Diffstat (limited to '')
-rw-r--r--hosts/arrakis/default.nix134
1 files changed, 108 insertions, 26 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index 1e9641f..6461c94 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -207,34 +207,116 @@
system.stateVersion = "23.11";
- systemd.services."nftables-extra" = {
- description = "nftables extra firewall rules";
- script = ''
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
- ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- serviceConfig = {
- RemainAfterExit = true;
- Type = "oneshot";
+ systemd.services = {
+ "nftables-extra" = {
+ description = "nftables extra firewall rules";
+ script = ''
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
};
- unitConfig = {
- ConditionPathExists = [
- config.sops.secrets."nftables/ssh".path
- ];
+ "lidarr" = {
+ after = [ "network.target" ];
+ description = "Lidarr Daemon";
+ serviceConfig = {
+ User = "nipsy";
+ Group = "nipsy";
+ Restart = "always";
+ RestartSec= 5;
+ Type = "simple";
+ ExecStart = "/home/nipsy/Lidarr/Lidarr -nobrowser";
+ TimeoutStopSec = 20;
+ PIDFile = "/home/nipsy/.config/Lidarr/lidarr.pid";
+ NetworkNamespacePath = "/run/netns/vpn";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ "prowlarr" = {
+ after = [ "network.target" ];
+ description = "Prowlarr Daemon";
+ serviceConfig = {
+ User = "nipsy";
+ Group = "nipsy";
+ Restart = "always";
+ RestartSec= 5;
+ Type = "simple";
+ ExecStart = "/home/nipsy/Prowlarr/Prowlarr -nobrowser";
+ TimeoutStopSec = 20;
+ PIDFile = "/home/nipsy/.config/Prowlarr/prowlarr.pid";
+ NetworkNamespacePath = "/run/netns/vpn";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ "radarr" = {
+ after = [ "network.target" ];
+ description = "Radarr Daemon";
+ serviceConfig = {
+ User = "nipsy";
+ Group = "nipsy";
+ Restart = "always";
+ RestartSec= 5;
+ Type = "simple";
+ ExecStart = "/home/nipsy/Radarr/Radarr -nobrowser";
+ TimeoutStopSec = 20;
+ PIDFile = "/home/nipsy/.config/Radarr/radarr.pid";
+ NetworkNamespacePath = "/run/netns/vpn";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ "readarr" = {
+ after = [ "network.target" ];
+ description = "Readarr Daemon";
+ serviceConfig = {
+ User = "nipsy";
+ Group = "nipsy";
+ Restart = "always";
+ RestartSec= 5;
+ Type = "simple";
+ ExecStart = "/home/nipsy/Readarr/Readarr -nobrowser";
+ TimeoutStopSec = 20;
+ PIDFile = "/home/nipsy/.config/Readarr/readarr.pid";
+ NetworkNamespacePath = "/run/netns/vpn";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ "sonarr" = {
+ after = [ "network.target" ];
+ description = "Sonarr Daemon";
+ serviceConfig = {
+ User = "nipsy";
+ Group = "nipsy";
+ Restart = "always";
+ RestartSec= 5;
+ Type = "simple";
+ ExecStart = "/home/nipsy/Sonarr/Sonarr -nobrowser";
+ TimeoutStopSec = 20;
+ PIDFile = "/home/nipsy/.config/Sonarr/sonarr.pid";
+ NetworkNamespacePath = "/run/netns/vpn";
+ };
+ wantedBy = [ "multi-user.target" ];
};
- wantedBy = [ "multi-user.target" ];
- after = [ "nftables.service" ];
- partOf = [ "nftables.service" ];
};
systemd.paths."nftables-extra" = {
pathConfig = {