {
|
||||
owner = "rafamadriz";
|
||||
repo = "friendly-snippets";
|
||||
rev = "2bb3958e1fe0a613e028f3c6fd2d2923fc23bd0c";
|
||||
sha256 = "1nlbm7ji73ggg48pzvlbb32jfscnj71bgfzg4q1p3zfvssisz85c";
|
||||
rev = "ef6547d2f586e08e071efeebac835e545f3015cc";
|
||||
sha256 = "0xjcnx787kc1xc259czwn6masym2v2r4ixjb772cb3lb5bn9v73q";
|
||||
fetchSubmodules = false;
|
||||
};
|
||||
};
|
||||
|
@ -473,12 +473,12 @@ in
|
|||
};
|
||||
nvim-surround = buildVimPluginFrom2Nix {
|
||||
pname = "nvim-surround";
|
||||
version = "2023-04-30";
|
||||
version = "2023-05-22";
|
||||
src = fetchFromGitHub {
|
||||
owner = "kylechui";
|
||||
repo = "nvim-surround";
|
||||
rev = "219bd66585aa467b1c90fd01b54a2a423aaed4ab";
|
||||
sha256 = "0aximc9fiicmhxkqrazjsqfr9mqw7llnfdc778acn5rkhwj1xms9";
|
||||
rev = "26b5067c3b56815eafbf41b7b830f1ab52819a45";
|
||||
sha256 = "17r7klq852wq3kwhjlpc6a5k6d6h4bm8rf9ivjxgc7b4whiris5n";
|
||||
fetchSubmodules = false;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -47,6 +47,8 @@ rec {
|
|||
hostname = "adsb-antenna";
|
||||
sshUser = "root";
|
||||
remoteBuild = true;
|
||||
autoRollback = false;
|
||||
magicRollback = false;
|
||||
|
||||
profiles.system = {
|
||||
path = deploy-rs.lib.${default-system}.activate.nixos system;
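Review bot: `autoRollback = false;` and `magicRollback = false;` for adsb-antenna switch off both deploy-rs safety nets: magic rollback reverts an activation when the deployer cannot reconnect afterwards, so a bad network, SSH or firewall change now leaves this remote host unreachable with no automatic way back. If that is deliberate (for instance because the reconnect check is known to misfire on this host), record the reason next to the two options, e.g. `# rollback disabled: <reason>`, so it is not read as an oversight later. This host is unrelated to the mediaserver rework the commit describes, which is another reason to say why it changed.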
|
||||
|
|
|
@ -22,10 +22,12 @@ in
|
|||
|
||||
../nixos/tailscale.nix
|
||||
|
||||
../nixos/container.nix
|
||||
../nixos/mediaserver-setup.nix
|
||||
(import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
|
||||
(import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; }))
|
||||
../nixos/prowlarr.nix
|
||||
../nixos/autobrr.nix
|
||||
../nixos/unpackerr.nix
|
||||
../nixos/sonarr.nix
|
||||
../nixos/radarr.nix
|
||||
|
@ -34,10 +36,9 @@ in
|
|||
../nixos/jellyfin.nix
|
||||
../nixos/aria2.nix
|
||||
|
||||
../nixos/container.nix
|
||||
../nixos/convos.nix
|
||||
|
||||
../../container/tubearchivist
|
||||
../../container/autobrr
|
||||
../../container/flaresolverr
|
||||
../../secret/container/additional-media
|
||||
];
|
||||
|
||||
|
|
80
system/nixos/autobrr.nix
Normal file
80
system/nixos/autobrr.nix
Normal file
|
@ -0,0 +1,80 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/autobrr 0755 root root"
|
||||
"d /var/lib/omegabrr 0755 root root"
|
||||
];
|
||||
|
||||
virtualisation.oci-containers.containers = {
|
||||
autobrr = {
|
||||
image = "ghcr.io/autobrr/autobrr:latest";
|
||||
ports = [ "192.168.42.2:7474:7474" ];
|
||||
environment = {
|
||||
"TZ" = "Europe/Berlin";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/autobrr:/config"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
omegabrr = {
|
||||
image = "ghcr.io/autobrr/omegabrr:latest";
|
||||
ports = [ "192.168.42.2:7441:7441" ];
|
||||
volumes = [
|
||||
"/var/lib/omegabrr:/config"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.podman-autobrr =
|
||||
let
|
||||
depends = [ "podman-sonarr.service" "podman-radarr.service" ];
|
||||
in
|
||||
{
|
||||
requires = lib.mkAfter depends;
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce ([ "wg.service" ] ++ depends);
|
||||
|
||||
serviceConfig = {
|
||||
TimeoutStopSec = lib.mkForce 10;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.podman-omegabrr =
|
||||
let
|
||||
depends = [ "podman-autobrr.service" ];
|
||||
in
|
||||
{
|
||||
requires = lib.mkAfter depends;
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce ([ "wg.service" ] ++ depends);
|
||||
|
||||
serviceConfig = {
|
||||
TimeoutStopSec = lib.mkForce 10;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
|
||||
quic = true;
|
||||
http3 = true;
|
||||
|
||||
onlySSL = true;
|
||||
useACMEHost = "internal.kempkens.network";
|
||||
|
||||
locations."/" = {
|
||||
recommendedProxySettings = true;
|
||||
proxyPass = "http://192.168.42.2:7474";
|
||||
};
|
||||
};
|
||||
}
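Review bot: The tmpfiles rules `d /var/lib/autobrr 0755 root root` and `d /var/lib/omegabrr 0755 root root` create the config directories world-readable, and these are exactly the paths mounted as `/config`, where autobrr keeps its database and the credentials it is configured with (indexer and IRC secrets — confirm against the image's documentation). `0750` keeps other local accounts out; no `--user` or PUID is set here, so unless the image drops privileges itself the container runs as root and `0750 root root` still works. Separately, `:latest` combined with both `io.containers.autoupdate=registry` and the watchtower label means whatever the registry serves next is pulled and started unattended, with two updaters racing and no pin; a version tag or `@sha256:` digest plus a single updater would make upgrades reviewable.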
|
51
system/nixos/convos.nix
Normal file
51
system/nixos/convos.nix
Normal file
|
@ -0,0 +1,51 @@
|
|||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/convos 0755 root root"
|
||||
];
|
||||
|
||||
virtualisation.oci-containers.containers.convos = {
|
||||
image = "docker.io/convos/convos:stable";
|
||||
ports = [ "192.168.42.2:3000:3000" ];
|
||||
environment = {
|
||||
"CONVOS_REVERSE_PROXY" = "1";
|
||||
"TZ" = "Etc/UTC";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/convos:/data"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.podman-convos = {
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce [ "wg.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
TimeoutStopSec = lib.mkForce 5;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."convos.internal.kempkens.network" = {
|
||||
quic = true;
|
||||
http3 = true;
|
||||
|
||||
onlySSL = true;
|
||||
useACMEHost = "internal.kempkens.network";
|
||||
|
||||
locations."/" = {
|
||||
recommendedProxySettings = true;
|
||||
proxyPass = "http://192.168.42.2:3000";
|
||||
proxyWebsockets = true;
|
||||
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Request-Base "$scheme://$host/";
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
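Review bot: `"CONVOS_REVERSE_PROXY" = "1"` makes Convos trust `X-Forwarded-For`/`X-Forwarded-Proto` from any client of port 3000, so it is only safe while nginx is the sole thing that can reach that port; that currently appears to hold because the listener is bound to 192.168.42.2 inside the wg namespace and the firewall module in this commit accepts 3000 only from vethwgns0, but nothing in this file records the dependency. A comment above the environment block, e.g. `# CONVOS_REVERSE_PROXY trusts X-Forwarded-*; port 3000 must stay reachable only from nginx via vethwgns0`, keeps a later firewall change from silently turning this into client-IP spoofing. `d /var/lib/convos 0755 root root` also leaves the user database (password hashes, IRC credentials) readable by every local account; `0750` is enough unless the image drops to an unprivileged UID, in which case the directory has to be owned by that UID for writes to succeed anyway.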
|
|
@ -1,21 +1,30 @@
|
|||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
services.prowlarr = {
|
||||
enable = true;
|
||||
openFirewall = false;
|
||||
virtualisation.oci-containers.containers.prowlarr = {
|
||||
image = "lscr.io/linuxserver/prowlarr:latest";
|
||||
ports = [ "192.168.42.2:9696:9696" ];
|
||||
environment = {
|
||||
"PUID" = "1001";
|
||||
"PGID" = "2001";
|
||||
"TZ" = "Etc/UTC";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/prowlarr:/config"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.prowlarr = {
|
||||
systemd.services.podman-prowlarr = {
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce [ "wg.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
NetworkNamespacePath = "/var/run/netns/wg";
|
||||
BindReadOnlyPaths = [
|
||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||
];
|
||||
TimeoutStopSec = lib.mkForce 5;
|
||||
};
|
||||
};
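Review bot: The container bind-mounts `/var/lib/prowlarr` and runs as PUID 1001, but nothing in this hunk creates that directory or sets its owner, unlike sabnzbd.nix and qbittorrent.nix which carry a `systemd.tmpfiles.rules` entry. The removed native `services.prowlarr` unit managed the state directory itself, so on an existing host the directory is owned by whatever account that module ran as and on a fresh host podman creates it root-owned; either way the UID-1001 process inside the container may be unable to write its config. Adding `systemd.tmpfiles.rules = [ "d /var/lib/prowlarr 0750 media_user media_group" ];` (assuming media_user/media_group are 1001/2001, as the qbittorrent rule implies) — or a `Z` rule to correct existing ownership — matches the other modules; the module's attribute set continues past the hunk.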
|
||||
|
||||
|
|
|
@ -1,32 +1,45 @@
|
|||
{ pkgs, ... }:
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/qbittorrent 0750 media_user media_group"
|
||||
];
|
||||
|
||||
systemd.services.qbittorrent =
|
||||
virtualisation.oci-containers.containers.qbittorrent = {
|
||||
image = "lscr.io/linuxserver/qbittorrent:latest";
|
||||
ports = [ "192.168.42.2:8071:8071" ];
|
||||
environment = {
|
||||
"PUID" = "1001";
|
||||
"PGID" = "2001";
|
||||
"TZ" = "Etc/UTC";
|
||||
"WEBUI_PORT" = "8071";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/qbittorrent:/config"
|
||||
"/mnt/downloads:/mnt/downloads"
|
||||
"${pkgs.vuetorrent}/share:/usr/local/share/vuetorrent"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--cap-add=CAP_NET_RAW"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.podman-qbittorrent =
|
||||
let
|
||||
mounts = [ "mnt-downloads.mount" ];
|
||||
mounts = [
|
||||
"mnt-downloads.mount"
|
||||
];
|
||||
in
|
||||
{
|
||||
description = "qbittorrent instance";
|
||||
requires = mounts;
|
||||
requires = lib.mkAfter mounts;
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = [ "wg.service" ] ++ mounts;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
||||
|
||||
serviceConfig = {
|
||||
Type = "exec";
|
||||
User = "media_user";
|
||||
Group = "media_group";
|
||||
NetworkNamespacePath = "/var/run/netns/wg";
|
||||
BindReadOnlyPaths = [
|
||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||
];
|
||||
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent --webui-port=8071";
|
||||
AmbientCapabilities = [ "CAP_NET_RAW" ];
|
||||
TimeoutStopSec = lib.mkForce 10;
|
||||
};
|
||||
};
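Review bot: `"--cap-add=CAP_NET_RAW"` grants the capability to the container without a comment saying what qbittorrent needs it for; the old unit carried it as `AmbientCapabilities`, which suggests it was deliberate, but in the linuxserver image the daemon is started by s6 after switching to PUID 1001, and a bounding-set capability is not kept across that switch unless the binary has file capabilities or ambient caps are set, so it may be both unnecessary and ineffective. Confirm from inside the running container (`/proc/<pid>/status` CapEff of the qbittorrent-nox process); if it is still needed, document why with `# CAP_NET_RAW: <reason>`, otherwise drop the line so the container keeps podman's default capability set. The rest of the block mirrors the old `NetworkNamespacePath` setup via `--network=ns:/var/run/netns/wg`, which looks right.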
|
||||
|
||||
|
|
|
@ -1,31 +1,45 @@
|
|||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
services.radarr = {
|
||||
enable = true;
|
||||
user = "media_user";
|
||||
group = "media_group";
|
||||
openFirewall = false;
|
||||
virtualisation.oci-containers.containers.radarr = {
|
||||
image = "lscr.io/linuxserver/radarr:latest";
|
||||
ports = [ "192.168.42.2:7878:7878" ];
|
||||
environment = {
|
||||
"PUID" = "1001";
|
||||
"PGID" = "2001";
|
||||
"TZ" = "Etc/UTC";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/radarr/.config/Radarr:/config"
|
||||
"/mnt/downloads:/mnt/downloads"
|
||||
"/mnt/media/Movies:/mnt/media/Movies"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.radarr =
|
||||
systemd.services.podman-radarr =
|
||||
let
|
||||
mounts = [
|
||||
"mnt-media-Movies.mount"
|
||||
"mnt-downloads.mount"
|
||||
];
|
||||
|
||||
depends = [
|
||||
"podman-sabnzbd.service"
|
||||
"podman-qbittorrent.service"
|
||||
];
|
||||
in
|
||||
{
|
||||
requires = mounts;
|
||||
requires = lib.mkAfter (mounts ++ depends);
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
||||
after = lib.mkForce ([ "wg.service" ] ++ mounts ++ depends);
|
||||
|
||||
serviceConfig = {
|
||||
NetworkNamespacePath = "/var/run/netns/wg";
|
||||
BindReadOnlyPaths = [
|
||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||
];
|
||||
TimeoutStopSec = lib.mkForce 5;
|
||||
};
|
||||
};
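Review bot: `requires = lib.mkAfter (mounts ++ depends)` makes podman-radarr hard-depend on `podman-sabnzbd.service` and `podman-qbittorrent.service`: with `Requires=`, a failed start or an explicit stop of either download client also takes Radarr down, although Radarr runs fine without them and merely cannot grab new releases. If the aim is only to start them alongside and order after them, `wants = lib.mkAfter depends;` together with the existing `after` entries gives that without the stop propagation; keep `requires` for the mounts, which Radarr genuinely cannot run without. The same pattern appears in the `depends` lists of autobrr.nix.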
|
||||
|
||||
|
|
|
@ -1,33 +1,42 @@
|
|||
{ pkgs, ... }:
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/sabnzbd 0750 media_user media_group"
|
||||
];
|
||||
|
||||
# The nix-provided options force a sabnzbd-user to a certain degree
|
||||
systemd.services.sabnzbd =
|
||||
virtualisation.oci-containers.containers.sabnzbd = {
|
||||
image = "lscr.io/linuxserver/sabnzbd:latest";
|
||||
ports = [ "192.168.42.2:8080:8080" ];
|
||||
environment = {
|
||||
"PUID" = "1001";
|
||||
"PGID" = "2001";
|
||||
"TZ" = "Etc/UTC";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/sabnzbd:/config"
|
||||
"/mnt/downloads:/mnt/downloads"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.podman-sabnzbd =
|
||||
let
|
||||
mounts = [ "mnt-downloads.mount" ];
|
||||
mounts = [
|
||||
"mnt-downloads.mount"
|
||||
];
|
||||
in
|
||||
{
|
||||
description = "sabnzbd server";
|
||||
requires = mounts;
|
||||
requires = lib.mkAfter mounts;
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = [ "wg.service" ] ++ mounts;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
GuessMainPID = "no";
|
||||
User = "media_user";
|
||||
Group = "media_group";
|
||||
NetworkNamespacePath = "/var/run/netns/wg";
|
||||
BindReadOnlyPaths = [
|
||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||
];
|
||||
ExecStart = "${pkgs.sabnzbd}/bin/sabnzbd -d -f /var/lib/sabnzbd/sabnzbd.ini";
|
||||
TimeoutStopSec = lib.mkForce 10;
|
||||
};
|
||||
};
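Review bot: The removed unit bind-mounted `/etc/netns/wg/resolv.conf` and `nsswitch.conf` into the service so lookups used the namespace's resolver; the new container has no equivalent, and podman with `--network=ns:` builds the container's `/etc/resolv.conf` from the host's resolver configuration, not from `/etc/netns/wg/`. Unless that host resolver happens to be reachable from inside the wg namespace, sabnzbd's DNS will either fail or be routed over whatever path the namespace has to that address rather than the tunnel's resolver; I cannot see how the namespace resolver is provisioned, so treat this as something to confirm. Adding `"--dns=<resolver reachable through the tunnel>"` to `extraOptions`, or `"/etc/netns/wg/resolv.conf:/etc/resolv.conf:ro"` to `volumes`, restores the previous behaviour; the same applies to the other containers in this commit.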
|
||||
|
||||
|
|
|
@ -1,14 +1,29 @@
|
|||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
services.sonarr = {
|
||||
enable = true;
|
||||
user = "media_user";
|
||||
group = "media_group";
|
||||
openFirewall = false;
|
||||
virtualisation.oci-containers.containers.sonarr = {
|
||||
image = "lscr.io/linuxserver/sonarr:latest";
|
||||
ports = [ "192.168.42.2:8989:8989" ];
|
||||
environment = {
|
||||
"PUID" = "1001";
|
||||
"PGID" = "2001";
|
||||
"TZ" = "Etc/UTC";
|
||||
};
|
||||
volumes = [
|
||||
"/var/lib/sonarr/.config/NzbDrone:/config"
|
||||
"/mnt/downloads:/mnt/downloads"
|
||||
"/mnt/media/TV Shows:/mnt/media/TV Shows"
|
||||
"/mnt/media/Documentaries:/mnt/media/Documentaries"
|
||||
"/mnt/media/Anime:/mnt/media/Anime"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=ns:/var/run/netns/wg"
|
||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||
"--label=io.containers.autoupdate=registry"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.sonarr =
|
||||
systemd.services.podman-sonarr =
|
||||
let
|
||||
mounts = [
|
||||
"mnt-media-TV\\x20Shows.mount"
|
||||
|
@ -18,16 +33,12 @@
|
|||
];
|
||||
in
|
||||
{
|
||||
requires = mounts;
|
||||
requires = lib.mkAfter mounts;
|
||||
bindsTo = [ "wg.service" ];
|
||||
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
||||
|
||||
serviceConfig = {
|
||||
NetworkNamespacePath = "/var/run/netns/wg";
|
||||
BindReadOnlyPaths = [
|
||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||
];
|
||||
TimeoutStopSec = lib.mkForce 5;
|
||||
};
|
||||
};
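Review bot: Every container module in this commit (sonarr here, plus radarr, prowlarr, sabnzbd, qbittorrent, autobrr, convos) repeats the same block by hand — `PUID`/`PGID`/`TZ`, the three `extraOptions` lines, and the `bindsTo`/`after = lib.mkForce`/`TimeoutStopSec` unit override. `"--network=ns:/var/run/netns/wg"` is the one line that keeps a container's traffic inside the VPN namespace, and with it copied per file a future module can omit it and nothing will fail loudly. A small helper in a shared module, e.g. `mkWgContainer { name, image, ports, volumes, mounts ? [ ], depends ? [ ] }` producing both the container definition and the `podman-<name>` unit, would make the netns attachment and the `wg.service` binding impossible to forget; this is a structural suggestion, not a defect in the lines shown.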
|
||||
|
||||
|
|
|
@ -20,7 +20,8 @@ let
|
|||
|
||||
startScript = writeShScript "wg-firewall-start" ''
|
||||
ip46tables -D INPUT -j wg-fw 2> /dev/null || true
|
||||
for chain in wg-fw wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do
|
||||
ip46tables -D OUTPUT -j wg-fw-out 2> /dev/null || true
|
||||
for chain in wg-fw wg-fw-out wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do
|
||||
ip46tables -F "$chain" 2> /dev/null || true
|
||||
ip46tables -X "$chain" 2> /dev/null || true
|
||||
done
|
||||
|
@ -36,6 +37,8 @@ let
|
|||
ip46tables -A wg-fw-log-refuse -m pkttype ! --pkt-type unicast -j wg-fw-refuse
|
||||
ip46tables -A wg-fw-log-refuse -j wg-fw-refuse
|
||||
|
||||
## IN
|
||||
|
||||
ip46tables -N wg-fw
|
||||
|
||||
ip46tables -A wg-fw -i lo -j wg-fw-accept
|
||||
|
@ -43,6 +46,7 @@ let
|
|||
ip46tables -A wg-fw -m conntrack --ctstate ESTABLISHED,RELATED -j wg-fw-accept
|
||||
|
||||
# Ports
|
||||
ip46tables -A wg-fw -p tcp --dport 3000 -j wg-fw-accept -i vethwgns0
|
||||
ip46tables -A wg-fw -p tcp --dport 6801 -j wg-fw-accept -i vethwgns0
|
||||
ip46tables -A wg-fw -p tcp --dport 7441 -j wg-fw-accept -i vethwgns0
|
||||
ip46tables -A wg-fw -p tcp --dport 7474 -j wg-fw-accept -i vethwgns0
|
||||
|
@ -63,26 +67,45 @@ let
|
|||
ip6tables -A wg-fw -p icmpv6 -j wg-fw-accept
|
||||
|
||||
ip46tables -A wg-fw -j wg-fw-log-refuse
|
||||
|
||||
## OUT
|
||||
|
||||
ip46tables -N wg-fw-out
|
||||
|
||||
# Block non-local traffic
|
||||
iptables -A wg-fw-out -i vethwgns0 ! -d 192.168.42.0/24 -j wg-fw-refuse
|
||||
ip6tables -A wg-fw-out -i vethwgns0 -j wg-fw-refuse
|
||||
|
||||
ip46tables -A wg-fw-out -j wg-fw-accept
|
||||
|
||||
## SETUP
|
||||
|
||||
ip46tables -A INPUT -j wg-fw
|
||||
ip46tables -A OUTPUT -j wg-fw-out
|
||||
'';
|
||||
|
||||
stopScript = writeShScript "wg-firewall-stop" ''
|
||||
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
|
||||
|
||||
ip46tables -D INPUT -j wg-fw 2>/dev/null || true
|
||||
ip46tables -D OUTPUT -j wg-fw-out 2>/dev/null || true
|
||||
'';
|
||||
|
||||
reloadScript = writeShScript "wg-firewall-reload" ''
|
||||
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
|
||||
ip46tables -F wg-drop 2>/dev/null || true
|
||||
ip46tables -X wg-drop 2>/dev/null || true
|
||||
ip46tables -N wg-drop
|
||||
ip46tables -A wg-drop -j DROP
|
||||
|
||||
ip46tables -A INPUT -j wg-drop
|
||||
ip46tables -A OUTPUT -j wg-drop
|
||||
|
||||
if ${startScript}; then
|
||||
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
|
||||
else
|
||||
echo "Failed to reload firewall... Stopping"
|
||||
${stopScript}
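Review bot: The two "Block non-local traffic" rules, `iptables -A wg-fw-out -i vethwgns0 ! -d 192.168.42.0/24 -j wg-fw-refuse` and `ip6tables -A wg-fw-out -i vethwgns0 -j wg-fw-refuse`, match on `-i` (input interface) in a chain reached from OUTPUT; locally generated packets have no input interface, so the match never succeeds and every packet falls through to `wg-fw-accept` — the leak protection is a silent no-op (iptables refuses `-i` only in the built-in OUTPUT chain, not in a user chain, so the script does not even fail). The intent reads as "refuse anything leaving via the veth that is not for the local subnet", which is `-o vethwgns0`: `iptables -A wg-fw-out -o vethwgns0 ! -d 192.168.42.0/24 -j wg-fw-refuse` and `ip6tables -A wg-fw-out -o vethwgns0 -j wg-fw-refuse`. Also worth checking that `wg-fw-refuse`, defined above this hunk, is the right target for outbound traffic rather than a plain DROP.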
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, config, secret, ... }:
|
||||
{ pkgs, lib, config, secret, ... }:
|
||||
|
||||
{
|
||||
environment.systemPackages = with pkgs; [ ldns tcpdump wireguard-tools ];
|
||||
|
@ -17,7 +17,7 @@
|
|||
group: files [success=merge] systemd
|
||||
shadow: files
|
||||
|
||||
hosts: files mymachines myhostname dns
|
||||
hosts: dns [!UNAVAIL=return] files
|
||||
networks: files
|
||||
|
||||
ethers: files
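Review bot: `hosts: dns [!UNAVAIL=return] files` consults the resolver before `/etc/hosts` and only reads files when DNS is unavailable: an NXDOMAIN from the resolver returns immediately, so any pinning or override entries in the namespace's hosts file are no longer honoured, and even `localhost` goes to DNS first unless the resolver special-cases it. If the goal was just to drop `mymachines`/`myhostname` (presumably because the systemd services behind them are not present inside the netns), `hosts: files dns` does that while keeping local entries authoritative. The file continues outside this hunk, so I cannot see which hosts entries the namespace actually ships.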
|
||||
|
|