From f59f13588f2f68c0f7f6a321ae7449d74a6b1af6 Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 18 Apr 2024 20:01:19 +0000
Subject: [PATCH] jackett/transmission/slskd: validate public IP address before starting

---
hosts/by-name/servo/services/jackett.nix | 4 +++-
hosts/by-name/servo/services/slskd.nix | 18 +++++++++---------
hosts/by-name/servo/services/transmission.nix | 2 ++
3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/hosts/by-name/servo/services/jackett.nix b/hosts/by-name/servo/services/jackett.nix
index acf5d1e67..55f157e39 100644
--- a/hosts/by-name/servo/services/jackett.nix
+++ b/hosts/by-name/servo/services/jackett.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, pkgs, ... }:
{
sane.persist.sys.byStore.plaintext = [
@@ -12,6 +12,8 @@
systemd.services.jackett.serviceConfig = {
# run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns";
+ ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
+
# patch jackett to listen on the public interfaces
# ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
};
diff --git a/hosts/by-name/servo/services/slskd.nix b/hosts/by-name/servo/services/slskd.nix
index 583303af7..f443d255e 100644
--- a/hosts/by-name/servo/services/slskd.nix
+++ b/hosts/by-name/servo/services/slskd.nix
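Review bot: The `ExecStartPre` guard added to the jackett serviceConfig only proves the namespace's egress address at unit start; if the OVPN tunnel behind `/run/netns/ovpns` drops or reroutes after jackett is running, nothing here re-checks, so the trailing comment overstates what is enforced. I would extend it to `# abort if public IP is not as expected (checked at start only; a tunnel that drops later must be caught by the netns routing/firewall, not by this)`. The expected address `185.157.162.178` is also pasted verbatim into the slskd and transmission units in this same patch, so a provider-side change of the VPN exit needs three coordinated edits; a single shared binding (a `let` constant or an option the three services read) would keep them from drifting. As I understand systemd, NetworkNamespacePath= applies to ExecStartPre= processes as well, so the check does run inside the VPN namespace as intended; that is worth stating in the comment rather than leaving implicit.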
@@ -7,9 +7,9 @@
# debugging:
# - soulseek is just *flaky*. if you see e.g. DNS errors, even though you can't replicate them via `dig` or `getent ahostsv4`, just give it 10 minutes to work out:
# - "Soulseek.AddressException: Failed to resolve address 'vps.slsknet.org': Resource temporarily unavailable"
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:

-# TODO: disabled until i can ensure sandboxing (i.e. use `sane-ip-check` in pre-start)
+# TODO: re-enable once i'm satisfied this isn't escaping the net sandbox
lib.mkIf false
{
sane.persist.sys.byStore.plaintext = [
@@ -71,12 +71,12 @@ lib.mkIf false
# flags.volatile = true; # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
};

- systemd.services.slskd = {
- serviceConfig = {
- # run this behind the OVPN static VPN
- NetworkNamespacePath = "/run/netns/ovpns";
- Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
- RestartSec = "60s";
- };
+ systemd.services.slskd.serviceConfig = {
+ # run this behind the OVPN static VPN
+ NetworkNamespacePath = "/run/netns/ovpns";
+ ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
+
+ Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
+ RestartSec = "60s";
};
}
diff --git a/hosts/by-name/servo/services/transmission.nix b/hosts/by-name/servo/services/transmission.nix
index f1a33d3fe..99a6e3865 100644
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
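Review bot: The new `ExecStartPre` line in the slskd serviceConfig is inert, because the whole attrset is still wrapped in `lib.mkIf false`, and the rewritten TODO no longer says what would satisfy the "escaping the net sandbox" concern now that the ip-check guard the old TODO asked for is in place. The TODO should name the remaining evidence, e.g. `# TODO: re-enable once i'm satisfied this isn't escaping the net sandbox (ip-check covers the egress IP at start; still want to confirm name resolution stays inside ovpns)`, since the debugging notes above already show DNS is the flaky path. Note also that `Restart = lib.mkForce "always"` with `RestartSec = "60s"` means a failing pre-start check (tunnel down, or the checker's endpoint unreachable, assuming ip-check exits non-zero in that case) becomes a retry loop that contacts the IP-check endpoint every minute; that is fail-closed and probably acceptable, but deserves a one-line comment next to `Restart`. The `lib.mkIf false { ... }` attrset enclosing this serviceConfig begins outside the hunk.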
@@ -159,6 +159,8 @@ in
systemd.services.transmission.serviceConfig = {
# run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns";
+ ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
+
Restart = "on-failure";
RestartSec = "30s";
BindPaths = [ "/var/media" ]; #< so it can move completed torrents into the media library
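Review bot: The expected exit address `185.157.162.178` on the added `ExecStartPre` line is a literal that this patch also hard-codes in jackett.nix and slskd.nix, so a rotated VPN exit has to be fixed in three places and a typo in one silently breaks only that service; a shared binding (a `let` in the file, or one option all three units read) would keep them in lockstep. With `Restart = "on-failure"` and `RestartSec = "30s"`, a failed check fails the unit and retries every 30 seconds, which is the right fail-closed direction but will poll whatever ip-check contacts for as long as the tunnel is down; a short comment such as `# a failed ip-check fails the unit; on-failure then retries every 30s until the VPN exit is as expected` would make that deliberate. For a BitTorrent client the start-time egress check says nothing about peer traffic after the tunnel flaps, so the comment should make clear it is a startup sanity check and not a kill switch. The `let ... in` whose `in` shows in the hunk header, and the file's enclosing attrset, lie outside the hunk.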