# NixOS module: Transmission BitTorrent daemon on this host.
#
# What this file sets up (everything below is visible here; the pieces it
# relies on from other modules are called out where they are referenced):
#   * transmission-daemon runs inside the network namespace `calyx`
#     (JoinsNamespaceOf= on netns-calyx.service), so peer traffic and DNS
#     lookups use that namespace's stack and resolv.conf, not the host's.
#   * The RPC/web interface binds 127.0.0.1:9091 inside the namespace. It is
#     reached from the wg-intra network through a systemd socket unit bound on
#     the host's wg-intra address plus systemd-socket-proxyd running inside
#     the namespace and forwarding to 127.0.0.1:9091.
#   * settings.json (including the RPC credentials) is delivered as an
#     encrypted systemd credential, decrypted at service start.
#   * The daemon is only meant to run at night: started at 20:00 and stopped
#     every 15 minutes between 06:00 and 19:45 by the `stop-transmission` unit.
{ pkgs, config, inputs, hostName, ... }:
let
  inherit (config.services) transmission;
  inherit (config.users) users;
  # Network namespace the daemon is confined to. The namespace itself
  # (services.netns.namespaces.calyx / netns-calyx.service) is defined elsewhere.
  netns = "calyx";
  # Per-host wg-intra addresses, read from the julm-nix input rather than
  # inputs.self — presumably so that unrelated edits to this repository do not
  # change this module's inputs and trigger a service restart.
  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
in
{
  # Local users allowed to manage the downloaded files. Combined with
  # `umask = 7` (007) below, files are created group-writable so these users
  # can rename/delete them without root.
  users.groups.transmission.members = [
    users."julm".name
    users."sevy".name
  ];
  # Host-side firewall: admit TCP to the RPC port (9091, see
  # settings.rpc-port) on the `input-intra` chain. This is what the
  # proxy-to-transmission socket below receives.
  # NOTE(review): chain `input-intra` and its default policy are defined
  # elsewhere; this rule only restricts RPC to the intra network if that chain
  # is reached solely from the wg-intra interface — confirm.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-intra {
        tcp dport ${toString transmission.settings.rpc-port} \
          counter accept comment "transmission: rpc"
      }
    }
  '';
  # Firewall inside the `calyx` namespace: admit peer traffic (UDP+TCP) on the
  # fixed peer port, and let everything the transmission user sends out.
  # Default policies of these chains are defined with the namespace, not here.
  services.netns.namespaces.${netns}.nftables = ''
    table inet filter {
      chain input {
        meta l4proto { udp, tcp } \
          th dport ${toString transmission.settings.peer-port} \
          counter accept comment "transmission"
      }
      chain output {
        skuid ${transmission.user} counter accept comment "transmission"
      }
    }
  '';
  # Daemon state and downloads live on a dedicated ZFS dataset.
  fileSystems."/var/lib/transmission" = {
    device = "${hostName}/var/torrents";
    fsType = "zfs";
  };
  systemd.services.transmission = {
    # Needs the namespace to exist (we join it) and the dataset to be imported.
    after = [
      "netns-${netns}.service"
      "zfs.target"
    ];
    requires = [
      "netns-${netns}.service"
      "zfs.target"
    ];
    # Nightly start; see stop-transmission below for the daytime shutdown.
    startAt = "20:00:00";
    # Run in the `calyx` network namespace. Per systemd, JoinsNamespaceOf= only
    # shares the network namespace when PrivateNetwork= is also set.
    unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
    # Use the namespace's resolver so DNS does not go through the host's stack.
    serviceConfig.BindReadOnlyPaths = [ "/etc/netns/${netns}/resolv.conf:/etc/resolv.conf" ];
    serviceConfig.PrivateNetwork = true;
    # Alternative to JoinsNamespaceOf= (kept for reference).
    #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
  };
  # Host-side listener for the RPC/web UI, bound on this host's wg-intra
  # address only. The socket is created by systemd in the host namespace.
  systemd.sockets.proxy-to-transmission = {
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "${wg-intra-peers.${hostName}.ipv4}:9091" ];
    # Allow binding even if the WireGuard address is not configured yet.
    socketConfig.FreeBind = true;
  };
