dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/kelder: Add acquisition

Browse Source
This commit is contained in:
Jack O'Sullivan
2023-05-23 21:32:38 +01:00
parent 18ad20a8c5
commit 1fa718c20a
42 changed files with 964 additions and 407 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
nixos/boxes/kelder/containers/acquisition/default.nix Normal file
View File

@@ -0,0 +1,105 @@
{ lib, ... }: {
nixos.systems.kelder-acquisition = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "acquisition-ctr";
domain = lib.my.kelder.domain;
ipv4.address = "${lib.my.kelder.start.ctrs.v4}2";
};
};
configuration = { lib, pkgs, config, ... }:
let
inherit (lib);
in
{
imports = [ ./networking.nix ];
config = {
# Hardware acceleration for Jellyfin
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
vaapiIntel
intel-ocl
];
};
my = {
deploy.enable = false;
server.enable = true;
user.config.name = "kontent";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJ8d0prcSvyYi0UasnxMk/HGF5lWZz/t/VFYgQuFwO";
};
};
users = {
groups.media.gid = lib.my.kelder.groups.media;
users = {
"${config.my.user.config.name}".extraGroups = [ "media" ];
transmission.extraGroups = [ "media" ];
radarr.extraGroups = [ "media" ];
sonarr.extraGroups = [ "media" ];
jellyfin.extraGroups = [ "render" ];
};
};
environment.systemPackages = with pkgs; [
libva-utils
clinfo
jellyfin-ffmpeg
];
systemd = {
services = {
jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
radarr.serviceConfig.UMask = "0002";
sonarr.serviceConfig.UMask = "0002";
};
};
services = {
transmission = {
enable = true;
downloadDirPermissions = null;
performanceNetParameters = true;
settings = {
download-dir = "/mnt/media/downloads/torrents";
incomplete-dir-enabled = true;
incomplete-dir = "/mnt/media/downloads/torrents/.incomplete";
umask = 002;
utp-enabled = true;
port-forwarding-enabled = false;
speed-limit-down = 20480;
speed-limit-down-enabled = true;
speed-limit-up = 1024;
speed-limit-up-enabled = true;
ratio-limit = 2.0;
ratio-limit-enabled = true;
rpc-bind-address = "::";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
};
};
jackett.enable = true;
radarr.enable = true;
sonarr.enable = true;
jellyfin.enable = true;
};
};
};
};
}

137
nixos/boxes/kelder/containers/acquisition/networking.nix Normal file
View File

@@ -0,0 +1,137 @@
{ lib, pkgs, config, assignments, ... }:
let
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
wg = {
keyFile = "kelder/acquisition/mullvad-privkey";
fwMark = 42;
routeTable = 51820;
};
# Forwarded in Mullvad config
transmissionPeerPort = 56630;
in
{
config = mkMerge [
{
my = {
secrets = {
files."${wg.keyFile}" = {
group = "systemd-network";
mode = "440";
};
};
firewall = {
extraRules = ''
# Make sure that VPN connections are dropped (except for the Transmission port)
table inet filter {
chain tcp-ext {
tcp dport ${toString transmissionPeerPort} accept
iifname vpn return
tcp dport { 9091, 9117, 7878, 8989, 8096 } accept
return
}
chain input {
tcp flags & (fin|syn|rst|ack) == syn ct state new jump tcp-ext
}
}
'';
};
};
environment.systemPackages = with pkgs; [
wireguard-tools
];
services = {
transmission.settings.peer-port = transmissionPeerPort;
};
systemd = {
network = {
netdevs."30-vpn" = with wg; {
netdevConfig = {
Name = "vpn";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."${keyFile}".path;
FirewallMark = fwMark;
RouteTable = routeTable;
};
wireguardPeers = [
{
# mlvd-ie-dub-wg-101
wireguardPeerConfig = {
Endpoint = "146.70.189.2:51820";
PublicKey = "lHrukA9+vn7Jjzx2Nb/1NQ0WiaiKppEqVxrGT5X1RFQ=";
AllowedIPs = [ "0.0.0.0/0" "::/0" ];
};
}
];
};
networks = {
"80-container-host0" = mkMerge [
(networkdAssignment "host0" assignments.internal)
{
networkConfig.DNSDefaultRoute = false;
}
];
"90-vpn" = with wg; {
matchConfig.Name = "vpn";
address = [ "10.66.242.99/32" "fc00:bbbb:bbbb:bb01::3:f262/128" ];
dns = [ "10.64.0.1" ];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 100;
}
{
From = lib.my.kelder.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.kelder.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
Family = "both";
InvertRule = true;
FirewallMark = fwMark;
Table = routeTable;
Priority = 110;
}
];
};
};
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
# Transmission
{ from = "host"; host.port = 9091; guest.port = 9091; }
# Jackett
{ from = "host"; host.port = 9117; guest.port = 9117; }
# Radarr
{ from = "host"; host.port = 7878; guest.port = 7878; }
# Sonarr
{ from = "host"; host.port = 8989; guest.port = 8989; }
# Jellyfin
{ from = "host"; host.port = 8096; guest.port = 8096; }
];
};
})
];
}

