hosts: nixos: porthos: secrets: add aria RPC token

nixos: services: add aria
nixos: services: nextcloud: fix renamed option
2024-01-30 14:03:36 +01:00 · 2024-01-30 14:03:36 +01:00 · 2024-01-30 13:27:55 +01:00 · 2024-01-30 13:27:55 +01:00 · 2024-01-30 13:27:55 +01:00
7 changed files with 106 additions and 17 deletions
--- a/flake.lock
+++ b/flake.lock
@ -73,11 +73,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704982712,
-        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "lastModified": 1706569497,
+        "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "rev": "60c614008eed1d0383d21daac177a3e036192ed8",
        "type": "github"
      },
      "original": {
@ -136,11 +136,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705879479,
-        "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=",
+        "lastModified": 1706473109,
+        "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913",
+        "rev": "d634c3abafa454551f2083b054cd95c3f287be61",
        "type": "github"
      },
      "original": {
@ -152,11 +152,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1705856552,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "lastModified": 1706371002,
+        "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006",
        "type": "github"
      },
      "original": {
@ -168,11 +168,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1705927265,
-        "narHash": "sha256-eUUIBb3qYMrQB0ONGEj2kzKN8yzqwDmR4+Ct5/dvJcs=",
+        "lastModified": 1706613454,
+        "narHash": "sha256-oekBAKlWhNgs4MCORSrZnswYTwD5h7HQkDDFf6INAZs=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "a29c6f71063d0ce903e927fa7885651c00abd33b",
+        "rev": "ce9c09fbd09d8cccb7353fe32bdfbd39ff3cb7be",
        "type": "github"
      },
      "original": {
@ -197,11 +197,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705757126,
-        "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
+        "lastModified": 1706424699,
+        "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
+        "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf",
        "type": "github"
      },
      "original": {
--- a/hosts/nixos/porthos/secrets/aria/rpc-token.age
+++ b/hosts/nixos/porthos/secrets/aria/rpc-token.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg fpiyZo1AR5hCfk/KtbgWCTzz+05/VOUnnaHhWgXQRwc
+d2w9IX/kq/T6OwQ1zImsCmzIX2yfFD8hQDbs0IW3ZIA
+-> ssh-ed25519 jPowng E9R7p9NCubUQrymjnrNfEjSNIIAXrBQLogNkWsOx8xc
+MrWEE5LNtOqAjnwA6byfSa1udnbUtqBy4FhdxipuA+g
+--- fKgerjgGs+brvNKnrWdpmOadl34LipMT6Msqse2g3E0
+Œ¡E9³ï¬‚KYRL-‡„°¡Ç·\E–ŸK{ÃÜ7âço»ïò²XÂGx<0E>ÍT’Î)Ëœôä<C3B4>6°%ˆLO€Tðÿ*‰™*8\£É@G
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@ -12,6 +12,8 @@ in
 {
  "acme/dns-key.age".publicKeys = all;

+  "aria/rpc-token.age".publicKeys = all;
+
  "backup/password.age".publicKeys = all;
  "backup/credentials.age".publicKeys = all;

--- a/modules/nixos/services/aria/default.nix
+++ b/modules/nixos/services/aria/default.nix
@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.services.aria;
+in
+{
+  options.my.services.aria = with lib; {
+    enable = mkEnableOption "";
+
+    rpcSecretFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/aria-secret.txt";
+      description = ''
+        File containing the RPC secret.
+      '';
+    };
+
+    rpcPort = mkOption {
+      type = types.port;
+      default = 6800;
+      example = 8080;
+      description = "RPC port";
+    };
+
+    downloadDir = mkOption {
+      type = types.str;
+      default = "/data/downloads";
+      example = "/var/lib/transmission/download";
+      description = "Download directory";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.aria2 = {
+      enable = true;
+
+      inherit (cfg) downloadDir rpcSecretFile;
+
+      rpcListenPort = cfg.rpcPort;
+      openPorts = false; # I don't want to expose the RPC port
+    };
+
+    # Expose DHT ports
+    networking.firewall = {
+      # FIXME: check for overlap?
+      allowedUDPPortRanges = config.services.aria2.listenPortRange;
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    systemd.services.aria2 = {
+      serviceConfig = {
+        Group = lib.mkForce "media"; # Use 'media' group
+      };
+    };
+
+    my.services.nginx.virtualHosts = {
+      aria = {
+        root = "${pkgs.ariang}/share/ariang";
+        # For paranoia, don't allow anybody to use the UI unauthenticated
+        sso = {
+          enable = true;
+        };
+      };
+      aria-rpc = {
+        port = cfg.rpcPort;
+        # Proxy websockets for RPC
+        extraConfig = {
+          locations."/".proxyWebsockets = true;
+        };
+      };
+    };
+
+    # NOTE: unfortunately aria2 does not log connection failures for fail2ban
+  };
+}
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -3,6 +3,7 @@
 {
  imports = [
    ./adblock
+    ./aria
    ./backup
    ./blog
    ./calibre-web
--- a/modules/nixos/services/nextcloud/default.nix
+++ b/modules/nixos/services/nextcloud/default.nix
@ -45,7 +45,7 @@ in

      https = true;

-      extraOptions = {
+      settings = {
        overwriteprotocol = "https"; # Nginx only allows SSL
      };

--- a/modules/nixos/services/paperless/default.nix
+++ b/modules/nixos/services/paperless/default.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  cfg = config.my.services.paperless;
 in
@ -80,6 +80,9 @@ in
          # Misc
          PAPERLESS_TIME_ZONE = config.time.timeZone;
          PAPERLESS_ADMIN_USER = cfg.username;
+
+          # Fix classifier hangs
+          LD_LIBRARY_PATH = "${lib.getLib pkgs.lapack-reference}/lib";
        };

      # Admin password
Author	SHA1	Message	Date
Bruno BELANYI	07fbdfd519	hosts: nixos: porthos: secrets: add aria RPC token All checks were successful ci/woodpecker/push/check Pipeline was successful Details	2024-01-30 14:03:36 +01:00
Bruno BELANYI	60ad815d48	nixos: services: add aria	2024-01-30 14:03:36 +01:00
Bruno BELANYI	0290dcdca7	nixos: services: nextcloud: fix renamed option	2024-01-30 13:27:55 +01:00
Bruno BELANYI	caa4cf6b12	flake: bump inputs	2024-01-30 13:27:55 +01:00
Bruno BELANYI	dec853d164	nixos: services: paperless: fix classifier hangs This is an experimental fix to try and get around an issue with the default BLAS/LAPACK implementation. See [1] for more details. [1]: https://github.com/NixOS/nixpkgs/issues/240591	2024-01-30 13:27:55 +01:00