diff --git a/modules/nixos/services/aria/default.nix b/modules/nixos/services/aria/default.nix new file mode 100644 index 0000000..2d1b3e2 --- /dev/null +++ b/modules/nixos/services/aria/default.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.my.services.aria; +in +{ + options.my.services.aria = with lib; { + enable = mkEnableOption ""; + + rpcSecretFile = mkOption { + type = types.str; + example = "/run/secrets/aria-secret.txt"; + description = '' + File containing the RPC secret. + ''; + }; + + rpcPort = mkOption { + type = types.port; + default = 6800; + example = 8080; + description = "RPC port"; + }; + + downloadDir = mkOption { + type = types.str; + default = "/data/downloads"; + example = "/var/lib/transmission/download"; + description = "Download directory"; + }; + }; + + config = lib.mkIf cfg.enable { + services.aria2 = { + enable = true; + + inherit (cfg) downloadDir rpcSecretFile; + + rpcListenPort = cfg.rpcPort; + openPorts = false; # I don't want to expose the RPC port + }; + + # Expose DHT ports + networking.firewall = { + # FIXME: check for overlap? + allowedUDPPortRanges = config.services.aria2.listenPortRange; + }; + + # Set-up media group + users.groups.media = { }; + + systemd.services.aria2 = { + serviceConfig = { + Group = lib.mkForce "media"; # Use 'media' group + }; + }; + + my.services.nginx.virtualHosts = { + aria = { + root = "${pkgs.ariang}/share/ariang"; + # For paranoia, don't allow anybody to use the UI unauthenticated + sso = { + enable = true; + }; + }; + aria-rpc = { + port = cfg.rpcPort; + # Proxy websockets for RPC + extraConfig = { + locations."/".proxyWebsockets = true; + }; + }; + }; + + # NOTE: unfortunately aria2 does not log connection failures for fail2ban + }; +} diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index b27570d..3e2b3c8 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -3,6 +3,7 @@ { imports = [ ./adblock + ./aria ./backup ./blog ./calibre-web