2 Commits

3b71f4b1fd dedupe
All checks were successful
Check Flake / check-flake (push) Successful in 6m4s
2026-02-26 19:42:38 -08:00
dc3c2194ab use port 8080 instead
All checks were successful
Check Flake / check-flake (push) Successful in 3m21s
2026-02-26 00:26:49 -08:00
4 changed files with 21 additions and 24 deletions


@@ -56,8 +56,8 @@ let
default = null; default = null;
description = '' description = ''
Target port to forward to. If null, forwards to the same PIA-assigned port. Target port to forward to. If null, forwards to the same PIA-assigned port.
PIA-assigned ports below 1000 are rejected to avoid accidentally PIA-assigned ports below 10000 are rejected to avoid accidentally
forwarding traffic to privileged services. forwarding traffic to other services.
''; '';
}; };
protocol = mkOption { protocol = mkOption {
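Review bot: The description on these lines now promises a 10000 cutoff that exists only as a second literal in the shell check (`[ "$PORT" -lt 10000 ]` in the later file section), so the two can drift apart silently. Bind the threshold once in the module's `let` block (e.g. `minForwardPort = 10000;`, name is a placeholder) and interpolate it into both the description and the check with `${toString minForwardPort}`. The description should also say what the cutoff actually guarantees: it keeps DNAT off low ports, but a PIA-assigned port at or above 10000 that a local service happens to listen on is still forwarded, so the "other services" wording overstates the protection. The enclosing option set starts before the hunk.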


@@ -135,6 +135,17 @@ in
echo "Loaded server info from $serverFile: $WG_HOSTNAME ($WG_SERVER_IP:$WG_SERVER_PORT)" echo "Loaded server info from $serverFile: $WG_HOSTNAME ($WG_SERVER_IP:$WG_SERVER_PORT)"
} }
# Reset WG interface and tear down NAT/forwarding rules.
# Called on startup (clear stale state) and on exit via trap.
cleanupVpn() {
local interfaceName=$1
wg set "$interfaceName" listen-port 0 2>/dev/null || true
ip -4 address flush dev "$interfaceName" 2>/dev/null || true
ip route del default dev "$interfaceName" 2>/dev/null || true
iptables -t nat -F 2>/dev/null || true
iptables -F FORWARD 2>/dev/null || true
}
connectToServer() { connectToServer() {
local wgFile=$1 local wgFile=$1
local interfaceName=$2 local interfaceName=$2
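Review bot: `iptables -t nat -F` and `iptables -F FORWARD` in `cleanupVpn` flush every rule in the nat table and the FORWARD chain, not only the ones this VPN module installed, and the function now runs both at service start and from the EXIT trap, so any other NAT or forwarding rules on the host (container networking, other services) are wiped each time. The removed `preStop` in the other file section at least limited itself to the PREROUTING and POSTROUTING chains. Safer would be for the setup code to add its rules to a dedicated chain jumped to from PREROUTING, POSTROUTING and FORWARD and for `cleanupVpn` to flush only that chain, or to delete the specific rules it added with `iptables -D`. Until then the header comment should state the scope: `# NOTE: flushes the entire nat table and FORWARD chain, not just rules added by this module.` The `connectToServer` function at the end of the hunk continues outside it.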


@@ -44,8 +44,8 @@ let
''; '';
in in
'' ''
if [ "$PORT" -lt 1000 ]; then if [ "$PORT" -lt 10000 ]; then
echo "ERROR: PIA assigned privileged port $PORT (< 1000), refusing to set up DNAT" >&2 echo "ERROR: PIA assigned low port $PORT (< 10000), refusing to set up DNAT" >&2
else else
${tcpRules} ${tcpRules}
${udpRules} ${udpRules}
@@ -141,12 +141,8 @@ in
set -euo pipefail set -euo pipefail
${scripts.scriptCommon} ${scripts.scriptCommon}
# Clean up stale state from previous attempts trap 'cleanupVpn ${cfg.interfaceName}' EXIT
wg set ${cfg.interfaceName} listen-port 0 2>/dev/null || true cleanupVpn ${cfg.interfaceName}
ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
iptables -t nat -F 2>/dev/null || true
iptables -F FORWARD 2>/dev/null || true
proxy="${proxy}" proxy="${proxy}"
@@ -200,16 +196,6 @@ in
exec sleep infinity exec sleep infinity
''; '';
preStop = ''
echo "Tearing down PIA VPN..."
ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
iptables -t nat -F POSTROUTING 2>/dev/null || true
iptables -F FORWARD 2>/dev/null || true
${optionalString portForwarding ''
iptables -t nat -F PREROUTING 2>/dev/null || true
''}
'';
}; };
# Port refresh timer (every 10 min) — keeps PIA port forwarding alive # Port refresh timer (every 10 min) — keeps PIA port forwarding alive
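Review bot: Replacing `preStop` with `trap 'cleanupVpn ${cfg.interfaceName}' EXIT` in the second hunk likely loses teardown on service stop, because the script ends with `exec sleep infinity` (context in the third hunk): `exec` replaces the bash process, so the EXIT trap no longer exists when systemd sends SIGTERM, and the interface address, default route and NAT rules remain in place until the next start. If that is the same script, keep a stop hook that reuses the shared function, e.g. `preStop = '' ${scripts.scriptCommon}` followed by `cleanupVpn ${cfg.interfaceName} '';`, or run `sleep infinity & wait $!` instead of `exec` so the trap can fire (this assumes `scripts.scriptCommon` is what defines `cleanupVpn`, as its inclusion right before the call suggests). The script body begins before the second hunk.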


@@ -67,13 +67,13 @@
onPortForwarded = '' onPortForwarded = ''
# Notify Transmission of the PIA-assigned peer port via RPC # Notify Transmission of the PIA-assigned peer port via RPC
for i in $(seq 1 30); do for i in $(seq 1 30); do
curlout=$(curl -s "http://transmission.containers:80/transmission/rpc" 2>/dev/null) && break curlout=$(curl -s "http://transmission.containers:8080/transmission/rpc" 2>/dev/null) && break
sleep 2 sleep 2
done done
regex='X-Transmission-Session-Id: (\w*)' regex='X-Transmission-Session-Id: (\w*)'
if [[ $curlout =~ $regex ]]; then if [[ $curlout =~ $regex ]]; then
sessionId=''${BASH_REMATCH[1]} sessionId=''${BASH_REMATCH[1]}
curl -s "http://transmission.containers:80/transmission/rpc" \ curl -s "http://transmission.containers:8080/transmission/rpc" \
-d "{\"method\":\"session-set\",\"arguments\":{\"peer-port\":$PORT}}" \ -d "{\"method\":\"session-set\",\"arguments\":{\"peer-port\":$PORT}}" \
-H "X-Transmission-Session-Id: $sessionId" -H "X-Transmission-Session-Id: $sessionId"
fi fi
@@ -91,7 +91,7 @@
"incomplete-dir-enabled" = true; "incomplete-dir-enabled" = true;
"rpc-enabled" = true; "rpc-enabled" = true;
"rpc-port" = 80; "rpc-port" = 8080;
"rpc-bind-address" = "0.0.0.0"; "rpc-bind-address" = "0.0.0.0";
"rpc-whitelist" = "127.0.0.1,10.100.*.*,192.168.*.*"; "rpc-whitelist" = "127.0.0.1,10.100.*.*,192.168.*.*";
"rpc-host-whitelist-enabled" = false; "rpc-host-whitelist-enabled" = false;
@@ -232,7 +232,7 @@
(mkVirtualHost "lidarr.s0.neet.dev" "http://servarr.containers:8686") (mkVirtualHost "lidarr.s0.neet.dev" "http://servarr.containers:8686")
(mkVirtualHost "sonarr.s0.neet.dev" "http://servarr.containers:8989") (mkVirtualHost "sonarr.s0.neet.dev" "http://servarr.containers:8989")
(mkVirtualHost "prowlarr.s0.neet.dev" "http://servarr.containers:9696") (mkVirtualHost "prowlarr.s0.neet.dev" "http://servarr.containers:9696")
(mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:80") (mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:8080")
(mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443") (mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
(mkVirtualHost "music.s0.neet.dev" "http://localhost:4533") (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
(mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096") (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
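Review bot: The new port 8080 is hard-coded four times in this file — the two curl URLs in the first hunk, `"rpc-port" = 8080;` in the second, and the `mkVirtualHost` target in the third — so the next change carries the same multi-edit risk this commit just paid for. Bind it once, e.g. `transmissionRpcPort = 8080;` in a `let` near the top of the file (not visible here), and use `${toString transmissionRpcPort}` in the URLs and the virtual host and the bare binding for `rpc-port`. The `onPortForwarded` script's closing delimiter and the binding site are outside the hunks.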