jacopo, mikey, andrew wg clients. transmission added

2021-11-05 20:16:08 +01:00 · 2021-11-05 20:16:08 +01:00 · 77931ab71a
commit 77931ab71a
parent f58b776a3d
8 changed files with 87 additions and 8 deletions
--- a/flake.lock
+++ b/flake.lock
@ -23,11 +23,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1634515797,
-        "narHash": "sha256-elgCUC2khtBkOSpE4gDymNvthTZAI4hGI2iNu3YEUkA=",
+        "lastModified": 1635702959,
+        "narHash": "sha256-ZKxX9DjJJGJqq20pE4dIj1G4ssCLVXXRFerM6lNuF0k=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5f0194220f2402b06f7f79bba6351895facb5acb",
+        "rev": "e544ee88fa4590df75e221e645a03fe157a99e5b",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1634661806,
-        "narHash": "sha256-fBuR7EZ67UOdNt3gEwhoyWJ6zJtXh4kuupIALRcx/7I=",
+        "lastModified": 1635719588,
+        "narHash": "sha256-pWjdy0NheM97NsPE6+jUnr5LYyeA0sBGTdw4mfXMGZQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8fe3b97ef4527ac88d03ea33e0789f3512e01adc",
+        "rev": "f0869b1a2c0b150aac26e10bb5c2364ffb2e804f",
        "type": "github"
      },
      "original": {
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -26,6 +26,7 @@ in
      ./minecraft.nix
      ./prowlarr.nix
      ./plex.nix
+      ./transmission.nix
    ];

    time.timeZone                                  = "Europe/Rome";
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -9,10 +9,12 @@ let
    443   # https
    8448  # matrix
    10022 # gitea
+    51413 # transmission
  ];
  open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
    1194  # wireguard
    3478  # turn
+    51413 # transmission
  ];
 in {
  networking = {
@ -134,6 +136,7 @@ in {
            
            # gdevices talking to everyone in VPN
            ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept
+            ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
            
            # nat to wan
            oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@ -41,6 +41,10 @@ rec {
  alain-wg         = "10.3.0.22";
  dima-wg          = "10.3.0.23";
  mikey-wg         = "10.3.0.24";
+  andrew-wg        = "10.3.0.25";
+  mikeylaptop-wg   = "10.3.0.26";
+  andrewdesktop-wg = "10.3.0.27";
+  jacopo-wg        = "10.3.0.28";
  eleonora-wg      = "10.3.0.100";
  angellane-wg     = "10.3.0.200";
  hotpottino-wg    = "10.3.0.201";
@ -52,6 +56,7 @@ rec {
  routers-wg       = [ hotpottino-wg angellane-wg dodino-wg ];
  c2c-wg           = [ ] ++ gdevices-wg;
  towan-wg         = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
+  gamenet-wg       = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg ];

  # domains
  sonarrdomain = "htson.giugl.io";
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@ -16,6 +16,10 @@ with import ./network.nix;
      enableACME = true;
      http2 = true;
      extraConfig = ''
+        allow 10.3.0.0/24;
+        allow 10.0.0.0/24;
+        deny all;
+
      #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
        send_timeout 100m;

--- a/hosts/architect/transmission.nix
+++ b/hosts/architect/transmission.nix
@ -0,0 +1,41 @@
+with import ./network.nix;
+
+let
+  domain = "httra.giugl.io";
+in {
+  services = {
+    transmission = {
+      enable = true;
+      settings = {
+        download-dir = "/media/transmission";
+        incomplete-dir = "/media/transmission/.incomplete";
+        rpc-host-whitelist = "${domain}";
+        encryption = 2;
+        speed-limit-up = 10;
+        speed-limit-up-enabled = true;
+        peer-port = 51413;
+      };
+      performanceNetParameters = true;
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:9091";
+        extraConfig = ''
+          allow 10.0.0.0/24;
+          allow 10.3.0.0/24;
+          deny all;
+        '';
+      };
+    };
+  };
+
+  networking.extraHosts = ''
+    ${architect-lan} ${domain}
+    ${architect-wg} ${domain}
+  '';
+
+  users.groups.media.members = ["transmission"];
+}
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@ -29,6 +29,8 @@ with import ./network.nix;
      ${dima-wg}            dima.devs.giugl.io
      ${boogino-wg}         boogino.devs.giugl.io
      ${mikey-wg}           mikey.devs.giugl.io
+      ${andrew-wg}          andrew.devs.giugl.io
+      ${mikeylaptop-wg}     mikeylaptop.devs.giugl.io
    '';

    wireguard = {
@ -231,6 +233,30 @@ with import ./network.nix;
          allowedIPs = [mikey-wg];
          publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
        }
+
+        {
+          # andrew
+          allowedIPs = [andrew-wg];
+          publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
+        }
+
+        {
+          # mikey laptop
+          allowedIPs = [mikeylaptop-wg];
+          publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
+        }
+
+        {
+          # andrew desktop
+          allowedIPs = [andrewdesktop-wg];
+          publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
+        }
+
+        {
+          # laptop desktop
+          allowedIPs = [jacopo-wg];
+          publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
+        }
      ];
    };
  };
--- a/roles/home/common.nix
+++ b/roles/home/common.nix
@ -1,7 +1,7 @@
 { config, pkgs, ... }:

 {
-  imports = [ ./zsh.nix ];
+  imports = [ ./zsh.nix ./git.nix ];

  home = {
    stateVersion     = "21.05";
@ -19,7 +19,6 @@

  programs.neovim = {
    enable      = true;
-    #package = pkgs.unstable.neovim-unwrapped;

    extraConfig = ''
      " syntax