downloads: add container to tywin.storage
This commit is contained in:
parent
5ec4e6ec6d
commit
a1ff1ba38b
@ -16,6 +16,8 @@
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
custom.locations.autoServe = true;
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/tywin.storage.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
@ -241,6 +243,15 @@
|
||||
};
|
||||
};
|
||||
|
||||
## Downloads
|
||||
custom.services.downloads = {
|
||||
metadataPath = "/data/downloads/metadata";
|
||||
downloadCachePath = "/data/downloads/torrents";
|
||||
filmsPath = "/data/media/films";
|
||||
tvPath = "/data/media/tv";
|
||||
};
|
||||
|
||||
## Firewall
|
||||
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
|
||||
80 # Caddy (restic.tywin.storage.ts.)
|
||||
14002 # Storj Dashboard (zfs.)
|
||||
|
@ -8,11 +8,13 @@
|
||||
./desktop/awesome/default.nix
|
||||
./locations.nix
|
||||
./resilio.nix
|
||||
./services/downloads.nix
|
||||
./services/mastodon/default.nix
|
||||
./services/matrix.nix
|
||||
./services/version_tracker.nix
|
||||
./storj.nix
|
||||
./tailscale.nix
|
||||
./users.nix
|
||||
./www/global.nix
|
||||
./www/www-repo.nix
|
||||
];
|
||||
|
@ -13,15 +13,17 @@ in
|
||||
locations = lib.mkOption {
|
||||
default = {
|
||||
services = {
|
||||
matrix = "vm.strangervm.ts.hillion.co.uk";
|
||||
downloads = "tywin.storage.ts.hillion.co.uk";
|
||||
mastodon = "vm.strangervm.ts.hillion.co.uk";
|
||||
matrix = "vm.strangervm.ts.hillion.co.uk";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.autoServe {
|
||||
custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
|
||||
custom.services.downloads.enable = cfg.locations.services.downloads == config.networking.fqdn;
|
||||
custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
|
||||
custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
|
||||
};
|
||||
}
|
||||
|
187
modules/services/downloads.nix
Normal file
187
modules/services/downloads.nix
Normal file
@ -0,0 +1,187 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.services.downloads;
|
||||
in
|
||||
{
|
||||
options.custom.services.downloads = {
|
||||
enable = lib.mkEnableOption "downloads";
|
||||
|
||||
metadataPath = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/downloads";
|
||||
};
|
||||
downloadCachePath = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/cache/torrents";
|
||||
};
|
||||
filmsPath = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
tvPath = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts = builtins.listToAttrs (builtins.map
|
||||
(x: {
|
||||
name = "http://${x}.downloads.ts.hillion.co.uk";
|
||||
value = {
|
||||
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
|
||||
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
|
||||
};
|
||||
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
