jackett/transmission/slskd: validate public IP address before starting

2024-04-18 20:01:19 +00:00
parent c668a895d4
commit f59f13588f
3 changed files with 14 additions and 10 deletions


@@ -1,4 +1,4 @@
{ ... }: { lib, pkgs, ... }:
{ {
sane.persist.sys.byStore.plaintext = [ sane.persist.sys.byStore.plaintext = [
@@ -12,6 +12,8 @@
systemd.services.jackett.serviceConfig = { systemd.services.jackett.serviceConfig = {
# run this behind the OVPN static VPN # run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns"; NetworkNamespacePath = "/run/netns/ovpns";
ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
# patch jackett to listen on the public interfaces # patch jackett to listen on the public interfaces
# ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic"; # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
}; };
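Review bot: The expected egress address `185.157.162.178` is a bare literal on the `ExecStartPre` line and the same literal is pasted into the slskd and transmission units in this commit, so a change of the VPN's public address has to be hunted down in three modules. Hoist it into a single shared definition (a `let` binding or a module option the three units reference) or, failing that, document its origin next to each use, e.g. `# 185.157.162.178 = egress of the OVPN static VPN; keep in sync with slskd/transmission`. It is also worth recording in that comment that this is a start-time assertion only: it aborts a start whose netns has an unexpected route, but a tunnel that changes after start is not detected, and the check is meaningful only because systemd applies `NetworkNamespacePath` to `ExecStartPre` as well as `ExecStart`.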


@@ -7,9 +7,9 @@
# debugging: # debugging:
# - soulseek is just *flaky*. if you see e.g. DNS errors, even though you can't replicate them via `dig` or `getent ahostsv4`, just give it 10 minutes to work out: # - soulseek is just *flaky*. if you see e.g. DNS errors, even though you can't replicate them via `dig` or `getent ahostsv4`, just give it 10 minutes to work out:
# - "Soulseek.AddressException: Failed to resolve address 'vps.slsknet.org': Resource temporarily unavailable" # - "Soulseek.AddressException: Failed to resolve address 'vps.slsknet.org': Resource temporarily unavailable"
{ config, lib, ... }: { config, lib, pkgs, ... }:
# TODO: disabled until i can ensure sandboxing (i.e. use `sane-ip-check` in pre-start) # TODO: re-enable once i'm satisfied this isn't escaping the net sandbox
lib.mkIf false lib.mkIf false
{ {
sane.persist.sys.byStore.plaintext = [ sane.persist.sys.byStore.plaintext = [
@@ -71,12 +71,12 @@ lib.mkIf false
# flags.volatile = true; # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs # flags.volatile = true; # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
}; };
systemd.services.slskd = { systemd.services.slskd.serviceConfig = {
serviceConfig = { # run this behind the OVPN static VPN
# run this behind the OVPN static VPN NetworkNamespacePath = "/run/netns/ovpns";
NetworkNamespacePath = "/run/netns/ovpns"; ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
RestartSec = "60s"; Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
}; RestartSec = "60s";
}; };
} }
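Review bot: The new `ExecStartPre` check is dead configuration here, because the whole module is still wrapped in `lib.mkIf false` (unchanged in this hunk), and the reworded TODO above it does not say what observation would lift that. Since the pre-start check is exactly the sandbox test the TODO asks for, make the exit condition explicit, e.g. `# TODO: re-enable once ip-check has been seen to abort the start with the ovpns tunnel down (sandbox enforced, not assumed)`. Also note on the `Restart` line that a non-zero exit from `ExecStartPre` is a start failure, so with `Restart = "always"` and `RestartSec = "60s"` a wrong egress address is retried every minute indefinitely, which is presumably the intent but should be stated.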


@@ -159,6 +159,8 @@ in
systemd.services.transmission.serviceConfig = { systemd.services.transmission.serviceConfig = {
# run this behind the OVPN static VPN # run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns"; NetworkNamespacePath = "/run/netns/ovpns";
ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "30s"; RestartSec = "30s";
BindPaths = [ "/var/media" ]; #< so it can move completed torrents into the media library BindPaths = [ "/var/media" ]; #< so it can move completed torrents into the media library
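Review bot: The interaction between the added `ExecStartPre` and the existing `Restart = "on-failure"` is undocumented: systemd treats a non-zero exit from a pre-start command as a unit failure, so while the netns egress does not match, transmission will be retried every 30s for as long as the condition persists. If that is the desired behaviour (wait for the VPN to come up), say so on the line, e.g. `# a failed ip-check counts as a failure, so on-failure retries it every RestartSec until the VPN egress is right`; if not, the unit's start rate limiting needs to be set deliberately rather than left at the default. The `serviceConfig` attribute set continues past the end of this hunk.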