Gabe/nix-config
1
0
Fork 0
Code Issues 12 Pull requests Projects Releases Packages Wiki Activity

inital work on deluge behind a vpn.

Browse source
This commit is contained in:
Gabe Venberg 2025-04-29 20:38:34 +02:00
parent 67eb4264ff
commit 6da142120b
4 changed files with 116 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.lock generated
View file

@ -192,10 +192,10 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1745413613, "lastModified": 1745947832,
"narHash": "sha256-femjJhcb0KysnKuhMggNpH+2g+Fqp7JFiYC0QXT3+AA=", "narHash": "sha256-7qLta3z89hJPxZ6uWujpSQIhWtuzdX6MLr7wa/A8cuw=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "09d8f1ade2adf2bdee202b50fa7c89be2f819036", "rev": "2b2be5500aa14fb5ac5ac045c3693c31de849f74",
"shallow": true, "shallow": true,
"type": "git", "type": "git",
"url": "ssh://forgejo@git.venberg.xyz/Gabe/nix-secrets.git" "url": "ssh://forgejo@git.venberg.xyz/Gabe/nix-secrets.git"

9
hosts/cirrostratus/default.nix
View file

@ -17,6 +17,7 @@ inputs.nixpkgs.lib.nixosSystem {
./restic.nix ./restic.nix
./nginx.nix ./nginx.nix
./copyparty.nix ./copyparty.nix
./deluge.nix
../../configs/nixos/common.nix ../../configs/nixos/common.nix
../../configs/nixos/tailscale.nix ../../configs/nixos/tailscale.nix
../../configs/nixos/sshd.nix ../../configs/nixos/sshd.nix
@ -49,10 +50,10 @@ inputs.nixpkgs.lib.nixosSystem {
enable = true; enable = true;
networks."eno1" = { networks."eno1" = {
name = "eno1"; name = "eno1";
DHCP = "yes"; # DHCP = "yes";
# address = ["10.10.10.30/24"]; address = ["10.10.10.30/24"];
# gateway = ["10.10.10.1"]; gateway = ["10.10.10.1"];
# dns = ["1.1.1.1"]; dns = ["1.1.1.1"];
}; };
}; };
time.timeZone = "America/Chicago"; time.timeZone = "America/Chicago";

104
hosts/cirrostratus/deluge.nix Normal file
View file

@ -0,0 +1,104 @@
{
inputs,
config,
pkgs,
lib,
...
}: let
webUiPort = "8100";
namespace = "pvpn";
interface-name = "pvpn0";
dnsIP = "DNS = 10.2.0.1";
privateIP = "10.2.0.2/32";
port = 8112;
user = config.host.details.user;
group = "users";
in {
sops.secrets = lib.mkIf (inputs ? nix-secrets) {
wg-config = {
sopsFile = "${inputs.nix-secrets}/cirrostratus-protonvpn.conf";
format = "binary";
owner = config.host.details.user;
};
};
# Id really like to setup the wg network with systemd,
# but its not possible until systemd-networkd can manage network namespaces as well.
systemd.services."netns@" = {
description = "%I network namespace";
before = ["network.target"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
};
};
environment.etc."netns/${namespace}/resolv.conf".text = "nameserver ${dnsIP}";
systemd.services.${namespace} = {
description = "${namespace} network interface";
bindsTo = ["netns@${namespace}.service"];
requires = ["network-online.target"];
after = ["netns@${namespace}.service"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = with pkgs;
writers.writeBash "wg-up" ''
set -e
${iproute2}/bin/ip link add ${interface-name} type wireguard
${iproute2}/bin/ip link set ${interface-name} netns ${namespace}
${iproute2}/bin/ip -n ${namespace} address add ${privateIP} dev ${interface-name}
${iproute2}/bin/ip netns exec ${namespace} \
${pkgs.wireguard-tools}/bin/wg setconf ${interface-name} ${config.sops.secrets.wg-config.path}
${iproute2}/bin/ip -n ${namespace} link set ${interface-name} up
${iproute2}/bin/ip -n ${namespace} link set lo up
${iproute2}/bin/ip -n ${namespace} route add default dev ${interface-name}
'';
ExecStop = with pkgs;
writers.writeBash "wg-down" ''
set -e
${iproute2}/bin/ip -n ${namespace} route del default dev ${interface-name}
${iproute2}/bin/ip -n ${namespace} link del ${interface-name}
'';
};
};
# now we get to the deluge stuff.
services.deluge = {
enable = true;
user = user;
group = group;
web = {
enable = true;
port = port;
};
};
# binding deluged to network namespace
systemd.services.deluged.bindsTo = ["netns@${namespace}.service"];
systemd.services.deluged.requires = ["network-online.target" "${namespace}.service"];
systemd.services.deluged.serviceConfig.NetworkNamespacePath = ["/var/run/netns/${namespace}"];
# allowing delugeweb to access deluged in network namespace, a socket is necesarry
systemd.sockets."proxy-to-deluged" = {
enable = true;
description = "Socket for Proxy to Deluge Daemon";
listenStreams = ["58846"];
wantedBy = ["sockets.target"];
};
# creating proxy service on socket, which forwards the same port from the root namespace to the isolated namespace
systemd.services."proxy-to-deluged" = {
enable = true;
description = "Proxy to Deluge Daemon in Network Namespace";
requires = ["deluged.service" "proxy-to-deluged.socket"];
after = ["deluged.service" "proxy-to-deluged.socket"];
unitConfig = {JoinsNamespaceOf = "deluged.service";};
serviceConfig = {
User = user;
Group = group;
ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd --exit-idle-time=5min 127.0.0.1:58846";
PrivateNetwork = "yes";
};
};
}

8
hosts/cirrostratus/restic.nix
View file

@ -7,17 +7,17 @@
}: let }: let
port = "8090"; port = "8090";
in { in {
sops = lib.mkIf (inputs ? nix-secrets) { sops.secrets = lib.mkIf (inputs ? nix-secrets) {
secrets.restic-server-credentials = { restic-server-credentials = {
sopsFile = "${inputs.nix-secrets}/restic-server"; sopsFile = "${inputs.nix-secrets}/restic-server";
format = "binary"; format = "binary";
owner = "restic"; owner = "restic";
}; };
secrets.restic-url = { restic-url = {
sopsFile = "${inputs.nix-secrets}/restic-client.yaml"; sopsFile = "${inputs.nix-secrets}/restic-client.yaml";
owner = config.host.details.user; owner = config.host.details.user;
}; };
secrets.restic-password = { restic-password = {
sopsFile = "${inputs.nix-secrets}/restic-client.yaml"; sopsFile = "${inputs.nix-secrets}/restic-client.yaml";
owner = config.host.details.user; owner = config.host.details.user;
}; };