|
||||
};
|
||||
|
||||
|
||||
## Wireguard
|
||||
age.secrets."wireguard/downloads".file = ../../secrets/wireguard/downloads.age;
|
||||
age.secrets."deluge/auth" = {
|
||||
file = ../../secrets/deluge/auth.age;
|
||||
owner = "deluge";
|
||||
};
|
||||
|
||||
networking.wireguard.interfaces."downloads" = {
|
||||
privateKeyFile = config.age.secrets."wireguard/downloads".path;
|
||||
ips = [ "10.2.0.2/32" ];
|
||||
peers = [
|
||||
{
|
||||
publicKey = "9nrcUUgwvjNU5Z+EBB0C2cbrhQ3dsCz+zSU83/eqGFY=";
|
||||
endpoint = "138.199.6.177:51820";
|
||||
allowedIPs = [ "0.0.0.0/0" ];
|
||||
}
|
||||
];
|
||||
interfaceNamespace = "downloads";
|
||||
preSetup = "test -f /run/netns/downloads || ip netns add downloads || test -f /run/netns/downloads";
|
||||
};
|
||||
|
||||
## Host User/Directories
|
||||
users.groups = {
|
||||
radarr.gid = config.ids.gids.radarr;
|
||||
deluge.gid = config.ids.gids.deluge;
|
||||
sonarr.gid = config.ids.gids.sonarr;
|
||||
mediaaccess = {
|
||||
gid = config.ids.gids.mediaaccess;
|
||||
members = [ "radarr" "sonarr" "deluge" config.custom.user ];
|
||||
};
|
||||
};
|
||||
users.users =
|
||||
let
|
||||
mkUser = user: {
|
||||
name = user;
|
||||
value = {
|
||||
group = user;
|
||||
home = "${cfg.metadataPath}/${user}";
|
||||
uid = config.ids.uids.${user};
|
||||
createHome = true;
|
||||
};
|
||||
};
|
||||
users = [ "radarr" "deluge" "sonarr" ];
|
||||
in
|
||||
builtins.listToAttrs (builtins.map mkUser users);
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${cfg.downloadCachePath} 0750 deluge mediaaccess - -"
|
||||
"d ${cfg.filmsPath} 0770 radarr mediaaccess - -"
|
||||
"d ${cfg.tvPath} 0770 sonarr mediaaccess - -"
|
||||
];
|
||||
|
||||
## Container
|
||||
containers."downloads" = {
|
||||
autoStart = true;
|
||||
ephemeral = true;
|
||||
extraFlags = [ "--network-namespace-path=/run/netns/downloads" ];
|
||||
|
||||
bindMounts = {
|
||||
"/var/lib/caddy" = { hostPath = "${cfg.metadataPath}/caddy"; isReadOnly = false; };
|
||||
"/var/lib/sonarr" = { hostPath = "${cfg.metadataPath}/sonarr"; isReadOnly = false; };
|
||||
"/var/lib/radarr" = { hostPath = "${cfg.metadataPath}/radarr"; isReadOnly = false; };
|
||||
"/var/lib/deluge" = { hostPath = "${cfg.metadataPath}/deluge"; isReadOnly = false; };
|
||||
"/var/lib/private/prowlarr" = { hostPath = "${cfg.metadataPath}/prowlarr"; isReadOnly = false; };
|
||||
|
||||
"/media/downloads" = { hostPath = cfg.downloadCachePath; isReadOnly = false; };
|
||||
"/media/films" = { hostPath = cfg.filmsPath; isReadOnly = false; };
|
||||
"/media/tv" = { hostPath = cfg.tvPath; isReadOnly = false; };
|
||||
|
||||
"/run/agenix/deluge/auth".hostPath = config.age.secrets."deluge/auth".path;
|
||||
};
|
||||
|
||||
config = (hostConfig: ({ config, pkgs, ... }: {
