diff --git a/LICENSE b/LICENSE index 195c851..1f934b7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2025 Henri Dohmen +Copyright (c) 2025, 2026 Henri Dohmen Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/host/roam/default.nix b/host/roam/default.nix index 7e6d692..0a9682a 100644 --- a/host/roam/default.nix +++ b/host/roam/default.nix @@ -16,6 +16,7 @@ ./nextcloud.nix ./services.nix ./syncthing.nix + ./torrent.nix ]; boot = { @@ -28,10 +29,16 @@ }; }; + enableContainers = true; + kernelPackages = pkgs.linuxPackages_6_12; initrd.systemd.network.wait-online.enable = false; }; + virtualisation = { + containers.enable = true; + }; + security = { acme = { acceptTerms = true; diff --git a/host/roam/networking.nix b/host/roam/networking.nix index 0ed210d..8b780e8 100644 --- a/host/roam/networking.nix +++ b/host/roam/networking.nix @@ -35,6 +35,7 @@ in firewall = { enable = true; + checkReversePath = "loose"; interfaces."wg0" = { allowedTCPPorts = [ 25565 ]; }; @@ -46,12 +47,17 @@ in nat = { enable = true; + enableIPv6 = true; externalInterface = "ens3"; internalInterfaces = [ "wg0" ]; }; firewall.allowedUDPPorts = [ wireguard-port ]; + localCommands = '' + ip route add default dev mullvad table 1000 + ''; + wireguard = { enable = true; interfaces."wg0" = { @@ -65,12 +71,16 @@ in "10.69.173.41/32" "fc00:bbbb:bbbb:bb01::6:ad28/128" ]; # free cat + table = "1000"; privateKeyFile = config.age.secrets.mullvad-vpn-key.path; peers = [ { name = "de-fra-wg-007"; publicKey = "mTmrSuXmTnIC9l2Ur3/QgodGrVEhhIE3pRwOHZpiYys="; - allowedIPs = [ ]; + allowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; endpoint = "de-fra-wg-007.relays.mullvad.net:51820"; } ]; diff --git a/host/roam/torrent.nix b/host/roam/torrent.nix new file mode 100644 index 0000000..35e28df --- /dev/null +++ b/host/roam/torrent.nix 
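Review bot: In the second default.nix hunk, `enableContainers = true;` and `virtualisation.containers.enable = true;` do not appear to be needed for the declarative `containers.torrent` that torrent.nix introduces: as far as I can tell `boot.enableContainers` already defaults to true, and `virtualisation.containers` configures the OCI (`/etc/containers`) stack used by podman/docker, not NixOS containers. If they are there for another reason, a one-line comment such as `# OCI container runtime config, unrelated to containers.torrent` would stop the next reader from conflating them; otherwise drop both. The enclosing `boot = {` attrset starts outside the hunk.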
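Review bot: `checkReversePath = "loose";` in the first networking.nix hunk relaxes the kernel's source-address check for every interface on the host without saying why, and the reason is only discoverable by reading torrent.nix. Presumably strict rp_filter rejects traffic returning over `mullvad` while the main-table default route stays on `ens3`; the explicit mangle `DROP` rules for private source ranges on `mullvad` in torrent.nix are what now stands in for that check, so the two belong together in the reader's mind. Suggest a comment on the line: `# loose: strict rp_filter would drop replies arriving on mullvad for the policy-routed (table 1000) traffic; spoofed private sources on mullvad are dropped explicitly in torrent.nix`.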
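Review bot: `ip route add default dev mullvad table 1000` in the `localCommands` hunk is a plain `add`, so it errors with EEXIST if the route is already present and with "Cannot find device" if `network-local-commands` runs before the `mullvad` interface is created; both abort the script under NixOS's `set -e` wrapping, as far as I recall. It also looks redundant with `table = "1000";` in the following hunk: if I remember the wireguard module correctly, setting `table` makes it install a route for each peer `allowedIPs` (here `0.0.0.0/0` and `::/0`) into that table itself, which is the v4 and v6 kill-switch route this line only partly reproduces. Either drop the line and rely on the module, or make it tolerant and idempotent: `ip route replace default dev mullvad table 1000 2>/dev/null || true`. The enclosing attrset continues outside the hunk.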
@@ -0,0 +1,76 @@
+{ ... }:
+let
+ containerIp = "192.168.100.11";
+in
+{
+ networking = {
+ localCommands = ''
+ # Route outgoing traffic over mullvad
+ ip rule add from ${containerIp} table 1000 priority 1000
+ ip route add blackhole default table 1000 metric 999
+
+ ip rule add from ${containerIp} to 192.168.1.0/24 table main priority 999
+ '';
+
+ nat = {
+ extraCommands = ''
+ iptables -t nat -A POSTROUTING -s ${containerIp} -o mullvad -j MASQUERADE
+
+ iptables -A PREROUTING -t mangle -i mullvad -s 192.168.100.0/24 -j DROP
+ iptables -A PREROUTING -t mangle -i mullvad -s 192.168.1.0/24 -j DROP
+ '';
+ };
+ };
+
+ services.nginx.privateVirtualHosts."qbt.lan" = {
+ locations."/" = {
+ proxyPass = "http://192.168.100.11:8080";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /data/torrent 0755 root root -"
+ ];
+
+ containers.torrent = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.10";
+ localAddress = containerIp;
+
+ bindMounts = {
+ "/var/lib/qBittorrent/qBittorrent/downloads" = {
+ hostPath = "/data/torrent";
+ isReadOnly = false;
+ };
+ };
+
+ config =
+ { ... }:
+ {
+ boot.isContainer = true;
+ # networking.nameservers = [ "10.64.0.1" ];
+ environment.etc."resolv.conf".text = ''
+ nameserver 10.64.0.1
+ options edns0 trust-ad
+ '';
+ services.resolved.enable = false;
+ networking.resolvconf.enable = false;
+ services.qbittorrent = {
+ enable = true;
+ openFirewall = true;
+ serverConfig = {
+ LegalNotice.Accepted = true;
+ Preferences = {
+ General.Locale = "en";
+ WebUI = {
+ Username = "admin";
+ Password_PBKDF2 = "nNQGvR+niYyKVaT5SQ+Kpw==:0lzflYcsj6d3p5B50ceOS9tZBbxnlkdY5hkK5Ki8ZE4zMI8ZfyJYfWDThjCOULPFNPkUnOWGKhnSPaOibzaNGw==";
+ };
+ };
+ };
+ };
+ system.stateVersion = "25.04";
+ };
+ };
+}
diff --git a/var/lan-dns.nix b/var/lan-dns.nix
index f2b5e49..a0adfc2 100644
--- a/var/lan-dns.nix
+++ b/var/lan-dns.nix
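Review bot: The `ip rule add`/`ip route add` lines in `localCommands` and the `-A` rules in `nat.extraCommands` have no teardown or idempotency guard, so a re-run of the generated scripts (rebuild switch, firewall restart) likely aborts on the first duplicate `ip rule add` with EEXIST and, for the iptables part, appends a second copy of each `POSTROUTING`/mangle rule, since as far as I recall the nat module only flushes its own `nixos-nat-*` chains; `networking.nat.extraStopCommands` exists for the matching `-D` calls (rewrite below). `proxyPass = "http://192.168.100.11:8080";` repeats the address that `containerIp` already holds; write `proxyPass = "http://${containerIp}:8080";` so the two cannot drift. The `admin` `Password_PBKDF2` hash is committed in the config and will also sit world-readable in the Nix store on the host, which exposes it to offline guessing; the repo already uses agenix for `mullvad-vpn-key`, so the WebUI credential could be supplied the same way instead of inline. The policy routing and drop rules are IPv4-only (`ip rule`, `iptables`); the container has no `localAddress6` here, but if one is added later nothing routes or blackholes its v6 traffic via table 1000.
```nix
  networking = {
    localCommands = ''
      # Route outgoing traffic over mullvad; delete first so a re-run stays idempotent
      ip rule del from ${containerIp} table 1000 priority 1000 2>/dev/null || true
      ip rule add from ${containerIp} table 1000 priority 1000
      ip route replace blackhole default table 1000 metric 999

      ip rule del from ${containerIp} to 192.168.1.0/24 table main priority 999 2>/dev/null || true
      ip rule add from ${containerIp} to 192.168.1.0/24 table main priority 999
    '';

    nat = {
      extraCommands = ''
        # … unchanged: MASQUERADE and mangle DROP rules …
      '';
      # Undo exactly what extraCommands appended, so restarts do not stack duplicate rules
      extraStopCommands = ''
        iptables -t nat -D POSTROUTING -s ${containerIp} -o mullvad -j MASQUERADE 2>/dev/null || true
        iptables -t mangle -D PREROUTING -i mullvad -s 192.168.100.0/24 -j DROP 2>/dev/null || true
        iptables -t mangle -D PREROUTING -i mullvad -s 192.168.1.0/24 -j DROP 2>/dev/null || true
      '';
    };
  };
  # … unchanged: nginx vhost, tmpfiles rule, containers.torrent …
```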
@@ -8,6 +8,7 @@ let custom-hosts = with var.wg.ips; { "git.lan" = roam; "syncthing.roam.lan" = roam; + "qbt.lan" = roam; }; in rec {