bittorrent: setup
This commit is contained in:
parent
9df8da711b
commit
fe4b048743
6 changed files with 207 additions and 2 deletions
64
container/autobrr/default.nix
Normal file
64
container/autobrr/default.nix
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /var/lib/autobrr 0755 root root"
|
||||||
|
"d /var/lib/omegabrr 0755 root root"
|
||||||
|
];
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.autobrr = {
|
||||||
|
image = "ghcr.io/autobrr/autobrr:latest";
|
||||||
|
ports = [ "192.168.42.2:7474:7474" ];
|
||||||
|
environment = {
|
||||||
|
"TZ" = "Europe/Berlin";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/autobrr:/config"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.omegabrr = {
|
||||||
|
image = "ghcr.io/autobrr/omegabrr:latest";
|
||||||
|
ports = [ "192.168.42.2:7441:7441" ];
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/omegabrr:/config"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--network=ns:/var/run/netns/wg"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.podman-autobrr = {
|
||||||
|
bindsTo = [ "wg.service" ];
|
||||||
|
after = lib.mkForce [ "wg.service" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
TimeoutStopSec = lib.mkForce 10;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.podman-omegabrr = {
|
||||||
|
bindsTo = [ "wg.service" ];
|
||||||
|
after = lib.mkForce [ "wg.service" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
TimeoutStopSec = lib.mkForce 10;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
|
||||||
|
quic = true;
|
||||||
|
http3 = true;
|
||||||
|
|
||||||
|
onlySSL = true;
|
||||||
|
useACMEHost = "internal.kempkens.network";
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
proxyPass = "http://192.168.42.2:7474";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Binary file not shown.
|
@ -24,6 +24,7 @@ in
|
||||||
|
|
||||||
../nixos/mediaserver-setup.nix
|
../nixos/mediaserver-setup.nix
|
||||||
(import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
|
(import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
|
||||||
|
(import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; }))
|
||||||
../nixos/prowlarr.nix
|
../nixos/prowlarr.nix
|
||||||
../nixos/sonarr.nix
|
../nixos/sonarr.nix
|
||||||
../nixos/radarr.nix
|
../nixos/radarr.nix
|
||||||
|
@ -35,6 +36,7 @@ in
|
||||||
../nixos/container.nix
|
../nixos/container.nix
|
||||||
../../container/homepage-dashboard
|
../../container/homepage-dashboard
|
||||||
../../container/tubearchivist
|
../../container/tubearchivist
|
||||||
|
../../container/autobrr
|
||||||
../../secret/container/additional-media
|
../../secret/container/additional-media
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -25,8 +25,25 @@
|
||||||
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
||||||
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||||
];
|
];
|
||||||
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent";
|
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent --webui-port=8071";
|
||||||
AmbientCapabilities = [ "CAP_NET_RAW" ];
|
AmbientCapabilities = [ "CAP_NET_RAW" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."qbittorrent.internal.kempkens.network" = {
|
||||||
|
quic = true;
|
||||||
|
http3 = true;
|
||||||
|
|
||||||
|
onlySSL = true;
|
||||||
|
useACMEHost = "internal.kempkens.network";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
client_max_body_size 32m;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
proxyPass = "http://192.168.42.2:8071";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d /var/lib/sabnzbd 0700 media_user media_group"
|
"d /var/lib/sabnzbd 0750 media_user media_group"
|
||||||
];
|
];
|
||||||
|
|
||||||
# The nix-provided options force a sabnzbd-user to a certain degree
|
# The nix-provided options force a sabnzbd-user to a certain degree
|
||||||
|
|
122
system/nixos/wireguard-firewall-mediaserver.nix
Normal file
122
system/nixos/wireguard-firewall-mediaserver.nix
Normal file
|
@ -0,0 +1,122 @@
|
||||||
|
{ pkgs, secret, ... }:
|
||||||
|
|
||||||
|
# Heavily inspired by the built-in firewall scripts, minus the nice interface
|
||||||
|
|
||||||
|
let
|
||||||
|
writeShScript = name: text:
|
||||||
|
let
|
||||||
|
dir = pkgs.writeScriptBin name ''
|
||||||
|
#! ${pkgs.runtimeShell} -e
|
||||||
|
|
||||||
|
ip46tables() {
|
||||||
|
iptables -w "$@"
|
||||||
|
ip6tables -w "$@"
|
||||||
|
}
|
||||||
|
|
||||||
|
${text}
