diff --git a/configurations/home-manager/leyla/packages.nix b/configurations/home-manager/leyla/packages.nix
index 449e828..d9f1b32 100644
--- a/configurations/home-manager/leyla/packages.nix
+++ b/configurations/home-manager/leyla/packages.nix
@@ -21,6 +21,7 @@ in {
 lib.lists.optionals userConfig.isTerminalUser (
 with pkgs; [
 # command line tools
+ sox
 yt-dlp
 ffmpeg
 imagemagick
diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix
index 7455812..ca9a291 100644
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@@ -9,6 +9,12 @@
 "vpn-keys/tailscale-authkey/defiant" = {
 sopsFile = "${inputs.secrets}/vpn-keys.yaml";
 };
+ "vpn-keys/proton-wireguard/defiant-p2p" = {
+ sopsFile = "${inputs.secrets}/vpn-keys.yaml";
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
 "services/zfs_smtp_token" = {
 sopsFile = "${inputs.secrets}/defiant-services.yaml";
 };
@@ -99,8 +105,79 @@ enable = false; }; }; - networking = { - hostId = "c51763d6"; + + systemd.network = { + enable = true; + + config = { + routeTables = { + p2p = 1; + }; + }; + + netdevs = { + "10-bond0" = { + netdevConfig = { + Kind = "bond"; + Name = "bond0"; + }; + bondConfig = { + Mode = "802.3ad"; + TransmitHashPolicy = "layer3+4"; + }; + }; + + "15-p2p0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "p2p0"; + MTUBytes = "1280"; + }; + wireguardConfig = { + PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path; + ListenPort = 51820; + # RouteTable = "p2p"; + }; + wireguardPeers = [ + { + PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0="; + Endpoint = "185.230.126.146:51820"; + AllowedIPs = ["0.0.0.0/0"]; + RouteTable = "off"; + } + ]; + }; + }; + networks = { + "40-bond0" = { + matchConfig.Name = "bond0"; + linkConfig = { + RequiredForOnline = "degraded-carrier"; + RequiredFamilyForOnline = "any"; + }; + networkConfig.DHCP = "yes"; + + address = [ + "192.168.1.10/32" + ]; + + gateway = ["192.168.1.1"]; + dns = ["192.168.1.1"]; + }; + + "45-p2p0" = { + matchConfig.Name = "p2p0"; + address = [ + "10.2.0.2/32" + ]; + routes = [ + { + Destination = "0.0.0.0/0"; + } + ]; + linkConfig.RequiredForOnline = false; + }; + }; }; services = { @@ -121,11 +198,7 @@ }; desktopManager = { gnome.enable = true; - xterm.enable = false; }; - - # Get rid of xTerm - excludePackages = [pkgs.xterm]; }; ollama = { @@ -184,6 +257,13 @@ networkBridge = "bond0"; hostDevice = "0x10c4:0xea60"; }; + + qbittorrent = { + enable = true; + mediaDir = "/srv/qbittorent"; + openFirewall = true; + webPort = 8084; + }; }; # disable computer sleeping diff --git a/configurations/nixos/defiant/hardware-configuration.nix b/configurations/nixos/defiant/hardware-configuration.nix index 3b3ac45..d4a638b 100644 --- a/configurations/nixos/defiant/hardware-configuration.nix +++ b/configurations/nixos/defiant/hardware-configuration.nix 
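Review bot: The default route added for p2p0 in `45-p2p0` carries no `Table = "p2p"` and there is no routing-policy rule, so it is installed in the main table next to bond0's `gateway = ["192.168.1.1"]`; which default route wins is then decided by metric ordering rather than policy, and in the likely outcome every flow on the host (tailscale, the LAN-facing services, replies to inbound SSH) is pushed through the ProtonVPN tunnel while `routeTables.p2p` stays unused. If the intent is to tunnel only the torrent client, pin the route to the table and select it by uid as sketched below (the exact spelling of `routingPolicyRules` entries differs between NixOS releases — confirm against the pinned nixpkgs). Nothing here fails closed either: if the WireGuard route disappears, a uid rule falls through to the main table and bond0, so an `unreachable` route with a higher metric in table p2p, attached to a link that stays up such as bond0, is needed as a kill switch. `address = ["192.168.1.10/32"]` with an off-link gateway presumably only works because DHCP also supplies the /24 — worth a comment, since the old definition used a bare `192.168.1.10`.
```nix
"45-p2p0" = {
  matchConfig.Name = "p2p0";
  address = ["10.2.0.2/32"];
  routes = [
    {
      Destination = "0.0.0.0/0";
      Table = "p2p"; # keep the tunnel's default route out of the main table
    }
  ];
  # only traffic from the torrent client's uid is looked up in table p2p;
  # everything else keeps using bond0's gateway. User= accepts a uid or
  # name on current systemd; verify on the pinned version.
  routingPolicyRules = [
    {
      User = "qbittorrent";
      Table = "p2p";
      Priority = 100;
    }
  ];
  linkConfig.RequiredForOnline = false;
};
```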
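Review bot: `openFirewall = true` on the new `qbittorrent` block opens the web UI port 8084 on every interface, including the p2p0 tunnel introduced in this same file, and the UI is guarded only by qBittorrent's own login, which starts from a default or generated admin credential that this configuration does nothing to set. Prefer leaving `openFirewall` at its default and opening the port on the LAN-facing link only, e.g. `networking.firewall.interfaces.bond0.allowedTCPPorts = [8084];`, or at least record in a comment that the WebUI password has been changed. `mediaDir = "/srv/qbittorent"` misspells the service name; since the path is persisted and shared with group members, settling the spelling now avoids a later migration.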
@@ -34,25 +34,13 @@ networking = { hostName = "defiant"; # Define your hostname. + hostId = "c51763d6"; useNetworkd = true; }; systemd.network = { enable = true; - netdevs = { - "10-bond0" = { - netdevConfig = { - Kind = "bond"; - Name = "bond0"; - }; - bondConfig = { - Mode = "802.3ad"; - TransmitHashPolicy = "layer3+4"; - }; - }; - }; - networks = { "30-eno1" = { matchConfig.Name = "eno1"; @@ -62,22 +50,6 @@ matchConfig.Name = "eno2"; networkConfig.Bond = "bond0"; }; - - "40-bond0" = { - matchConfig.Name = "bond0"; - linkConfig = { - RequiredForOnline = "degraded-carrier"; - RequiredFamilyForOnline = "any"; - }; - networkConfig.DHCP = "yes"; - - address = [ - "192.168.1.10" - ]; - - gateway = ["192.168.1.1"]; - dns = ["192.168.1.1"]; - }; }; }; diff --git a/flake.nix b/flake.nix index c5968db..ba10d20 100644 --- a/flake.nix +++ b/flake.nix @@ -147,6 +147,8 @@ nix-inspect # for installing flakes from this repo onto other systems nixos-anywhere + # for updating disko configurations + disko ]; SOPS_AGE_KEY_DIRECTORY = import ./const/sops_age_key_directory.nix; diff --git a/modules/nixos-modules/desktop.nix b/modules/nixos-modules/desktop.nix index 22a7b65..2182cb2 100644 --- a/modules/nixos-modules/desktop.nix +++ b/modules/nixos-modules/desktop.nix @@ -27,7 +27,25 @@ # Get rid of xTerm desktopManager.xterm.enable = false; - excludePackages = [pkgs.xterm]; + excludePackages = with pkgs; [ + xterm + transmission_4-qt + atomix # puzzle game + cheese # webcam tool + epiphany # web browser + geary # email reader + gedit # text editor + gnome-characters + gnome-music + gnome-photos + gnome-tour + gnome-logs + gnome-maps + hitori # sudoku game + iagno # go game + tali # poker game + yelp # help viewer + ]; }; pipewire = { diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix index 6c3ba8e..7beee8b 100644 --- a/modules/nixos-modules/server/default.nix +++ b/modules/nixos-modules/server/default.nix 
@@ -11,5 +11,6 @@
 ./virt-home-assistant.nix
 ./adguardhome.nix
 ./immich.nix
+ ./qbittorent.nix
 ];
 }
diff --git a/modules/nixos-modules/server/qbittorent.nix b/modules/nixos-modules/server/qbittorent.nix
new file mode 100644
index 0000000..9b7b7e8
--- /dev/null
+++ b/modules/nixos-modules/server/qbittorent.nix
@@ -0,0 +1,160 @@ +{ + lib, + pkgs, + config, + ... +}: let + qbittorent_data_directory = "/var/lib/qbittorrent"; +in { + options.services.qbittorrent = { + enable = lib.mkEnableOption "should the headless qbittorrent service be enabled"; + + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/qbittorrent"; + description = lib.mdDoc '' + The directory where qBittorrent stores its data files. + ''; + }; + + mediaDir = lib.mkOption { + type = lib.types.path; + description = lib.mdDoc '' + The directory to create to store qbittorrent media. + ''; + }; + + user = lib.mkOption { + type = lib.types.str; + default = "qbittorrent"; + description = lib.mdDoc '' + User account under which qBittorrent runs. + ''; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "qbittorrent"; + description = lib.mdDoc '' + Group under which qBittorrent runs. + ''; + }; + + webPort = lib.mkOption { + type = lib.types.port; + default = 8080; + description = lib.mdDoc '' + qBittorrent web UI port. 
+ ''; + }; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Open services.qBittorrent.webPort to the outside network."; + }; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.qbittorrent-nox; + defaultText = lib.literalExpression "pkgs.qbittorrent-nox"; + description = "The qbittorrent package to use."; + }; + }; + + config = lib.mkIf config.services.qbittorrent.enable (lib.mkMerge [ + { + networking.firewall = lib.mkIf config.services.qbittorrent.openFirewall { + allowedTCPPorts = [config.services.qbittorrent.webPort]; + }; + + systemd.services.qbittorrent = { + # based on the plex.nix service module and + # https://github.com/qbittorrent/qBittorrent/blob/master/dist/unix/systemd/qbittorrent-nox%40.service.in + description = "qBittorrent-nox service"; + documentation = ["man:qbittorrent-nox(1)"]; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + + serviceConfig = { + Type = "simple"; + User = config.services.qbittorrent.user; + Group = config.services.qbittorrent.group; + + # Run the pre-start script with full permissions (the "!" prefix) so it + # can create the data directory if necessary. + ExecStartPre = let + preStartScript = pkgs.writeScript "qbittorrent-run-prestart" '' + #!${pkgs.bash}/bin/bash + + # Create data directory if it doesn't exist + if ! test -d "$QBT_PROFILE"; then + echo "Creating initial qBittorrent data directory in: $QBT_PROFILE" + install -d -m 0755 -o "${config.services.qbittorrent.user}" -g "${config.services.qbittorrent.group}" "$QBT_PROFILE" + fi + ''; + in "!${preStartScript}"; + + #ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox"; + ExecStart = "${config.services.qbittorrent.package}/bin/qbittorrent-nox"; + # To prevent "Quit & shutdown daemon" from working; we want systemd to + # manage it! 
+ #Restart = "on-success"; + #UMask = "0002"; + #LimitNOFILE = cfg.openFilesLimit; + }; + + environment = { + QBT_PROFILE = config.services.qbittorrent.dataDir; + QBT_WEBUI_PORT = toString config.services.qbittorrent.webPort; + }; + }; + } + (lib.mkIf config.host.impermanence.enable { + fileSystems."/persist/system/qbittorrent".neededForBoot = true; + + host.storage.pool.extraDatasets = { + # sops age key needs to be available to pre persist for user generation + "persist/system/qbittorrent" = { + type = "zfs_fs"; + mountpoint = "/persist/system/qbittorrent"; + options = { + canmount = "on"; + }; + }; + }; + + assertions = [ + { + assertion = config.services.qbittorrent.dataDir == qbittorent_data_directory; + message = "qbittorrent data directory does not match persistence"; + } + ]; + + environment.persistence = { + "/persist/system/root" = { + directories = [ + { + directory = qbittorent_data_directory; + user = "qbittorrent"; + group = "qbittorrent"; + } + ]; + }; + + "/persist/system/qbittorrent" = { + enable = true; + hideMounts = true; + directories = [ + { + directory = config.services.qbittorrent.mediaDir; + user = "qbittorrent"; + group = "qbittorrent"; + mode = "1775"; + } + ]; + }; + }; + }) + ]); +} diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix index 7bdb3dd..18cf06f 100644 --- a/modules/nixos-modules/users.nix +++ b/modules/nixos-modules/users.nix @@ -23,6 +23,7 @@ ollama = 2008; git = 2009; immich = 2010; + qbittorrent = 2011; }; gids = { @@ -38,6 +39,7 @@ ollama = 2008; git = 2009; immich = 2010; + qbittorrent = 2011; }; users = config.users.users; @@ -159,6 +161,12 @@ in { isSystemUser = true; group = config.users.users.immich.name; }; + + qbittorrent = { + uid = lib.mkForce uids.qbittorrent; + isNormalUser = true; + group = config.users.users.qbittorrent.name; + }; }; groups = { 
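Review bot: The `systemd.services.qbittorrent` unit runs a daemon that parses traffic from arbitrary peers with no sandboxing beyond `User=`/`Group=`: `UMask`, `LimitNOFILE` and `Restart` are left commented out, and there is no `NoNewPrivileges`, `ProtectSystem`, `ProtectHome`, `PrivateTmp`, `RestrictAddressFamilies` or `CapabilityBoundingSet`, so a compromised process has the full reach of its account. Add a hardening set to `serviceConfig` along the lines below, with `ReadWritePaths` limited to `dataDir` and `mediaDir` so `ProtectSystem = "strict"` does not break writes (AF_NETLINK is kept because libtorrent enumerates interfaces over netlink — confirm on the pinned package). `after = ["network.target"]` only waits for network setup; if the client is meant to use a VPN tunnel, an `after`/`bindsTo` on that link's `.device` unit or a `network-online.target` dependency keeps it from starting, and leaking, before the tunnel exists. The `openFirewall` option opens `webPort` on all interfaces; either add an `interfaces` option or say so in its description and point at `networking.firewall.interfaces.<name>.allowedTCPPorts`.
```nix
serviceConfig = {
  Type = "simple";
  User = config.services.qbittorrent.user;
  Group = config.services.qbittorrent.group;
  # … unchanged: ExecStartPre / ExecStart …
  Restart = "on-failure";
  UMask = "0002"; # group-writable downloads, matching mediaDir's 1775
  # Sandboxing: the daemon talks to untrusted peers, keep its reach to the
  # data and media directories.
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  PrivateDevices = true;
  ProtectKernelTunables = true;
  ProtectControlGroups = true;
  RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK"];
  CapabilityBoundingSet = "";
  ReadWritePaths = [
    config.services.qbittorrent.dataDir
    config.services.qbittorrent.mediaDir
  ];
};
```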
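Review bot: The new `qbittorrent` account is declared with `isNormalUser = true`, while the sibling service accounts in this block (the visible `immich` entry) use `isSystemUser = true`; a normal user gets a home directory and a login shell, neither of which a headless daemon needs, and both widen what a compromised qbittorrent process can do. Unless something depends on `/home/qbittorrent`, change it to `isSystemUser = true;` to match the rest of the file. The enclosing `users` attribute set starts and ends outside the hunk.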
@@ -255,6 +263,14 @@ in {
 # leyla
 ];
 };
+
+ qbittorrent = {
+ gid = lib.mkForce gids.qbittorrent;
+ members = [
+ users.qbittorrent.name
+ leyla
+ ];
+ };
 };
 };
 }