feat(services): add aria2 downloader (#266)

Author: sunziping2016

.github/workflows/build.yaml

@@ -98,6 +98,7 @@ jobs:
     strategy:
       matrix:
         host: ${{ fromJson(needs.plan.outputs.diff-hosts) }}
+    if: needs.plan.outputs.diff-hosts != '[]'
     permissions:
       pull-requests: write # for updating the PR comment
     steps:

flake/hosts.nix

@@ -116,6 +116,7 @@ let
             ++ suites.domestic
             ++ (with profiles; [
               config.bbr
+              services.aria2
               services.atticd
               services.acme-dns
               services.coredns

nixos/modules/misc/ports.nix

@@ -67,6 +67,8 @@ in
       loki-grpc = 30181;
 
       cloudreve = 30190;
+
+      aria2-rpc = 30200;
     };
   };
 }

nixos/profiles/services/aria2.nix

@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+  ## ---------------------------------------------------------------------------
+  ## SETTINGS
+  ## ---------------------------------------------------------------------------
+  services.aria2 = {
+    enable = true;
+    rpcSecretFile = config.sops.secrets."aria2/rpcSecret".path;
+    serviceUMask = "0002";
+    settings = {
+      continue = true;
+      save-session-interval = 60;
+      rpc-listen-port = config.ports.aria2-rpc;
+    };
+  };
+
+  ## ---------------------------------------------------------------------------
+  ## PERSISTENCE
+  ## ---------------------------------------------------------------------------
+  environment.persistence.default.directories = [
+    {
+      directory = "/var/lib/aria2";
+      mode = "0770";
+      user = "aria2";
+      group = "aria2";
+    }
+  ];
+
+  ## ---------------------------------------------------------------------------
+  ## SECRETS
+  ## ---------------------------------------------------------------------------
+  sops.secrets."aria2/rpcSecret" = { };
+
+  ## ---------------------------------------------------------------------------
+  ## FIREWALL
+  ## ---------------------------------------------------------------------------
+  networking.firewall = {
+    allowedUDPPortRanges = config.services.aria2.settings.listen-port;
+  };
+}

nixos/profiles/services/cloudreve.nix

@@ -33,12 +33,11 @@ in
     wantedBy = [ "multi-user.target" ];
     serviceConfig = {
       ExecStart = [
-        "${lib.getExe package} server -c ${config.sops.templates."cloudreve.ini".path}"
+        "${lib.getExe package} server -c ${config.sops.templates."cloudreve.ini".path} -w ${stateDir}"
       ];
       StateDirectory = "cloudreve";
       User = "cloudreve";
       Group = "cloudreve";
-      DynamicUser = true;
       WorkingDirectory = stateDir;
       Restart = "on-abnormal";
       RestartSec = "5s";
@@ -49,6 +48,7 @@ in
   users.users.cloudreve = {
     isSystemUser = true;
     group = "cloudreve";
+    extraGroups = [ "aria2" ];
     home = stateDir;
   };
   users.groups.cloudreve = { };
@@ -82,7 +82,7 @@ in
   ## ---------------------------------------------------------------------------
   environment.persistence.default.directories = [
     {
-      directory = "/var/lib/private/cloudreve";
+      directory = "/var/lib/cloudreve";
       mode = "0700";
     }
   ];

