From 2850d19f76fbdcd5e856fafd0f55696c4721e8df Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Thu, 11 May 2023 14:34:13 +0200
Subject: [PATCH] Configure transmission and gitea

---
 flake.nix | 12 +++-
 hosts/voyager/configuration.nix | 4 +-
 hosts/voyager/services/gitea.nix | 49 ++++++++++++++++
 hosts/voyager/services/postgres.nix | 4 ++
 hosts/voyager/services/transmission.nix | 74 +++++++++++++++++++++++++
 secrets/voyager/voyager.yaml | 6 +-
 6 files changed, 143 insertions(+), 6 deletions(-)
 create mode 100644 hosts/voyager/services/gitea.nix
 create mode 100644 hosts/voyager/services/transmission.nix

diff --git a/flake.nix b/flake.nix
index 2c806a2..30583c8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,21 +12,27 @@
 outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
 let
 system = "x86_64-linux";
+ overlay-unstable = final: prev: {
+ unstable = unstable.legacyPackages.${prev.system};
+ };
 in {
 nixosConfigurations = {
 voyager = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
+ inherit system;
 specialArgs = {
 inherit inputs;
 };
 modules = [
+ # Overlays-module makes "pkgs.unstable" available in configuration.nix
+ ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+
 ./hosts/voyager/configuration.nix
 sops-nix.nixosModules.sops
 ];
 };
 chapel = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
+ inherit system;
 specialArgs = {
 inherit inputs;
 };
@@ -36,7 +42,7 @@
 ];
 };
 redshirt = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
+ inherit system;
 specialArgs = {
 inherit inputs;
 };
diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix
index f735c6e..5559aa7 100644
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@@ -16,8 +16,10 @@
 ./services/kanidm.nix
 ./services/matrix
 ./services/jellyfin.nix
+ ./services/transmission.nix
 ./services/metrics
 ./services/flame.nix
+ ./services/gitea.nix
 ./services/hedgedoc.nix
 ./services/code-server.nix
 # TODO:
@@ -26,7 +28,7 @@
 # x Monitoring server
 # x Podman
 # x Flame
- # - Transmission
+ # x Transmission
 # x Jellyfin
 # x NFS imports
 # x NFS exports
diff --git a/hosts/voyager/services/gitea.nix b/hosts/voyager/services/gitea.nix
new file mode 100644
index 0000000..bb2f8c4
--- /dev/null
+++ b/hosts/voyager/services/gitea.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+let
+ cfg = config.services.gitea;
+in {
+ services.gitea = {
+ enable = true;
+ package = pkgs.unstable.gitea;
+ appName = "felixalbs Gitea";
+ database = {
+ type = "postgres";
+ #passwordFile = "/var/gitea/passwdfile";
+ };
+ domain = "git.feal.no";
+ rootUrl = "https://git.feal.no";
+ httpPort = 3004;
+
+
+ settings = {
+ server.LANDING_PAGE=''"/felixalb"'';
+ service.DISABLE_REGISTRATION = true;
+ session.COOKIE_SECURE = true;
+
+ packages.ENABLED = false;
+
+ oauth2_client = {
+ ENABLE_AUTO_REGISTRATION = true;
+ OPENID_CONNECT_SCOPES = "email profile openid";
+ UPDATE_AVATAR = true;
+ ACCOUNT_LINKING = "auto";
+ USERNAME = "email";
+ };
+
+ log.LEVEL = "Info";
+
+ database.LOG_SQL = false;
+
+ ui = {
+ THEMES="gitea,arc-green,nord";
+ DEFAULT_THEME="nord";
+ };
+ };
+
+ # TODO:
+ # - dump (automatic backups)
+ # - configure mailer
+ };
+
+ networking.firewall.allowedTCPPorts = [ cfg.httpPort ];
+}
diff --git a/hosts/voyager/services/postgres.nix b/hosts/voyager/services/postgres.nix
index 4501175..8f50842 100644
--- a/hosts/voyager/services/postgres.nix
+++ b/hosts/voyager/services/postgres.nix
@@ -4,10 +4,14 @@
 enable = true;
 /* enableTCPIP = true; # Expose on the network */
 authentication = pkgs.lib.mkOverride 10 ''
+ local gitea all ident map=gitea-users
 local all all trust
 host all all 127.0.0.1/32 trust
 host all all ::1/128 trust
 '';
+ identMap = ''
+ gitea-users gitea gitea
+ '';
 };
 services.postgresqlBackup = {
diff --git a/hosts/voyager/services/transmission.nix b/hosts/voyager/services/transmission.nix
new file mode 100644
index 0000000..6bfbb6c
--- /dev/null
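Review bot: `networking.firewall.allowedTCPPorts = [ cfg.httpPort ];` at the end of gitea.nix opens Gitea's plain-HTTP listener (httpPort 3004) on every interface, while rootUrl = "https://git.feal.no" and session.COOKIE_SECURE = true assume the service is only reached over TLS; nothing in this commit terminates TLS for it, so logins can be made over cleartext unless a proxy exists outside this diff. I would bind the listener to loopback with `httpAddress = "127.0.0.1";`, front it with a services.nginx.virtualHosts entry the way transmission.nix in this same commit does, and drop the firewall rule. Separately, `ACCOUNT_LINKING = "auto"` combined with `USERNAME = "email"` links a federated login to whichever existing account shares the email claim, which is only safe if the OIDC provider guarantees verified addresses; a comment such as `# ACCOUNT_LINKING = "auto" trusts the IdP's email claim; keep email verification mandatory on the provider side` would record that dependency. The backup TODO can be closed with the module's `services.gitea.dump.enable` option rather than a custom timer.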
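Review bot: The new `local gitea all ident map=gitea-users` rule only constrains the Unix-socket path; the untouched `host all all 127.0.0.1/32 trust` and `host all all ::1/128 trust` lines below it still let any local process connect to the gitea database as the gitea role over loopback TCP with no credentials, so the ident map is bypassable by every other service on this host (and as far as I can tell the NixOS module keeps a localhost listener even with enableTCPIP off). If nothing else needs trust over TCP, narrow those lines to `host all all 127.0.0.1/32 scram-sha-256` and the same for ::1/128, or at minimum put `host gitea all 127.0.0.1/32 reject` ahead of them, since pg_hba takes the first match. Note that PostgreSQL treats `ident` on a `local` line as `peer`, so writing `peer` states the intent directly. The enclosing services.postgresql block starts before this hunk, so I cannot see the rest of its settings.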
+++ b/hosts/voyager/services/transmission.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+let
+ host = "127.0.1.2";
+ port = "5003";
+ uid = 778;
+ gid = 778;
+in {
+ sops.secrets."transmission/vpncreds" = {
+ owner = "transmission";
+ group = "transmission";
+ };
+
+ users.users.transmission = {
+ inherit uid;
+ group = "transmission";
+ isSystemUser = true;
+ useDefaultShell = true;
+ description = "Transmission torrent service";
+ };
+
+ users.groups.transmission = {
+ inherit gid;
+ };
+
+ # Transmission+PIA: Torrent client, Integrated VPN, Web interface
+ virtualisation.oci-containers.containers.transmission = {
+ image = "haugene/transmission-openvpn";
+ ports = [ "${host}:${port}:9091" ];
+ volumes = [
+ "/var/lib/transmission/config:/config"
+ "/tank/media/transmission:/data"
+ ];
+ environment = {
+ OPENVPN_PROVIDER = "PIA";
+ OPENVPN_CONFIG = "norway,sweden,de_frankfurt";
+ LOCAL_NETWORK = "192.168.10.0/24";
+ PUID = toString uid;
+ PGID = toString gid;
+ };
+ environmentFiles = [
+ # OPENVPN_USERNAME and password is set here
+ # and optionally TRANSMISSION_RPC_USERNAME and password
+ config.sops.secrets."transmission/vpncreds".path
+ ];
+ extraOptions = [
+ "--cap-add=net_admin,net_raw,mknod"
+ "--device=/dev/net/tun"
+ ];
+ };
+ services.nginx.virtualHosts."transmission.home.feal.no" = {
+ locations."/" = {
+ proxyPass = "http://${host}:${port}";
+ };
+ };
+
+ fileSystems = {
+ "/tank/media/transmission/jellyfin" = {
+ device = "/tank/media/jellyfin";
+ options = [ "bind" ];
+ };
+ "/tank/media/transmission/music" = {
+ device = "/tank/media/music";
+ options = [ "bind" ];
+ };
+ "/tank/media/transmission/inbox" = {
+ device = "/tank/inbox";
+ options = [ "bind" ];
+ };
+ "/tank/media/transmission/other" = {
+ device = "/tank/media/other";
+ options = [ "bind" ];
+ };
+ };
+}
diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml
index 2d79893..510a485 100644
--- a/secrets/voyager/voyager.yaml
+++ b/secrets/voyager/voyager.yaml
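Review bot: The web UI is published through `services.nginx.virtualHosts."transmission.home.feal.no"` with a bare proxyPass and no auth of its own, yet the comment on environmentFiles says RPC credentials are only "optionally" in the secret; the sops file is encrypted so I cannot confirm, but if TRANSMISSION_RPC_AUTHENTICATION_REQUIRED / TRANSMISSION_RPC_USERNAME / TRANSMISSION_RPC_PASSWORD are absent, anyone who can reach that vhost controls the client and, through the bind mounts, can write into /tank/inbox and the media trees. I would make the requirement explicit in the comment, `# OPENVPN_USERNAME/OPENVPN_PASSWORD and TRANSMISSION_RPC_USERNAME/TRANSMISSION_RPC_PASSWORD must be set here; nginx adds no auth of its own`, or add basicAuth on the location. The capability list `--cap-add=net_admin,net_raw,mknod` is broader than the tunnel needs as far as I recall the image's documentation (NET_ADMIN plus /dev/net/tun), so net_raw and mknod should be dropped unless something in the container demonstrably fails without them. Whether podman splits a comma-separated --cap-add value is worth confirming; one `--cap-add=` entry per capability is the unambiguous form.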
@@ -10,6 +10,8 @@ #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment] hedgedoc: env: ENC[AES256_GCM,data:okkj5V0veAwWwdmhjhsd4seAHiBOjdk7m80C3iVi78LNeHlNuGL2zdvKV5b4ClUR3awabotR/QwdvSvCUxZiFRpXwyeETxHPRRTtR4VDL1L4MifJ0LS27A5DAzAdjCjc799ckgDyBn5L3+T6P1136X0PnaXQT1KyRegizC1DFQ15/3fvlIe05tonDwDVAsPkV8ZEtmGuseB87yoFBxs=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:6bDyl7c23uAWMzVrJ5/YYQ==,type:str] +transmission: + vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str] matrix: synapse: registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str] 
@@ -37,8 +39,8 @@ sops: THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-09T21:06:32Z" - mac: ENC[AES256_GCM,data:C/vZmn+jVNaakJxv6XjtMaXDO0CLhTEG8ZSpFBkobd8IKRnsn3OwNySQN0RvIzYL3kaDaS2twEOKN2h3eTcDbX6nNa3m4Eagv7fwXw8yTY2T6pVBni9qudZzlzPpxXSmR7sZYqtay05NdwgSEuu8qIP+S4ECtiSo0JHMdyP1YpQ=,iv:iJsKgA/YjYQ9gVO8ET70+0SdjMTIkbzh2yIkgiFQ+4Y=,tag:ytHaCBJxO1J60lfRQBKplw==,type:str] + lastmodified: "2023-05-11T22:37:33Z" + mac: ENC[AES256_GCM,data:05Q2/Don1WbgncRQhS1XXJ/l+sH+YJQSUkDPJip798OiFwp/5/C19dS8Z9vXPtCp/96iisfsxfSY3OK/AhaXhhKKze1GQ5oqJnfp8ECE4N70SVy302eRF0rAR8XQQOGiur+JUP4KWYs4rNPAlMJYcppeSu3TeO+yGw+O7CGZuBs=,iv:k1Ab086i4Rur0bt8J5HY35rUax9LXpTnuw+TUoQCrI8=,tag:k9ar+YV2cIHRKdJj2dqdgA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3