diff --git a/nixos/server/package-configs/aria2/configuration.nix b/nixos/server/package-configs/aria2/configuration.nix index 6d2fc82..6cf7791 100644 --- a/nixos/server/package-configs/aria2/configuration.nix +++ b/nixos/server/package-configs/aria2/configuration.nix @@ -7,99 +7,9 @@ users.groups.aria2 = {}; users.users.aria2.isSystemUser = true; - sops.secrets."wg-private".mode = "0440"; - sops.secrets."wg-private".owner = config.users.users.aria2.name; - containers.aria2 = { - forwardPorts = [ - { - containerPort = 6969; - hostPort = 6969; - protocol = "udp"; - } - ]; - bindMounts = { - "/var/lib/media" = { - hostPath = "/var/lib/media"; - isReadOnly = false; - }; - "/var/lib/wg/private-key" = { - hostPath = config.sops.secrets."wg-private".path; - isReadOnly = true; - }; - }; - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.11"; - hostAddress6 = "fc00::1"; - localAddress6 = "fc00::2"; - config = { - config, - pkgs, - ... - }: { - system.stateVersion = "unstable"; - networking.firewall.allowedTCPPorts = [6969]; - networking.firewall.allowedUDPPorts = [6969 51820]; - users.users = { - aria2.extraGroups = ["jellyfin" "nextcloud"]; - }; - services.aria2 = { - enable = true; - downloadDir = "/var/lib/media"; - rpcListenPort = 6969; - }; - networking.wg-quick.interfaces = { - wg0 = { - postUp = '' - # Mark packets on the wg0 interface - wg set wg0 fwmark 51820 - - # Forbid anything else which doesn't go through wireguard VPN on - # ipV4 and ipV6 - ${pkgs.iptables}/bin/iptables -A OUTPUT \ - ! -d 192.168.0.0/16 \ - ! -o wg0 \ - -m mark ! --mark $(wg show wg0 fwmark) \ - -m addrtype ! --dst-type LOCAL \ - -j REJECT - ${pkgs.iptables}/bin/ip6tables -A OUTPUT \ - ! -o wg0 \ - -m mark ! --mark $(wg show wg0 fwmark) \ - -m addrtype ! --dst-type LOCAL \ - -j REJECT - ${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \ - --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT - ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \ - -j ACCEPT - ''; - postDown = '' - ${pkgs.iptables}/bin/iptables -D OUTPUT \ - ! -o wg0 \ - -m mark ! --mark $(wg show wg0 fwmark) \ - -m addrtype ! --dst-type LOCAL \ - -j REJECT - ${pkgs.iptables}/bin/ip6tables -D OUTPUT \ - ! -o wg0 -m mark \ - ! --mark $(wg show wg0 fwmark) \ - -m addrtype ! --dst-type LOCAL \ - -j REJECT - ''; - - address = ["10.2.0.2/32"]; - dns = ["10.2.0.1"]; - privateKeyFile = "/var/lib/wg/private-key"; - - peers = [ - { - publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo="; - allowedIPs = ["0.0.0.0/0"]; - endpoint = "185.159.158.182:51820"; - persistentKeepalive = 25; - } - ]; - }; - }; - }; + services.aria2 = { + enable = true; + downloadDir = "/var/lib/media"; + rpcListenPort = 6969; }; } diff --git a/nixos/server/package-configs/aria2/container.nix b/nixos/server/package-configs/aria2/container.nix new file mode 100644 index 0000000..6d2fc82 --- /dev/null +++ b/nixos/server/package-configs/aria2/container.nix @@ -0,0 +1,105 @@ +{ + config, + pkgs, + ... +}: { + users.users.aria2.group = "aria2"; + users.groups.aria2 = {}; + users.users.aria2.isSystemUser = true; + + sops.secrets."wg-private".mode = "0440"; + sops.secrets."wg-private".owner = config.users.users.aria2.name; + containers.aria2 = { + forwardPorts = [ + { + containerPort = 6969; + hostPort = 6969; + protocol = "udp"; + } + ]; + bindMounts = { + "/var/lib/media" = { + hostPath = "/var/lib/media"; + isReadOnly = false; + }; + "/var/lib/wg/private-key" = { + hostPath = config.sops.secrets."wg-private".path; + isReadOnly = true; + }; + }; + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::2"; + config = { + config, + pkgs, + ... + }: { + system.stateVersion = "unstable"; + networking.firewall.allowedTCPPorts = [6969]; + networking.firewall.allowedUDPPorts = [6969 51820]; + users.users = { + aria2.extraGroups = ["jellyfin" "nextcloud"]; + }; + services.aria2 = { + enable = true; + downloadDir = "/var/lib/media"; + rpcListenPort = 6969; + }; + networking.wg-quick.interfaces = { + wg0 = { + postUp = '' + # Mark packets on the wg0 interface + wg set wg0 fwmark 51820 + + # Forbid anything else which doesn't go through wireguard VPN on + # ipV4 and ipV6 + ${pkgs.iptables}/bin/iptables -A OUTPUT \ + ! -d 192.168.0.0/16 \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/ip6tables -A OUTPUT \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \ + --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT + ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \ + -j ACCEPT + ''; + postDown = '' + ${pkgs.iptables}/bin/iptables -D OUTPUT \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/ip6tables -D OUTPUT \ + ! -o wg0 -m mark \ + ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ''; + + address = ["10.2.0.2/32"]; + dns = ["10.2.0.1"]; + privateKeyFile = "/var/lib/wg/private-key"; + + peers = [ + { + publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo="; + allowedIPs = ["0.0.0.0/0"]; + endpoint = "185.159.158.182:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + }; +}