aplysia: first version of transmission container

2019-10-15 21:45:01 +02:00 · 2019-10-15 21:45:01 +02:00 · f866389c28
commit f866389c28
parent 20353dde3f
1 changed files with 81 additions and 11 deletions
--- a/aplysia.nix
+++ b/aplysia.nix
@ -1,5 +1,8 @@
 { config, pkgs, ... }:

+let
+  trnsmssnIface = "wg-trnsmssn";
+in
 {
  imports =
    [
@ -59,25 +62,92 @@
    };
  };

-  services.transmission = {
-    # enable = true;
-    settings = {
-      download-dir = "/mnt/aplysia/torrents";
-      incomplete-dir = "/mnt/aplysia/torrents";
+  containers.trnsmssn =
+  let
+    homeDir = "/mnt/aplysia/torrents";
+  in rec {
+    config = {
+      services.transmission = {
+        # enable = true;
+        settings = {
+          download-dir = homeDir;
+          incomplete-dir = homeDir;

-      speed-limit-down = 5000;
-      speed-limit-down-enabled = true;
-      speed-limit-up = 800;
-      speed-limit-up-enabled = true;
+          speed-limit-down = 5000;
+          speed-limit-down-enabled = true;
+          speed-limit-up = 800;
+          speed-limit-up-enabled = true;

-      peer-port = 51415;
+          peer-port = 51415;
+        };
+      };
+
+      networking.firewall = {
+        enable = true;
+        allowedTCPPorts = [
+          config.services.transmission.settings.peer-port
+        ];
+      };
+
+      networking.nameservers = [ "193.138.218.74" ];
+
+      networking.interfaces.${trnsmssnIface} = {
+        ipv4.addresses = [ { address = "10.64.157.93"; prefixLength = 32; } ];
+        ipv6.addresses = [ { address = "fc00:bbbb:bbbb:bb01::1:9d5c"; prefixLength = 128; } ];
+        ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 0; } ];
+        ipv6.routes = [ { address = "::"; prefixLength = 0; } ];
+      };
+
+      environment.systemPackages = with pkgs; [ wireguard ];
+    };
+
+    privateNetwork = true;
+
+    interfaces = [ trnsmssnIface ];
+
+    autoStart = true;
+
+    bindMounts.${homeDir} = {
+      hostPath = homeDir;
+      isReadOnly = false;
    };
  };

+  networking.wireguard = {
+    enable = true;
+    interfaces.${trnsmssnIface} = {
+      privateKeyFile = "/etc/wgkeys/mullvad";
+      peers = [
+        {
+          allowedIPs = ["0.0.0.0/0" "::/0"];
+          publicKey = "pKcMMeC4jMUxSU5pH1orvp4//GrY8is+y9JRfVP3+BY=";
+          endpoint = "se6-wireguard.mullvad.net:51820";
+        }
+      ];
+      allowedIPsAsRoutes = false;
+    };
+  };
+  systemd.services."container@trnsmssn" = {
+    requires = [ "wireguard-${trnsmssnIface}.service" ];
+    after = [ "wireguard-${trnsmssnIface}.service" ];
+  };
+
+  users.users = [
+    { name = "transmission";
+      group = "transmission";
+      uid = config.ids.uids.transmission;
+    }
+  ];
+
+  users.groups = [
+    { name = "transmission";
+      gid = config.ids.gids.transmission;
+    }
+  ];
+
  networking.firewall = {
    allowedTCPPorts = [
      445 139 # samba
-      config.services.transmission.settings.peer-port
    ];
    allowedUDPPorts = [
      137 138 # samba