diff options
Diffstat (limited to 'hosts/ahmed/torrenting/default.nix')
| -rw-r--r-- | hosts/ahmed/torrenting/default.nix | 155 |
1 files changed, 11 insertions, 144 deletions
diff --git a/hosts/ahmed/torrenting/default.nix b/hosts/ahmed/torrenting/default.nix index 9b7a9c5..9fc3fb1 100644 --- a/hosts/ahmed/torrenting/default.nix +++ b/hosts/ahmed/torrenting/default.nix @@ -1,4 +1,5 @@ # This module configures the my torrenting setup. It uses qBittorrent over a VPN. + { pkgs, options, @@ -6,174 +7,40 @@ ... }: let downloadPath = "/srv/media/"; - - qbWebUiPort = 8082; - qbListeningPort = 52916; - - wgInterface = "wg0"; - wgPort = 51820; - - qbDomain = "qbittorrent.ulovlighacker.download"; - jellyfinDomain = "ulovlighacker.download"; - useACME = true; in { + imports = [ + ./wireguard.nix + ./reverse-proxy.nix + ]; + # Configure the actual qBittorrent service. services.qbittorrent = { enable = true; - # We will use a reverse proxy in front of qBittorrent. - openFirewall = false; - port = qbWebUiPort; - settings = { BitTorrent = { # Use the specified download path for finished torrents. "Session\\DefaultSavePath" = downloadPath; "Session\\TempPath" = "${config.services.qbittorrent.profile}/qBittorrent/temp"; "Session\\TempPathEnabled" = true; - - # Instruct qBittorrent to only use VPN interface. - "Session\\Interface" = wgInterface; - "Session\\InterfaceName" = wgInterface; - - "Session\\Port" = qbListeningPort; }; Preferences = { + # Again?? "Downloads\\SavePath" = downloadPath; - "General\\Locale" = "da"; - - # Used in conjunction with the --webui-port flag (via services.qbittorrent.port) - # since we'll be using a reverse proxy. - "WebUI\\UseUPnP" = false; }; }; }; - systemd.services.qbittorrent.unitConfig.After = ["wireguard-${wgInterface}.target"]; + # WARNING: Jellyfin has been manually configured to serve from the correct download path. + services.jellyfin.enable = true; - # Create the directory to which media will be downloaded. - # This is also used by Jellyfin to serve the files. + # Create the directory to which media will be downloaded. This will be used + # by qBittorent to hold files and Jellyfin will serve from it. systemd.tmpfiles.rules = let user = config.services.qbittorrent.user; group = config.services.qbittorrent.group; in [ "d ${downloadPath} 0755 ${user} ${group}" ]; - - # Create a connection to Mullvad's WireGuard server. - networking.wireguard.interfaces = { - ${wgInterface} = { - # The port to use for communication. This should also be opened in the firewall. - ips = ["10.70.101.133/32" "fc00:bbbb:bbbb:bb01::7:6584/128"]; - privateKeyFile = config.age.secrets.mullvad-wg-key.path; - allowedIPsAsRoutes = false; - listenPort = wgPort; - - # Create a differente networking namespace to isolate the qBittorent - # process. I decided not to do this because connecting the WebUI to NGINX - # becomes a bit tricky then. I will keep it around just in case I take up - # this issue again sometime later. - # - # Remember, you would also need to set NetworkNamespacePath= on - # qBittorrent [0]. The network namespace would when be located under - # /run/netns/${wgNamespace}. - # - # [0]: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#NetworkNamespacePath= - # - # interfaceNamespace = wgNamespace; - # preSetup = '' - # echo "Setting up namespace: ${wgNamespace}" - # ${pkgs.iproute2}/bin/ip netns add ${wgNamespace} - # ${pkgs.iproute2}/bin/ip -n ${wgNamespace} link set lo up - # ''; - # postShutdown = '' - # echo "Tearing down namespace: ${wgNamespace}" - # ${pkgs.iproute2}/bin/ip netns del "${wgNamespace}" - # ''; - - # Since this is a client configuration, we only need a single peer: the Mullvad server. - peers = [ - { - # The public key of the server. - publicKey = "/iivwlyqWqxQ0BVWmJRhcXIFdJeo0WbHQ/hZwuXaN3g="; - - # The location of the server. - endpoint = "193.32.127.66:${toString wgPort}"; - - # Which destination IPs should be directed to this ip/pubkey pair. In - # this case, we send all packets to our only peer. - # - # NOTE: It is important the we either use a network namespace or set - # `allowedIPsAsRoutes = false` as otherwise we run into the loop - # routing problem. - # - # See: https://wiki.archlinux.org/title/WireGuard#Loop_routing - # See: https://cohost.org/linuwus/post/5040530-an-unexpected-soluti - allowedIPs = ["0.0.0.0/0" "::/0"]; - - # Send keepalives messages. Important to keep NAT tables alive. - persistentKeepalive = 25; - } - ]; - }; - }; - - # Here we load the secret file containing this clients private key. It is - # defined in the configuration file from Mullvad's website. - age.secrets.mullvad-wg-key.file = ../../../secrets/mullvad-wg.key.age; - - # TODO: Use Peer as DNS server: https://arc.net/l/quote/axlprdca - - services.jellyfin = { - enable = true; - # We use a reverse proxy. - openFirewall = false; - }; - - # Use NGINX as a reverse proxy for the various services that present web UIs. - services.nginx = { - virtualHosts.${qbDomain} = { - enableACME = useACME; - forceSSL = useACME; - - locations."/" = { - proxyPass = "http://localhost:${toString qbWebUiPort}"; - recommendedProxySettings = true; - }; - }; - - virtualHosts.${jellyfinDomain} = { - enableACME = useACME; - forceSSL = useACME; - - locations."/" = { - # This is the "static port" of the HTTP web interface. - # - # See: https://jellyfin.org/docs/general/networking/#port-bindings - proxyPass = "http://localhost:8096"; - recommendedProxySettings = true; - }; - }; - }; - - services.cloudflare-dyndns.domains = [ - qbDomain - jellyfinDomain - ]; - - networking.firewall = { - # Clients and peers use the same port. I'm actually not sure we need to - # accept incomming connections as clients participating in the wireguard - # protocol. - allowedUDPPorts = [wgPort]; - - # This is a weird fix. Apparently the rpfilter set up as part of - # nixos-rpfilter in the 'mangle' table will block WireGuard traffic. - # Setting this to "loose" somehow fixes that. - # - # See: https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577/2?u=linnnus - # See: https://github.com/NixOS/nixpkgs/issues/51258#issuecomment-448005659 - checkReversePath = "loose"; - }; } |