rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2025-01-18 17:11:39 +01:00
Code Issues Projects Releases Packages Wiki Activity

nuc: configure torrenting in a dedicated network namespace

Browse source
This commit is contained in:
Rouven Seifert 2024-05-04 13:53:26 +02:00
parent 29223b9060
commit 77b3d974c5
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
4 changed files with 121 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
hosts/nuc/default.nix
View file

@ -13,6 +13,7 @@
./modules/matrix ./modules/matrix
./modules/mautrix-telegram ./modules/mautrix-telegram
./modules/seafile ./modules/seafile
./modules/torrent
./modules/vaultwarden ./modules/vaultwarden
./modules/nginx ./modules/nginx
]; ];

112
hosts/nuc/modules/torrent/default.nix Normal file
View file

@ -0,0 +1,112 @@
{ config, pkgs, ... }:
let
cfg = {
stateDir = "/var/lib/qbittorrent";
downloadDir = "/var/videos/"; # TODO support other Media Types
port = 8081;
user = "qbittorrent";
};
in
{
age.secrets.mullvad.file = ../../../../secrets/nuc/mullvad.age;
environment.etc."netns/torrent/resolv.conf".text = ''
nameserver 10.64.0.1
'';
systemd.services."netns@" = {
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute}/bin/ip netns add %I";
ExecStartPost = "${pkgs.iproute2}/bin/ip netns exec %I ${pkgs.iproute2}/bin/ip link set dev lo up";
ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
};
};
systemd.services."qbittorrent-portforward@" = {
description = "%I network namespace port mapping";
requires = [ "netns@%i.service" ];
after = [ "netns@%i.service" ];
# wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "on-failure";
TimeoutStopSec = 300;
ExecStart = ''${pkgs.socat}/bin/socat tcp-listen:${toString cfg.port},fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec %I ${pkgs.socat}/bin/socat STDIO "tcp-connect:127.0.0.1:${toString cfg.port}"',nofork'';
# ExecStart = [
# "${pkgs.socat}/bin/socat tcp-listen:%j,fork,reuseaddr"
# ''${pkgs.iproute2}/bin/ip netns exec %I ${pkgs.socat}/bin/socat STDIO "tcp-connect:127.0.0.1:%j",nofork''
# ];
};
};
# scripted wireguard since systemd-networkd doesn't support netns yet
networking.wireguard.interfaces."wg0-mullvad" = {
# Funny Mole
privateKeyFile = config.age.secrets.mullvad.path;
ips = [ "10.67.237.93/32" ];
peers = [
{
publicKey = "QEVIaIycN8p5twXCuZeQTEj9utozakw/MU8H6+/whls=";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "138.199.34.129:51820";
}
];
interfaceNamespace = "torrent";
};
systemd.services."wireguard-wg0-mullvad" = {
requires = [ "netns@torrent.service" ];
};
users.users.${cfg.user} = {
group = cfg.user;
home = cfg.stateDir;
isSystemUser = true;
extraGroups = [ "media" ];
};
users.groups.${cfg.user} = { };
systemd.services."qbittorrent" = {
description = "qBittorrent Service";
bindsTo = [ "netns@torrent.service" ];
after = [ "netns@torrent.service" ];
requires = [ "qbittorrent-portforward@torrent.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.user;
Restart = "always";
PrivateNetwork = true;
NetworkNamespacePath = "/var/run/netns/torrent";
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=${cfg.stateDir} --webui-port=${toString cfg.port}";
# Increase number of open file descriptors (default: 1024)
# LimitNOFILE = 65536;
# Avoid using nscd (leaks dns)
InaccessiblePaths = [ "/run/nscd" ];
# BindReadOnlyPaths = [
# "/etc/netns/mullvad/resolv.conf:/etc/resolv.conf"
# ];
# systemd-analyze --no-pager security qbittorrent.service
CapabilityBoundingSet = null;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectHome = true;
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
};
};
networking.firewall.allowedTCPPorts = [ cfg.port ];
systemd.tmpfiles.rules = [
# ensure downloads directory is created, set permissions
"d ${cfg.stateDir} - ${cfg.user} ${cfg.user} - -"
"d ${cfg.stateDir}/qBittorrent - ${cfg.user} ${cfg.user} - -"
];
}

1
secrets.nix
View file

@ -20,6 +20,7 @@ in
"secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ]; "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
"secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ]; "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
"secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ]; "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
"secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ];
"secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ]; "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
"secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];

7
secrets/nuc/mullvad.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 uWbAHQ mWnXWfwlxVxg+ik61NHqSv9onxa2Lp6GBALkEbVk/TM
uKDbdYg0qp/3YmKTVAkAaywKo0hWhAK/wDKqoGmaS/U
-> ssh-ed25519 2TRdXg TXVYT8yp/mHgmm1um73RRwurbfNLlDmfHw6YTsW08UI
D7x46t9W0JB2ua+mZshaUQm+fWbl8jvuDTYAibiIhIY
--- Q8kMARj3UQyshncV40iuORct23Ajg25pUUIcE8x261w
WX.‡ççZèb ´Ä!¡¤ZH˜ÿ±¨ÿè¬â·ŠX¶b½ƒM¤ÅP¿vGÏÛR½PRÑB÷½v¸,ÐQžSå_‡W^w