|
||||
config = {
|
||||
system.stateVersion = "23.05";
|
||||
|
||||
ids = hostConfig.ids;
|
||||
|
||||
users.groups.mediaaccess = {
|
||||
gid = config.ids.gids.mediaaccess;
|
||||
members = [ "radarr" "sonarr" "deluge" ];
|
||||
};
|
||||
|
||||
systemd.services.setup-loopback = {
|
||||
description = "Setup container loopback adapter.";
|
||||
|
||||
after = [ "network-pre.target" ];
|
||||
before = [ "network.target" ];
|
||||
|
||||
script = with pkgs; "${iproute2}/bin/ip link set up lo";
|
||||
};
|
||||
networking.hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
|
||||
|
||||
services = {
|
||||
prowlarr.enable = true;
|
||||
|
||||
sonarr = {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/sonarr";
|
||||
};
|
||||
radarr = {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/radarr";
|
||||
};
|
||||
|
||||
deluge = {
|
||||
enable = true;
|
||||
web.enable = true;
|
||||
|
||||
dataDir = "/var/lib/deluge";
|
||||
authFile = "/run/agenix/deluge/auth";
|
||||
|
||||
declarative = true;
|
||||
config = {
|
||||
download_location = "/media/downloads";
|
||||
max_connections_global = 1024;
|
||||
max_upload_speed = 12500;
|
||||
max_download_speed = 25000;
|
||||
dont_count_slow_torrents = true;
|
||||
stop_seed_ratio = 2;
|
||||
share_ratio_limit = 2;
|
||||
enabled_plugins = [ "Label" ];
|
||||
};
|
||||
};
|
||||
|
||||
caddy = {
|
||||
enable = true;
|
||||
virtualHosts = builtins.listToAttrs (builtins.map
|
||||
(x: {
|
||||
name = "http://${x.name}.downloads.ts.hillion.co.uk";
|
||||
value = {
|
||||
listenAddresses = [ "127.0.0.1" "unix///var/lib/caddy/caddy.sock" ];
|
||||
extraConfig = "reverse_proxy http://localhost:${toString x.port}";
|
||||
};
|
||||
}) [
|
||||
{ name = "radarr"; port = 7878; }
|
||||
{ name = "sonarr"; port = 8989; }
|
||||
{ name = "prowlarr"; port = 9696; }
|
||||
{ name = "deluge"; port = config.services.deluge.web.port; }
|
||||
]);
|
||||
};
|
||||
};
|
||||
};
|
||||
})) config;
|
||||
};
|
||||
};
|
||||
}
|
19
modules/users.nix
Normal file
19
modules/users.nix
Normal file
@ -0,0 +1,19 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
config = {
|
||||
ids.uids = {
|
||||
## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
|
||||
## Consistent People
|
||||
jake = 1000;
|
||||
joseph = 1001;
|
||||
};
|
||||
ids.gids = {
|
||||
## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
|
||||
## Consistent Groups
|
||||
mediaaccess = 1200;
|
||||
};
|
||||
};
|
||||
}
|
23
secrets/deluge/auth.age
Normal file
23
secrets/deluge/auth.age
Normal file
@ -0,0 +1,23 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
F1+/Im3cdSzHDBn2W5LAV+ezO23nrjzaeVLQ0pFNYMt6v8XTA/WHHTPsImg/Nebi
|
||||
noLNcxgjPu3fSnubXJuhsL5kQ6qHWvjQlQ0cRVSnMvV4UvrrPyp0066q1iMBL3PA
|
||||