5
nixos/boxes/kelder/containers/default.nix Normal file
View File

@@ -0,0 +1,5 @@
{
imports = [
./acquisition
];
}

86
nixos/boxes/kelder/default.nix
View File

@@ -1,17 +1,32 @@
{ lib, ... }: {
imports = [ ./containers ];
nixos.systems.kelder = {
system = "x86_64-linux";
nixpkgs = "mine";
home-manager = "mine";
assignments = {
ctrs = {
name = "kelder-ctrs";
domain = lib.my.kelder.domain;
ipv4 = {
address = "${lib.my.kelder.start.ctrs.v4}1";
gateway = null;
};
};
};
configuration = { lib, pkgs, modulesPath, config, systems, assignments, allAssignments, ... }:
let
inherit (builtins) mapAttrs;
inherit (lib) mkIf mkMerge mkForce;
inherit (lib.my) networkdAssignment;
vpnTable = 51820;
in
{
imports = [ ./boot.nix ];
imports = [ ./boot.nix ./nginx.nix ];
config = {
hardware = {
@@ -56,6 +71,16 @@
};
};
users = {
groups = with lib.my.kelder.groups; {
storage.gid = storage;
media.gid = media;
};
users = {
"${config.my.user.config.name}".extraGroups = [ "storage" "media" ];
};
};
environment = {
systemPackages = with pkgs; [
wireguard-tools
@@ -83,6 +108,11 @@
systemd = {
network = {
netdevs = {
"25-ctrs".netdevConfig = {
Name = "ctrs";
Kind = "bridge";
};
"30-estuary" = {
netdevConfig = {
Name = "estuary";
@@ -115,12 +145,18 @@
matchConfig.Name = "et1g0";
DHCP = "yes";
};
"80-ctrs" = mkMerge [
(networkdAssignment "ctrs" assignments.ctrs)
{
networkConfig.IPv6AcceptRA = mkForce false;
}
];
"95-estuary" = {
matchConfig.Name = "estuary";
address = [ "${lib.my.kelder.vpn.start}2/30" ];
address = [ "${lib.my.kelder.start.vpn.v4}2/30" ];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
From = "${lib.my.kelder.vpn.start}2";
From = "${lib.my.kelder.start.vpn.v4}2";
Table = vpnTable;
Priority = 100;
}
@@ -128,9 +164,17 @@
};
};
};
services = {
"systemd-nspawn@kelder-acquisition".serviceConfig.DeviceAllow = [
# For hardware acceleration in Jellyfin
"char-drm rw"
];
};
};
my = {
server.enable = true;
user = {
config.name = "kontent";
};
@@ -146,7 +190,41 @@
};
};
server.enable = true;
firewall = {
trustedInterfaces = [ "ctrs" ];
nat = {
enable = true;
externalInterface = "et1g0";
};
extraRules = ''
table inet nat {
chain postrouting {
ip saddr ${lib.my.kelder.prefixes.all.v4} oifname et1g0 masquerade
}
}
'';
};
containers.instances =
let
instances = {
kelder-acquisition = {
bindMounts = {
"/dev/dri".readOnly = false;
"/mnt/media" = {
hostPath = "/mnt/storage/media";
readOnly = false;
};
};
};
};
in
mkMerge [
instances
(mapAttrs (n: i: {
networking.bridge = "ctrs";
}) instances)
];
};
};
};

137
nixos/boxes/kelder/nginx.nix Normal file
View File

@@ -0,0 +1,137 @@
{ lib, pkgs, config, allAssignments, ... }:
let
inherit (lib) mkMerge mkIf;
in
{
config = {
my = {
secrets.files = {
"kelder/htpasswd" = {
owner = "nginx";
group = "nginx";
};
};
firewall = {
tcp.allowed = [ "http" "https" ];
};
};
services = {
nginx = {
enable = true;
enableReload = true;
recommendedTlsSettings = true;
clientMaxBodySize = "0";
serverTokens = true;
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
# NixOS provides a logrotate config that auto-compresses :)
log_format main
'$remote_addr - $remote_user [$time_local] $scheme "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
# optimisation
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# gzip
gzip on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types
application/atom+xml
application/javascript
application/json
application/xml
application/xml+rss
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
gzip_vary on;
# proxying
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
'';
virtualHosts =
let
withAuth = c: mkMerge [
{
basicAuthFile = config.age.secrets."kelder/htpasswd".path;
}
c
];
acquisition = "http://${allAssignments.kelder-acquisition.internal.ipv4.address}";
in
{
"_" = {
default = true;
locations = {
"= /".root = "${pkgs.nginx}/html";
"~ /media/?".return = "302 $scheme://$host/web/";
"= /web/".proxyPass = "${acquisition}:8096/web/index.html";
"/socket" = {
proxyPass = "${acquisition}:8096/socket";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
};
"/".proxyPass = "${acquisition}:8096";
};
};
"media.${lib.my.kelder.domain}" = {
locations = {
"/".proxyPass = "${acquisition}:8096";
"= /".return = "302 $scheme://$host/web/";
"= /web/".proxyPass = "${acquisition}:8096/web/index.html";
"/socket" = {
proxyPass = "${acquisition}:8096/socket";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
};
};
};
"torrents.${lib.my.kelder.domain}" = withAuth {
locations."/".proxyPass = "${acquisition}:9091";
};
"jackett.${lib.my.kelder.domain}" = withAuth {
locations."/".proxyPass = "${acquisition}:9117";
};
"radarr.${lib.my.kelder.domain}" = withAuth {
locations."/" = {
proxyPass = "${acquisition}:7878";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
};
};
"sonarr.${lib.my.kelder.domain}" = withAuth {
locations."/" = {
proxyPass = "${acquisition}:8989";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
};
};
};
};
};
};
}