secrets/nodes/hgh0.yaml

@@ -0,0 +1,23 @@
+rpcSecret: ENC[AES256_GCM,data:zWYBfYDqT9hZye2MrwX6AtvXC2dKW5D/,iv:MNAaBXg+j5jlf8HX6cA8SQjfrEVhhK9qJdKMAz5APbw=,tag:C6JKMcgKfcU/QrxmhA0JkQ==,type:str]
+sops:
+    kms:
+        - arn: arn:aws:kms:ap-southeast-1:137927498482:alias/sops-key
+          created_at: "2025-05-05T15:03:45Z"
+          enc: AQICAHiwVAd0L3aX3i1XRZXzZwmA7aymY8xieE6T9IsJQGsJFgGfSm8608QQnmc/zlHtAv09AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM5yGCK42CUf3gYbNPAgEQgDsHuVbDQqHeaOEI/3PGNO2rVxkgaW/VXPENCDtSCcB9Dawg6NndixDZsEfgdYi+GELDVPGb0wTPekBU/w==
+          aws_profile: ""
+    lastmodified: "2025-05-05T15:04:03Z"
+    mac: ENC[AES256_GCM,data:DiEPCeHII7KkfpduogN7ppaMsLs7WlgavojRdYsaIGbWx5d/G6NtiexiOUflD4cUfDDNpbce0kCCAAnTa92GuJO6/ROh4FSy+Lq6zFCyvC4k8cTlWGspuF9ASo9MUNwgRdoI0z6lUI+Rn6nZF7m5DpCTIfO/sSTsjClm2j9K054=,iv:KHp2ghJPP8nwPvQ+3DXGG++MyzRwpXUmRam7i3zlIyI=,tag:60yLZ7mw2qG4v8ZqdGln9A==,type:str]
+    pgp:
+        - created_at: "2025-05-05T15:03:45Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DZSODbPSZIlESAQdAw0DdwUPqDZPWxbhwOpEJzcKmV5/pET3n3OJ4wSCLgX0w
+            8ceXubprzZtF+VE4OvOQ/19EFVPJgo9zSXzGGFyFKTOxm2nCaIomr55Dbsu9W1pP
+            0l4BZPQOJGgCYayaMkD31sI0DonMaRVk73Jm7upLLLZb1OwRzxwO8tfw0AcdZhvh
+            0PtvSB1EdKHx4kndjnD6spajV9uDr4yEY0pdSW5t/FkwFBr1zOGc8reuzk/X4cRv
+            =6hyI
+            -----END PGP MESSAGE-----
+          fp: 8CC5C91F72DB57DA20BD848C6523836CF4992251
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

secrets/sources/aria2.yaml

@@ -56,12 +56,15 @@ module "sg" {
     {
       protocol = "tcp"
       cidrs    = ["0.0.0.0/0", "::/0"]
-      ports    = [22, 80, 443, 25565]
+      ports    = [22, 80, 443]
     },
     {
       protocol = "udp"
       cidrs    = ["0.0.0.0/0", "::/0"]
-      ports    = [3478]
+      ports    = [3478, 41641]
+      port_ranges = [
+        [6881, 6999]
+      ]
     }
   ]
 }

terraform/aliyun/main.tf

@@ -10,24 +10,32 @@ locals {
   ingress_rules = {
     for rule in flatten([
       for rule in var.ingress_rules : [
-        for cidr in rule.cidrs : [
+        for cidr in rule.cidrs : concat([
           for port in rule.ports : {
-            protocol = rule.protocol
-            port     = port
-            cidr     = cidr
+            protocol  = rule.protocol
+            from_port = port
+            to_port   = port
+            cidr      = cidr
           }
-        ]
+          ], [
+          for port in rule.port_ranges : {
+            protocol  = rule.protocol
+            from_port = port[0]
+            to_port   = port[1]
+            cidr      = cidr
+          }
+        ])
       ]
     ]) :
-    "${rule.protocol}:${rule.cidr}:${rule.port}" => rule
+    "${rule.protocol}:${rule.cidr}:${rule.from_port}:${rule.to_port}" => rule
   }
 }
 
 resource "alicloud_security_group_rule" "this" {
   for_each          = local.ingress_rules
   type              = "ingress"
   ip_protocol       = each.value.protocol
-  port_range        = "${each.value.port}/${each.value.port}"
+  port_range        = "${each.value.from_port}/${each.value.to_port}"
   cidr_ip           = strcontains(each.value.cidr, ".") ? each.value.cidr : null
   ipv6_cidr_ip      = strcontains(each.value.cidr, ":") ? each.value.cidr : null
   nic_type          = "intranet"

terraform/modules/aliyun_security_group/main.tf

@@ -20,9 +20,10 @@ variable "tags" {
 
 variable "ingress_rules" {
   type = list(object({
-    protocol = string
-    cidrs    = list(string)
-    ports    = list(number)
+    protocol    = string
+    cidrs       = list(string)
+    ports       = optional(list(number), [])
+    port_ranges = optional(list(tuple([number, number])), [])
   }))
   default = []
 }