syncoid: fix localTargetAllow

[sourcephile-nix.git] / hosts / losurdo / transmission.nix

{ pkgs, lib, config, hostName, inputs, ... }:
let
  inherit (config.services) transmission;
  inherit (config.users) users;
  inherit (config.security) gnupg;
  netns = "riseup";
  wg-intra-hosts = import (inputs.julm-nix + "/networking/wireguard/wg-intra/hosts.nix");
in
{
users.groups.transmission.members = [
  users."julm".name
];
services.netns.namespaces.${netns}.nftables = ''
  add rule inet filter input tcp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
  add rule inet filter input udp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
  add rule inet filter output meta skuid ${transmission.user} counter accept comment "Transmission"
'';
#users.groups.keys.members = [ transmission.user ];
security.gnupg.secrets."transmission/settings.json" = {
  user = transmission.user;
  systemdConfig.before = [ "transmission.service" ];
  systemdConfig.wantedBy = [ "transmission.service" ];
};
fileSystems."/var/lib/transmission" = {
  device = "${hostName}/var/torrents";
  fsType = "zfs";
};
systemd.services.transmission = {
  after = [
    "netns-${netns}.service"
    "zfs.target"
  ];
  requires = [
    "netns-${netns}.service"
    "zfs.target"
  ];
  startAt = "20:00:00";
  serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
};
systemd.sockets.proxy-to-transmission = {
  wantedBy = ["sockets.target"];
  listenStreams = ["${wg-intra-hosts.${hostName}.ipv4}:9091"];
  socketConfig.FreeBind = true;
};
systemd.services.proxy-to-transmission = {
  requires = ["transmission.service"];
  after = ["transmission.service" "proxy-to-transmission.socket"];
  unitConfig.JoinsNamespaceOf = ["transmission.service"];
  serviceConfig = {
    ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
    PrivateNetwork = true;
    PrivateTmp = true;
  };
};
systemd.services.stop-transmission = {
  serviceConfig.Type = "oneshot";
  unitConfig.Conflicts = ["transmission.service"];
  startAt = "06..19:0,15,30,45:00";
  script = "true";
};
services.transmission = {
  enable = true;
  performanceNetParameters = true;
  credentialsFile = gnupg.secrets."transmission/settings.json".path;
  settings = {
    message-level = 2;
    download-dir = "/var/lib/transmission/downloaded";
    incomplete-dir = "/var/lib/transmission/.incoming";
    incomplete-dir-enabled = true;
    watch-dir = "/var/lib/transmission/.torrents";
    watch-dir-enabled = true;
    trash-original-torrent-files = false;
    preallocation = 0;
    umask = 7; # 007 octal, in decimal!
    download-queue-enabled = true;
    download-queue-size = 5;
    peer-id-ttl-hours = 6;
    peer-limit-global = 1000;
    peer-limit-per-torrent = 100;

    peer-port = 6882;
    peer-port-random-on-start = false;
    encryption = 1;
    dht-enabled = true;
    lpd-enabled = false;
    pex-enabled = true;
    port-forwarding-enabled = true;
    scrape-paused-torrents-enabled = false;
    peer-socket-tos = "lowcost";
    queue-stalled-enabled = true;
    queue-stalled-minutes = 30;
    speed-limit-down-enabled = false;
    speed-limit-up = 50;
    speed-limit-up-enabled = true;
    alt-speed-enabled = true;
    alt-speed-time-enabled = true;
    alt-speed-down = 1000;
    alt-speed-up = 0;
    alt-speed-time-day = 127; # all days. 65; # weekend only
    alt-speed-time-begin = 360; # 06h00 local time
    alt-speed-time-end = 1260; # 21h00 local time
    ratio-limit = 4;
    ratio-limit-enabled = true;

    rpc-enabled = true;
    rpc-bind-address = "127.0.0.1";
    rpc-port = 9091;
    rpc-whitelist = "127.0.0.1,${wg-intra-hosts.${hostName}.ipv4}/24";
    rpc-whitelist-enabled = true;
    rpc-host-whitelist = "localhost,${hostName}.wg";
    rpc-host-whitelist-enabled = true;
    rpc-authentication-required = true;
  };
};
}