From aed18e9a93d490f49a4e3b4a22518d0a6f1a8162 Mon Sep 17 00:00:00 2001
From: Haak Saxberg
Date: Thu, 11 Aug 2022 08:39:56 -0700
Subject: [PATCH] rtorrent downloads, but doesn't upload yet

---
 nix/deployments/nixops.nix | 50 +++++++++++++++++++++++++-
 nix/home/programs/flood/default.nix | 4 ++-
 nix/home/programs/rtorrent/default.nix | 20 ++++++++++-
 nix/home/programs/rtorrent/rtorrent.rc | 14 ++++++++
 nix/system/svalbard/configuration.nix | 3 +-
 5 files changed, 86 insertions(+), 5 deletions(-)

diff --git a/nix/deployments/nixops.nix b/nix/deployments/nixops.nix
index 76d4c18..3662f51 100644
--- a/nix/deployments/nixops.nix
+++ b/nix/deployments/nixops.nix
@@ -81,6 +81,54 @@ in
 /export/storage 192.168.1.0/24(insecure)
 '';
- networking.firewall.allowedTCPPorts = [ 2049 ];
+ networking.firewall = {
+ allowedTCPPorts = [ 2049 ]; # NFS port
+ allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
+ };
+
+ deployment.keys.wireguard.text = builtins.readFile ../../secrets/wireguard/svalbard;
+
+ # Enable WireGuard
+ networking.wg-quick.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ address = [ "10.64.168.213/32" "fc00:bbbb:bbbb:bb01::1:a8d4/128" ];
+ dns = [ "10.64.0.1" ];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/run/keys/wireguard";
+
+ # For a client configuration, one peer entry for the server will suffice.
+ peers = [
+ # Sweden, Malmo, se15
+ {
+ # Public key of the server (not a file path).
+ publicKey = "5y66WShsFXqM5K7/4CPEGCWfk7PQyNhVBT2ILjbGm2I=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+
+ # Set this to the server IP and port.
+ endpoint = "193.138.218.80:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ systemd.services.my-service = {
+ after = [ "wireguard-key.service" ];
+ wants = [ "wireguard-key.service" ];
+ script = ''
+ export MY_SECRET=$(cat /run/keys/my-secret)
+ run-my-program
+ '';
+ };
 };
 }
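Review bot: The `systemd.services.my-service` block at the end of the hunk looks like the nixops keys documentation example left in verbatim: it reads `/run/keys/my-secret`, which no `deployment.keys` entry in this hunk provides, runs a `run-my-program` that does not exist, and has no `wantedBy`, so it is never started and would fail if it were; remove it or replace it with the real consumer of the key. `deployment.keys.wireguard.text = builtins.readFile ../../secrets/wireguard/svalbard;` pulls the private key through Nix evaluation as a string (and, as far as I know, nixops may persist evaluated key text in its state file — worth checking); `deployment.keys.wireguard.keyFile = ../../secrets/wireguard/svalbard;` lets nixops read the file itself at deploy time instead. `allowedUDPPorts = [ 51820 ]` opens the listen port on every interface for what is a client-only peer (it has an `endpoint`), which is not needed for the tunnel to come up, though WireGuard drops unauthenticated packets so the exposure is small. The enclosing attribute set starts before this hunk.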
diff --git a/nix/home/programs/flood/default.nix b/nix/home/programs/flood/default.nix
index 35216e3..ebfb3fd 100644
--- a/nix/home/programs/flood/default.nix
+++ b/nix/home/programs/flood/default.nix
@@ -17,8 +17,10 @@
 };
 };
+ users.users.flood.group = "flood";
 users.extraUsers.flood = {
 isNormalUser = true;
+ extraGroups = [ "rtorrent" "users" ];
 };
 systemd.services = {
@@ -31,7 +33,7 @@
 Restart = "on-failure";
 };
 wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
+ after = [ "network.target" "rtorrent.service" ];
 };
 };
 }
diff --git a/nix/home/programs/rtorrent/default.nix b/nix/home/programs/rtorrent/default.nix
index f36777d..1322248 100644
--- a/nix/home/programs/rtorrent/default.nix
+++ b/nix/home/programs/rtorrent/default.nix
@@ -1,16 +1,34 @@
 { pkgs, finalDir, downloadDir, watchDir }:
+let
+ dhtPort = 40000;
+in
 {
+ environment.systemPackages = with pkgs; [ rtorrent ];
+
+ users.extraUsers.rtorrent.extraGroups = [ "users" ];
+
 services.rtorrent = {
 enable = true;
 downloadDir = downloadDir;
- group = "users";
+ # flood needs to be able to access the datadir
+ dataDir = downloadDir;
 configText = builtins.readFile (pkgs.substituteAll {
 src = ./rtorrent.rc;
 watchDir = watchDir;
 finalDir = finalDir;
+ dhtPort = builtins.toString dhtPort;
 });
 };
+ networking.firewall = {
+ allowedTCPPorts = [
+ # rtorrent default
+ 50000
+ ];
+ allowedUDPPorts = [
+ dhtPort
+ ];
+ };
 }
diff --git a/nix/home/programs/rtorrent/rtorrent.rc b/nix/home/programs/rtorrent/rtorrent.rc
index 9eb2193..12274bd 100644
--- a/nix/home/programs/rtorrent/rtorrent.rc
+++ b/nix/home/programs/rtorrent/rtorrent.rc
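Review bot: `users.users.flood.group = "flood"` assigns a primary group that nothing in this hunk declares; unless `users.groups.flood` is defined elsewhere, NixOS at least warns and, on recent releases I believe refuses to build, so add `users.groups.flood = {};` beside it. The same user is then configured through the deprecated alias `users.extraUsers.flood` two lines down; defining everything under `users.users.flood` keeps the account in one place. `extraGroups = [ "rtorrent" "users" ]` grants the `rtorrent` group that flood needs to reach the session and download data, but the `users` membership is wider than that purpose and deserves either a comment saying what requires it or removal.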
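Review bot: rtorrent.rc in this same commit binds rtorrent to wg0's address once at startup, yet nothing here orders `rtorrent.service` after the tunnel; if rtorrent starts before wg0 has its address, the capture comes back empty, rtorrent ends up effectively unbound for the life of the process, and peer traffic presumably leaves via the wireless uplink instead. Adding `systemd.services.rtorrent.after = [ "wg-quick-wg0.service" ];` and `systemd.services.rtorrent.requires = [ "wg-quick-wg0.service" ];` (the unit NixOS generates for `networking.wg-quick.interfaces.wg0`, if I have the name right) closes most of that window; this also applies to the rtorrent.rc hunk, where I have not repeated it. The firewall block opens TCP 50000 and UDP 40000 on every interface while the only intended inbound path is the tunnel; `networking.firewall.interfaces.wg0.allowedTCPPorts` / `allowedUDPPorts` would scope them to wg0. The literal `50000` also duplicates the module's port default instead of referring to `services.rtorrent.port`, so the listener and the firewall can drift apart. `users.extraUsers.rtorrent.extraGroups = [ "users" ]` puts the daemon in a general-purpose group; a comment on why it is needed, or a dedicated group shared only with flood, would make the grant easier to audit.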
@@ -1,3 +1,17 @@
+# Set an interface with IPv4 address to bind to:
+method.insert = cfg.interface.bind, string|const|private, (cat,"wg0")
+# Get IPv4 address of a given interface
+method.insert = get_interface_ipv4_address, simple|private, "execute.capture=bash,-c,\"$cat=\\\"echo -n \$(ip -o -4 addr show \\\",$argument.0=,\\\" | grep -Po 'inet \\\\\\\\\\K[\\\\\\\\\\d.]+')\\\"\""
+# The IP address the listening socket and outgoing connections is bound to. (bind)
+schedule2 = set_bind_address, 0, 0, \
+ "branch=((cfg.interface.bind)), \
+ ((network.bind_address.set,(get_interface_ipv4_address,(cfg.interface.bind))))"
+
+dht.mode.set = on
+dht.port.set = @dhtPort@
+protocol.pex.set = yes
+trackers.use_udp.set = yes
+
 # Enable the default ratio group.
 ratio.enable=
diff --git a/nix/system/svalbard/configuration.nix b/nix/system/svalbard/configuration.nix
index a143877..913755d 100644
--- a/nix/system/svalbard/configuration.nix
+++ b/nix/system/svalbard/configuration.nix
@@ -29,6 +29,7 @@
 networking.wireless = {
 enable = true; # Enables wireless support via wpa_supplicant.
 };
+ networking.nat.externalInterface = "wlo1";
 services.zfs.trim.enable = true;
@@ -79,8 +80,6 @@
 # networking.firewall.allowedUDPPorts = [ ... ];
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
- networking.wireguard.enable = true;
- networking.firewall.checkReversePath = "loose";
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
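Review bot: `get_interface_ipv4_address` has no failure path: when `ip -o -4 addr show wg0` prints nothing (interface missing or not yet addressed) the capture is empty, and the one-shot `schedule2 = set_bind_address, 0, 0, …` then hands an empty value to `network.bind_address.set` and never retries, so as far as I can tell rtorrent runs unbound instead of refusing to start; the service ordering that should prevent this belongs in rtorrent/default.nix and I have noted it there. Since the tunnel address is already fixed in nixops.nix (`10.64.168.213/32`), the heavily escaped shell pipeline could be replaced by passing that address through `pkgs.substituteAll` like `@dhtPort@` and writing `network.bind_address.set = @bindAddress@` (placeholder name constructed here), which also removes the reliance on `bash`, `ip` and `grep` being on the unit's PATH. A header comment stating the intent — every peer and tracker connection must leave via the VPN, so binding to wg0 is the kill switch — would tell the next reader why this block exists.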
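Review bot: `networking.nat.externalInterface = "wlo1"` arrives without `networking.nat.enable` or any internal interface in this hunk, so either it is inert or it completes a NAT setup defined elsewhere; a one-line comment naming which service needs NAT, and why through the wireless uplink now that nixops.nix routes everything via wg0, would save the next reader a search. Related: the hunk below drops `networking.firewall.checkReversePath = "loose"`, and strict reverse-path filtering is a frequent reason tunnelled peer traffic is dropped, so with the commit title admitting upload still fails that removal is worth re-testing before it is forgotten.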