hosts/losurdo/transmission.nix

   1 { pkgs, lib, config, hostName, inputs, ... }:
   2 let
   3   inherit (config.services) transmission;
   4   inherit (config.users) users;
   5   netns = "calyx";
   6   wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
   7 in
   8 {
   9 users.groups.transmission.members = [
  10   users."julm".name
  11   users."sevy".name
  12 ];
  13 networking.nftables.ruleset = ''
  14   table inet filter {
  15     chain input-intra {
  16       tcp dport ${toString transmission.settings.rpc-port} \
  17         counter accept comment "transmission: rpc"
  18     }
  19   }
  20 '';
  21 services.netns.namespaces.${netns}.nftables = ''
  22   table inet filter {
  23     chain input {
  24       meta l4proto { udp, tcp } \
  25         th dport ${toString transmission.settings.peer-port} \
  26         counter accept comment "transmission"
  27     }
  28     chain output {
  29       skuid ${transmission.user} counter accept comment "transmission"
  30     }
  31   }
  32 '';
  33 fileSystems."/var/lib/transmission" = {
  34   device = "${hostName}/var/torrents";
  35   fsType = "zfs";
  36 };
  37 systemd.services.transmission = {
  38   after = [
  39     "netns-${netns}.service"
  40     "zfs.target"
  41   ];
  42   requires = [
  43     "netns-${netns}.service"
  44     "zfs.target"
  45   ];
  46   startAt = "20:00:00";
  47   unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
  48   serviceConfig.BindReadOnlyPaths = ["/etc/netns/${netns}/resolv.conf:/etc/resolv.conf"];
  49   serviceConfig.PrivateNetwork = true;
  50   #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
  51 };
  52 systemd.sockets.proxy-to-transmission = {
  53   wantedBy = ["sockets.target"];
  54   listenStreams = ["${wg-intra-peers.${hostName}.ipv4}:9091"];
  55   socketConfig.FreeBind = true;
  56 };
  57 systemd.services.proxy-to-transmission = {
  58   requires = ["transmission.service"];
  59   after = ["transmission.service" "proxy-to-transmission.socket"];
  60   unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
  61   serviceConfig = {
  62     ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
  63     PrivateNetwork = true;
  64     PrivateTmp = true;
  65   };
  66 };
  67 systemd.services.stop-transmission = {
  68   serviceConfig.Type = "oneshot";
  69   unitConfig.Conflicts = ["transmission.service"];
  70   startAt = "06..19:0,15,30,45:00";
  71   script = "true";
  72 };
  73 systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = "settings.json:" + transmission/settings.json.cred;
  74 services.transmission = {
  75   enable = true;
  76   performanceNetParameters = true;
  77   credentialsFile = "/run/credentials/transmission.service/settings.json";
  78   settings = {
  79     message-level = 2;
  80     download-dir = "/var/lib/transmission/downloaded";
  81     incomplete-dir = "/var/lib/transmission/.incoming";
  82     incomplete-dir-enabled = true;
  83     watch-dir = "/var/lib/transmission/.torrents";
  84     watch-dir-enabled = true;
  85     trash-original-torrent-files = false;
  86     preallocation = 0;
  87     umask = 7; # 007 octal, in decimal!
  88     download-queue-enabled = true;
  89     download-queue-size = 5;
  90     peer-id-ttl-hours = 6;
  91     peer-limit-global = 1000;
  92     peer-limit-per-torrent = 100;
  93
  94     peer-port = 6882;
  95     peer-port-random-on-start = false;
  96     encryption = 1;
  97     dht-enabled = true;
  98     lpd-enabled = false;
  99     pex-enabled = true;
 100     port-forwarding-enabled = true;
 101     scrape-paused-torrents-enabled = false;
 102     peer-socket-tos = "lowcost";
 103     queue-stalled-enabled = true;
 104     queue-stalled-minutes = 30;
 105     speed-limit-down-enabled = false;
 106     speed-limit-up = 50;
 107     speed-limit-up-enabled = true;
 108     alt-speed-enabled = true;
 109     alt-speed-time-enabled = true;
 110     alt-speed-down = 1000;
 111     alt-speed-up = 0;
 112     alt-speed-time-day = 127; # all days. 65; # weekend only
 113     alt-speed-time-begin = 360; # 06h00 local time
 114     alt-speed-time-end = 1260; # 21h00 local time
 115     ratio-limit = 4;
 116     ratio-limit-enabled = true;
 117
 118     rpc-enabled = true;
 119     rpc-bind-address = "127.0.0.1";
 120     rpc-port = 9091;
 121     rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
 122     rpc-whitelist-enabled = true;
 123     rpc-host-whitelist = "localhost,${hostName}.wg";
 124     rpc-host-whitelist-enabled = true;
 125     rpc-authentication-required = true;
 126   };
 127 };
 128 }