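# NixOS configuration for the host "aplysia": a ZFS-backed file server that
# exports /mnt/aplysia over Samba and rsync, runs Transmission inside a
# container whose only route to the internet is a WireGuard tunnel, and pushes
# a photo backup to a remote with rclone.
#
# Line structure matters in this file: the `# samba` and `# hdd spindown`
# comments are line comments, so each must end at a newline. If the file is
# collapsed onto one line they swallow every setting that follows them.
{ config, pkgs, ... }:

let
  # Name of the WireGuard interface. It is created on the host and then handed
  # to the container (see `containers.trnsmssn.interfaces`).
  trnsmssnIface = "wg-trnsmssn";
in

{
  imports = [
    /etc/nixos/hardware-configuration.nix
    ./common-headless.nix
  ];

  boot.supportedFilesystems = ["zfs"];

  # GRUB is installed on all six disks, each with its own /boot copy, so the
  # machine can still boot when one disk is missing.
  boot.loader.grub = {
    enable = true;
    version = 2;
    zfsSupport = true;
    mirroredBoots = [
      { devices = [ "/dev/sda" ]; path = "/boota"; }
      { devices = [ "/dev/sdb" ]; path = "/bootb"; }
      { devices = [ "/dev/sdc" ]; path = "/bootc"; }
      { devices = [ "/dev/sdd" ]; path = "/bootd"; }
      { devices = [ "/dev/sde" ]; path = "/boote"; }
      { devices = [ "/dev/sdf" ]; path = "/bootf"; }
    ];
  };

  networking = {
    hostName = "aplysia";
    hostId = "34a820f1";
  };

  users = {
    users = {
      # gebner gets group access to the files owned by the two service accounts.
      gebner.extraGroups = [ "transmission" "nilotica" ];
      nilotica = {
        group = "nilotica";
      };
      # The uid/gid are pinned to the NixOS-wide ids. Here `config` is the
      # module argument, not the container's `config` attribute further down.
      transmission = {
        group = "transmission";
        uid = config.ids.uids.transmission;
      };
    };
    groups = {
      nilotica = {};
      transmission = {
        gid = config.ids.gids.transmission;
      };
    };
  };

  # Priority 10 wins over mkForce (priority 50), so this overrides any kernel
  # package selected in the imported modules.
  boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages;

  # NOTE(review): stateVersion only pins state/data-format defaults. It does not
  # show which nixpkgs release this host tracks; confirm the channel is one that
  # still receives security updates.
  system.stateVersion = "17.03";

  fileSystems."/mnt/aplysia" = pkgs.lib.mkOverride 10 {
    device = "aplysia/export";
    fsType = "zfs";
  };
  # "nofail": a missing boot partition must not block the boot.
  fileSystems."/boota".options = [ "nofail" ];
  fileSystems."/bootb".options = [ "nofail" ];
  fileSystems."/bootc".options = [ "nofail" ];
  fileSystems."/bootd".options = [ "nofail" ];
  fileSystems."/boote".options = [ "nofail" ];
  fileSystems."/bootf".options = [ "nofail" ];

  # Samba export of the whole pool mount. Guests are refused and the share is
  # writable, so access control rests on the tdbsam password database.
  services.samba = {
    enable = true;
    # NOTE(review): `min protocol = NT1` lets clients negotiate SMB1, which is
    # deprecated and lacks the signing and encryption protections of SMB2/SMB3.
    # Raise it to SMB2 or later once no client depends on SMB1.
    extraConfig = ''
      passdb backend = tdbsam
      unix password sync = no
      min protocol = NT1
    '';
    shares = {
      export = {
        "guest ok" = "no";
        "read only" = "no";
        path = "/mnt/aplysia";
      };
    };
  };

  # Transmission runs in its own container. With `privateNetwork = true` the
  # container has only the veth pair to the host plus the WireGuard interface
  # handed to it below, and the only routes configured here go through the
  # tunnel.
  # NOTE(review): this isolates torrent traffic from the uplink only while the
  # host does not NAT or forward the 192.168.100.x veth; confirm that
  # common-headless.nix does not enable it.
  #
  # `rec` is required: `localAddress` and `config` inside this set refer to the
  # attributes of this set itself. In particular `config` here shadows the
  # module argument of the same name.
  containers.trnsmssn = let
    homeDir = "/mnt/aplysia/torrents";
  in rec {
    config = {
      services.transmission = {
        enable = true;
        settings = {
          download-dir = homeDir;
          incomplete-dir = homeDir;
          speed-limit-down = 5000;
          speed-limit-down-enabled = true;
          speed-limit-up = 800;
          speed-limit-up-enabled = true;
          peer-port = 7455;
          # RPC binds to the container's veth address only.
          rpc-bind-address = localAddress;
          # NOTE(review): the RPC whitelist is off and no
          # rpc-authentication-required setting is visible, so anything that
          # can reach 192.168.100.11:9091 controls Transmission. That includes
          # every local user and process on the host, directly or through the
          # nginx proxy. Prefer re-enabling the whitelist restricted to
          # hostAddress. RPC credentials placed in `settings` would end up in
          # the world-readable Nix store.
          rpc-whitelist-enabled = false;
        };
      };

      networking.firewall = {
        enable = true;
        # Peer connections are accepted on the tunnel interface only. This
        # resolves to the literal peer-port above (7455) through the `rec` set.
        interfaces.${trnsmssnIface}.allowedTCPPorts = [ config.services.transmission.settings.peer-port ];
        # Port 9091 (the port the host's nginx proxies to) is accepted on eth0
        # only, which is the container end of the veth pair to the host.
        interfaces.eth0.allowedTCPPorts = [ 9091 ];
      };

      # Fixed resolver. The address falls inside the 128.0.0.0/1 route below,
      # so DNS queries leave through the tunnel as well.
      networking.nameservers = [ "193.138.218.74" ];

      networking.interfaces.${trnsmssnIface} = {
        ipv4.addresses = [ { address = "10.64.157.93"; prefixLength = 32; } ];
        ipv6.addresses = [ { address = "fc00:bbbb:bbbb:bb01::1:9d5c"; prefixLength = 128; } ];
        # Two /1 routes cover the whole IPv4 space without replacing a default
        # route.
        ipv4.routes = [
          { address = "0.0.0.0"; prefixLength = 1; }
          { address = "128.0.0.0"; prefixLength = 1; }
        ];
        ipv6.routes = [ { address = "::"; prefixLength = 0; } ];
      };

      environment.systemPackages = with pkgs; [ wireguard ];
    };

    privateNetwork = true;
    # Moves the host-created WireGuard interface into the container.
    interfaces = [ trnsmssnIface ];
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    autoStart = true;

    # Writable bind mount: the container can modify everything under homeDir,
    # which is also reachable through the Samba export of /mnt/aplysia.
    bindMounts.${homeDir} = {
      hostPath = homeDir;
      isReadOnly = false;
    };
  };

  # The tunnel is created on the host. `allowedIPsAsRoutes = false` keeps the
  # host routing table unchanged; the routes are set inside the container.
  networking.wireguard = {
    enable = true;
    interfaces.${trnsmssnIface} = {
      # The private key is read from a file at runtime, so it never enters the
      # world-readable Nix store.
      # NOTE(review): make sure this file is owned by root and not readable by
      # other users.
      privateKeyFile = "/etc/wgkeys/mullvad";
      peers = [
        {
          allowedIPs = ["0.0.0.0/0" "::/0"];
          # The peer's public key is not a secret.
          publicKey = "5y66WShsFXqM5K7/4CPEGCWfk7PQyNhVBT2ILjbGm2I=";
          endpoint = "se15-wireguard.mullvad.net:51820";
        }
      ];
      allowedIPsAsRoutes = false;
    };
  };

  # The container must not start before the tunnel interface exists. `requires`
  # also stops the container when the WireGuard unit stops or fails.
  systemd.services."container@trnsmssn" = {
    requires = [ "wireguard-${trnsmssnIface}.service" ];
    after = [ "wireguard-${trnsmssnIface}.service" ];
  };

  # Host firewall. These ports are opened on every host interface.
  networking.firewall = {
    allowedTCPPorts = [
      445 139 # samba
      config.services.rsyncd.port
    ];
    allowedUDPPorts = [
      137 138 # samba
    ];
  };

  # Reverse proxy from the host's loopback to the Transmission RPC in the
  # container. The listener is bound to localhost, so it is not reachable from
  # the network, but any local user or process can use it.
  # NOTE(review): recommendedTlsSettings presumably has no effect on this
  # plain-HTTP virtual host; confirm no other virtual host relies on it.
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts."transmission-proxy" = {
      serverName = "localhost";
      listen = [ { addr = "localhost"; port = 9091; } ];
      locations."/transmission/" = {
        proxyPass = "http://192.168.100.11:9091";
        proxyWebsockets = true;
      };
    };
  };

  environment.systemPackages = with pkgs; [ transmission samba ];

  # hdd spindown
  # -B127 sets an APM level that still permits spin-down; -S100 sets the
  # standby timeout to 100 x 5 s.
  powerManagement.powerUpCommands = ''
    ${pkgs.hdparm}/bin/hdparm -B127 -S100 /dev/sd{a,b,c,d,e,f}
  '';

  # Read-only rsync module for the mobile photo tree.
  # NOTE(review): the module sets neither `auth users` nor `hosts allow`, the
  # rsync daemon protocol is unencrypted, and its port is opened in the host
  # firewall above. Every host that can reach this machine can therefore list
  # and download the module. Restrict it with `hosts allow` and/or
  # `auth users` plus a secrets file kept outside the Nix store.
  services.rsyncd = {
    enable = true;
    modules = {
      lr_mobile = {
        path = "/mnt/aplysia/fotos/lr_mobile";
        "read only" = "yes";
      };
    };
  };

  # Off-site photo backup. It runs as the unprivileged user gebner, not as
  # root. The "glacier" remote is presumably defined in that user's rclone
  # configuration.
  # NOTE(review): `rclone sync` makes the destination match the source, so a
  # deletion or corruption on this host is propagated to the backup on the
  # next run. Consider bucket versioning, or `rclone copy`, if the backup must
  # survive that.
  systemd.services.backup-fotos = rec {
    wants = [ "network.target" "mnt-aplysia.mount" ];
    after = wants;
    serviceConfig = {
      User = "gebner";
      Group = "users";
      Type = "oneshot";
    };
    script = ''
      ${pkgs.rclone}/bin/rclone sync -v --update --use-server-modtime \
        /mnt/aplysia/fotos/lightroom/ \
        glacier:gebner-fotos-raw-backup/
    '';
  };

  # Twice a week at 03:00. `Persistent` runs a missed backup after the next
  # boot.
  systemd.timers.backup-fotos = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "Mon,Fri 03:00";
      Persistent = true;
    };
  };
}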