security: no longer depend upon upstream's hardening
{ pkgs, lib, config, ... }:
let
  inherit (config.services) transmission;
  inherit (config.users) users;
  inherit (config.security) gnupg;
  # Network namespace (managed by services.netns) that every socket of the
  # daemon is confined to; the namespace's default firewall policy is
  # defined elsewhere, this file only adds the allow rules below.
  netns = "riseup";
  netnsUnit = "netns-${netns}.service";
  # Encrypted settings.json fragment, decrypted by the gnupg secrets
  # machinery and merged into the live config when the unit starts.
  # Presumably carries the RPC username/password — verify in the secret.
  secret = gnupg.secrets."transmission/settings.json";
  peerPort = toString transmission.settings.peer-port;
  # Both units must be up before transmission starts and must stay up.
  unitDeps = [ secret.service netnsUnit ];
in
{
  # julm gets group access to what the daemon writes (see umask below).
  users.groups.transmission.members = [ users.julm.name ];

  # Allowlist inside the namespace: inbound peers on the listening port
  # (tcp for classic BitTorrent, udp for µTP/DHT on the same port) and
  # outbound traffic only when it originates from the transmission uid.
  services.netns.namespaces.${netns}.nftables = ''
    add rule inet filter input tcp dport ${peerPort} counter accept comment "Transmission"
    add rule inet filter input udp dport ${peerPort} counter accept comment "Transmission"
    add rule inet filter output meta skuid ${transmission.user} counter accept comment "Transmission"
  '';

  # The secret is decrypted for the daemon's own user, so no shared
  # "keys" group membership is needed.
  security.gnupg.secrets."transmission/settings.json".user = transmission.user;

  systemd.services.transmission = {
    after = unitDeps;
    requires = unitDeps;
    # Joining the namespace at unit level means every socket the daemon
    # opens (peers, DHT, UPnP/NAT-PMP, RPC) lives in "${netns}", never in
    # the host's default namespace.
    serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
  };

  services.transmission = {
    enable = true;
    # Kernel network sysctls tuned for many concurrent peer connections.
    performanceNetParameters = true;
    credentialsFile = secret.path;
    settings = {
      # --- RPC (remote control / web UI) ---
      rpc-enabled = true;
      rpc-port = 9091;
      # Loopback only — and that loopback is the one inside the
      # namespace, so the host's own 127.0.0.1 does not reach it.
      rpc-bind-address = "127.0.0.1";
      rpc-whitelist-enabled = true;
      rpc-whitelist = "127.0.0.1";
      # NOTE(review): with authentication left off, any process that can
      # reach the namespace's loopback controls the daemon unauthenticated;
      # RPC credentials from credentialsFile are only enforced once this is
      # true — confirm the secret holds rpc-username/rpc-password first.
      #rpc-authentication-required = true;

      # --- Storage ---
      message-level = 2;
      download-dir = "/home/julm/dl/torrents";
      incomplete-dir-enabled = true;
      incomplete-dir = "/home/julm/dl/torrents/.incoming";
      trash-original-torrent-files = false;
      preallocation = 0;
      # Transmission reads the decimal value of the octal mask: 007 -> 7,
      # i.e. owner and the transmission group get full access, others none.
      umask = 7;

      # --- Queueing ---
      download-queue-enabled = true;
      download-queue-size = 5;
      queue-stalled-enabled = true;
      queue-stalled-minutes = 30;
      scrape-paused-torrents-enabled = false;

      # --- Peers and transport ---
      # Fixed port so the nftables rules above stay valid across restarts.
      peer-port = 6882;
      peer-port-random-on-start = false;
      # Transmission's 0/1/2 = off/preferred/required: 1 prefers encrypted
      # peer connections but still accepts plaintext; 2 would refuse them.
      encryption = 1;
      dht-enabled = true;
      lpd-enabled = false;
      pex-enabled = true;
      # UPnP/NAT-PMP requests are sent from inside the namespace.
      port-forwarding-enabled = true;
      peer-socket-tos = "lowcost";
      peer-id-ttl-hours = 6;
      peer-limit-global = 1000;
      peer-limit-per-torrent = 100;

      # --- Bandwidth ---
      speed-limit-down-enabled = false;
      speed-limit-up-enabled = true;
      speed-limit-up = 50;
      # Scheduled "alt" profile: capped download and no upload during the
      # daytime window below, every day of the week.
      alt-speed-enabled = true;
      alt-speed-time-enabled = true;
      alt-speed-time-day = 127; # day bitmask: 127 = every day (65 = weekend only)
      alt-speed-time-begin = 360; # minutes after local midnight: 06:00
      alt-speed-time-end = 1320; # 22:00
      alt-speed-down = 1000;
      alt-speed-up = 0;
      ratio-limit-enabled = true;
      ratio-limit = 4;
    };
  };
}