mediaserver: big wgns rework
parent
1908975e83
commit
75cc6e2834
16 changed files with 303 additions and 185 deletions
Binary file not shown.
|
@ -1,68 +0,0 @@
|
||||||
{ lib, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d /var/lib/autobrr 0755 root root"
|
|
||||||
"d /var/lib/omegabrr 0755 root root"
|
|
||||||
];
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers.autobrr = {
|
|
||||||
image = "ghcr.io/autobrr/autobrr:latest";
|
|
||||||
ports = [ "192.168.42.2:7474:7474" ];
|
|
||||||
environment = {
|
|
||||||
"TZ" = "Europe/Berlin";
|
|
||||||
};
|
|
||||||
volumes = [
|
|
||||||
"/var/lib/autobrr:/config"
|
|
||||||
];
|
|
||||||
extraOptions = [
|
|
||||||
"--network=ns:/var/run/netns/wg"
|
|
||||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
|
||||||
"--label=io.containers.autoupdate=registry"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers.omegabrr = {
|
|
||||||
image = "ghcr.io/autobrr/omegabrr:latest";
|
|
||||||
ports = [ "192.168.42.2:7441:7441" ];
|
|
||||||
volumes = [
|
|
||||||
"/var/lib/omegabrr:/config"
|
|
||||||
];
|
|
||||||
extraOptions = [
|
|
||||||
"--network=ns:/var/run/netns/wg"
|
|
||||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
|
||||||
"--label=io.containers.autoupdate=registry"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.podman-autobrr = {
|
|
||||||
bindsTo = [ "wg.service" ];
|
|
||||||
after = lib.mkForce [ "wg.service" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
TimeoutStopSec = lib.mkForce 10;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.podman-omegabrr = {
|
|
||||||
bindsTo = [ "wg.service" ];
|
|
||||||
after = lib.mkForce [ "wg.service" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
TimeoutStopSec = lib.mkForce 10;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
|
|
||||||
quic = true;
|
|
||||||
http3 = true;
|
|
||||||
|
|
||||||
onlySSL = true;
|
|
||||||
useACMEHost = "internal.kempkens.network";
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
proxyPass = "http://192.168.42.2:7474";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,27 +0,0 @@
|
||||||
{ lib, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
virtualisation.oci-containers.containers.flaresolverr = {
|
|
||||||
image = "ghcr.io/flaresolverr/flaresolverr:latest";
|
|
||||||
ports = [ "192.168.42.2:8191:8191" ];
|
|
||||||
environment = {
|
|
||||||
"HOST" = "192.168.42.2";
|
|
||||||
"PORT" = "8191";
|
|
||||||
"LOG_LEVEL" = "info";
|
|
||||||
};
|
|
||||||
extraOptions = [
|
|
||||||
"--network=ns:/var/run/netns/wg"
|
|
||||||
"--label=com.centurylinklabs.watchtower.enable=true"
|
|
||||||
"--label=io.containers.autoupdate=registry"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.podman-flaresolverr = {
|
|
||||||
bindsTo = [ "wg.service" ];
|
|
||||||
after = lib.mkForce [ "wg.service" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
TimeoutStopSec = lib.mkForce 10;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
18
flake.lock
18
flake.lock
|
@ -253,11 +253,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1684741999,
|
"lastModified": 1684788503,
|
||||||
"narHash": "sha256-KZLKsFZ6cLjCdCNKZoT8bc1y+rYBuFgKatmIB38zqy4=",
|
"narHash": "sha256-ewr/8U0/iCs8K+MP5Fw9Q1IQ1Pt57ZgC2k/dg1c+CMk=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "ba006d7cca2cb871c6a31bdbc130c05cde5ca8e8",
|
"rev": "d9995d94f194955d1f1af0e1ad5866a904196c20",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -300,11 +300,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1684743638,
|
"lastModified": 1684800269,
|
||||||
"narHash": "sha256-S+qJm+KEP9MM6VHmp8613x3e4xcZ0584NjFNxjS+dW0=",
|
"narHash": "sha256-xVzKIpw8a/VdZKRZUK7qwTQMTH6MO+ozme4Vmw9xgSA=",
|
||||||
"owner": "nifoc",
|
"owner": "nifoc",
|
||||||
"repo": "nix-overlay",
|
"repo": "nix-overlay",
|
||||||
"rev": "801010f1d3b6352992ff6e32cfdbe169e81bcb5c",
|
"rev": "7566d2108487b63894e0437cc47926c446907994",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -315,11 +315,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1684698729,
|
"lastModified": 1684724044,
|
||||||
"narHash": "sha256-eFX+g0JNHYDuoGq3XvT+360UDIzRGFWcHh0il6rGz7g=",
|
"narHash": "sha256-OysG4ORx60BcUyBVClbOBVybqZ4Ep8Xh8EIDvNam4WU=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "9356eead97d8d16956b0226d78f76bd66e06cb60",
|
"rev": "b31c968ff28927d477eed85012e8090578c70852",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -308,12 +308,12 @@ in
|
||||||
};
|
};
|
||||||
friendly-snippets = buildVimPluginFrom2Nix {
|
friendly-snippets = buildVimPluginFrom2Nix {
|
||||||
pname = "friendly-snippets";
|
pname = "friendly-snippets";
|
||||||
version = "2023-05-21";
|
version = "2023-05-23";
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "rafamadriz";
|
owner = "rafamadriz";
|
||||||
repo = "friendly-snippets";
|
repo = "friendly-snippets";
|
||||||
rev = "2bb3958e1fe0a613e028f3c6fd2d2923fc23bd0c";
|
rev = "ef6547d2f586e08e071efeebac835e545f3015cc";
|
||||||
sha256 = "1nlbm7ji73ggg48pzvlbb32jfscnj71bgfzg4q1p3zfvssisz85c";
|
sha256 = "0xjcnx787kc1xc259czwn6masym2v2r4ixjb772cb3lb5bn9v73q";
|
||||||
fetchSubmodules = false;
|
fetchSubmodules = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -473,12 +473,12 @@ in
|
||||||
};
|
};
|
||||||
nvim-surround = buildVimPluginFrom2Nix {
|
nvim-surround = buildVimPluginFrom2Nix {
|
||||||
pname = "nvim-surround";
|
pname = "nvim-surround";
|
||||||
version = "2023-04-30";
|
version = "2023-05-22";
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "kylechui";
|
owner = "kylechui";
|
||||||
repo = "nvim-surround";
|
repo = "nvim-surround";
|
||||||
rev = "219bd66585aa467b1c90fd01b54a2a423aaed4ab";
|
rev = "26b5067c3b56815eafbf41b7b830f1ab52819a45";
|
||||||
sha256 = "0aximc9fiicmhxkqrazjsqfr9mqw7llnfdc778acn5rkhwj1xms9";
|
sha256 = "17r7klq852wq3kwhjlpc6a5k6d6h4bm8rf9ivjxgc7b4whiris5n";
|
||||||
fetchSubmodules = false;
|
fetchSubmodules = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -47,6 +47,8 @@ rec {
|
||||||
hostname = "adsb-antenna";
|
hostname = "adsb-antenna";
|
||||||
sshUser = "root";
|
sshUser = "root";
|
||||||
remoteBuild = true;
|
remoteBuild = true;
|
||||||
|
autoRollback = false;
|
||||||
|
magicRollback = false;
|
||||||
|
|
||||||
profiles.system = {
|
profiles.system = {
|
||||||
path = deploy-rs.lib.${default-system}.activate.nixos system;
|
path = deploy-rs.lib.${default-system}.activate.nixos system;
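Review bot: `autoRollback = false;` and `magicRollback = false;` switch off both deploy-rs safety nets for adsb-antenna, so a profile that breaks networking or SSH on that host stays activated with no automatic revert, and neither the hunk nor the commit description says why that is acceptable here. A one-line comment beside the two options, e.g. `# rollback disabled: <reason>`, would let the next reader judge whether the trade-off still holds before touching this host's config. The enclosing host attrset starts and ends outside the hunk.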
|
||||||
|
|
|
@ -22,10 +22,12 @@ in
|
||||||
|
|
||||||
../nixos/tailscale.nix
|
../nixos/tailscale.nix
|
||||||
|
|
||||||
|
../nixos/container.nix
|
||||||
../nixos/mediaserver-setup.nix
|
../nixos/mediaserver-setup.nix
|
||||||
(import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
|
(import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
|
||||||
(import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; }))
|
(import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; }))
|
||||||
../nixos/prowlarr.nix
|
../nixos/prowlarr.nix
|
||||||
|
../nixos/autobrr.nix
|
||||||
../nixos/unpackerr.nix
|
../nixos/unpackerr.nix
|
||||||
../nixos/sonarr.nix
|
../nixos/sonarr.nix
|
||||||
../nixos/radarr.nix
|
../nixos/radarr.nix
|
||||||
|
@ -34,10 +36,9 @@ in
|
||||||
../nixos/jellyfin.nix
|
../nixos/jellyfin.nix
|
||||||
../nixos/aria2.nix
|
../nixos/aria2.nix
|
||||||
|
|
||||||
../nixos/container.nix
|
../nixos/convos.nix
|
||||||
|
|
||||||
../../container/tubearchivist
|
../../container/tubearchivist
|
||||||
../../container/autobrr
|
|
||||||
../../container/flaresolverr
|
|
||||||
../../secret/container/additional-media
|
../../secret/container/additional-media
|
||||||
];
|
];
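Review bot: `../../container/flaresolverr` is dropped near the end of this hunk with no `../nixos/flaresolverr.nix` counterpart, whereas autobrr is re-added under `../nixos/` in the first hunk of this file; the deleted container definition listened on 192.168.42.2:8191, so any firewall rule or Prowlarr proxy setting still pointing at that port becomes dead configuration. If retiring flaresolverr is deliberate, a sentence in the commit description saying so would distinguish it from an accidental omission during the move. The imports list closes with `];` here, but the module continues past the hunk.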
|
||||||
|
|
||||||
|
|
80
system/nixos/autobrr.nix
Normal file
80
system/nixos/autobrr.nix
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /var/lib/autobrr 0755 root root"
|
||||||
|
"d /var/lib/omegabrr 0755 root root"
|
||||||
|
];
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers = {
|
||||||
|
autobrr = {
|
||||||
|
image = "ghcr.io/autobrr/autobrr:latest";
|
||||||
|
ports = [ "192.168.42.2:7474:7474" ];
|
||||||
|
environment = {
|
||||||
|
"TZ" = "Europe/Berlin";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/autobrr:/config"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
omegabrr = {
|
||||||
|
image = "ghcr.io/autobrr/omegabrr:latest";
|
||||||
|
ports = [ "192.168.42.2:7441:7441" ];
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/omegabrr:/config"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.podman-autobrr =
|
||||||
|
let
|
||||||
|
depends = [ "podman-sonarr.service" "podman-radarr.service" ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
requires = lib.mkAfter depends;
|
||||||
|
bindsTo = [ "wg.service" ];
|
||||||
|
after = lib.mkForce ([ "wg.service" ] ++ depends);
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
TimeoutStopSec = lib.mkForce 10;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.podman-omegabrr =
|
||||||
|
let
|
||||||
|
depends = [ "podman-autobrr.service" ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
requires = lib.mkAfter depends;
|
||||||
|
bindsTo = [ "wg.service" ];
|
||||||
|
after = lib.mkForce ([ "wg.service" ] ++ depends);
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
TimeoutStopSec = lib.mkForce 10;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
|
||||||
|
quic = true;
|
||||||
|
http3 = true;
|
||||||
|
|
||||||
|
onlySSL = true;
|
||||||
|
useACMEHost = "internal.kempkens.network";
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
proxyPass = "http://192.168.42.2:7474";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
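Review bot: Both containers in this new file pull a floating tag, `ghcr.io/autobrr/autobrr:latest` and `ghcr.io/autobrr/omegabrr:latest`, and carry `--label=io.containers.autoupdate=registry`, so whatever the registry publishes next is pulled and started with no review step in this repository. Pinning by digest, e.g. `image = "ghcr.io/autobrr/autobrr@sha256:<digest>";`, and bumping it in a commit keeps the deployment reproducible and the upstream change visible in history. The same `:latest` plus autoupdate pattern is used in the new convos.nix and in the prowlarr, qbittorrent, radarr, sabnzbd and sonarr conversions further down. If following the registry is the intended trade-off, a comment at the top of the file saying so would stop reviewers re-raising it.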
|
51
system/nixos/convos.nix
Normal file
51
system/nixos/convos.nix
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /var/lib/convos 0755 root root"
|
||||||
|
];
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.convos = {
|
||||||
|
image = "docker.io/convos/convos:stable";
|
||||||
|
ports = [ "192.168.42.2:3000:3000" ];
|
||||||
|
environment = {
|
||||||
|
"CONVOS_REVERSE_PROXY" = "1";
|
||||||
|
"TZ" = "Etc/UTC";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/convos:/data"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.podman-convos = {
|
||||||
|
bindsTo = [ "wg.service" ];
|
||||||
|
after = lib.mkForce [ "wg.service" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
TimeoutStopSec = lib.mkForce 5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."convos.internal.kempkens.network" = {
|
||||||
|
quic = true;
|
||||||
|
http3 = true;
|
||||||
|
|
||||||
|
onlySSL = true;
|
||||||
|
useACMEHost = "internal.kempkens.network";
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
proxyPass = "http://192.168.42.2:3000";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Request-Base "$scheme://$host/";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
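Review bot: `proxy_set_header X-Request-Base "$scheme://$host/";` passes the client-supplied Host header to Convos as its URL base, and with `CONVOS_REVERSE_PROXY = "1"` the application is told to trust what the proxy sends; should this vhost ever act as nginx's default server, a request carrying a foreign Host would get that name echoed into generated links and redirects. `$server_name` pins the base to the name this block actually serves: `proxy_set_header X-Request-Base "$scheme://$server_name/";`. Whether the vhost can be selected as default depends on the rest of the nginx configuration, which is outside this hunk.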
|
|
@ -1,21 +1,30 @@
|
||||||
{ pkgs, lib, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.prowlarr = {
|
virtualisation.oci-containers.containers.prowlarr = {
|
||||||
enable = true;
|
image = "lscr.io/linuxserver/prowlarr:latest";
|
||||||
openFirewall = false;
|
ports = [ "192.168.42.2:9696:9696" ];
|
||||||
|
environment = {
|
||||||
|
"PUID" = "1001";
|
||||||
|
"PGID" = "2001";
|
||||||
|
"TZ" = "Etc/UTC";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/prowlarr:/config"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.prowlarr = {
|
systemd.services.podman-prowlarr = {
|
||||||
bindsTo = [ "wg.service" ];
|
bindsTo = [ "wg.service" ];
|
||||||
after = lib.mkForce [ "wg.service" ];
|
after = lib.mkForce [ "wg.service" ];
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
NetworkNamespacePath = "/var/run/netns/wg";
|
TimeoutStopSec = lib.mkForce 5;
|
||||||
BindReadOnlyPaths = [
|
|
||||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
|
||||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
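Review bot: The container bind-mounts `/var/lib/prowlarr:/config` and runs with `"PUID" = "1001";` / `"PGID" = "2001";`, but unlike the qbittorrent and sabnzbd modules in this commit there is no `systemd.tmpfiles.rules` entry creating that directory, and whatever provisioned it under the removed `services.prowlarr` option no longer runs; if the path is missing or still owned by the former service user, the container cannot write its config. Adding `systemd.tmpfiles.rules = [ "d /var/lib/prowlarr 0750 <user-with-uid-1001> <group-with-gid-2001>" ];` next to the container definition makes the ownership explicit (media_user/media_group, if those map to 1001/2001 as the sibling modules suggest). The module's closing brace lies outside the hunk.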
|
||||||
|
|
||||||
|
|
|
@ -1,32 +1,45 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d /var/lib/qbittorrent 0750 media_user media_group"
|
"d /var/lib/qbittorrent 0750 media_user media_group"
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services.qbittorrent =
|
virtualisation.oci-containers.containers.qbittorrent = {
|
||||||
|
image = "lscr.io/linuxserver/qbittorrent:latest";
|
||||||
|
ports = [ "192.168.42.2:8071:8071" ];
|
||||||
|
environment = {
|
||||||
|
"PUID" = "1001";
|
||||||
|
"PGID" = "2001";
|
||||||
|
"TZ" = "Etc/UTC";
|
||||||
|
"WEBUI_PORT" = "8071";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/qbittorrent:/config"
|
||||||
|
"/mnt/downloads:/mnt/downloads"
|
||||||
|
"${pkgs.vuetorrent}/share:/usr/local/share/vuetorrent"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--cap-add=CAP_NET_RAW"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.podman-qbittorrent =
|
||||||
let
|
let
|
||||||
mounts = [ "mnt-downloads.mount" ];
|
mounts = [
|
||||||
|
"mnt-downloads.mount"
|
||||||
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
description = "qbittorrent instance";
|
requires = lib.mkAfter mounts;
|
||||||
requires = mounts;
|
|
||||||
bindsTo = [ "wg.service" ];
|
bindsTo = [ "wg.service" ];
|
||||||
after = [ "wg.service" ] ++ mounts;
|
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "exec";
|
TimeoutStopSec = lib.mkForce 10;
|
||||||
User = "media_user";
|
|
||||||
Group = "media_group";
|
|
||||||
NetworkNamespacePath = "/var/run/netns/wg";
|
|
||||||
BindReadOnlyPaths = [
|
|
||||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
|
||||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
|
||||||
];
|
|
||||||
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent --webui-port=8071";
|
|
||||||
AmbientCapabilities = [ "CAP_NET_RAW" ];
|
|
||||||
};
|
};
|
||||||
};
|
};
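Review bot: `"${pkgs.vuetorrent}/share:/usr/local/share/vuetorrent"` bind-mounts a Nix store path into the container without `:ro`; the store is immutable and the WebUI files are not container state, so `"${pkgs.vuetorrent}/share:/usr/local/share/vuetorrent:ro"` says what is meant and rules out any write attempt surfacing as an odd permission error inside the container. Separately, `--cap-add=CAP_NET_RAW` now grants the capability to a container started by root rather than to the `media_user` process the removed unit ran with `AmbientCapabilities`; a short comment noting that the image is expected to drop to PUID/PGID would record where the privilege boundary now sits, since that is no longer visible in the unit. The module's closing brace lies outside the hunk.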
|
||||||
|
|
||||||
|
|
|
@ -1,31 +1,45 @@
|
||||||
{ pkgs, lib, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.radarr = {
|
virtualisation.oci-containers.containers.radarr = {
|
||||||
enable = true;
|
image = "lscr.io/linuxserver/radarr:latest";
|
||||||
user = "media_user";
|
ports = [ "192.168.42.2:7878:7878" ];
|
||||||
group = "media_group";
|
environment = {
|
||||||
openFirewall = false;
|
"PUID" = "1001";
|
||||||
|
"PGID" = "2001";
|
||||||
|
"TZ" = "Etc/UTC";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/radarr/.config/Radarr:/config"
|
||||||
|
"/mnt/downloads:/mnt/downloads"
|
||||||
|
"/mnt/media/Movies:/mnt/media/Movies"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.radarr =
|
systemd.services.podman-radarr =
|
||||||
let
|
let
|
||||||
mounts = [
|
mounts = [
|
||||||
"mnt-media-Movies.mount"
|
"mnt-media-Movies.mount"
|
||||||
"mnt-downloads.mount"
|
"mnt-downloads.mount"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
depends = [
|
||||||
|
"podman-sabnzbd.service"
|
||||||
|
"podman-qbittorrent.service"
|
||||||
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
requires = mounts;
|
requires = lib.mkAfter (mounts ++ depends);
|
||||||
bindsTo = [ "wg.service" ];
|
bindsTo = [ "wg.service" ];
|
||||||
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
after = lib.mkForce ([ "wg.service" ] ++ mounts ++ depends);
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
NetworkNamespacePath = "/var/run/netns/wg";
|
TimeoutStopSec = lib.mkForce 5;
|
||||||
BindReadOnlyPaths = [
|
|
||||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
|
||||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
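Review bot: `requires = lib.mkAfter (mounts ++ depends);` with `depends` naming `podman-sabnzbd.service` and `podman-qbittorrent.service` couples radarr's lifecycle to the download clients: systemd's `Requires=` stops or restarts this unit whenever a required unit is explicitly stopped or restarted, so every auto-update restart of sabnzbd or qbittorrent (both carry `io.containers.autoupdate=registry`) also bounces radarr. If only start ordering is wanted, keep the clients in `after` and demote them to `wants`: `wants = depends;`, `requires = lib.mkAfter mounts;`, `after = lib.mkForce ([ "wg.service" ] ++ mounts ++ depends);`. The same pattern appears in the new autobrr.nix for `podman-autobrr` (on sonarr and radarr) and `podman-omegabrr` (on autobrr), where the chain makes one image update ripple through three services.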
|
||||||
|
|
||||||
|
|
|
@ -1,33 +1,42 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d /var/lib/sabnzbd 0750 media_user media_group"
|
"d /var/lib/sabnzbd 0750 media_user media_group"
|
||||||
];
|
];
|
||||||
|
|
||||||
# The nix-provided options force a sabnzbd-user to a certain degree
|
virtualisation.oci-containers.containers.sabnzbd = {
|
||||||
systemd.services.sabnzbd =
|
image = "lscr.io/linuxserver/sabnzbd:latest";
|
||||||
|
ports = [ "192.168.42.2:8080:8080" ];
|
||||||
|
environment = {
|
||||||
|
"PUID" = "1001";
|
||||||
|
"PGID" = "2001";
|
||||||
|
"TZ" = "Etc/UTC";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/sabnzbd:/config"
|
||||||
|
"/mnt/downloads:/mnt/downloads"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.podman-sabnzbd =
|
||||||
let
|
let
|
||||||
mounts = [ "mnt-downloads.mount" ];
|
mounts = [
|
||||||
|
"mnt-downloads.mount"
|
||||||
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
description = "sabnzbd server";
|
requires = lib.mkAfter mounts;
|
||||||
requires = mounts;
|
|
||||||
bindsTo = [ "wg.service" ];
|
bindsTo = [ "wg.service" ];
|
||||||
after = [ "wg.service" ] ++ mounts;
|
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "forking";
|
TimeoutStopSec = lib.mkForce 10;
|
||||||
GuessMainPID = "no";
|
|
||||||
User = "media_user";
|
|
||||||
Group = "media_group";
|
|
||||||
NetworkNamespacePath = "/var/run/netns/wg";
|
|
||||||
BindReadOnlyPaths = [
|
|
||||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
|
||||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
|
||||||
];
|
|
||||||
ExecStart = "${pkgs.sabnzbd}/bin/sabnzbd -d -f /var/lib/sabnzbd/sabnzbd.ini";
|
|
||||||
};
|
};
|
||||||
};
|
};
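Review bot: `"PUID" = "1001";` / `"PGID" = "2001";` only work if they equal the uid/gid of `media_user` / `media_group`, which the tmpfiles rule above makes the owners of `/var/lib/sabnzbd` and which presumably own `/mnt/downloads`; nothing in the file ties the numbers to the names, so a change to either side silently breaks the other. A comment at the environment block, e.g. `# PUID/PGID must match media_user:media_group, owners of /var/lib/sabnzbd and /mnt/downloads`, records the coupling, and if `media_user` has a fixed uid in this configuration, reading it through `config.users.users.media_user.uid` would remove the duplicated constant. The same hard-coded pair appears in the prowlarr, qbittorrent, radarr and sonarr modules in this commit.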
|
||||||
|
|
||||||
|
|
|
@ -1,14 +1,29 @@
|
||||||
{ pkgs, lib, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.sonarr = {
|
virtualisation.oci-containers.containers.sonarr = {
|
||||||
enable = true;
|
image = "lscr.io/linuxserver/sonarr:latest";
|
||||||
user = "media_user";
|
ports = [ "192.168.42.2:8989:8989" ];
|
||||||
group = "media_group";
|
environment = {
|
||||||
openFirewall = false;
|
"PUID" = "1001";
|
||||||
|
"PGID" = "2001";
|
||||||
|
"TZ" = "Etc/UTC";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/sonarr/.config/NzbDrone:/config"
|
||||||
|
"/mnt/downloads:/mnt/downloads"
|
||||||
|
"/mnt/media/TV Shows:/mnt/media/TV Shows"
|
||||||
|
"/mnt/media/Documentaries:/mnt/media/Documentaries"
|
||||||
|
"/mnt/media/Anime:/mnt/media/Anime"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
"--label=com.centurylinklabs.watchtower.enable=true"
|
||||||
|
"--label=io.containers.autoupdate=registry"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.sonarr =
|
systemd.services.podman-sonarr =
|
||||||
let
|
let
|
||||||
mounts = [
|
mounts = [
|
||||||
"mnt-media-TV\\x20Shows.mount"
|
"mnt-media-TV\\x20Shows.mount"
|
||||||
|
@ -18,16 +33,12 @@
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
requires = mounts;
|
requires = lib.mkAfter mounts;
|
||||||
bindsTo = [ "wg.service" ];
|
bindsTo = [ "wg.service" ];
|
||||||
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
after = lib.mkForce ([ "wg.service" ] ++ mounts);
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
NetworkNamespacePath = "/var/run/netns/wg";
|
TimeoutStopSec = lib.mkForce 5;
|
||||||
BindReadOnlyPaths = [
|
|
||||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
|
||||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,8 @@ let
|
||||||
|
|
||||||
startScript = writeShScript "wg-firewall-start" ''
|
startScript = writeShScript "wg-firewall-start" ''
|
||||||
ip46tables -D INPUT -j wg-fw 2> /dev/null || true
|
ip46tables -D INPUT -j wg-fw 2> /dev/null || true
|
||||||
for chain in wg-fw wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do
|
ip46tables -D OUTPUT -j wg-fw-out 2> /dev/null || true
|
||||||
|
for chain in wg-fw wg-fw-out wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do
|
||||||
ip46tables -F "$chain" 2> /dev/null || true
|
ip46tables -F "$chain" 2> /dev/null || true
|
||||||
ip46tables -X "$chain" 2> /dev/null || true
|
ip46tables -X "$chain" 2> /dev/null || true
|
||||||
done
|
done
|
||||||
|
@ -36,6 +37,8 @@ let
|
||||||
ip46tables -A wg-fw-log-refuse -m pkttype ! --pkt-type unicast -j wg-fw-refuse
|
ip46tables -A wg-fw-log-refuse -m pkttype ! --pkt-type unicast -j wg-fw-refuse
|
||||||
ip46tables -A wg-fw-log-refuse -j wg-fw-refuse
|
ip46tables -A wg-fw-log-refuse -j wg-fw-refuse
|
||||||
|
|
||||||
|
## IN
|
||||||
|
|
||||||
ip46tables -N wg-fw
|
ip46tables -N wg-fw
|
||||||
|
|
||||||
ip46tables -A wg-fw -i lo -j wg-fw-accept
|
ip46tables -A wg-fw -i lo -j wg-fw-accept
|
||||||
|
@ -43,6 +46,7 @@ let
|
||||||
ip46tables -A wg-fw -m conntrack --ctstate ESTABLISHED,RELATED -j wg-fw-accept
|
ip46tables -A wg-fw -m conntrack --ctstate ESTABLISHED,RELATED -j wg-fw-accept
|
||||||
|
|
||||||
# Ports
|
# Ports
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 3000 -j wg-fw-accept -i vethwgns0
|
||||||
ip46tables -A wg-fw -p tcp --dport 6801 -j wg-fw-accept -i vethwgns0
|
ip46tables -A wg-fw -p tcp --dport 6801 -j wg-fw-accept -i vethwgns0
|
||||||
ip46tables -A wg-fw -p tcp --dport 7441 -j wg-fw-accept -i vethwgns0
|
ip46tables -A wg-fw -p tcp --dport 7441 -j wg-fw-accept -i vethwgns0
|
||||||
ip46tables -A wg-fw -p tcp --dport 7474 -j wg-fw-accept -i vethwgns0
|
ip46tables -A wg-fw -p tcp --dport 7474 -j wg-fw-accept -i vethwgns0
|
||||||
|
@ -63,26 +67,45 @@ let
|
||||||
ip6tables -A wg-fw -p icmpv6 -j wg-fw-accept
|
ip6tables -A wg-fw -p icmpv6 -j wg-fw-accept
|
||||||
|
|
||||||
ip46tables -A wg-fw -j wg-fw-log-refuse
|
ip46tables -A wg-fw -j wg-fw-log-refuse
|
||||||
|
|
||||||
|
## OUT
|
||||||
|
|
||||||
|
ip46tables -N wg-fw-out
|
||||||
|
|
||||||
|
# Block non-local traffic
|
||||||
|
iptables -A wg-fw-out -i vethwgns0 ! -d 192.168.42.0/24 -j wg-fw-refuse
|
||||||
|
ip6tables -A wg-fw-out -i vethwgns0 -j wg-fw-refuse
|
||||||
|
|
||||||
|
ip46tables -A wg-fw-out -j wg-fw-accept
|
||||||
|
|
||||||
|
## SETUP
|
||||||
|
|
||||||
ip46tables -A INPUT -j wg-fw
|
ip46tables -A INPUT -j wg-fw
|
||||||
|
ip46tables -A OUTPUT -j wg-fw-out
|
||||||
'';
|
'';
|
||||||
|
|
||||||
stopScript = writeShScript "wg-firewall-stop" ''
|
stopScript = writeShScript "wg-firewall-stop" ''
|
||||||
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||||
|
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
|
||||||
|
|
||||||
ip46tables -D INPUT -j wg-fw 2>/dev/null || true
|
ip46tables -D INPUT -j wg-fw 2>/dev/null || true
|
||||||
|
ip46tables -D OUTPUT -j wg-fw-out 2>/dev/null || true
|
||||||
'';
|
'';
|
||||||
|
|
||||||
reloadScript = writeShScript "wg-firewall-reload" ''
|
reloadScript = writeShScript "wg-firewall-reload" ''
|
||||||
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||||
|
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
|
||||||
ip46tables -F wg-drop 2>/dev/null || true
|
ip46tables -F wg-drop 2>/dev/null || true
|
||||||
ip46tables -X wg-drop 2>/dev/null || true
|
ip46tables -X wg-drop 2>/dev/null || true
|
||||||
ip46tables -N wg-drop
|
ip46tables -N wg-drop
|
||||||
ip46tables -A wg-drop -j DROP
|
ip46tables -A wg-drop -j DROP
|
||||||
|
|
||||||
ip46tables -A INPUT -j wg-drop
|
ip46tables -A INPUT -j wg-drop
|
||||||
|
ip46tables -A OUTPUT -j wg-drop
|
||||||
|
|
||||||
if ${startScript}; then
|
if ${startScript}; then
|
||||||
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||||
|
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
|
||||||
else
|
else
|
||||||
echo "Failed to reload firewall... Stopping"
|
echo "Failed to reload firewall... Stopping"
|
||||||
${stopScript}
|
${stopScript}
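Review bot: The new egress rules `iptables -A wg-fw-out -i vethwgns0 ! -d 192.168.42.0/24 -j wg-fw-refuse` and `ip6tables -A wg-fw-out -i vethwgns0 -j wg-fw-refuse` match on the input interface, but `-i` is only populated for packets traversing INPUT, FORWARD and PREROUTING; in a chain reached from OUTPUT it never matches (and depending on the iptables backend the rule may be rejected at load time), so the "Block non-local traffic" restriction has no effect and every packet falls through to `wg-fw-accept`. The output interface is the intended selector: `iptables -A wg-fw-out -o vethwgns0 ! -d 192.168.42.0/24 -j wg-fw-refuse` and `ip6tables -A wg-fw-out -o vethwgns0 -j wg-fw-refuse`. After deploying, checking that the refuse counters in `iptables -L wg-fw-out -v` move for a non-local destination would confirm the chain is live. The `startScript` string these rules belong to begins in an earlier hunk.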
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ pkgs, config, secret, ... }:
|
{ pkgs, lib, config, secret, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
environment.systemPackages = with pkgs; [ ldns tcpdump wireguard-tools ];
|
environment.systemPackages = with pkgs; [ ldns tcpdump wireguard-tools ];
|
||||||
|
@ -17,7 +17,7 @@
|
||||||
group: files [success=merge] systemd
|
group: files [success=merge] systemd
|
||||||
shadow: files
|
shadow: files
|
||||||
|
|
||||||
hosts: files mymachines myhostname dns
|
hosts: dns [!UNAVAIL=return] files
|
||||||
networks: files
|
networks: files
|
||||||
|
|
||||||
ethers: files
|
ethers: files
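Review bot: `hosts: dns [!UNAVAIL=return] files` consults `/etc/hosts` only when the resolver is unavailable, because any other DNS status, NOTFOUND included, returns immediately; names pinned in the namespace's hosts file therefore stop resolving while DNS is reachable, and dropping `myhostname` removes the module that answered the machine's own hostname. If hosts-file entries should stay authoritative, `hosts: files dns` keeps that while still removing the dropped modules; if DNS-first with files as a dead-resolver fallback is really the goal, a comment such as `# /etc/hosts is only a fallback for when the namespace resolver is unreachable` would make the intent explicit. The surrounding nsswitch text and the Nix expression that writes it continue outside the hunk.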
|
||||||
|
|