1
0
Fork 0

bittorrent: setup

This commit is contained in:
Daniel Kempkens 2023-05-21 00:50:04 +02:00
parent 9df8da711b
commit fe4b048743
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
6 changed files with 207 additions and 2 deletions

View file

@ -0,0 +1,64 @@
{ lib, ... }:
{
systemd.tmpfiles.rules = [
"d /var/lib/autobrr 0755 root root"
"d /var/lib/omegabrr 0755 root root"
];
virtualisation.oci-containers.containers.autobrr = {
image = "ghcr.io/autobrr/autobrr:latest";
ports = [ "192.168.42.2:7474:7474" ];
environment = {
"TZ" = "Europe/Berlin";
};
volumes = [
"/var/lib/autobrr:/config"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
];
};
virtualisation.oci-containers.containers.omegabrr = {
image = "ghcr.io/autobrr/omegabrr:latest";
ports = [ "192.168.42.2:7441:7441" ];
volumes = [
"/var/lib/omegabrr:/config"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
];
};
systemd.services.podman-autobrr = {
bindsTo = [ "wg.service" ];
after = lib.mkForce [ "wg.service" ];
serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
};
};
systemd.services.podman-omegabrr = {
bindsTo = [ "wg.service" ];
after = lib.mkForce [ "wg.service" ];
serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
};
};
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
quic = true;
http3 = true;
onlySSL = true;
useACMEHost = "internal.kempkens.network";
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://192.168.42.2:7474";
};
};
}

Binary file not shown.

View file

@ -24,6 +24,7 @@ in
../nixos/mediaserver-setup.nix ../nixos/mediaserver-setup.nix
(import ../nixos/wireguard-netns.nix (args // { inherit secret; })) (import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
(import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; }))
../nixos/prowlarr.nix ../nixos/prowlarr.nix
../nixos/sonarr.nix ../nixos/sonarr.nix
../nixos/radarr.nix ../nixos/radarr.nix
@ -35,6 +36,7 @@ in
../nixos/container.nix ../nixos/container.nix
../../container/homepage-dashboard ../../container/homepage-dashboard
../../container/tubearchivist ../../container/tubearchivist
../../container/autobrr
../../secret/container/additional-media ../../secret/container/additional-media
]; ];

View file

@ -25,8 +25,25 @@
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind" "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind" "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
]; ];
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent"; ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent --webui-port=8071";
AmbientCapabilities = [ "CAP_NET_RAW" ]; AmbientCapabilities = [ "CAP_NET_RAW" ];
}; };
}; };
services.nginx.virtualHosts."qbittorrent.internal.kempkens.network" = {
quic = true;
http3 = true;
onlySSL = true;
useACMEHost = "internal.kempkens.network";
extraConfig = ''
client_max_body_size 32m;
'';
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://192.168.42.2:8071";
};
};
} }

View file

@ -2,7 +2,7 @@
{ {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/sabnzbd 0700 media_user media_group" "d /var/lib/sabnzbd 0750 media_user media_group"
]; ];
# The nix-provided options force a sabnzbd-user to a certain degree # The nix-provided options force a sabnzbd-user to a certain degree

View file

@ -0,0 +1,122 @@
{ pkgs, secret, ... }:
# Heavily inspired by the built-in firewall scripts, minus the nice interface
let
writeShScript = name: text:
let
dir = pkgs.writeScriptBin name ''
#! ${pkgs.runtimeShell} -e
ip46tables() {
iptables -w "$@"
ip6tables -w "$@"
}
${text}
'';
in
"${dir}/bin/${name}";
startScript = writeShScript "wg-firewall-start" ''
ip46tables -D INPUT -j wg-fw 2> /dev/null || true
for chain in wg-fw wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do
ip46tables -F "$chain" 2> /dev/null || true
ip46tables -X "$chain" 2> /dev/null || true
done
ip46tables -N wg-fw-accept
ip46tables -A wg-fw-accept -j ACCEPT
ip46tables -N wg-fw-refuse
ip46tables -A wg-fw-refuse -j DROP
ip46tables -N wg-fw-log-refuse
ip46tables -A wg-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: "
ip46tables -A wg-fw-log-refuse -m pkttype ! --pkt-type unicast -j wg-fw-refuse
ip46tables -A wg-fw-log-refuse -j wg-fw-refuse
ip46tables -N wg-fw
ip46tables -A wg-fw -i lo -j wg-fw-accept
ip46tables -A wg-fw -m conntrack --ctstate ESTABLISHED,RELATED -j wg-fw-accept
# Ports
ip46tables -A wg-fw -p tcp --dport 6801 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 7474 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 7878 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 8071 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 8080 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 8989 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 9696 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 9999 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport ${builtins.toString secret.wireguard.forwardedPort} -j wg-fw-accept -i wg0
ip46tables -A wg-fw -p udp --dport ${builtins.toString secret.wireguard.forwardedPort} -j wg-fw-accept -i wg0
iptables -w -A wg-fw -p icmp --icmp-type echo-request -j wg-fw-accept
ip6tables -A wg-fw -p icmpv6 --icmpv6-type redirect -j DROP
ip6tables -A wg-fw -p icmpv6 --icmpv6-type 139 -j DROP
ip6tables -A wg-fw -p icmpv6 -j wg-fw-accept
ip46tables -A wg-fw -j wg-fw-log-refuse
ip46tables -A INPUT -j wg-fw
'';
stopScript = writeShScript "wg-firewall-stop" ''
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
ip46tables -D INPUT -j wg-fw 2>/dev/null || true
'';
reloadScript = writeShScript "wg-firewall-reload" ''
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
ip46tables -F wg-drop 2>/dev/null || true
ip46tables -X wg-drop 2>/dev/null || true
ip46tables -N wg-drop
ip46tables -A wg-drop -j DROP
ip46tables -A INPUT -j wg-drop
if ${startScript}; then
ip46tables -D INPUT -j wg-drop 2>/dev/null || true
else
echo "Failed to reload firewall... Stopping"
${stopScript}
exit 1
fi
'';
in
{
systemd.services.wg-firewall = {
description = "Wireguard Firewall";
bindsTo = [ "wg.service" ];
after = [ "wg.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.iptables ];
# FIXME: this module may also try to load kernel modules, but
# containers don't have CAP_SYS_MODULE. So the host system had
# better have all necessary modules already loaded.
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
unitConfig.DefaultDependencies = false;
reloadIfChanged = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
NetworkNamespacePath = "/var/run/netns/wg";
BindReadOnlyPaths = [
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
];
ExecStart = "@${startScript} wg-firewall-start";
ExecReload = "@${reloadScript} wg-firewall-reload";
ExecStop = "@${stopScript} wg-firewall-stop";
};
};
}