nixos-config/aplysia.nix

{ config, pkgs, ... }:

let
  trnsmssnIface = "wg-trnsmssn";
in
{
  imports =
    [
      ./common-headless.nix
    ];

  boot.supportedFilesystems = ["zfs"];
  boot.loader.grub = {
    enable = true;
    version = 2;
    zfsSupport = true;
    mirroredBoots = [
      { devices = [ "/dev/sda" ]; path = "/boota"; }
      { devices = [ "/dev/sdb" ]; path = "/bootb"; }
      { devices = [ "/dev/sdc" ]; path = "/bootc"; }
      { devices = [ "/dev/sdd" ]; path = "/bootd"; }
      { devices = [ "/dev/sde" ]; path = "/boote"; }
      { devices = [ "/dev/sdf" ]; path = "/bootf"; }
    ];
  };

  networking = {
    hostName = "aplysia";
    hostId = "34a820f1";
  };

  users = {
    users = {
      gebner.extraGroups = [
        "transmission"
        "nilotica"
      ];

      nilotica = {
        group = "nilotica";
      };

      transmission = {
        group = "transmission";
        uid = config.ids.uids.transmission;
      };
    };

    groups = {
      nilotica = {};

      transmission = {
        gid = config.ids.gids.transmission;
      };
    };
  };

  boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages;

  system.stateVersion = "17.03";

  fileSystems."/mnt/aplysia" = pkgs.lib.mkOverride 10 {
    device = "aplysia/export";
    fsType = "zfs";
  };

  fileSystems."/boota".options = [ "nofail" ];
  fileSystems."/bootb".options = [ "nofail" ];
  fileSystems."/bootc".options = [ "nofail" ];
  fileSystems."/bootd".options = [ "nofail" ];
  fileSystems."/boote".options = [ "nofail" ];
  fileSystems."/bootf".options = [ "nofail" ];

  services.samba = {
    enable = true;
    extraConfig = ''
      passdb backend = tdbsam
      unix password sync = no
      min protocol = NT1
    '';
    shares = {
      export = {
        "guest ok" = "no";
        "read only" = "no";
        path = "/mnt/aplysia";
      };
    };
  };

  containers.trnsmssn =
  let
    homeDir = "/mnt/aplysia/torrents";
  in rec {
    config = {
      services.transmission = {
        enable = true;
        settings = {
          download-dir = homeDir;
          incomplete-dir = homeDir;

          speed-limit-down = 5000;
          speed-limit-down-enabled = true;
          speed-limit-up = 800;
          speed-limit-up-enabled = true;

          peer-port = 7455;

          rpc-bind-address = localAddress;
          rpc-whitelist-enabled = false;
        };
      };

      networking.firewall = {
        enable = true;
        interfaces.${trnsmssnIface}.allowedTCPPorts = [
          config.services.transmission.settings.peer-port
        ];
        interfaces.eth0.allowedTCPPorts = [
          9091
        ];
      };

      networking.nameservers = [ "193.138.218.74" ];

      networking.interfaces.${trnsmssnIface} = {
        ipv4.addresses = [ { address = "10.64.157.93"; prefixLength = 32; } ];
        ipv6.addresses = [ { address = "fc00:bbbb:bbbb:bb01::1:9d5c"; prefixLength = 128; } ];
        ipv4.routes = [
          { address = "0.0.0.0"; prefixLength = 1; }
          { address = "128.0.0.0"; prefixLength = 1; }
        ];
        ipv6.routes = [ { address = "::"; prefixLength = 0; } ];
      };

      environment.systemPackages = with pkgs; [ wireguard ];
    };

    privateNetwork = true;
    interfaces = [ trnsmssnIface ];

    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    autoStart = true;

    bindMounts.${homeDir} = {
      hostPath = homeDir;
      isReadOnly = false;
    };
  };

  networking.wireguard = {
    enable = true;
    interfaces.${trnsmssnIface} = {
      privateKeyFile = "/etc/wgkeys/mullvad";
      peers = [
        {
          allowedIPs = ["0.0.0.0/0" "::/0"];
          publicKey = "pKcMMeC4jMUxSU5pH1orvp4//GrY8is+y9JRfVP3+BY=";
          endpoint = "se6-wireguard.mullvad.net:51820";
        }
      ];
      allowedIPsAsRoutes = false;
    };
  };
  systemd.services."container@trnsmssn" = {
    requires = [ "wireguard-${trnsmssnIface}.service" ];
    after = [ "wireguard-${trnsmssnIface}.service" ];
  };

  networking.firewall = {
    allowedTCPPorts = [
      445 139 # samba
      config.services.rsyncd.port
    ];
    allowedUDPPorts = [
      137 138 # samba
    ];
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts."transmission-proxy" = {
      serverName = "localhost";
      listen = [
        { addr = "localhost"; port = 9091; }
      ];
      locations."/transmission/" = {
        proxyPass = "http://192.168.100.11:9091";
        proxyWebsockets = true;
      };
    };
  };

  environment.systemPackages = with pkgs; [
    transmission
    samba
  ];

  # hdd spindown
  powerManagement.powerUpCommands = ''
    ${pkgs.hdparm}/bin/hdparm -B127 -S100 /dev/sd{a,b,c,d,e,f}
  '';

  services.rsyncd = {
    enable = true;
    modules = {
      lr_mobile = {
        path = "/mnt/aplysia/fotos/lr_mobile";
        "read only" = "yes";
      };
    };
  };

  systemd.services.backup-fotos = rec {
    wants = [ "network.target" "mnt-aplysia.mount" ];
    after = wants;

    serviceConfig = {
      User = "gebner";
      Group = "users";
      Type = "oneshot";
    };

    script = ''
      ${pkgs.rclone}/bin/rclone sync -v --update --use-server-modtime \
        /mnt/aplysia/fotos/lightroom/ \
        glacier:gebner-fotos-raw-backup/
    '';
  };
  systemd.timers.backup-fotos = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "Mon,Fri 03:00";
      Persistent = true;
    };
  };

}