# Transmission (BitTorrent daemon) on host losurdo.
#
# The daemon is confined to a dedicated network namespace (see
# serviceConfig.NetworkNamespacePath below). Its RPC interface is bound to
# loopback inside that namespace and is only reachable from the WireGuard
# intra network through a systemd socket proxy (proxy-to-transmission).
# RPC credentials come from a GnuPG-encrypted settings.json, not from the store.
{ pkgs, lib, config, hostName, inputs, ... }:
let
  inherit (config.services) transmission;
  inherit (config.users) users;
  inherit (config.security) gnupg;
  # Name of the network namespace the daemon runs in.
  # NOTE(review): the namespace itself is defined elsewhere — presumably a VPN
  # namespace, going by the name; confirm.
  netns = "riseup";
  # WireGuard "wg-intra" host table; used below for this host's intra IPv4.
  wg-intra-hosts = import (inputs.julm-nix + "/networking/wireguard/wg-intra/hosts.nix");
in
{
  # Let user julm access the download tree (files are created with umask 007,
  # i.e. group read/write, see settings.umask below).
  users.groups.transmission.members = [
    users."julm".name
  ];
  # Firewall rules applied inside the namespace only: accept inbound peer
  # connections (TCP and UDP) on the configured peer port, and accept
  # outbound traffic originating from the transmission user.
  services.netns.namespaces.${netns}.nftables = ''
    add rule inet filter input tcp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
    add rule inet filter input udp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
    add rule inet filter output meta skuid ${transmission.user} counter accept comment "Transmission"
  '';
  #users.groups.keys.members = [ transmission.user ];
  # settings.json is decrypted for transmission.user before transmission.service
  # starts; it is the credentialsFile passed to services.transmission below.
  security.gnupg.secrets."transmission/settings.json" = {
    user = transmission.user;
    systemdConfig.before = [ "transmission.service" ];
    systemdConfig.wantedBy = [ "transmission.service" ];
  };
  # Dedicated ZFS dataset for the daemon's state and download directories.
  fileSystems."/var/lib/transmission" = {
    device = "${hostName}/var/torrents";
    fsType = "zfs";
  };
  systemd.services.transmission = {
    # The namespace and the ZFS mounts must exist before the daemon starts.
    after = [
      "netns-${netns}.service"
      "zfs.target"
    ];
    requires = [
      "netns-${netns}.service"
      "zfs.target"
    ];
    # Started daily at 20:00 by a timer; stop-transmission below stops it
    # again from 06:00 on, so the daemon only runs overnight.
    startAt = "20:00:00";
    # Run inside the namespace: peer traffic never uses the host's default
    # network stack, and the nftables rules above apply to it.
    serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
  };
  # Expose the RPC port on this host's WireGuard intra address only.
  # FreeBind lets the socket be bound even if that address is not yet configured.
  systemd.sockets.proxy-to-transmission = {
    wantedBy = ["sockets.target"];
    listenStreams = ["${wg-intra-hosts.${hostName}.ipv4}:9091"];
    socketConfig.FreeBind = true;
  };
  # Socket-activated proxy that joins transmission's network namespace and
  # forwards to the RPC listener bound on loopback inside it.
  systemd.services.proxy-to-transmission = {
    requires = ["transmission.service"];
    after = ["transmission.service" "proxy-to-transmission.socket"];
    # Share the network namespace of transmission.service, so that
    # 127.0.0.1:9091 in ExecStart is the daemon's RPC socket.
    unitConfig.JoinsNamespaceOf = ["transmission.service"];
    serviceConfig = {
      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
      # PrivateNetwork= is what makes JoinsNamespaceOf= apply to the network namespace.
      PrivateNetwork = true;
      PrivateTmp = true;
    };
  };
  # Stops transmission.service via Conflicts= every 15 minutes between
  # 06:00 and 19:45; the unit's own script is a no-op.
  systemd.services.stop-transmission = {
    serviceConfig.Type = "oneshot";
    unitConfig.Conflicts = ["transmission.service"];
    startAt = "06..19:0,15,30,45:00";
    script = "true";
  };
  services.transmission = {
    enable = true;
    performanceNetParameters = true;
    # Decrypted at service start; holds the RPC username/password so they
    # never land in the Nix store.
    credentialsFile = gnupg.secrets."transmission/settings.json".path;
    settings = {
      message-level = 2;
      download-dir = "/var/lib/transmission/downloaded";
      incomplete-dir = "/var/lib/transmission/.incoming";
      incomplete-dir-enabled = true;
      watch-dir = "/var/lib/transmission/.torrents";
      watch-dir-enabled = true;
      trash-original-torrent-files = false;
      preallocation = 0;
      umask = 7; # 007 octal, in decimal! -> group read/write, no access for others
      download-queue-enabled = true;
      download-queue-size = 5;
      peer-id-ttl-hours = 6;
      peer-limit-global = 1000;
      peer-limit-per-torrent = 100;

      # Fixed peer port: the nftables rules above are derived from it and
      # would not match a randomized one.
      peer-port = 6882;
      peer-port-random-on-start = false;
      # 1 = prefer encrypted peer connections but still accept plaintext;
      # 2 would require encryption.
      encryption = 1;
      dht-enabled = true;
      lpd-enabled = false;
      pex-enabled = true;
      port-forwarding-enabled = true;
      scrape-paused-torrents-enabled = false;
      peer-socket-tos = "lowcost";
      queue-stalled-enabled = true;
      queue-stalled-minutes = 30;
      speed-limit-down-enabled = false;
      speed-limit-up = 50;
      speed-limit-up-enabled = true;
      alt-speed-enabled = true;
      alt-speed-time-enabled = true;
      alt-speed-down = 1000;
      alt-speed-up = 0;
      alt-speed-time-day = 127; # all days. 65; # weekend only
      alt-speed-time-begin = 360; # 06h00 local time
      alt-speed-time-end = 1260; # 21h00 local time
      ratio-limit = 4;
      ratio-limit-enabled = true;

      # RPC listens on loopback inside the namespace only; external access
      # goes through proxy-to-transmission above.
      rpc-enabled = true;
      rpc-bind-address = "127.0.0.1";
      rpc-port = 9091;
      # NOTE(review): Transmission documents rpc-whitelist as a comma-separated
      # list of addresses with '*' wildcards; confirm the "/24" suffix is honored
      # by the deployed version. Connections relayed by the proxy presumably
      # arrive from 127.0.0.1 anyway, which is what the first entry covers.
      rpc-whitelist = "127.0.0.1,${wg-intra-hosts.${hostName}.ipv4}/24";
      rpc-whitelist-enabled = true;
      # Host-header whitelist: rejects RPC requests whose Host is not one of
      # these names (DNS-rebinding protection).
      rpc-host-whitelist = "localhost,${hostName}.wg";
      rpc-host-whitelist-enabled = true;
      # Username/password are supplied by credentialsFile.
      rpc-authentication-required = true;
    };
  };
}