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
"${dir}/bin/${name}";
|
||||||
|
|
||||||
|
startScript = writeShScript "wg-firewall-start" ''
|
||||||
|
ip46tables -D INPUT -j wg-fw 2> /dev/null || true
|
||||||
|
for chain in wg-fw wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do
|
||||||
|
ip46tables -F "$chain" 2> /dev/null || true
|
||||||
|
ip46tables -X "$chain" 2> /dev/null || true
|
||||||
|
done
|
||||||
|
|
||||||
|
ip46tables -N wg-fw-accept
|
||||||
|
ip46tables -A wg-fw-accept -j ACCEPT
|
||||||
|
|
||||||
|
ip46tables -N wg-fw-refuse
|
||||||
|
ip46tables -A wg-fw-refuse -j DROP
|
||||||
|
|
||||||
|
ip46tables -N wg-fw-log-refuse
|
||||||
|
ip46tables -A wg-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: "
|
||||||
|
ip46tables -A wg-fw-log-refuse -m pkttype ! --pkt-type unicast -j wg-fw-refuse
|
||||||
|
ip46tables -A wg-fw-log-refuse -j wg-fw-refuse
|
||||||
|
|
||||||
|
ip46tables -N wg-fw
|
||||||
|
|
||||||
|
ip46tables -A wg-fw -i lo -j wg-fw-accept
|
||||||
|
|
||||||
|
ip46tables -A wg-fw -m conntrack --ctstate ESTABLISHED,RELATED -j wg-fw-accept
|
||||||
|
|
||||||
|
# Ports
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 6801 -j wg-fw-accept -i vethwgns0
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 7474 -j wg-fw-accept -i vethwgns0
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 7878 -j wg-fw-accept -i vethwgns0
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 8071 -j wg-fw-accept -i vethwgns0
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 8080 -j wg-fw-accept -i vethwgns0
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 8989 -j wg-fw-accept -i vethwgns0
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 9696 -j wg-fw-accept -i vethwgns0
|
||||||
|
ip46tables -A wg-fw -p tcp --dport 9999 -j wg-fw-accept -i vethwgns0
|
||||||
|
|
||||||
|
ip46tables -A wg-fw -p tcp --dport ${builtins.toString secret.wireguard.forwardedPort} -j wg-fw-accept -i wg0
|
||||||
|
ip46tables -A wg-fw -p udp --dport ${builtins.toString secret.wireguard.forwardedPort} -j wg-fw-accept -i wg0
|
||||||
|
|
||||||
|
iptables -w -A wg-fw -p icmp --icmp-type echo-request -j wg-fw-accept
|
||||||
|
|
||||||
|
ip6tables -A wg-fw -p icmpv6 --icmpv6-type redirect -j DROP
|
||||||
|
ip6tables -A wg-fw -p icmpv6 --icmpv6-type 139 -j DROP
|
||||||
|
ip6tables -A wg-fw -p icmpv6 -j wg-fw-accept
|
||||||
|
|
||||||
|
ip46tables -A wg-fw -j wg-fw-log-refuse
|
||||||
|
ip46tables -A INPUT -j wg-fw
|
||||||
|
'';
|
||||||
|
|
||||||
|
stopScript = writeShScript "wg-firewall-stop" ''
|
||||||
|
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||||
|
|
||||||
|
ip46tables -D INPUT -j wg-fw 2>/dev/null || true
|
||||||
|
'';
|
||||||
|
|
||||||
|
reloadScript = writeShScript "wg-firewall-reload" ''
|
||||||
|
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||||
|
ip46tables -F wg-drop 2>/dev/null || true
|
||||||
|
ip46tables -X wg-drop 2>/dev/null || true
|
||||||
|
ip46tables -N wg-drop
|
||||||
|
ip46tables -A wg-drop -j DROP
|
||||||
|
|
||||||
|
ip46tables -A INPUT -j wg-drop
|
||||||
|
|
||||||
|
if ${startScript}; then
|
||||||
|
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
|
||||||
|
else
|
||||||
|
echo "Failed to reload firewall... Stopping"
|
||||||
|
${stopScript}
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
systemd.services.wg-firewall = {
|
||||||
|
description = "Wireguard Firewall";
|
||||||
|
bindsTo = [ "wg.service" ];
|
||||||
|
after = [ "wg.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
path = [ pkgs.iptables ];
|
||||||
|
|
||||||
|
# FIXME: this module may also try to load kernel modules, but
|
||||||
|
# containers don't have CAP_SYS_MODULE. So the host system had
|
||||||
|
# better have all necessary modules already loaded.
|
||||||
|
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
|
||||||
|
unitConfig.DefaultDependencies = false;
|
||||||
|
|
||||||
|
reloadIfChanged = true;
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
NetworkNamespacePath = "/var/run/netns/wg";
|
||||||
|
BindReadOnlyPaths = [
|
||||||
|
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
|
||||||
|
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||||
|
];
|
||||||
|
ExecStart = "@${startScript} wg-firewall-start";
|
||||||
|
ExecReload = "@${reloadScript} wg-firewall-reload";
|
||||||
|
ExecStop = "@${stopScript} wg-firewall-stop";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue