Merge branch 'main' into main

configurations/nixos/defiant/configuration.nix

@@ -132,23 +132,24 @@
         };
       };
 
-      # "20-wg0" = {
-      #   netdevConfig = {
-      #     Kind = "wireguard";
-      #     Name = "wg0";
-      #   };
-      #   wireguardConfig = {
-      #     PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
-      #     ListenPort = 51820;
-      #   };
-      #   wireguardPeers = [
-      #     {
-      #       PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
-      #       Endpoint = "185.230.126.146:51820";
-      #       AllowedIPs = ["0.0.0.0/0"];
-      #     }
-      #   ];
-      # };
+      "20-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
+          ListenPort = 51820;
+        };
+        wireguardPeers = [
+          {
+            PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
+            Endpoint = "185.230.126.146:51820";
+            # Allow all traffic but use policy routing to prevent system-wide VPN
+            AllowedIPs = ["0.0.0.0/0"];
+          }
+        ];
+      };
     };
     networks = {
       "40-bond0" = {
@@ -163,36 +164,67 @@
           "192.168.1.10/32"
         ];
 
-        gateway = ["192.168.1.1"];
+        # Set lower priority for default gateway to allow WireGuard interface binding
+        routes = [
+          {
+            Destination = "0.0.0.0/0";
+            Gateway = "192.168.1.1";
+            Metric = 100;
+          }
+        ];
         dns = ["192.168.1.1"];
       };
 
-      # For some reason this isn't working. It looks like traffic goes out and comes back but doesn't get correctly routed back to the wg interface on the return trip
-      # debugging steps:
-      # try sending data on the interface `ping -I wg0 8.8.8.8`
-      # view all traffic on the interface `sudo tshark -i wg0`
-      # see what applications are listening to port 14666 (thats what we currently have qbittorent set up to use) `ss -tuln | grep 14666`
-      # "50-wg0" = {
-      #   matchConfig.Name = "wg0";
-      #   networkConfig = {
-      #     DHCP = "no";
-      #   };
-      #   address = [
-      #     "10.2.0.2/32"
-      #   ];
-      #   # routes = [
-      #   #   {
-      #   #     Destination = "10.2.0.2/32";
-      #   #     Gateway = "10.2.0.1";
-      #   #   }
-      #   # ];
-      # };
+      "50-wg0" = {
+        matchConfig.Name = "wg0";
+        networkConfig = {
+          DHCP = "no";
+        };
+        address = [
+          "10.2.0.2/32"
+        ];
+        # Configure routing for application binding
+        routingPolicyRules = [
+          {
+            # Route traffic from VPN interface through VPN table
+            From = "10.2.0.2/32";
+            Table = 200;
+            Priority = 100;
+          }
+        ];
+        routes = [
+          {
+            # Direct route to VPN gateway
+            Destination = "10.2.0.1/32";
+            Scope = "link";
+          }
+          {
+            # Route VPN subnet through VPN gateway in custom table
+            Destination = "10.2.0.0/16";
+            Gateway = "10.2.0.1";
+            Table = 200;
+          }
+          {
+            # Route all traffic through VPN gateway in custom table
+            Destination = "0.0.0.0/0";
+            Gateway = "10.2.0.1";
+            Table = 200;
+          }
+        ];
+      };
     };
   };
 
   # limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory
   boot.kernelParams = ["zfs.zfs_arc_max=53687091200"];
 
+  # Enable policy routing and source routing for application-specific VPN binding
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.rp_filter" = 2;
+    "net.ipv4.conf.default.rp_filter" = 2;
+    "net.ipv4.conf.wg0.rp_filter" = 2;
+  };
+
   services = {
     # temp enable desktop environment for setup
     # Enable the X11 windowing system.
@@ -306,12 +338,35 @@
       passwordFile = config.sops.secrets."services/paperless_password".path;
     };
 
+    panoramax = {
+      enable = false;
+      openFirewall = true;
+    };
+
     qbittorrent = {
       enable = true;
       mediaDir = "/srv/qbittorent";
       openFirewall = true;
       webuiPort = 8084;
     };
+
+    filebot-cleanup = {
+      enable = true;
+      licenseFile = "/srv/jellyfin/filebot_license.psm";
+    };
+
+    sonarr = {
+      enable = false;
+      openFirewall = true;
+    };
+    radarr = {
+      enable = false;
+      openFirewall = true;
+    };
+    bazarr = {
+      enable = false;
+      openFirewall = true;
+    };
   };
 
   # disable computer sleeping

configurations/nixos/defiant/default.nix

@@ -3,5 +3,7 @@
   imports = [
     ./hardware-configuration.nix
     ./configuration.nix
+    ./packages.nix
+    ./filebot.nix
   ];
 }

configurations/nixos/defiant/filebot.nix

@@ -0,0 +1,82 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.filebot-cleanup;
+in {
+  options.services.filebot-cleanup = {
+    enable = mkEnableOption "Filebot cleanup service";
+
+    licenseFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Path to the Filebot license file";
+    };
+
+    cleanupDirectory = mkOption {
+      type = types.str;
+      default = "/srv/jellyfin/filebot_cleanup";
+      description = "Directory where cleaned up media files are stored";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.filebot_cleanup = {};
+    users.users.filebot_cleanup = {
+      isSystemUser = true;
+      group = "filebot_cleanup";
+      extraGroups = ["jellyfin_media"];
+      home = cfg.cleanupDirectory;
+      createHome = true;
+    };
+
+    nixpkgs.config.allowUnfreePredicate = pkg:
+      builtins.elem (lib.getName pkg) [
+        "filebot"
+      ];
+
+    environment.systemPackages = with pkgs; [
+      filebot
+    ];
+
+    systemd.services.filebot-cleanup = {
+      description = "Filebot media cleanup service";
+      serviceConfig = {
+        Type = "simple";
+        User = "filebot_cleanup";
+        Group = "filebot_cleanup";
+        ExecStart = pkgs.writeShellScript "filebot-cleanup" ''
+          ${optionalString (cfg.licenseFile != null) ''
+            ${pkgs.filebot}/bin/filebot --license "${cfg.licenseFile}"
+          ''}
+          ${pkgs.filebot}/bin/filebot -rename -r "/srv/jellyfin/media/Movies/" --output "${cfg.cleanupDirectory}/" --format "{jellyfin}" -non-strict --action duplicate
+          ${pkgs.filebot}/bin/filebot -rename -r "/srv/jellyfin/media/Shows/" --output "${cfg.cleanupDirectory}/" --format "{jellyfin}" -non-strict --action duplicate
+        '';
+        StandardOutput = "journal";
+        StandardError = "journal";
+      };
+      wantedBy = ["multi-user.target"];
+    };
+
+    environment.persistence = lib.mkIf config.host.impermanence.enable {
+      "/persist/system/jellyfin" = {
+        enable = true;
+        hideMounts = true;
+        files = [
+          cfg.licenseFile
+        ];
+        directories = [
+          {
+            directory = cfg.cleanupDirectory;
+            user = "filebot_cleanup";
+            group = "filebot_cleanup";
+            mode = "1770";
+          }
+        ];
+      };
+    };
+  };
+}

configurations/nixos/defiant/packages.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    ffsubsync
+    sox
+    yt-dlp
+    ffmpeg
+    imagemagick
+  ];
+}

configurations/nixos/horizon/configuration.nix

@@ -32,6 +32,7 @@
         isPrincipleUser = true;
       };
       eve.isDesktopUser = true;
+      ivy.isDesktopUser = true;
     };
 
     hardware = {