]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/transmission.nix
f3: uninstall because broken
[sourcephile-nix.git] / hosts / losurdo / transmission.nix
1 { pkgs, lib, config, hostName, inputs, ... }:
2 let
3 inherit (config.services) transmission;
4 inherit (config.users) users;
5 netns = "calyx";
6 wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
7 in
8 {
9 users.groups.transmission.members = [
10 users."julm".name
11 users."sevy".name
12 ];
13 networking.nftables.ruleset = ''
14 table inet filter {
15 chain input-intra {
16 tcp dport ${toString transmission.settings.rpc-port} \
17 counter accept comment "transmission: rpc"
18 }
19 }
20 '';
21 services.netns.namespaces.${netns}.nftables = ''
22 table inet filter {
23 chain input {
24 meta l4proto { udp, tcp } \
25 th dport ${toString transmission.settings.peer-port} \
26 counter accept comment "transmission"
27 }
28 chain output {
29 skuid ${transmission.user} counter accept comment "transmission"
30 }
31 }
32 '';
33 fileSystems."/var/lib/transmission" = {
34 device = "${hostName}/var/torrents";
35 fsType = "zfs";
36 };
37 systemd.services.transmission = {
38 after = [
39 "netns-${netns}.service"
40 "zfs.target"
41 ];
42 requires = [
43 "netns-${netns}.service"
44 "zfs.target"
45 ];
46 startAt = "20:00:00";
47 unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
48 serviceConfig.BindReadOnlyPaths = ["/etc/netns/${netns}/resolv.conf:/etc/resolv.conf"];
49 serviceConfig.PrivateNetwork = true;
50 #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
51 };
52 systemd.sockets.proxy-to-transmission = {
53 wantedBy = ["sockets.target"];
54 listenStreams = ["${wg-intra-peers.${hostName}.ipv4}:9091"];
55 socketConfig.FreeBind = true;
56 };
57 systemd.services.proxy-to-transmission = {
58 requires = ["transmission.service"];
59 after = ["transmission.service" "proxy-to-transmission.socket"];
60 unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
61 serviceConfig = {
62 ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
63 PrivateNetwork = true;
64 PrivateTmp = true;
65 };
66 };
67 systemd.services.stop-transmission = {
68 serviceConfig.Type = "oneshot";
69 unitConfig.Conflicts = ["transmission.service"];
70 startAt = "06..19:0,15,30,45:00";
71 script = "true";
72 };
73 systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = "settings.json:" + transmission/settings.json.cred;
74 services.transmission = {
75 enable = true;
76 performanceNetParameters = true;
77 credentialsFile = "/run/credentials/transmission.service/settings.json";
78 settings = {
79 message-level = 2;
80 download-dir = "/var/lib/transmission/downloaded";
81 incomplete-dir = "/var/lib/transmission/.incoming";
82 incomplete-dir-enabled = true;
83 watch-dir = "/var/lib/transmission/.torrents";
84 watch-dir-enabled = true;
85 trash-original-torrent-files = false;
86 preallocation = 0;
87 umask = 7; # 007 octal, in decimal!
88 download-queue-enabled = true;
89 download-queue-size = 5;
90 peer-id-ttl-hours = 6;
91 peer-limit-global = 1000;
92 peer-limit-per-torrent = 100;
93
94 peer-port = 6882;
95 peer-port-random-on-start = false;
96 encryption = 1;
97 dht-enabled = true;
98 lpd-enabled = false;
99 pex-enabled = true;
100 port-forwarding-enabled = true;
101 scrape-paused-torrents-enabled = false;
102 peer-socket-tos = "lowcost";
103 queue-stalled-enabled = true;
104 queue-stalled-minutes = 30;
105 speed-limit-down-enabled = false;
106 speed-limit-up = 50;
107 speed-limit-up-enabled = true;
108 alt-speed-enabled = true;
109 alt-speed-time-enabled = true;
110 alt-speed-down = 1000;
111 alt-speed-up = 0;
112 alt-speed-time-day = 127; # all days. 65; # weekend only
113 alt-speed-time-begin = 360; # 06h00 local time
114 alt-speed-time-end = 1260; # 21h00 local time
115 ratio-limit = 4;
116 ratio-limit-enabled = true;
117
118 rpc-enabled = true;
119 rpc-bind-address = "127.0.0.1";
120 rpc-port = 9091;
121 rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
122 rpc-whitelist-enabled = true;
123 rpc-host-whitelist = "localhost,${hostName}.wg";
124 rpc-host-whitelist-enabled = true;
125 rpc-authentication-required = true;
126 };
127 };
128 }