jackett/transmission/slskd: validate public IP address before starting

2024-04-18 20:01:19 +00:00
parent c668a895d4
commit f59f13588f
3 changed files with 14 additions and 10 deletions
--- a/hosts/by-name/servo/services/jackett.nix
+++ b/hosts/by-name/servo/services/jackett.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, pkgs, ... }:

 {
  sane.persist.sys.byStore.plaintext = [
@@ -12,6 +12,8 @@
  systemd.services.jackett.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+
    # patch jackett to listen on the public interfaces
    # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
  };
--- a/hosts/by-name/servo/services/slskd.nix
+++ b/hosts/by-name/servo/services/slskd.nix
@@ -7,9 +7,9 @@
 # debugging:
 # - soulseek is just *flaky*. if you see e.g. DNS errors, even though you can't replicate them via `dig` or `getent ahostsv4`, just give it 10 minutes to work out:
 #   - "Soulseek.AddressException: Failed to resolve address 'vps.slsknet.org': Resource temporarily unavailable"
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:

-# TODO: disabled until i can ensure sandboxing (i.e. use `sane-ip-check` in pre-start)
+# TODO: re-enable once i'm satisfied this isn't escaping the net sandbox
 lib.mkIf false
 {
  sane.persist.sys.byStore.plaintext = [
@@ -71,12 +71,12 @@ lib.mkIf false
    # flags.volatile = true;  # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
  };

-  systemd.services.slskd = {
-    serviceConfig = {
-      # run this behind the OVPN static VPN
-      NetworkNamespacePath = "/run/netns/ovpns";
-      Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
-      RestartSec = "60s";
-    };
+  systemd.services.slskd.serviceConfig = {
+    # run this behind the OVPN static VPN
+    NetworkNamespacePath = "/run/netns/ovpns";
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+
+    Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
+    RestartSec = "60s";
  };
 }
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
@@ -159,6 +159,8 @@ in
  systemd.services.transmission.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+
    Restart = "on-failure";
    RestartSec = "30s";
    BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library