From b8ea365ca8eb801f8c8442f2f9ab439343ed8b8f Mon Sep 17 00:00:00 2001 From: azahi Date: Tue, 14 Jan 2025 13:27:50 +0300 Subject: 2025-01-14 --- modules/beets.nix | 1 + modules/common/nix.nix | 6 +-- modules/common/systemd.nix | 9 ---- modules/piracy/default.nix | 26 ++++++--- modules/wireguard-ng.nix | 24 --------- modules/wireguard.nix | 130 ++++++++++++++++++++++----------------------- 6 files changed, 89 insertions(+), 107 deletions(-) (limited to 'modules') diff --git a/modules/beets.nix b/modules/beets.nix index c25ad53..3141e4d 100644 --- a/modules/beets.nix +++ b/modules/beets.nix @@ -78,6 +78,7 @@ in "AU" "NZ" "US" + "XW" ]; original_year = true; }; diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 2054185..0ce2ae4 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -80,10 +80,10 @@ in trusted-users = [ my.username ]; substituters = [ - "https://cache.garnix.io" - "https://cache.tvl.su" "https://nix-community.cachix.org" - "https://numtide.cachix.org" + # "https://cache.garnix.io" + # "https://cache.tvl.su" + # "https://numtide.cachix.org" ]; trusted-public-keys = [ "cache.tvl.su:kjc6KOMupXc1vHVufJUoDUYeLzbwSr9abcAKdn/U1Jk=" diff --git a/modules/common/systemd.nix b/modules/common/systemd.nix index 996096e..f832518 100644 --- a/modules/common/systemd.nix +++ b/modules/common/systemd.nix @@ -1,6 +1,5 @@ { config, - lib, ... }: { @@ -36,16 +35,8 @@ user = { inherit extraConfig; }; - - suppressedSystemUnits = lib.optionals config.nixfiles.modules.ark.enable [ - "systemd-machine-id-commit.service" - ]; }; - boot.initrd.systemd.suppressedUnits = lib.optionals config.nixfiles.modules.ark.enable [ - "systemd-machine-id-commit.service" - ]; - environment.variables = { SYSTEMD_PAGERSECURE = "1"; SYSTEMD_PAGER = "less"; diff --git a/modules/piracy/default.nix b/modules/piracy/default.nix index be957f0..7682356 100644 --- a/modules/piracy/default.nix +++ b/modules/piracy/default.nix 
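Review bot: In the modules/common/nix.nix hunk, `trusted-public-keys` still lists `cache.tvl.su:kjc6KOMupXc1vHVufJUoDUYeLzbwSr9abcAKdn/U1Jk=` although its substituter is now commented out; `trusted-public-keys` applies to every substituter, so the key keeps authorising any store path signed with it should that cache, or another one serving paths with that signature, be re-added later by a trusted user. Comment out the matching keys alongside the substituters (the garnix and numtide keys are presumably further down, outside this hunk), or add a one-line comment stating why they are intentionally retained, e.g. `# Keys kept so paths already fetched from these caches remain valid.`. The rest of the `nix.settings` attribute set starts and ends outside the hunk.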
@@ -58,6 +58,9 @@ in rpcSocket = socket; configText = with config.services.rtorrent; + let + pow = x: y: lib.pow x y |> toString; + in lib.mkForce '' directory.default.set = ${files} session.path.set = ${dataDir}/session @@ -72,23 +75,33 @@ in protocol.encryption.set = allow_incoming,try_outgoing,enable_retry - pieces.memory.max.set = ${toString (lib.pow 2 11)}M + pieces.memory.max.set = ${pow 2 11}M pieces.preload.type.set = 2 - network.max_open_files.set = ${toString (lib.pow 2 13)} - network.max_open_sockets.set = ${toString (lib.pow 2 13)} + network.max_open_files.set = ${pow 2 16} + network.max_open_sockets.set = ${pow 2 15} - network.http.max_open.set = ${toString (lib.pow 2 10)} + network.http.max_open.set = ${pow 2 10} + # https://github.com/rakshasa/rtorrent/wiki/Performance-Tuning#peers-and-slots + throttle.max_downloads.global.set = 10 + throttle.max_uploads.global.set = 1000 + throttle.min_peers.seed.set = 99 + throttle.max_peers.seed.set = 100 throttle.global_down.max_rate.set_kb = 0 - throttle.global_up.max_rate.set_kb = 0 + throttle.global_up.max_rate.set_kb = 0 + + pieces.preload.type.set = 2 network.scgi.open_local = ${socket} - network.xmlrpc.size_limit.set = ${toString (lib.pow 2 17)} + network.xmlrpc.size_limit.set = ${pow 2 17} encoding.add = utf8 system.umask.set = 0007 + # https://github.com/rakshasa/rtorrent/wiki/Performance-Tuning#session-save + schedule2 = session_save, 1200, 43200, ((session.save)) + log.open_file = "log", "/var/log/rtorrent/log" log.add_output = "info", "log" ''; @@ -106,6 +119,7 @@ in RuntimeDirectory = "rtorrent"; LogsDirectory = "rtorrent"; ReadWritePaths = [ files ]; + LimitNOFILE = lib.pow 2 17; }; after = [ "rtorrent.socket" ]; requires = [ "rtorrent.socket" ]; diff --git a/modules/wireguard-ng.nix b/modules/wireguard-ng.nix index 5374a71..1d291c9 100644 --- a/modules/wireguard-ng.nix +++ b/modules/wireguard-ng.nix 
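Review bot: The added `pieces.preload.type.set = 2` after `throttle.global_up.max_rate.set_kb = 0` duplicates the same directive that already sits a few lines above (between `pieces.memory.max.set` and `network.max_open_files.set`); drop the second occurrence. The new `pow` helper and the `|>` pipes need the `pipe-operators` experimental feature on whatever evaluates this module, and nothing in this commit shows it being enabled (the nix.nix hunk does not touch experimental-features), so confirm it is set elsewhere. The new `LimitNOFILE = lib.pow 2 17;` presumably exists to leave headroom above the raised `network.max_open_files` (2^16) and `network.max_open_sockets` (2^15); a comment on that line stating the relationship, e.g. `# Headroom above network.max_open_files + network.max_open_sockets in configText.`, would keep the three values from drifting apart.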
@@ -128,13 +128,6 @@ in "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; networking.firewall.trustedInterfaces = [ cfg.interface ]; - - topology = with cfg; { - nodes.${this.hostname}.interfaces.${interface} = { - network = interface; - icon = "interfaces.wireguard"; - }; - }; }) (mkIf cfg.client.enable { networking.wg-quick.interfaces.${cfg.interface} = mkMerge [ @@ -233,23 +226,6 @@ in withRemoteIp = true; port = 9586; }; - - topology = with cfg; { - networks = { - ${interface} = { - name = interface; - cidrv4 = ipv4.subnet; - cidrv6 = ipv6.subnet; - icon = "interfaces.wireguard"; - }; - }; - - nodes.${this.hostname}.interfaces.${interface}.physicalConnections = - mapAttrsToList (name: _: config.lib.topology.mkConnection name interface) - ( - filterAttrs (n: v: !v.isOther && n != this.hostname && hasAttr "wireguard-ng" v) my.configurations - ); - }; }) ]; } diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 633ec5b..92497e1 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -6,17 +6,16 @@ this, ... }: -with lib; let cfg = config.nixfiles.modules.wireguard; - DNSSetup = optionalString config.services.resolved.enable ( + DNSSetup = lib.optionalString config.services.resolved.enable ( let resolvectl = "${config.systemd.package}/bin/resolvectl"; in '' ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address} - ${resolvectl} domain ${cfg.interface} local ${my.domain.shire} + ${resolvectl} domain ${cfg.interface} local ${lib.my.domain.shire} ${resolvectl} dnssec ${cfg.interface} no ${resolvectl} dnsovertls ${cfg.interface} no '' 
@@ -46,83 +45,81 @@ in options.nixfiles.modules.wireguard = { client = { - enable = mkEnableOption "WireGuard client"; + enable = lib.mkEnableOption "WireGuard client"; - enableTrafficRouting = mkOption { + enableTrafficRouting = lib.mkOption { description = "Whether to enable traffic routing through the sever."; - type = with types; bool; + type = lib.types.bool; default = !this.isHeadless; }; }; server = { - enable = mkEnableOption "WireGuard server"; + enable = lib.mkEnableOption "WireGuard server"; - ipv4.address = mkOption { + ipv4.address = lib.mkOption { description = "IPv4 address to bind to."; - type = with types; str; - default = my.configurations.manwe.wireguard.ipv4.address; + type = lib.types.str; + default = lib.my.configurations.manwe.wireguard.ipv4.address; }; - ipv6.address = mkOption { + ipv6.address = lib.mkOption { description = "IPv4 address to bind to."; - type = with types; str; - default = my.configurations.manwe.wireguard.ipv6.address; + type = lib.types.str; + default = lib.my.configurations.manwe.wireguard.ipv6.address; }; - address = mkOption { + address = lib.mkOption { description = "Endpoint address to use"; - type = with types; str; - default = my.configurations.manwe.ipv4.address; + type = lib.types.str; + default = lib.my.configurations.manwe.ipv4.address; }; - port = mkOption { + port = lib.mkOption { description = "Endpoint port to use."; - type = with types; int; + type = lib.types.int; default = 6969; }; - publicKey = mkOption { + publicKey = lib.mkOption { description = "Server's public key."; - type = with types; str; - default = my.configurations.manwe.wireguard.publicKey; + type = lib.types.str; + default = lib.my.configurations.manwe.wireguard.publicKey; }; - peers = mkOption { + peers = lib.mkOption { description = "List of peers."; - type = with types; listOf attrs; + type = with lib.types; listOf attrs; default = - mapAttrsToList - ( - _: attr: with attr; { - inherit (wireguard) publicKey; - allowedIPs = with wireguard; 
[ - "${ipv6.address}/128" - "${ipv4.address}/32" - ]; - } - ) - ( - filterAttrs (_: attr: attr.hostname != this.hostname && hasAttr "wireguard" attr) my.configurations - ); + lib.my.configurations + |> lib.filterAttrs (_: v: v.hostname != this.hostname && lib.hasAttr "wireguard" v) + |> lib.mapAttrsToList ( + _: v: { + inherit (v.wireguard) publicKey; + allowedIPs = with v.wireguard; [ + "${ipv6.address}/128" + "${ipv4.address}/32" + ]; + } + ); }; }; - interface = mkOption { + interface = lib.mkOption { description = "Name of the interface to use WireGuard with."; - type = with types; str; + type = lib.types.str; default = "wg69"; }; - ipv4.subnet = mkOption { + ipv4.subnet = lib.mkOption { description = "CIDR notation for the IPv4 subnet to use over WireGuard."; - type = with types; str; + type = lib.types.str; default = "10.69.0.0/16"; }; - ipv6.subnet = mkOption { + ipv6.subnet = lib.mkOption { description = "CIDR notation for the IPv6 subnet to use over WireGuard."; - type = with types; str; + type = lib.types.str; default = "fd69::/16"; }; }; 
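Review bot: `ipv6.address` still describes itself as "IPv4 address to bind to." (the context line right after `ipv6.address = lib.mkOption {`), and `enableTrafficRouting` says "through the sever"; since this hunk rewrites every line around them, fix them to `description = "IPv6 address to bind to.";` and `description = "Whether to enable traffic routing through the server.";`. The rewritten `peers` default filters only on `v.hostname != this.hostname && lib.hasAttr "wireguard" v`, whereas the server topology filter later in this file additionally excludes `v.isOther`; if peers are meant to include those hosts a short comment above the `default =` line would make the asymmetry deliberate. The `|>` pipes here also rely on the `pipe-operators` experimental feature, which this commit does not show being enabled. The `options.nixfiles.modules.wireguard` set starts outside this hunk.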
@@ -135,27 +132,27 @@ in message = "Sudo is not enabled."; } { - assertion = any (x: x == "wheel") config.my.extraGroups; + assertion = lib.any (x: x == "wheel") config.my.extraGroups; message = ''User is not in the "wheel" group.''; } ]; } - // mkMerge [ - (mkIf (cfg.client.enable || cfg.server.enable) { + // lib.mkMerge [ + (lib.mkIf (cfg.client.enable || cfg.server.enable) { secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; networking.firewall.trustedInterfaces = [ cfg.interface ]; - topology = with cfg; { - nodes.${this.hostname}.interfaces.${interface} = { - network = interface; + topology = { + nodes.${this.hostname}.interfaces.${cfg.interface} = { + network = cfg.interface; icon = "interfaces.wireguard"; }; }; }) - (mkIf cfg.client.enable { - networking.wg-quick.interfaces.${cfg.interface} = mkMerge [ + (lib.mkIf cfg.client.enable { + networking.wg-quick.interfaces.${cfg.interface} = lib.mkMerge [ (with this.wireguard; { type = "amneziawg"; privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; @@ -169,7 +166,7 @@ in peers = [ { inherit publicKey; - endpoint = "${address}:${toString port}"; + endpoint = "${address}:${port |> toString}"; allowedIPs = if cfg.client.enableTrafficRouting then [ @@ -217,7 +214,7 @@ in }) ]; }) - (mkIf cfg.server.enable { + (lib.mkIf cfg.server.enable { networking = { wireguard = { enable = true; @@ -239,7 +236,7 @@ in enable = true; enableIPv6 = true; - externalInterface = mkDefault "eth0"; + externalInterface = lib.mkDefault "eth0"; internalInterfaces = [ cfg.interface ]; internalIPs = [ cfg.ipv4.subnet ]; 
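Review bot: `lib.any (x: x == "wheel") config.my.extraGroups` in the assertion is the long form of a membership test; `assertion = lib.elem "wheel" config.my.extraGroups;` states the intent directly. Likewise the client peer endpoint `"${address}:${port |> toString}"` reads less naturally than `endpoint = "${address}:${toString port}";` and pulls the `pipe-operators` experimental feature into a string interpolation for no gain. The enclosing `config = { … } // lib.mkMerge [ … ]` expression starts and ends outside these hunks.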
@@ -251,24 +248,27 @@ in services.prometheus.exporters.wireguard = { enable = false; # TODO Doesn't work with amneziawg-tools. - listenAddress = mkDefault this.wireguard.ipv4.address; + listenAddress = lib.mkDefault this.wireguard.ipv4.address; withRemoteIp = true; port = 9586; }; - topology = with cfg; { - networks = { - ${interface} = { - name = interface; - cidrv4 = ipv4.subnet; - cidrv6 = ipv6.subnet; - icon = "interfaces.wireguard"; - }; + topology = { + networks.${cfg.interface} = { + name = cfg.interface; + cidrv4 = cfg.ipv4.subnet; + cidrv6 = cfg.ipv6.subnet; + icon = "interfaces.wireguard"; + style.pattern = "dotted"; }; - nodes.${this.hostname}.interfaces.${interface}.physicalConnections = mapAttrsToList ( - name: _: config.lib.topology.mkConnection name interface - ) (filterAttrs (n: v: !v.isOther && n != this.hostname && hasAttr "wireguard" v) my.configurations); + nodes.${this.hostname}.interfaces.${cfg.interface} = { + network = cfg.interface; + physicalConnections = + lib.my.configurations + |> lib.filterAttrs (n: v: !v.isOther && n != this.hostname && lib.hasAttr "wireguard" v) + |> lib.mapAttrsToList (n: _: config.lib.topology.mkConnection n cfg.interface); + }; }; }) ]; -- cgit 1.4.1
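Review bot: `network = cfg.interface;` under `nodes.${this.hostname}.interfaces.${cfg.interface}` is already defined by the `lib.mkIf (cfg.client.enable || cfg.server.enable)` block earlier in the file, which also applies when the server is enabled, so the server block now defines the same option a second time. Whether that evaluates cleanly depends on the topology option's merge behaviour (equal string definitions typically merge, other types raise a conflicting-definitions error), so drop the line here and rely on the shared block, or add `# Also set in the shared client/server block above.` if a second definition is intended. The `lib.mkIf cfg.server.enable` block starts outside this hunk.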