From 3bacc817a2048cab500483efc3b7d43a4d7551d5 Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Mon, 19 May 2025 19:43:57 +1000
Subject: [PATCH] hosts/dandelion: re-init
---
flake.nix | 2 +
hosts/dandelion/default.nix | 32 +++++++++++
hosts/dandelion/filesystem.nix | 34 ++++++++++++
hosts/dandelion/kernel.nix | 14 +++++
hosts/dandelion/networking.nix | 3 +
hosts/dandelion/packages.nix | 14 +++++
hosts/dandelion/transmission-container.nix | 61 +++++++++++++++++++++
modules/system/transmission.nix | 7 ---
secrets.gcrypt/shared.json | Bin 0 -> 154 bytes
9 files changed, 160 insertions(+), 7 deletions(-)
create mode 100644 hosts/dandelion/default.nix
create mode 100644 hosts/dandelion/filesystem.nix
create mode 100644 hosts/dandelion/kernel.nix
create mode 100644 hosts/dandelion/networking.nix
create mode 100644 hosts/dandelion/packages.nix
create mode 100644 hosts/dandelion/transmission-container.nix
create mode 100644 secrets.gcrypt/shared.json
diff --git a/flake.nix b/flake.nix
index a65dbc4..207c094 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,11 +68,13 @@
specialArgs = {
inherit inputs;
modules = import ./modules { lib = nixpkgs.lib; };
+ gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
};
};
in {
nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
+ nixosConfigurations."dandelion" = mkSystem nixpkgs-vicuna "dandelion" "aarch64-linux" [];
nixosConfigurations."hazel" = mkSystem nixpkgs-vicuna "hazel" "x86_64-linux" [];
nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
new file mode 100644
index 0000000..5f13e44
--- /dev/null
+++ b/hosts/dandelion/default.nix
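Review bot: `builtins.readFile "${self}/secrets.gcrypt/shared.json"` reads the secrets file at evaluation time, and since `self` is the flake's source tree, which is copied into the world-readable Nix store before evaluation, a decrypted working-tree copy of that file lands in `/nix/store` on every machine that evaluates the flake; the parsed values then flow into `services.transmission.settings` in hosts/dandelion/transmission-container.nix (`rpc-username`/`rpc-password`), which the NixOS module serialises into a store path as well. The configuration already uses agenix for `acme_dns` in hosts/dandelion/default.nix, so the transmission credentials could be delivered the same way and passed to the service through `services.transmission.credentialsFile = "<path-to-decrypted-json, placeholder>";` rather than being inlined into the evaluation. The `mkSystem` definition that this `specialArgs` block belongs to starts before the hunk.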
@@ -0,0 +1,32 @@
+{ modules, modulesPath, ... }: {
+ networking.hostName = "dandelion";
+ system.stateVersion = "23.11";
+ time.timeZone = "Australia/Melbourne";
+
+ age.secrets = {
+ acme_dns.file = ../../secrets/acme_dns.age;
+ };
+
+ imports = with modules.system; [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ home-manager-stable
+
+ base
+ kernel
+ nix-stable
+ packages
+ security
+
+ modules.services.nginx
+ modules.services.postgres
+
+ ./filesystem.nix
+ ./kernel.nix
+ ./networking.nix
+ ./transmission-container.nix
+
+ ../../users/hana
+ ];
+
+ me.environment = "headless";
+}
diff --git a/hosts/dandelion/filesystem.nix b/hosts/dandelion/filesystem.nix
new file mode 100644
index 0000000..4dd6a55
--- /dev/null
+++ b/hosts/dandelion/filesystem.nix
@@ -0,0 +1,34 @@
+{ ... }:
+let
+ bind = src: {
+ depends = [ "/nix" ];
+ device = src;
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" ];
+ };
+
+ mkLabelMount = label: type: {
+ device = "/dev/disk/by-label/${label}";
+ fsType = type;
+ options = [ "defaults" "relatime" ];
+ };
+ mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+ options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+ };
+ submount = mkBtrfsMount "DANDELION";
+in {
+ fileSystems = {
+ "/" = {
+ device = "rootfs";
+ fsType = "tmpfs";
+ options = [ "defaults" "size=12G" "mode=755" ];
+ };
+ "/boot" = mkLabelMount "UEFI" "vfat";
+
+ "/nix" = submount "/@/nix" false;
+ "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+ "/persist/.snapshots" = submount "/snap/persist" false;
+ "/var/log/journal" = bind "/persist/journal";
+ };
+}
diff --git a/hosts/dandelion/kernel.nix b/hosts/dandelion/kernel.nix
new file mode 100644
index 0000000..17e8c13
--- /dev/null
+++ b/hosts/dandelion/kernel.nix
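Review bot: The `bind` helper in filesystem.nix hard-codes `depends = [ "/nix" ]`, but its only use binds `/persist/journal` onto `/var/log/journal`, whose source sits on the `/persist` filesystem; `fileSystems.<name>.depends` is the list of paths that must be mounted first, which for a bind mount is the source's filesystem, so as written the journal bind can be attempted before `/persist` is up. Changing it to `depends = [ "/persist" ];` (or letting `bind` take the parent mount as a second argument) states the real dependency, and since both entries are `neededForBoot` the ordering already matters in the initrd. A one-line comment on the `"/"` entry saying that the tmpfs root is deliberate and that state outside `/persist` is discarded on every boot would help the next reader.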
@@ -0,0 +1,14 @@
+{ ... }: {
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = true;
+ };
+ initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ initrd.kernelModules = [ "nvme" ];
+ kernel.sysctl = {
+ "kernel.core_pattern" = "|/bin/false";
+ "kernel.sysrq" = 1;
+ };
+ };
+}
diff --git a/hosts/dandelion/networking.nix b/hosts/dandelion/networking.nix
new file mode 100644
index 0000000..ee27faf
--- /dev/null
+++ b/hosts/dandelion/networking.nix
@@ -0,0 +1,3 @@
+{ ... }: {
+ networking.useDHCP = true;
+}
diff --git a/hosts/dandelion/packages.nix b/hosts/dandelion/packages.nix
new file mode 100644
index 0000000..2d4bd30
--- /dev/null
+++ b/hosts/dandelion/packages.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ git
+ htop
+ jq
+ neovim
+ rsync
+ sshfs
+ wget
+
+ kitty.terminfo
+ ];
+ environment.variables.EDITOR = "nvim";
+}
diff --git a/hosts/dandelion/transmission-container.nix b/hosts/dandelion/transmission-container.nix
new file mode 100644
index 0000000..93a6639
--- /dev/null
+++ b/hosts/dandelion/transmission-container.nix
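Review bot: `"kernel.sysrq" = 1` in kernel.nix enables every SysRq function, which as far as I recall is wider than the NixOS default that only permits the sync operation, and nothing in the file says why the full set is wanted on a headless host. If only a subset is needed, set the corresponding bitmask and say so, e.g. `"kernel.sysrq" = 16; # sync only`; otherwise keep the value and add a one-line why-comment next to it. The `core_pattern` line also deserves its intent spelled out, `# discard core dumps instead of writing them to disk`, so the two sysctls read as deliberate hardening rather than leftovers.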
@@ -0,0 +1,61 @@
+{ lib, modules, pkgs, gcSecrets, ... }: {
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = "enp0s6";
+ };
+
+ networking.firewall = {
+ extraCommands = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE
+ '';
+ extraStopCommands = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE || true
+ '';
+ };
+
+ services.nginx.virtualHosts."tr.dandelion.gw.lava.moe" = {
+ locations."/".proxyPass = "http://10.25.0.11:9091";
+ };
+
+ containers.transmission = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "10.25.0.10";
+ localAddress = "10.25.0.11";
+ bindMounts."vpn" = {
+ hostPath = "/persist/aus.conf";
+ mountPoint = "/vpn.conf";
+ isReadOnly = true;
+ };
+ bindMounts."transmission" = {
+ hostPath = "/persist/transmission";
+ mountPoint = "/persist/transmission";
+ isReadOnly = false;
+ };
+ config = {
+ system.stateVersion = "23.11";
+ networking.wg-quick.interfaces.wg0 = {
+ configFile = "/vpn.conf";
+ preUp = ''
+ # Try to access the DNS for up to 300s
+ for i in {1..60}; do
+ ${pkgs.iputils}/bin/ping -c1 'google.com' && break
+ echo "Attempt $i: DNS still not available"
+ sleep 5s
+ done
+ '';
+ };
+
+ networking.firewall.enable = false;
+ systemd.services.transmission.serviceConfig.BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
+ imports = [ modules.services.transmission ];
+ services.transmission.settings = {
+ rpc-host-whitelist-enabled = false;
+ rpc-whitelist = "10.100.0.*,10.0.0.*,10.25.0.*,192.168.100.*";
+ rpc-username = gcSecrets.transmission.username;
+ rpc-password = gcSecrets.transmission.password;
+ };
+ };
+ };
+}
diff --git a/modules/system/transmission.nix b/modules/system/transmission.nix
index 202b5ae..7540d68 100644
--- a/modules/system/transmission.nix
+++ b/modules/system/transmission.nix
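Review bot: The `rpc-whitelist` entry includes `10.25.0.*`, and the nginx vhost `tr.dandelion.gw.lava.moe` proxies every external client into the container from the host side of that pair (`hostAddress = "10.25.0.10"`), so the whitelist is satisfied for all proxied traffic and the username/password become the only access control, while `rpc-host-whitelist-enabled = false` also drops the Host-header check. The vhost block only sets `proxyPass`; unless `modules.services.nginx` enables TLS globally, those credentials cross the network in the clear, and `forceSSL = true; enableACME = true;` on this vhost would close that using the `acme_dns` secret already provisioned in default.nix. The `lib.mkForce [ builtins.storeDir "/etc" ]` on `BindReadOnlyPaths` replaces the upstream unit's sandbox path list without explanation; please add a comment recording which default paths are missing inside the container and why this reduced list is sufficient.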
@@ -5,13 +5,6 @@
downloadDirPermissions = "775";
openFirewall = true;
settings = {
- alt-speed-down = 512;
- alt-speed-enabled = true;
- alt-speed-time-begin = 360;
- alt-speed-time-day = 127;
- alt-speed-time-enabled = true;
- alt-speed-time-end = 1380;
- alt-speed-up = 256;
download-dir = "/persist/transmission/Downloads";
incomplete-dir = "/persist/transmission/.incomplete";
ratio-limit-enabled = true;
diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json
new file mode 100644
index 0000000000000000000000000000000000000000..f3f2e36d2778be04f048a6e5eb65f207471e1a6c
GIT binary patch
literal 154
zcmZQ@_Y83kiVO&0h`aFN$gR^?B;?)n_{^gBo_VjOdx}YuSGm+I;+|RNZ^^j~+n;3a
zNttjZJXrJ7sWbPaLT9fla9kff^}<@+FMs`vJVNTP)-BlEWpQ?i-G&=HyAIk#r`7aM
zUiB$|%J2KXUe5F~4C35-)%xrG`i