1 { pkgs, lib, config, hostName, inputs, ... }:
3 inherit (config.services) transmission;
4 inherit (config.users) users;
5 inherit (config.security) gnupg;
7 wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
10 users.groups.transmission.members = [
14 networking.nftables.ruleset = ''
17 tcp dport ${toString transmission.settings.rpc-port} \
18 counter accept comment "transmission: rpc"
22 services.netns.namespaces.${netns}.nftables = ''
25 meta l4proto { udp, tcp } \
26 th dport ${toString transmission.settings.peer-port} \
27 counter accept comment "transmission"
30 skuid ${transmission.user} counter accept comment "transmission"
34 #users.groups.keys.members = [ transmission.user ];
35 security.gnupg.secrets."transmission/settings.json" = {
36 user = transmission.user;
37 systemdConfig.before = [ "transmission.service" ];
38 systemdConfig.wantedBy = [ "transmission.service" ];
40 fileSystems."/var/lib/transmission" = {
41 device = "${hostName}/var/torrents";
44 systemd.services.transmission = {
46 "netns-${netns}.service"
50 "netns-${netns}.service"
54 unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
55 serviceConfig.BindReadOnlyPaths = ["/etc/netns/${netns}/resolv.conf:/etc/resolv.conf"];
56 serviceConfig.PrivateNetwork = true;
57 #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
59 systemd.sockets.proxy-to-transmission = {
60 wantedBy = ["sockets.target"];
61 listenStreams = ["${wg-intra-peers.${hostName}.ipv4}:9091"];
62 socketConfig.FreeBind = true;
64 systemd.services.proxy-to-transmission = {
65 requires = ["transmission.service"];
66 after = ["transmission.service" "proxy-to-transmission.socket"];
67 unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
69 ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
70 PrivateNetwork = true;
74 systemd.services.stop-transmission = {
75 serviceConfig.Type = "oneshot";
76 unitConfig.Conflicts = ["transmission.service"];
77 startAt = "06..19:0,15,30,45:00";
80 services.transmission = {
82 performanceNetParameters = true;
83 credentialsFile = gnupg.secrets."transmission/settings.json".path;
86 download-dir = "/var/lib/transmission/downloaded";
87 incomplete-dir = "/var/lib/transmission/.incoming";
88 incomplete-dir-enabled = true;
89 watch-dir = "/var/lib/transmission/.torrents";
90 watch-dir-enabled = true;
91 trash-original-torrent-files = false;
93 umask = 7; # 007 octal, in decimal!
94 download-queue-enabled = true;
95 download-queue-size = 5;
96 peer-id-ttl-hours = 6;
97 peer-limit-global = 1000;
98 peer-limit-per-torrent = 100;
101 peer-port-random-on-start = false;
106 port-forwarding-enabled = true;
107 scrape-paused-torrents-enabled = false;
108 peer-socket-tos = "lowcost";
109 queue-stalled-enabled = true;
110 queue-stalled-minutes = 30;
111 speed-limit-down-enabled = false;
113 speed-limit-up-enabled = true;
114 alt-speed-enabled = true;
115 alt-speed-time-enabled = true;
116 alt-speed-down = 1000;
118 alt-speed-time-day = 127; # all days. 65; # weekend only
119 alt-speed-time-begin = 360; # 06h00 local time
120 alt-speed-time-end = 1260; # 21h00 local time
122 ratio-limit-enabled = true;
125 rpc-bind-address = "127.0.0.1";
127 rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
128 rpc-whitelist-enabled = true;
129 rpc-host-whitelist = "localhost,${hostName}.wg";
130 rpc-host-whitelist-enabled = true;
131 rpc-authentication-required = true;
sourcephile / git / sourcephile-nix.git / blob