From 899617266f486b447a503bf056eb6642b4c03ed4 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Tue, 1 Apr 2025 16:22:44 -0500 Subject: [PATCH 1/5] created p2p wireguard interface for defiant --- .../nixos/defiant/configuration.nix | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index 7455812..ae69c26 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -9,6 +9,9 @@ "vpn-keys/tailscale-authkey/defiant" = { sopsFile = "${inputs.secrets}/vpn-keys.yaml"; }; + "vpn-keys/proton-wireguard/defiant-p2p" = { + sopsFile = "${inputs.secrets}/vpn-keys.yaml"; + }; "services/zfs_smtp_token" = { sopsFile = "${inputs.secrets}/defiant-services.yaml"; }; @@ -101,6 +104,24 @@ }; networking = { hostId = "c51763d6"; + + wireguard.interfaces = { + p2p = { + ips = ["10.2.0.2/32"]; + listenPort = 51820; + + privateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path; + + peers = [ + { + publicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0="; + allowedIPs = ["0.0.0.0/0"]; + endpoint = "185.230.126.146:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; }; services = { From 89c8cff8a9e37adde267630a425f658af5259f87 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Tue, 1 Apr 2025 20:47:32 -0500 Subject: [PATCH 2/5] created qbittorrent config --- flake.nix | 2 + modules/nixos-modules/server/default.nix | 1 + modules/nixos-modules/server/qbittorent.nix | 160 ++++++++++++++++++++ modules/nixos-modules/users.nix | 16 ++ 4 files changed, 179 insertions(+) create mode 100644 modules/nixos-modules/server/qbittorent.nix diff --git a/flake.nix b/flake.nix index c5968db..ba10d20 100644 --- a/flake.nix +++ b/flake.nix 
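Review bot: `allowedIPs = ["0.0.0.0/0"]` on the `p2p` peer makes the `networking.wireguard` module install a default route through the tunnel (`allowedIPsAsRoutes` defaults to true), and unlike `wg-quick` it adds no fwmark or policy rule to keep the encrypted packets for `185.230.126.146:51820` off that route, so the endpoint traffic can end up routed into the very interface that is supposed to carry it. Either set `allowedIPsAsRoutes = false;` and add the routes explicitly, or use `networking.wg-quick.interfaces`, which manages the split with its own routing table. `listenPort = 51820;` is not needed for an outbound-only peer and binds a UDP socket on every address; leaving it unset lets the kernel pick a port. Later commits in this series replace this block with a systemd-networkd netdev, so the fix belongs there rather than here.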
@@ -147,6 +147,8 @@
 nix-inspect
 # for installing flakes from this repo onto other systems
 nixos-anywhere
+ # for updating disko configurations
+ disko
 ];
 SOPS_AGE_KEY_DIRECTORY = import ./const/sops_age_key_directory.nix;
diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix
index 6c3ba8e..7beee8b 100644
--- a/modules/nixos-modules/server/default.nix
+++ b/modules/nixos-modules/server/default.nix
@@ -11,5 +11,6 @@
 ./virt-home-assistant.nix
 ./adguardhome.nix
 ./immich.nix
+ ./qbittorent.nix
 ];
 }
diff --git a/modules/nixos-modules/server/qbittorent.nix b/modules/nixos-modules/server/qbittorent.nix
new file mode 100644
index 0000000..9b7b7e8
--- /dev/null
+++ b/modules/nixos-modules/server/qbittorent.nix
@@ -0,0 +1,160 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: let
+ qbittorent_data_directory = "/var/lib/qbittorrent";
+in {
+ options.services.qbittorrent = {
+ enable = lib.mkEnableOption "should the headless qbittorrent service be enabled";
+
+ dataDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/qbittorrent";
+ description = lib.mdDoc ''
+ The directory where qBittorrent stores its data files.
+ '';
+ };
+
+ mediaDir = lib.mkOption {
+ type = lib.types.path;
+ description = lib.mdDoc ''
+ The directory to create to store qbittorrent media.
+ '';
+ };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "qbittorrent";
+ description = lib.mdDoc ''
+ User account under which qBittorrent runs.
+ '';
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "qbittorrent";
+ description = lib.mdDoc ''
+ Group under which qBittorrent runs.
+ '';
+ };
+
+ webPort = lib.mkOption {
+ type = lib.types.port;
+ default = 8080;
+ description = lib.mdDoc ''
+ qBittorrent web UI port.
+ '';
+ };
+
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Open services.qBittorrent.webPort to the outside network.";
+ };
+
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.qbittorrent-nox;
+ defaultText = lib.literalExpression "pkgs.qbittorrent-nox";
+ description = "The qbittorrent package to use.";
+ };
+ };
+
+ config = lib.mkIf config.services.qbittorrent.enable (lib.mkMerge [
+ {
+ networking.firewall = lib.mkIf config.services.qbittorrent.openFirewall {
+ allowedTCPPorts = [config.services.qbittorrent.webPort];
+ };
+
+ systemd.services.qbittorrent = {
+ # based on the plex.nix service module and
+ # https://github.com/qbittorrent/qBittorrent/blob/master/dist/unix/systemd/qbittorrent-nox%40.service.in
+ description = "qBittorrent-nox service";
+ documentation = ["man:qbittorrent-nox(1)"];
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ User = config.services.qbittorrent.user;
+ Group = config.services.qbittorrent.group;
+
+ # Run the pre-start script with full permissions (the "!" prefix) so it
+ # can create the data directory if necessary.
+ ExecStartPre = let
+ preStartScript = pkgs.writeScript "qbittorrent-run-prestart" ''
+ #!${pkgs.bash}/bin/bash
+
+ # Create data directory if it doesn't exist
+ if ! test -d "$QBT_PROFILE"; then
+ echo "Creating initial qBittorrent data directory in: $QBT_PROFILE"
+ install -d -m 0755 -o "${config.services.qbittorrent.user}" -g "${config.services.qbittorrent.group}" "$QBT_PROFILE"
+ fi
+ '';
+ in "!${preStartScript}";
+
+ #ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox";
+ ExecStart = "${config.services.qbittorrent.package}/bin/qbittorrent-nox";
+ # To prevent "Quit & shutdown daemon" from working; we want systemd to
+ # manage it!
+ #Restart = "on-success";
+ #UMask = "0002";
+ #LimitNOFILE = cfg.openFilesLimit;
+ };
+
+ environment = {
+ QBT_PROFILE = config.services.qbittorrent.dataDir;
+ QBT_WEBUI_PORT = toString config.services.qbittorrent.webPort;
+ };
+ };
+ }
+ (lib.mkIf config.host.impermanence.enable {
+ fileSystems."/persist/system/qbittorrent".neededForBoot = true;
+
+ host.storage.pool.extraDatasets = {
+ # sops age key needs to be available to pre persist for user generation
+ "persist/system/qbittorrent" = {
+ type = "zfs_fs";
+ mountpoint = "/persist/system/qbittorrent";
+ options = {
+ canmount = "on";
+ };
+ };
+ };
+
+ assertions = [
+ {
+ assertion = config.services.qbittorrent.dataDir == qbittorent_data_directory;
+ message = "qbittorrent data directory does not match persistence";
+ }
+ ];
+
+ environment.persistence = {
+ "/persist/system/root" = {
+ directories = [
+ {
+ directory = qbittorent_data_directory;
+ user = "qbittorrent";
+ group = "qbittorrent";
+ }
+ ];
+ };
+
+ "/persist/system/qbittorrent" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ {
+ directory = config.services.qbittorrent.mediaDir;
+ user = "qbittorrent";
+ group = "qbittorrent";
+ mode = "1775";
+ }
+ ];
+ };
+ };
+ })
+ ]);
+}
diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix
index 7bdb3dd..18cf06f 100644
--- a/modules/nixos-modules/users.nix
+++ b/modules/nixos-modules/users.nix
@@ -23,6 +23,7 @@
 ollama = 2008;
 git = 2009;
 immich = 2010;
+ qbittorrent = 2011;
 };
 gids = {
@@ -38,6 +39,7 @@
 ollama = 2008;
 git = 2009;
 immich = 2010;
+ qbittorrent = 2011;
 };
 users = config.users.users;
@@ -159,6 +161,12 @@ in {
 isSystemUser = true;
 group = config.users.users.immich.name;
 };
+
+ qbittorrent = {
+ uid = lib.mkForce uids.qbittorrent;
+ isNormalUser = true;
+ group = config.users.users.qbittorrent.name;
+ };
 };
 groups = {
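Review bot: The two `environment.persistence` entries at the end of `qbittorent.nix` hard-code `user = "qbittorrent"; group = "qbittorrent";` while the unit runs as `config.services.qbittorrent.user`/`.group`, so a host that overrides those options gets its data and media directories owned by an account other than the daemon; they should read `user = config.services.qbittorrent.user;` and `group = config.services.qbittorrent.group;`. `ExecStartPre` runs a root shell script only to `install -d` the data directory; when `dataDir` keeps its default, `StateDirectory = "qbittorrent";` gives the same result without a privileged step and leaves room for the usual sandboxing of a network-facing daemon (`NoNewPrivileges`, `PrivateTmp`, `ProtectSystem`, `ProtectHome`), of which this unit has none. `Restart` is left commented out, so a crash of qbittorrent-nox is not recovered; `Restart = "on-failure";` is the usual choice. The comment `# sops age key needs to be available to pre persist for user generation` above the zfs dataset appears to be copied from another module and does not describe this dataset.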
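Review bot: The `qbittorrent` account added in the third `users.nix` hunk is declared with `isNormalUser = true;`, which creates a home directory under `/home`, assigns a login shell and puts the account in the `users` group, while the sibling `immich` entry in the context lines directly above uses `isSystemUser = true;`. For a daemon account the system-user form is the least-privilege choice and keeps the two entries consistent: `isSystemUser = true;`. The `uids`/`gids` additions follow the existing numbering and need no change.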
@@ -255,6 +263,14 @@ in { # leyla ]; }; + + qbittorrent = { + gid = lib.mkForce gids.qbittorrent; + members = [ + users.qbittorrent.name + leyla + ]; + }; }; }; } From e293c838417da265765183073cf7ced505423122 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Tue, 1 Apr 2025 22:33:18 -0500 Subject: [PATCH 3/5] tried to fix wireguard config --- .../nixos/defiant/configuration.nix | 92 ++++++++++++++++--- .../nixos/defiant/hardware-configuration.nix | 30 +----- 2 files changed, 81 insertions(+), 41 deletions(-) diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index ae69c26..199c1ba 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -11,6 +11,9 @@ }; "vpn-keys/proton-wireguard/defiant-p2p" = { sopsFile = "${inputs.secrets}/vpn-keys.yaml"; + mode = "0640"; + owner = "root"; + group = "systemd-network"; }; "services/zfs_smtp_token" = { sopsFile = "${inputs.secrets}/defiant-services.yaml"; 
@@ -102,26 +105,84 @@
 enable = false;
 };
 };
- networking = {
- hostId = "c51763d6";
- wireguard.interfaces = {
- p2p = {
- ips = ["10.2.0.2/32"];
- listenPort = 51820;
+ systemd.network = {
+ enable = true;
- privateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
+ config = {
+ routeTables = {
+ p2p = 1;
+ };
+ };
- peers = [
+ netdevs = {
+ "10-bond0" = {
+ netdevConfig = {
+ Kind = "bond";
+ Name = "bond0";
+ };
+ bondConfig = {
+ Mode = "802.3ad";
+ TransmitHashPolicy = "layer3+4";
+ };
+ };
+
+ "15-p2p" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "p2p0";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
+ ListenPort = 51820;
+ # RouteTable = "p2p";
+ };
+ wireguardPeers = [
 {
- publicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
- allowedIPs = ["0.0.0.0/0"];
- endpoint = "185.230.126.146:51820";
- persistentKeepalive = 25;
+ PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
+ Endpoint = "185.230.126.146:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ RouteTable = "off";
 }
 ];
 };
 };
+ networks = {
+ "40-bond0" = {
+ matchConfig.Name = "bond0";
+ linkConfig = {
+ RequiredForOnline = "degraded-carrier";
+ RequiredFamilyForOnline = "any";
+ };
+ networkConfig.DHCP = "yes";
+
+ address = [
+ "192.168.1.10/32"
+ ];
+
+ gateway = ["192.168.1.1"];
+ dns = ["192.168.1.1"];
+ };
+
+ "45-p2p" = {
+ matchConfig.Name = "p2p0";
+ address = [
+ "10.2.0.2/32"
+ ];
+ # routingPolicyRules = [
+ # {
+ # From = "10.2.0.2/32";
+ # Table = "p2p";
+ # }
+ # {
+ # To = "10.2.0.2/32";
+ # Table = "p2p";
+ # }
+ # ];
+ linkConfig.RequiredForOnline = false;
+ };
+ };
 };
 services = {
@@ -205,6 +266,13 @@
 networkBridge = "bond0";
 hostDevice = "0x10c4:0xea60";
 };
+
+ qbittorrent = {
+ enable = true;
+ mediaDir = "/srv/qbittorent";
+ openFirewall = true;
+ webPort = 8084;
+ };
 };
 # disable computer sleeping
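Review bot: `address = ["192.168.1.10/32"]` on `40-bond0` gives the LAN address a host-only prefix, so no on-link route for the 192.168.1.0/24 segment is created and `gateway = ["192.168.1.1"]` is only reachable through whatever the DHCP lease installs next to it; the `hardware-configuration.nix` hunk in the same commit removed this entry as a bare `"192.168.1.10"`, so the `/32` was presumably added to satisfy networkd's syntax rather than to mean a host route. If the segment is a /24 this should be `"192.168.1.10/24"`, and a static address, gateway and DNS next to `networkConfig.DHCP = "yes"` duplicates what the lease supplies — keep one of the two. On the wireguard side, `AllowedIPs = ["0.0.0.0/0"]` with `RouteTable = "off"` and the policy rules commented out means nothing is routed into `p2p0` at this point, the `routeTables.p2p = 1` entry declared in `config` is never referenced, and `ListenPort = 51820` is unnecessary for a client-only peer.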
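Review bot: `openFirewall = true;` with `webPort = 8084;` opens the WebUI on every interface — `networking.firewall.allowedTCPPorts` is not interface-scoped — so the qBittorrent WebUI, which until its credentials are changed accepts the package's initial login (a documented default or a journal-printed temporary password, depending on the qBittorrent version), is reachable from the LAN and, because the `p2p0` peer accepts `AllowedIPs = 0.0.0.0/0`, potentially from anything the VPN gateway forwards to this host. Scoping it to the LAN is a one-line replacement for `openFirewall`: `networking.firewall.interfaces.bond0.allowedTCPPorts = [8084];`, or leave the firewall closed and reach the UI over the tailscale interface this host already authenticates (see the `tailscale-authkey` secret above). `mediaDir = "/srv/qbittorent"` repeats the spelling of the module file name; presumably intentional, but worth a check before the path is persisted.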
diff --git a/configurations/nixos/defiant/hardware-configuration.nix b/configurations/nixos/defiant/hardware-configuration.nix
index 3b3ac45..d4a638b 100644
--- a/configurations/nixos/defiant/hardware-configuration.nix
+++ b/configurations/nixos/defiant/hardware-configuration.nix
@@ -34,25 +34,13 @@
 networking = {
 hostName = "defiant"; # Define your hostname.
+ hostId = "c51763d6";
 useNetworkd = true;
 };
 systemd.network = {
 enable = true;
- netdevs = {
- "10-bond0" = {
- netdevConfig = {
- Kind = "bond";
- Name = "bond0";
- };
- bondConfig = {
- Mode = "802.3ad";
- TransmitHashPolicy = "layer3+4";
- };
- };
- };
-
 networks = {
 "30-eno1" = {
 matchConfig.Name = "eno1";
@@ -62,22 +50,6 @@
 matchConfig.Name = "eno2";
 networkConfig.Bond = "bond0";
 };
-
- "40-bond0" = {
- matchConfig.Name = "bond0";
- linkConfig = {
- RequiredForOnline = "degraded-carrier";
- RequiredFamilyForOnline = "any";
- };
- networkConfig.DHCP = "yes";
-
- address = [
- "192.168.1.10"
- ];
-
- gateway = ["192.168.1.1"];
- dns = ["192.168.1.1"];
- };
 };
 };
From 669132d67f47b0b8806a56fe1a9990c955e7a089 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Sat, 12 Apr 2025 02:59:28 -0500
Subject: [PATCH 4/5] installed sox
---
 configurations/home-manager/leyla/packages.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/configurations/home-manager/leyla/packages.nix b/configurations/home-manager/leyla/packages.nix
index 449e828..d9f1b32 100644
--- a/configurations/home-manager/leyla/packages.nix
+++ b/configurations/home-manager/leyla/packages.nix
@@ -21,6 +21,7 @@ in {
 lib.lists.optionals userConfig.isTerminalUser (
 with pkgs; [
 # command line tools
+ sox
 yt-dlp
 ffmpeg
 imagemagick
From eb738c14770b626f7e1bd367ee24258c0029658f Mon Sep 17 00:00:00 2001
From: Leyla Becker Date: Sat, 12 Apr 2025 03:14:35 -0500 Subject: [PATCH 5/5] cleaned up excluded packages --- .../nixos/defiant/configuration.nix | 25 ++++++------------- modules/nixos-modules/desktop.nix | 20 ++++++++++++++- 2 files changed, 27 insertions(+), 18 deletions(-) diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index 199c1ba..ca9a291 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -127,11 +127,11 @@ }; }; - "15-p2p" = { + "15-p2p0" = { netdevConfig = { Kind = "wireguard"; Name = "p2p0"; - MTUBytes = "1300"; + MTUBytes = "1280"; }; wireguardConfig = { PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path; @@ -165,21 +165,16 @@ dns = ["192.168.1.1"]; }; - "45-p2p" = { + "45-p2p0" = { matchConfig.Name = "p2p0"; address = [ "10.2.0.2/32" ]; - # routingPolicyRules = [ - # { - # From = "10.2.0.2/32"; - # Table = "p2p"; - # } - # { - # To = "10.2.0.2/32"; - # Table = "p2p"; - # } - # ]; + routes = [ + { + Destination = "0.0.0.0/0"; + } + ]; linkConfig.RequiredForOnline = false; }; }; @@ -203,11 +198,7 @@ }; desktopManager = { gnome.enable = true; - xterm.enable = false; }; - - # Get rid of xTerm - excludePackages = [pkgs.xterm]; }; ollama = { diff --git a/modules/nixos-modules/desktop.nix b/modules/nixos-modules/desktop.nix index 22a7b65..2182cb2 100644 --- a/modules/nixos-modules/desktop.nix +++ b/modules/nixos-modules/desktop.nix @@ -27,7 +27,25 @@ # Get rid of xTerm desktopManager.xterm.enable = false; - excludePackages = [pkgs.xterm]; + excludePackages = with pkgs; [ + xterm + transmission_4-qt + atomix # puzzle game + cheese # webcam tool + epiphany # web browser + geary # email reader + gedit # text editor + gnome-characters + gnome-music + gnome-photos + gnome-tour + gnome-logs + gnome-maps + hitori # sudoku game + iagno # go game + tali # poker game + yelp # help viewer + ]; }; pipewire = {
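Review bot: The new `routes` entry on `45-p2p0` puts `0.0.0.0/0` in the main table with no `Table` or `Metric`, so it competes with the default route bond0 receives from DHCP, and whichever wins applies to the whole host — including the encrypted packets to the peer's `Endpoint`, which have to leave via bond0 for the tunnel to come up at all; the `routeTables.p2p = 1` table declared earlier in this file is still unused. The usual shape is to give this route `Table = "p2p";`, add a host route for `185.230.126.146/32` via `192.168.1.1` on `40-bond0`, and select table `p2p` with `routingPolicyRules` (by `From = "10.2.0.2/32"` or a `FirewallMark`) for the traffic that should use the tunnel, which is what the rules removed from this hunk were reaching for. Presumably only qbittorrent is meant to use the VPN; the qbittorrent module added earlier in this series does not bind the daemon to `p2p0`, so without such a rule torrent traffic falls back to bond0 whenever the tunnel is down. `MTUBytes = "1280"` is the conservative WireGuard minimum and is fine.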