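{config, ...}: {
  # Host-side identity for the aria2 service.  The daemon itself runs inside
  # the `aria2` container below; the user/group exist on the host so the
  # sops-managed WireGuard key can be owned by it.
  users.users.aria2.group = "aria2";
  users.groups.aria2 = {};
  users.users.aria2.isSystemUser = true;

  # The WireGuard private key is decrypted by sops on the host and handed to
  # the container through a read-only bind mount (see bindMounts), so it is
  # never copied into the Nix store.
  sops.secrets."wg-private".mode = "0440";
  sops.secrets."wg-private".owner = config.users.users.aria2.name;

  containers.aria2 = {
    # UDP 6969 is exposed from the host to the container.
    # NOTE(review): nothing below pins aria2's BitTorrent/DHT listen port to
    # 6969, and peer traffic is forced through the tunnel anyway — confirm
    # this forward is still needed.
    forwardPorts = [
      {
        containerPort = 6969;
        hostPort = 6969;
        protocol = "udp";
      }
    ];
    bindMounts = {
      # Download target, shared with the host (read-write).
      "/var/lib/media" = {
        hostPath = "/var/lib/media";
        isReadOnly = false;
      };
      # The sops-managed key, read-only; wg-quick reads it via privateKeyFile.
      "/var/lib/wg/private-key" = {
        hostPath = config.sops.secrets."wg-private".path;
        isReadOnly = true;
      };
    };
    autoStart = true;
    # Own network namespace: the container only sees its veth to the host
    # and the wg0 tunnel it brings up itself.
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::2";
    config = {
      config,
      pkgs,
      ...
    }: let
      iptables = "${pkgs.iptables}/bin/iptables";
      ip6tables = "${pkgs.iptables}/bin/ip6tables";

      # Rule specifications shared by postUp and postDown.  `iptables -D`
      # only removes a rule whose spec matches the installed one exactly, so
      # both hooks must use byte-identical specs; defining them once here
      # guarantees that.  (Previously postDown omitted `! -d 192.168.0.0/16`
      # from the IPv4 REJECT and never removed the two ACCEPT rules, so the
      # delete failed and every interface restart appended another copy.)
      #
      # Kill switch: reject every outgoing packet unless it
      #   - leaves through wg0 (plain traffic entering the tunnel), or
      #   - carries wg0's fwmark (the encrypted packets to the endpoint), or
      #   - is destined to a local address, or (IPv4 only)
      #   - is destined to 192.168.0.0/16, which is what lets the host at
      #     192.168.100.10 reach the RPC port and get replies.
      # NOTE(review): /16 is much wider than the 192.168.100.0/24 host link;
      # anything else in that range bypasses the VPN.  Narrow it if that is
      # not intended.
      # NOTE(review): the IPv6 rule has no such exemption, so replies to the
      # host's fc00::1 are rejected; fine as long as the host only uses the
      # IPv4 address — confirm.
      rejectV4 = "OUTPUT ! -d 192.168.0.0/16 ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT";
      rejectV6 = "OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT";
      # Loopback access to the RPC port.  (Loopback destinations are already
      # covered by the LOCAL exemption above; kept for explicitness.)
      allowRpcLoopback = "OUTPUT -o lo -p tcp --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT";
      # With /24 masks both addresses match the whole 192.168.100.0/24 link,
      # i.e. host <-> container traffic.
      allowHostLink = "OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 -j ACCEPT";
    in {
      system.stateVersion = "unstable";
      # Reachable only over the veth/tunnel: 6969/tcp is the aria2 RPC port,
      # 6969/udp matches the host-side forward, 51820/udp is WireGuard.
      # NOTE(review): no rpcSecretFile is set here, so the services.aria2
      # module's default token handling applies — confirm the host-side
      # client authenticates with it.
      networking.firewall.allowedTCPPorts = [6969];
      networking.firewall.allowedUDPPorts = [6969 51820];
      # Group membership for writing into the shared media tree.
      users.users = {
        aria2.extraGroups = ["jellyfin" "nextcloud"];
      };
      services.aria2 = {
        enable = true;
        downloadDir = "/var/lib/media";
        rpcListenPort = 6969;
      };
      networking.wg-quick.interfaces = {
        wg0 = {
          # NOTE(review): `wg` is resolved from PATH here while iptables uses
          # a store path — confirm wg-quick's hook environment provides it.
          postUp = ''
            # Mark wg0's own (encrypted) packets so the kill switch can let
            # them out to the endpoint.
            wg set wg0 fwmark 51820

            # Install the kill switch for IPv4 and IPv6.
            ${iptables} -A ${rejectV4}
            ${ip6tables} -A ${rejectV6}

            # Inserted at the head of OUTPUT so they take precedence.
            ${iptables} -I ${allowRpcLoopback}
            ${iptables} -I ${allowHostLink}
          '';
          # Mirror of postUp: remove exactly the rules it installed.
          postDown = ''
            ${iptables} -D ${allowHostLink}
            ${iptables} -D ${allowRpcLoopback}
            ${iptables} -D ${rejectV4}
            ${ip6tables} -D ${rejectV6}
          '';

          address = ["10.2.0.2/32"];
          dns = ["10.2.0.1"];
          # Bind-mounted from the host's sops secret (see bindMounts above).
          privateKeyFile = "/var/lib/wg/private-key";

          peers = [
            {
              publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo=";
              # Full tunnel: every IPv4 destination is routed into the VPN.
              allowedIPs = ["0.0.0.0/0"];
              endpoint = "185.159.158.182:51820";
              persistentKeepalive = 25;
            }
          ];
        };
      };
    };
  };
}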