hosts/dandelion: re-init

flake.nix

@@ -68,11 +68,13 @@
           specialArgs = {
             inherit inputs;
             modules = import ./modules { lib = nixpkgs.lib; };
+            gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
           };
         };
     in
     {
       nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
+      nixosConfigurations."dandelion" = mkSystem nixpkgs-vicuna "dandelion" "aarch64-linux" [];
       nixosConfigurations."hazel" = mkSystem nixpkgs-vicuna "hazel" "x86_64-linux" [];
       nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
 

hosts/dandelion/default.nix

@@ -0,0 +1,32 @@
+{ modules, modulesPath, ... }: {
+  networking.hostName = "dandelion";
+  system.stateVersion = "23.11";
+  time.timeZone = "Australia/Melbourne";
+
+  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
+  };
+
+  imports = with modules.system; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    home-manager-stable
+
+    base
+    kernel
+    nix-stable
+    packages
+    security
+
+    modules.services.nginx
+    modules.services.postgres
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./transmission-container.nix
+
+    ../../users/hana
+  ];
+
+  me.environment = "headless";
+}

hosts/dandelion/filesystem.nix

@@ -0,0 +1,34 @@
+{ ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+
+  mkLabelMount = label: type: {
+    device = "/dev/disk/by-label/${label}";
+    fsType = type;
+    options = [ "defaults" "relatime" ];
+  };
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+  };
+  submount = mkBtrfsMount "DANDELION";
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=12G" "mode=755" ];
+    };
+    "/boot" = mkLabelMount "UEFI" "vfat";
+
+    "/nix" = submount "/@/nix" false;
+    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+    "/persist/.snapshots" = submount "/snap/persist" false;
+    "/var/log/journal" = bind "/persist/journal";
+  };
+}

hosts/dandelion/kernel.nix

@@ -0,0 +1,14 @@
+{ ... }: {
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+    initrd.kernelModules = [ "nvme" ];
+    kernel.sysctl = {
+      "kernel.core_pattern" = "|/bin/false";
+      "kernel.sysrq" = 1;
+    };
+  };
+}

hosts/dandelion/networking.nix

@@ -0,0 +1,3 @@
+{ ... }: {
+  networking.useDHCP = true;
+}

hosts/dandelion/packages.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+
+    kitty.terminfo
+  ];
+  environment.variables.EDITOR = "nvim";
+}

hosts/dandelion/transmission-container.nix

@@ -0,0 +1,61 @@
+{ lib, modules, pkgs, gcSecrets, ... }: {
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-+" ];
+    externalInterface = "enp0s6";
+  };
+
+  networking.firewall = {
+    extraCommands = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE
+    '';
+    extraStopCommands = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE || true
+    '';
+  };
+
+  services.nginx.virtualHosts."tr.dandelion.gw.lava.moe" = {
+    locations."/".proxyPass = "http://10.25.0.11:9091";
+  };
+
+  containers.transmission = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "10.25.0.10";
+    localAddress = "10.25.0.11";
+    bindMounts."vpn" = {
+      hostPath = "/persist/aus.conf";
+      mountPoint = "/vpn.conf";
+      isReadOnly = true;
+    };
+    bindMounts."transmission" = {
+      hostPath = "/persist/transmission";
+      mountPoint = "/persist/transmission";
+      isReadOnly = false;
+    };
+    config = {
+      system.stateVersion = "23.11";
+      networking.wg-quick.interfaces.wg0 = {
+        configFile = "/vpn.conf";
+        preUp = ''
+          # Try to access the DNS for up to 300s
+          for i in {1..60}; do
+            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
+            echo "Attempt $i: DNS still not available"
+            sleep 5s
+          done
+        '';
+      };
+
+      networking.firewall.enable = false;
+      systemd.services.transmission.serviceConfig.BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
+      imports = [ modules.services.transmission ];
+      services.transmission.settings = {
+        rpc-host-whitelist-enabled = false;
+        rpc-whitelist = "10.100.0.*,10.0.0.*,10.25.0.*,192.168.100.*";
+        rpc-username = gcSecrets.transmission.username;
+        rpc-password = gcSecrets.transmission.password;
+      };
+    };
+  };
+}

modules/system/transmission.nix

@@ -5,13 +5,6 @@
     downloadDirPermissions = "775";
     openFirewall = true;
     settings = {
-      alt-speed-down = 512;
-      alt-speed-enabled = true;
-      alt-speed-time-begin = 360;
-      alt-speed-time-day = 127;
-      alt-speed-time-enabled = true;
-      alt-speed-time-end = 1380;
-      alt-speed-up = 256;
       download-dir = "/persist/transmission/Downloads";
       incomplete-dir = "/persist/transmission/.incomplete";
       ratio-limit-enabled = true;