diff --git a/aplysia.nix b/aplysia.nix
index bea162d..9fb9b23 100644
--- a/aplysia.nix
+++ b/aplysia.nix
@@ -1,5 +1,8 @@
 { config, pkgs, ... }:
+let
+ trnsmssnIface = "wg-trnsmssn";
+in
 {
 imports = [
@@ -59,25 +62,92 @@
 };
 };
- services.transmission = {
- # enable = true;
- settings = {
- download-dir = "/mnt/aplysia/torrents";
- incomplete-dir = "/mnt/aplysia/torrents";
+ containers.trnsmssn =
+ let
+ homeDir = "/mnt/aplysia/torrents";
+ in rec {
+ config = {
+ services.transmission = {
+ # enable = true;
+ settings = {
+ download-dir = homeDir;
+ incomplete-dir = homeDir;
- speed-limit-down = 5000;
- speed-limit-down-enabled = true;
- speed-limit-up = 800;
- speed-limit-up-enabled = true;
+ speed-limit-down = 5000;
+ speed-limit-down-enabled = true;
+ speed-limit-up = 800;
+ speed-limit-up-enabled = true;
- peer-port = 51415;
+ peer-port = 51415;
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ config.services.transmission.settings.peer-port
+ ];
+ };
+
+ networking.nameservers = [ "193.138.218.74" ];
+
+ networking.interfaces.${trnsmssnIface} = {
+ ipv4.addresses = [ { address = "10.64.157.93"; prefixLength = 32; } ];
+ ipv6.addresses = [ { address = "fc00:bbbb:bbbb:bb01::1:9d5c"; prefixLength = 128; } ];
+ ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 0; } ];
+ ipv6.routes = [ { address = "::"; prefixLength = 0; } ];
+ };
+
+ environment.systemPackages = with pkgs; [ wireguard ];
+ };
+
+ privateNetwork = true;
+
+ interfaces = [ trnsmssnIface ];
+
+ autoStart = true;
+
+ bindMounts.${homeDir} = {
+ hostPath = homeDir;
+ isReadOnly = false;
 };
 };
+ networking.wireguard = {
+ enable = true;
+ interfaces.${trnsmssnIface} = {
+ privateKeyFile = "/etc/wgkeys/mullvad";
+ peers = [
+ {
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ publicKey = "pKcMMeC4jMUxSU5pH1orvp4//GrY8is+y9JRfVP3+BY=";
+ endpoint = "se6-wireguard.mullvad.net:51820";
+ }
+ ];
+ allowedIPsAsRoutes = false;
+ };
+ };
+ systemd.services."container@trnsmssn" = {
+ requires = [ "wireguard-${trnsmssnIface}.service" ];
+ after = [ "wireguard-${trnsmssnIface}.service" ];
+ };
+
+ users.users = [
+ { name = "transmission";
+ group = "transmission";
+ uid = config.ids.uids.transmission;
+ }
+ ];
+
+ users.groups = [
+ { name = "transmission";
+ gid = config.ids.gids.transmission;
+ }
+ ];
+
 networking.firewall = {
 allowedTCPPorts = [
 445 139 # samba
- config.services.transmission.settings.peer-port
 ];
 allowedUDPPorts = [
 137 138 # samba
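Review bot: The container body is wrapped in `rec { config = { … }; … }`, so every `config.…` reference inside it — including `config.services.transmission.settings.peer-port` in the container's `networking.firewall.allowedTCPPorts` — resolves to the literal attribute set rather than the container's evaluated module configuration, and the outer `config` module argument is shadowed for the whole `rec` scope. It evaluates today only because `peer-port` is assigned literally; it breaks as soon as that value comes from an option default or another module. Declaring the container config as a module function routes the reference through module evaluation and removes the need for `rec`: replace `in rec {` with `in {` and `config = {` with `config = { config, ... }: {`. Separately, `requires`/`after` on `container@trnsmssn` only order startup; if `wireguard-${trnsmssnIface}.service` is restarted on the host, the container that took ownership of the device via `interfaces = [ trnsmssnIface ]` is presumably left with the old one, so `partOf = [ "wireguard-${trnsmssnIface}.service" ];` may be worth adding — verify against how the host unit recreates the interface.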