rasmus-kirk / nixarr Goto Github PK

Would be nice to support a few DDNS sites

• Njalla

The import of Maroka's VPN submodule broke the documentation, since nixarr/default.nix is now a function, not a module

systemd-tmpfiles is busting my balls, need to do some testing/research to figure out what to do.

I have updated the documentation describing the issue.

Tempoary fix: Don't set mediaDir and stateDir to home! If in doubt, just don't set them at all, that works perfectly fine ATM

So far, DNS seems safe, the vpn-test-service seems to work, but it would be nice to have the firewall catch and block requests to unsafe DNS servers (any ips not set in the wg.conf).

Any fix should be upstream: Maroka-chan/VPN-Confinement#4

Using buildarr would allow setup services to integrate with each other upon
activation with no user input, definitely nice.

Doesn't have support for all the *Arrs, not even the upcoming SonarrV4, and it hasn't been updated for some months.

Needs to be added to nixpkgs, not too hard, but is not worth it if the
project is abandoned.

• Package with nix
• Add to nixpkgs

In the ideal case, buildarr would run only once after initial build to
avoid overwriting user configuration. Otherwise overwriting should be okay,
as the buildarr configuration is designed to be lean. I would possibly also
like to expose the buildarr configuration using extraSettings, but the
setup is the main desired feature here.

• Sonarr
  • Setup media directory
  • Add Transmission
  • Set hard linking
• Readarr
  • Setup media directory
  • Add Transmission
  • Set hard linking
• Lidarr
  • Setup media directory
  • Add Transmission
  • Set hard linking
• Readarr
  • Setup media directory
  • Add Transmission
  • Set hard linking
• Prowlarr
  • Setup integration with enabled "*Arrs"
  • Set hard linking

Shouldn't be hard to fix, just haven't had the time to look at this yet. Just start the wg.service and restart VPN-proxied services, for the moment.

Will allow users to host services (jellyfin only atm, the others are sketchy to expose at all). Something like jellyfin.vpn.exposeWebOnPort with type port

Prevent DNS leaks without using containerization, as is currently done. No
idea how this could be done, but would simplify things a lot.

The VPN submodule is very messy. Clean it up.

Currently, there is very little error handling on "obvious" invalid configurations. For example if nixarr.vpn.enable is set and nixarr.vpn.wgConf is unset, a clear error message should be shown to the user.

Is your feature request related to a problem? Please describe.
Certain VPNs, in my case Private Internet Access, randomly choose the port forwarded everytime you connect. It would be cool if there was some way to automatically configure a service (at least transmission) and open the port in the firewall to use this port upon connection.

Describe the solution you'd like
I doubt the port could be written into the configuration file at runtime. I am not sure if transmission provides a method of changing the port while it is running (with the rest of the configuration file being untouched).

Describe alternatives you've considered
None

Additional context
Private internet access provides custom scripts which set up wg-quick configs. You must leave the script running to keep the forwarded port active. See here: https://github.com/pia-foss/manual-connections

There is no firewall for the services running in the VPN-namespace. I would expect something where all ports are blocked, except those where it is explicitly opened.

Is your feature request related to a problem? Please describe.
I would like to use this single solution to manage my media server, but since I am not a torrent but a usenet user, I need to configure additional packages within nix.

Describe the solution you'd like
Since the transmission module is already part of this module, an option for usenet users would be appreciated. I'm not opinionated on any particular downloader, but there are options like sabnzbd or nzbget

Describe alternatives you've considered

Additional context

It would be nice to add a wiki to the site that answers most questions of new users. This is postponed until there are enough early users, so that I can grasp what people struggle with.

Some ideas:

• Secrets management
• Setup domains/DDNS
• Exposing services
• Setup on network without access to port forwarding Example 2 is good enough
• Get the wg.conf file from VPN provider Nah
• Setting up the *Arrs to communicate together after installation (referring to the servarr wiki instead)

The Transmission submodule doesn't have an RPC-whitelist enabled by default, as this breaks ssh-tunneling for some reason. This is considered a bug, as I would really like for both to work.

If you don't use SSH-tunneling, and you want the extra security, a tempoary workaround is to set nixarr.transmission.extraSettings to:

nixarr.transmission.extraSettings = {
  rpc-whitelist-enabled = false;
  rpc-whitelist = "192.168.15.1,127.0.0.1,192.168.1.*,192.168.0.*";

Replace with your allowed IP's. The 192.168.15.1 IP is the VPN-namespace.

The state of all services must be handled in a simple centralized location. This already works for most usecases.

• Jellyfin: Works
• Prowlarr: Works
• Sonarr: Works
• Radarr: Works
• Lidarr: Works
• Readarr: Works
• Transmission: Works for VPN, get weird bug, if
  services.transmission.dataDir is set. Fixed in b2ff3bb

If I build with the wgConf set and without the --impure flag for nixos-rebuild I get the following error:

error: access to absolute path '/run/agenix/airvpn-wg' is forbidden in pure eval mode (use '--impure' to override)

Hard to do without fixing #1

A common usecase is to allow SSH access to the server from remote locations, an easy way to do this, if you're already running a VPN anyways is to simply run the sshd service through the VPN and port forward through your VPN provider. Something like:

nixarr.sshd.vpn.enable = true;

Is your feature request related to a problem? Please describe.

Not a problem, but a convenience.

Describe the solution you'd like

nixarr.jellyseerr.enable = true;
# other networking options

Describe alternatives you've considered

Overseerr, but it's not as well integrated with Jellyfin.

Additional context

It's a popular addition to Jellyfin.

Create support for the cross-seed service.

• Package with nix
• Create nix service daemon
• Testing
• Add to nixpkgs