From 59d975065314f54560f1b7fbfb4281c7f2482c52 Mon Sep 17 00:00:00 2001 From: Paul-Henri Froidmont Date: Fri, 10 Dec 2021 03:02:34 +0100 Subject: [PATCH] Migrate torrents --- dns.tf | 40 +++++++++++ modules/stb.nix | 2 + modules/torrents.nix | 154 +++++++++++++++++++++++++++++++++++++++++++ profiles/storage.nix | 12 ++++ secrets.enc.yml | 8 ++- 5 files changed, 214 insertions(+), 2 deletions(-) create mode 100644 modules/torrents.nix diff --git a/dns.tf b/dns.tf index 3e1c8e8..bd1bbbd 100644 --- a/dns.tf +++ b/dns.tf @@ -39,6 +39,46 @@ resource "hetznerdns_record" "jellyfin_a" { ttl = 600 } +resource "hetznerdns_record" "transmission_a" { + zone_id = data.hetznerdns_zone.banditlair_zone.id + name = "transmission" + value = local.storage1_ip + type = "A" + ttl = 600 +} + +resource "hetznerdns_record" "jackett_a" { + zone_id = data.hetznerdns_zone.banditlair_zone.id + name = "jackett" + value = local.storage1_ip + type = "A" + ttl = 600 +} + +resource "hetznerdns_record" "sonarr_a" { + zone_id = data.hetznerdns_zone.banditlair_zone.id + name = "sonarr" + value = local.storage1_ip + type = "A" + ttl = 600 +} + +resource "hetznerdns_record" "radarr_a" { + zone_id = data.hetznerdns_zone.banditlair_zone.id + name = "radarr" + value = local.storage1_ip + type = "A" + ttl = 600 +} + +resource "hetznerdns_record" "headphones_a" { + zone_id = data.hetznerdns_zone.banditlair_zone.id + name = "headphones" + value = local.storage1_ip + type = "A" + ttl = 600 +} + resource "hetznerdns_record" "monero_a" { zone_id = data.hetznerdns_zone.banditlair_zone.id name = "monero" diff --git a/modules/stb.nix b/modules/stb.nix index e918768..d101e4e 100644 --- a/modules/stb.nix +++ b/modules/stb.nix @@ -41,6 +41,7 @@ in }; volumes = [ "/var/lib/mariadb/stb:/var/lib/mysql" ]; extraOptions = [ "--network=stb-br" ]; + autoStart = true; }; "stb-wordpress" = { @@ -51,6 +52,7 @@ in ]; ports = [ "8080:80" ]; extraOptions = [ "--network=stb-br" ]; + autoStart = true; }; }; 
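Review bot: The `headphones_a` record added at the end of this hunk has no counterpart elsewhere in the commit: modules/torrents.nix defines nginx virtual hosts for transmission, jackett, sonarr and radarr, but no headphones service or vhost. As written, `headphones` would resolve to `local.storage1_ip` and be answered by whichever server block nginx treats as its default on that host, which is probably not intended. I would drop the record until the service exists, or add it in the same change as its vhost. The other four names become publicly resolvable as soon as this is applied, so each proxied app should have authentication in front of it first.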
diff --git a/modules/torrents.nix b/modules/torrents.nix
new file mode 100644
index 0000000..6b5f381
--- /dev/null
+++ b/modules/torrents.nix
@@ -0,0 +1,154 @@
+{ config, lib, pkgs, ... }:
+let
+ vpnServer = "89.249.65.115";
+ vpnConfig = builtins.fetchurl {
+ url = "https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/de948.nordvpn.com.udp.ovpn";
+ sha256 = "07z4xxs4nxg44c3d19rnqg6iq2f7i8yjy28rwbz312z4axqgkcxn";
+ };
+in
+{
+
+ sops.secrets = {
+ vpnCredentials = {
+ key = "openvpn/credentials";
+ };
+ transmissionRpcCredentials = {
+ key = "transmission/rpc_config.json";
+ };
+ };
+
+ containers.torrents = {
+ ephemeral = true;
+ autoStart = true;
+ enableTun = true;
+
+ privateNetwork = true;
+ hostAddress = "192.168.1.1";
+ localAddress = "192.168.1.2";
+
+ bindMounts = {
+ "${config.sops.secrets.vpnCredentials.path}" = {
+ hostPath = config.sops.secrets.vpnCredentials.path;
+ };
+ "${config.sops.secrets.transmissionRpcCredentials.path}" = {
+ hostPath = config.sops.secrets.transmissionRpcCredentials.path;
+ };
+ "/nix/var/data/media" = {
+ hostPath = "/nix/var/data/media";
+ isReadOnly = false;
+ };
+ "/nix/var/data/jackett" = {
+ hostPath = "/nix/var/data/jackett";
+ isReadOnly = false;
+ };
+ "/nix/var/data/sonarr" = {
+ hostPath = "/nix/var/data/sonarr";
+ isReadOnly = false;
+ };
+ "/nix/var/data/radarr" = {
+ hostPath = "/nix/var/data/radarr";
+ isReadOnly = false;
+ };
+ "/nix/var/data/transmission" = {
+ hostPath = "/nix/var/data/transmission";
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+ time.timeZone = "Europe/Amsterdam";
+ users.users.www-data = {
+ uid = 993;
+ isSystemUser = true;
+ group = config.users.groups.www-data.name;
+ };
+ users.groups.www-data = { gid = 991; };
+ services.openvpn.servers.client = {
+ updateResolvConf = true;
+ config = ''
+ config ${vpnConfig}
+ auth-user-pass ${config.sops.secrets.vpnCredentials.path}
+ '';
+ };
+ services.transmission = {
+ enable = true;
+ openRPCPort = true;
+ user = config.users.users.www-data.name;
+ group = config.users.groups.www-data.name;
+ credentialsFile = config.sops.secrets.transmissionRpcCredentials.path;
+ home = "/nix/var/data/transmission";
+ settings = {
+ rpc-bind-address = "0.0.0.0";
+ rpc-whitelist = "127.0.0.1,192.168.1.1";
+ rpc-authentication-required = true;
+ rpc-host-whitelist-enabled = false;
+ incomplete-dir = "/nix/var/data/transmission/.incomplete";
+ watch-dir = "/nix/var/data/transmission/watchdir";
+ download-dir = "/nix/var/data/transmission/downloads";
+ };
+ };
+ services.jackett = {
+ enable = true;
+ openFirewall = true;
+ user = config.users.users.www-data.name;
+ group = config.users.groups.www-data.name;
+ dataDir = "/nix/var/data/jackett";
+ };
+ services.sonarr = {
+ enable = true;
+ openFirewall = true;
+ user = config.users.users.www-data.name;
+ group = config.users.groups.www-data.name;
+ dataDir = "/nix/var/data/sonarr";
+ };
+ services.radarr = {
+ enable = true;
+ openFirewall = true;
+ user = config.users.users.www-data.name;
+ group = config.users.groups.www-data.name;
+ dataDir = "/nix/var/data/radarr";
+ };
+
+ system.stateVersion = "21.11";
+ };
+ };
+
+ virtualisation.oci-containers.containers.flaresolverr = {
+ image = "ghcr.io/flaresolverr/flaresolverr:v2.0.2";
+ environment = {
+ "LOG_LEVEL" = "debug";
+ "CAPTCHA_SOLVER" = "hcaptcha-solver";
+ };
+ ports = [ "192.168.1.1:8191:8191" ];
+ autoStart = true;
+ };
+
+ services.nginx.virtualHosts."transmission.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.2:9091";
+ };
+ };
+ services.nginx.virtualHosts."jackett.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.2:9117";
+ };
+ };
+ services.nginx.virtualHosts."sonarr.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.2:8989";
+ };
+ };
+ services.nginx.virtualHosts."radarr.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.2:7878";
+ };
+
}; +} diff --git a/profiles/storage.nix b/profiles/storage.nix index a4422c9..9805328 100644 --- a/profiles/storage.nix +++ b/profiles/storage.nix @@ -9,7 +9,19 @@ ../modules/jellyfin.nix ../modules/stb.nix ../modules/monero.nix + ../modules/torrents.nix ]; networking.firewall.allowedTCPPorts = [ 80 443 18080 ]; + + networking.nat.enable = true; + networking.nat.internalInterfaces = [ "ve-+" ]; + networking.nat.externalInterface = "enp2s0"; + + users.users.www-data = { + uid = 993; + isSystemUser = true; + group = config.users.groups.www-data.name; + }; + users.groups.www-data = { gid = 991; }; } diff --git a/secrets.enc.yml b/secrets.enc.yml index af82a2b..52a4529 100644 --- a/secrets.enc.yml +++ b/secrets.enc.yml @@ -5,6 +5,8 @@ nextcloud: db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str] admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str] murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str] +transmission: + rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str] email: accounts_passwords: paultrial: ENC[AES256_GCM,data:fDGYNdu9DQcfheOkc5aixUGmHPrVh4/6JGAECwhl64zpxXqPQ/jqYoaOMz3o3wozF1g+ZOKdBd2daBm0,iv:nyz37z1gmKbdpBDRvEe/4l36+evh89kpgowNxd+KdE0=,tag:j6JWAXglSPtKqN0v7akrSg==,type:str] 
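Review bot: `vpnServer` is bound in the `let` block but never referenced, and nothing in `containers.torrents.config` keeps Transmission's traffic inside the tunnel: while the OpenVPN client is down or still starting, the container's default route is the veth to the host, and profiles/storage.nix in this commit masquerades `ve-+` out of `enp2s0`. Peers would then see the host's own address. I would add a fail-closed egress rule set inside the container that allows only loopback, `tun+`, the host side `192.168.1.1` and `${vpnServer}`, and drops the rest; the sketch below assumes the .ovpn profile connects to that IP over UDP, which is not visible here, and needs testing against firewall reloads. Separately, the jackett, sonarr and radarr vhosts are published with no proxy-level authentication, so unless each app enforces its own login a `basicAuthFile` on those vhosts is worth adding.

```nix
    config = {
      # … unchanged: timezone, www-data user/group, openvpn client, transmission, jackett, sonarr, radarr …

      # Fail closed: only loopback, the tunnel, the host side of the veth
      # and the VPN endpoint itself may be reached from this container.
      networking.firewall.extraCommands = ''
        iptables -A OUTPUT -o lo -j ACCEPT
        iptables -A OUTPUT -o tun+ -j ACCEPT
        iptables -A OUTPUT -d 192.168.1.1 -j ACCEPT
        iptables -A OUTPUT -d ${vpnServer} -p udp -j ACCEPT
        iptables -A OUTPUT -j DROP
      '';
```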
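Review bot: `networking.nat.internalInterfaces = [ "ve-+" ]` masquerades every container veth on this host, not only the one this commit introduces. Narrowing it to `networking.nat.internalInterfaces = [ "ve-torrents" ];` keeps any later container from silently gaining outbound internet access through `enp2s0`. The `www-data` user and group are also now declared twice with the same uid 993 and gid 991, here and inside the container in modules/torrents.nix; a comment such as `# uid/gid must match containers.torrents so bind-mounted data keeps its ownership` would stop the two from drifting apart.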
@@ -13,6 +15,8 @@ wiki: users_file: ENC[AES256_GCM,data:Zx5QTmtqqrRwbHUMiVFfvMnvzaLSlKiouOg57H+4RYS/5Zavl4y3Awswuiz9y7iRDGZhsxba6Ki3jEg/sSwlmB/hICQikQlRfsnx1ibAKeTv9A==,iv:R7vQBU/4thmBVcydHPNiwUOavkhl6OGEVL9WdexJzAw=,tag:FQ/9LjQ6c+ErAhH3erzOBQ==,type:str] arkadia: users_file: ENC[AES256_GCM,data:glllwv0+KnPOeJ4eFNXECZPZvL6k5RODxIJNfWjQgo8EUKF7UsVyRvHcL2g9TAEpXKT8RGLekZim+Q467eKKGPpdj2LlrI/XYPyMvk2ShaTBO2ivx+6e9zowpdJNclBMmtKGgggK+r7LeXGunCl06oq86LpKq9ddiX2zZnOfxU1b0ZAG+tmqSVfkgi7cOs5DGagSaco+2+SkCOGThahGquWMrPmVULO0Dz2w98+7uSbmFmXlJOOZjKCk/q0ou4Bi0gK6lQ8/fKleNJLJ0x8Vx0WPYZgz6109RkTYznMl2HSIZEcNp81PxQvr66Vumc8ZO+OXWbNyY064/LXFJB7sEA57r4ccHHkH5+FCKFQJzCA=,iv:Ki0MCTJ8jwogDNL71kiMY4EGrfBorxB2rpBJAid6QOQ=,tag:q/mfK3Dm0KFnK4AHjzsP7g==,type:str] +openvpn: + credentials: ENC[AES256_GCM,data:nAA+4lB8fh64AQaG1CJyNIUSvn9mIGfIKHSFbImPzAdFRQPDnKOEQFe+/qXNswXYWHU0DdvnPA==,iv:sLZRPrDtSnx0AvKcC/DTces/Il+l0Nl1kRrnXj8X4WQ=,tag:RHenD6WATKuibxMj2LFPWw==,type:str] borg: passphrase: ENC[AES256_GCM,data:RNUTb29sOdsg4KnB/0nIFGJFV/2nlMH4pxGFlgXdtTgDe2opT/moUg==,iv:6kdBeq+qFWnPB+N+zpKNdFkmkskOVMabdj8Uxk9QeQI=,tag:MxNqn5p9P0JpsjkNm9iYEQ==,type:str] client_keys: @@ -31,8 +35,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2021-12-09T16:20:53Z" - mac: ENC[AES256_GCM,data:B52chrVaJle4mxgZEhH0ZFBXr305F8k07qRoyh6W9dPpJOzPaJ3jfhSyYCojV+AUYywgHPUTiXeG+RW6P0v/FLeeP0OldhHdepRzmACHglLflYQwmUZSXf9wlmQPsN4/Uy7Z0h6zTComJXUCwKe4W0FMn+szgkxa+qvQgnZhneI=,iv:ZNzXQncWR0Hnd8+kAABTVl2/jIH4nOUPXhfCFgXhjho=,tag:KDZShClqYbDpGB5hKYUsqQ==,type:str] + lastmodified: "2021-12-09T21:02:06Z" + mac: ENC[AES256_GCM,data:UTQgCoVA38k/D2kt1EVEq5mNhQAyuPcyNJnCpSZ9drRa9Nslr4GYSKTetz3HMdqkEy7H4EBYF5PrBttwJ8HSa7VcJZ3ct3WfW7qeCAd1O3ZDlmeLhII4o4+XG49HoQ5jpVJs5Dve8eJn7DOtVrluXblbahFZlQmN1m7mSlGdt20=,iv:34Br9UV6YOI6/4OBYeJDorlkj2lPSblHy429dWd2UIY=,tag:HfH06ZqikXZDGaeGxoeGvg==,type:str] pgp: - created_at: "2021-11-29T00:57:34Z" enc: |