  # Socket-activated proxy: joins the namespace and forwards accepted
  # connections to the daemon's 127.0.0.1:9091 there.
  # NOTE(review): because of `requires = [ "transmission.service" ]`, an RPC
  # connection arriving during the day starts the daemon again; the
  # stop-transmission timer will stop it at the next quarter hour, but the
  # daytime shutdown is not strictly enforced — confirm this is intended.
  systemd.services.proxy-to-transmission = {
    requires = [ "transmission.service" ];
    after = [ "transmission.service" "proxy-to-transmission.socket" ];
    unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
    serviceConfig = {
      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
      PrivateNetwork = true;
      PrivateTmp = true;
    };
  };
  # Daytime shutdown: a no-op oneshot whose Conflicts= stops
  # transmission.service whenever it is started. Fires at :00, :15, :30, :45
  # of every hour from 06:00 to 19:59.
  systemd.services.stop-transmission = {
    serviceConfig.Type = "oneshot";
    unitConfig.Conflicts = [ "transmission.service" ];
    startAt = "06..19:0,15,30,45:00";
    script = "true";
  };
  # The RPC credentials arrive as an encrypted systemd credential. The
  # `settings.json.cred` file next to this module is copied into the Nix
  # store (world-readable), so it must be encrypted with systemd-creds for
  # this host; systemd decrypts it to
  # /run/credentials/transmission.service/settings.json at start.
  systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = [
    "settings.json:${transmission/settings.json.cred}"
  ];
  services.transmission = {
    enable = true;
    # NixOS option applying network sysctl tuning for many peers.
    performanceNetParameters = true;
    # The NixOS module merges this file into settings.json from ExecStartPre=;
    # FIXME: the credential directory is only available there with a recent
    # enough systemd.
    # Presumably this carries rpc-username/rpc-password — verify against the
    # encrypted file.
    credentialsFile = "/run/credentials/transmission.service/settings.json";
    settings = {
      message-level = 2;
      download-dir = "/var/lib/transmission/downloaded";
      incomplete-dir = "/var/lib/transmission/.incoming";
      incomplete-dir-enabled = true;
      # Drop .torrent files here to add them.
      watch-dir = "/var/lib/transmission/.torrents";
      watch-dir-enabled = true;
      trash-original-torrent-files = false;
      preallocation = 0;
      # Group-writable files for the transmission group members above.
      umask = 7; # 007 octal, in decimal!
      download-queue-enabled = true;
      download-queue-size = 5;
      peer-id-ttl-hours = 6;
      peer-limit-global = 1000;
      peer-limit-per-torrent = 100;

      # Fixed peer port; it must stay in sync with the netns nftables rule
      # above (which reads it from here).
      peer-port = 6882;
      peer-port-random-on-start = false;
      # Per Transmission's settings documentation: 0 = prefer unencrypted,
      # 1 = prefer encrypted, 2 = require encrypted. With 1, peers refusing
      # encryption are still accepted; use 2 to refuse them.
      encryption = 1;
      dht-enabled = true;
      lpd-enabled = false;
      pex-enabled = true;
      # UPnP/NAT-PMP; only meaningful if the `calyx` namespace's gateway
      # honours it — presumably a VPN endpoint, confirm.
      port-forwarding-enabled = true;
      scrape-paused-torrents-enabled = false;
      peer-socket-tos = "lowcost";
      queue-stalled-enabled = true;
      queue-stalled-minutes = 30;
      speed-limit-down-enabled = false;
      speed-limit-up = 50;
      speed-limit-up-enabled = true;
      # Alternative ("turtle") limits apply 06:00–21:00 every day. Since the
      # daemon is stopped 06:00–19:45 by stop-transmission, in practice this
      # window only covers 20:00–21:00.
      # NOTE(review): whether alt-speed-up = 0 means "no upload" or
      # "unlimited" depends on Transmission's handling of 0 — confirm.
      alt-speed-enabled = true;
      alt-speed-time-enabled = true;
      alt-speed-down = 1000;
      alt-speed-up = 0;
      alt-speed-time-day = 127; # day bitmask: 127 = all days (65 = weekend only)
      alt-speed-time-begin = 360; # 06h00 local time
      alt-speed-time-end = 1260; # 21h00 local time
      ratio-limit = 4;
      ratio-limit-enabled = true;

      rpc-enabled = true;
      # Loopback inside the namespace only; external access goes through
      # proxy-to-transmission.
      rpc-bind-address = "127.0.0.1";
      rpc-port = 9091;
      # Every RPC request reaches the daemon from systemd-socket-proxyd, i.e.
      # with source address 127.0.0.1, so this whitelist cannot tell remote
      # clients apart: the effective access control is the proxy socket's bind
      # address, the `input-intra` nftables rule and
      # rpc-authentication-required below.
      # NOTE(review): Transmission documents rpc-whitelist as comma-separated
      # addresses with `*` wildcards; whether a `/24` suffix is honoured should
      # be verified — if not, this entry simply never matches (harmless here,
      # since 127.0.0.1 is listed).
      rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
      rpc-whitelist-enabled = true;
      # Accepted Host: header values (DNS-rebinding protection).
      # Presumably `<hostName>.wg` is the wg-intra name clients use — confirm.
      rpc-host-whitelist = "localhost,${hostName}.wg";
      rpc-host-whitelist-enabled = true;
      # Credentials come from credentialsFile above.
      rpc-authentication-required = true;
    };
  };
}