Set up Transmission + Jellyfin

2024-11-22 17:33:01 +01:00 · 2024-11-22 17:33:01 +01:00 · 957a138ef6
parent 6318113c76
commit 957a138ef6
4 changed files with 232 additions and 0 deletions
--- a/common/fragments/bittorrent/default.nix
+++ b/common/fragments/bittorrent/default.nix
@ -0,0 +1,118 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [ ./netns.nix ];
+
+  system.fsPackages = with pkgs; [
+    gocryptfs
+    cifs-utils
+  ];
+  systemd.mounts = [
+    {
+      after = [ "network.target" ];
+      what = "//library.technogothic.net/backup";
+      where = "/mnt/library-raw";
+      type = "cifs";
+      options = "gid=users,file_mode=0664,dir_mode=0775";
+      mountConfig.EnvironmentFile = "/var/lib/secrets/hetzner-env";
+    }
+    {
+      what = "/mnt/library-raw";
+      where = "/mnt/library";
+      type = "fuse.gocryptfs";
+      options = "allow_other,passfile=/var/lib/secrets/gocryptfs-pass";
+      wantedBy = [ "multi-user.target" ];
+    }
+  ];
+
+  systemd.services."container@transmission" = {
+    bindsTo = [ "ve-transmission.service" ];
+    after = [
+      "ve-transmission.service"
+      "mnt-library.mount"
+    ];
+  };
+
+  containers.transmission = {
+    autoStart = true;
+
+    extraFlags = [ "--network-namespace-path=/run/netns/transmission" ];
+
+    bindMounts = {
+      "/var/lib/transmission" = {
+        hostPath = "/var/lib/transmission";
+        isReadOnly = false;
+      };
+      "/mnt/library" = {
+        hostPath = "/mnt/library";
+        isReadOnly = false;
+      };
+      "/etc/resolv.conf" = {
+        hostPath = toString (pkgs.writeText "resolv.conf" "nameserver 74.82.42.42");
+      };
+    };
+
+    config = {
+      services.transmission = {
+        enable = true;
+
+        package = pkgs.transmission_4;
+        webHome = pkgs.flood-for-transmission;
+
+        settings = {
+          rpc-bind-address = "::";
+          rpc-whitelist-enabled = false;
+          rpc-host-whitelist-enabled = false;
+
+          download-dir = "/mnt/library/Downloads";
+          incomplete-dir = "/mnt/library/.incomplete";
+          watch-dir = "/mnt/library/watchdir";
+        };
+        openRPCPort = true;
+        openPeerPorts = true;
+      };
+
+      users.users.transmission.extraGroups = [ "users" ];
+
+      # https://github.com/NixOS/nixpkgs/issues/258793
+      systemd.services.transmission.serviceConfig = {
+        RootDirectoryStartOnly = lib.mkForce (lib.mkForce false);
+        RootDirectory = lib.mkForce (lib.mkForce "");
+      };
+
+      system.stateVersion = config.system.stateVersion;
+    };
+  };
+
+  # Jellyfin
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+
+  # SMB Share
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    extraConfig = ''
+      server string = Watchtower
+      guest account = nobody
+      map to guest = bad user
+    '';
+    shares.Library = {
+      path = "/mnt/library";
+      browseable = "yes";
+      "read only" = "no";
+      "guest ok" = "yes";
+    };
+  };
+}
--- a/common/fragments/bittorrent/netns.nix
+++ b/common/fragments/bittorrent/netns.nix
@ -0,0 +1,96 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+# Collectivized from https://gist.github.com/c0deaddict/53aedbb69c8cbfebfec8f4428dc03102 ☭
+let
+  veth = "ve-transmission";
+  hostIp = "10.0.0.1/24";
+  guestIp = "10.0.0.2/24";
+in
+{
+  # https://mth.st/blog/nixos-wireguard-netns/
+  systemd.services."netns@" = {
+    description = "%I network namespace";
+    before = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      PrivateNetwork = true;
+      ExecStart = "${pkgs.writers.writeDash "netns-up" ''
+        ${pkgs.iproute}/bin/ip netns add $1
+        ${pkgs.utillinux}/bin/umount /var/run/netns/$1
+        ${pkgs.utillinux}/bin/mount --bind /proc/self/ns/net /var/run/netns/$1
+      ''} %I";
+      ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
+    };
+  };
+
+  systemd.services."wireguard-ccvpn-fr" = {
+    bindsTo = [ "netns@transmission.service" ];
+    after = [ "netns@transmission.service" ];
+  };
+
+  networking.wireguard.interfaces.ccvpn-fr = {
+    ips = [
+      "10.128.4.199/32"
+      "fd64:e20:68a3::4c7/128"
+    ];
+    privateKeyFile = "/var/lib/secrets/ccvpn-fr-key";
+    socketNamespace = "init";
+    interfaceNamespace = "transmission";
+    peers = [
+      {
+        publicKey = "QFbr19X11tqUZRerZgItb25FnBsNsd7NyJvAkWTRU1U=";
+        # Forward all traffic via VPN.
+        allowedIPs = [
+          "0.0.0.0/0"
+          "::/0"
+        ];
+        endpoint = "fr.204vpn.net:51820";
+        persistentKeepalive = 15;
+      }
+    ];
+  };
+
+  # https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking#veth
+  systemd.services.${veth} =
+    let
+      ns = "transmission";
+      ipHost = "${pkgs.iproute}/bin/ip";
+      ipGuest = "${ipHost} netns exec ${ns} ${pkgs.iproute}/bin/ip";
+    in
+    {
+      description = "Veth interface for download";
+      bindsTo = [ "netns@${ns}.service" ];
+      after = [ "netns@${ns}.service" ];
+      wantedBy = [ "network.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = pkgs.writers.writeDash "veth-up" ''
+          ${ipHost} link add ${veth} type veth peer name veth1 netns ${ns}
+          ${ipHost} addr add ${hostIp} dev ${veth}
+          ${ipHost} link set dev ${veth} up
+          ${ipGuest} addr add ${guestIp} dev veth1
+          ${ipGuest} link set dev veth1 up
+        '';
+        ExecStop = pkgs.writers.writeDash "veth-down" ''
+          ${ipHost} link del ${veth}
+        '';
+      };
+    };
+
+  networking.firewall.allowedTCPPorts = [ 9091 ];
+
+  services.nginx.enable = true;
+  # TODO: change when headscale updates
+  services.nginx.virtualHosts."watchtower.agatha.thorns.home.arpa" = {
+    locations."/transmission" = {
+      proxyPass = "http://10.0.0.2:9091/transmission";
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/flake.nix
+++ b/flake.nix
@ -228,6 +228,23 @@
            targetHost = "watchtower";

            tags = [ "prod" ];
+
+            keys = {
+              "hetzner-env" = {
+                keyCommand = [
+                  "cat"
+                  "./secrets/hetzner-env"
+                ];
+                destDir = "/var/lib/secrets/";
+              };
+              "gocryptfs-pass" = {
+                keyCommand = [
+                  "cat"
+                  "./secrets/gocryptfs-pass"
+                ];
+                destDir = "/var/lib/secrets/";
+              };
+            };
          };
        };

--- a/hosts/watchtower/configuration.nix
+++ b/hosts/watchtower/configuration.nix
@ -2,6 +2,7 @@
  imports = [
    ./hardware-configuration.nix
    ../../common/home_manager/common.nix
+    ../../common/fragments/bittorrent
    ../../common/fragments/home-assistant.nix
    ../../common/fragments/sponsorblock.nix
  ];