rh4hQ7sF4sHz3pm9jtxfdnWamGxqsowE793AjtNEvSU/i9/ZkFrKRj0LLAhHeIHJ
|
||||
dWdYpnlZIrRjXFo6y+jdYpK0gyGQopy4SwoRwvDmQ/5paBRhpiXYUPtwRckiz/KE
|
||||
iHA0WJhDO9a5OHLN9WPnKVRIutH/YHviy4twyPDjhHCDeJBQE02Lykd6wvJg9cWT
|
||||
BkCeYhVdGp7VpWZEbLCtnw
|
||||
-> ssh-rsa K9mW1w
|
||||
Pm7esUbyDOoLdzxxrRkOXYxodhfKdK+X41nAT2AOR0bBcNHqGt8BSvL+HOK1vbOW
|
||||
AquzA7+S91aNF7noV3JPIDrWZxDquqBp4z89YYyWNjpH9EIOYa2Sbp5xNFdgyAJw
|
||||
C0uS3B/XKJcQi2np39szNzuR2h7uTKkKW5wMan+YUK1ODxmTJVibo0c0JUybMjXA
|
||||
VS31BrkDb0LKRgvp/kNfn9aEaI7d78oca+6X0BDHk2zYRPwL1Q/MGw4tkx3pqI+x
|
||||
i6frCSHlo715tHaYvxRQyimWthmUft/1etMasFINhLidx4ufdawLR6sbR09sCrMj
|
||||
5NMeB1wc1XrGxwMumNDWyg
|
||||
-> ssh-ed25519 nWv9MA CxCjLfbIfEn1voAr3jX+dRGnHmdAyylNuPn/2QfuphM
|
||||
PS2cpu13uyPlo9PJIT+dybq4P2juNpiZY61sJq7DepQ
|
||||
-> )ei-grease ,jk Bw
|
||||
IucfaHwBWhzdMcTDXxOUyTy1kCUnSlsfAwVw8YKimsxHyvJS+wkyPXUzepHMZYId
|
||||
SvebFA
|
||||
--- q53LwYLjQ6p0yHStpDma4DYMpfFTpv7+MAzaHjM7Kaw
|
||||
¹§—?0šîÕº9S>íƒÊìhàÛ(Æ Qå>8;þÓz°Øø¿L‰úPYhJÞsÛ@¥dÕÒ‘œC׌<C397>9Ú¿{r|±t¶¡aNv3'o•
|
||||
ôÖ±¹d= ’í¦àZ<C3A0>`T62(€÷$ÓH°ŸZ:œQhµú<C2B5>
|
@ -90,4 +90,10 @@ in
|
||||
|
||||
# Home Automation secrets
|
||||
"mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.microserver ];
|
||||
|
||||
# Wireguard Secrets
|
||||
"wireguard/downloads.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
||||
|
||||
# Deluge Secrets
|
||||
"deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
||||
}
|
||||
|
21
secrets/wireguard/downloads.age
Normal file
21
secrets/wireguard/downloads.age
Normal file
@ -0,0 +1,21 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
qvr3798lXYpFKMBj6Kgt35E9FQFiTbNN6yGKvWO7Bm/2veZymVjW7zI/JZ6//WMi
|
||||
OunOsnwCAINAB/30+ua40dvc8KaV/Mp2wLWrmm2H+8OgN9vxpwfe/PdBI8IQGyBa
|
||||
8fR1YZU5W34CypwMczpzELede9ayhhKCadB+KbqYq4pFAMVpWa4noE8b9g9foNCQ
|
||||
BdwrbQxp+iJVGx01Z5CRVsZ9q6YeuL7/rBzXKn59Ga6kfPzKVbXusJeAyR6K9hK1
|
||||
Nz5EKrKmfXjMsSGCckv64rPpOlJMfZX37Vtqf2B3K1VqDykh33yAjaOHDJjmRvkQ
|
||||
K6r6/Us3L98/LsVZ20HMbw
|
||||
-> ssh-rsa K9mW1w
|
||||
IHp/1LLLavXAigGpU3kmflj9ijLBuskLM4gadTJ49S3iYQcbwtpoDEQVr9K52W3c
|
||||
Sd71l4xLRw0AnlP2EV7DiUsdeQcRgJO2hq/hXhmy3KXzYaMCaBpHz/Y6y7+vmdHL
|
||||
/b6lFwCWhxLLRVBA7tSlia7oneUEa9rjy9dHlbryL/yO4epB+kP5m0whe7zyPaNe
|
||||
2wbfwnNpkcTeyqye6UQTGM/nBJJSTpBbU2xoPwCrhFf/TJAHOuh9AV6+U8+NkV04
|
||||
oZpC86fWPwWAWgdsA4jHuGidKpqlVrI30h8haZW7qbuFny90xUlOdqLQcPVHB8Ux
|
||||
t9ZXKy6eN4gPHsbqWo5H+g
|
||||
-> ssh-ed25519 nWv9MA zB9wtm2ydzVDrLuoHJUCFj0e6X+vr7lPKME4dRXbPTg
|
||||
6XWXniYAW5+doJvSU0A3wiFIeZFF8nRkMO+qIbvOGMs
|
||||
-> LZw/kad#-grease ^M+k i-~[#2]v
|
||||
v/8FOljENf9K166hovY3DSO88KTIHmxUmU2fW+MSn8ZD
|
||||
--- ythVTik09YoysBPv6MFuNgbHl70b9tCm4K97xxKXFWA
|
||||
<EFBFBD>&0ËGX”A| ¿Ú_Xrž`éÂO·0™oßo@>äãÅ?Óa9ñãu|H¸£Ô>‚ ï‰<C3AF>Á%]ب›6ñw„œUF<Bí°€†<E282AC>oV
|
Loading…
Reference in New Issue
Block a user