{ pkgs, lib, config, inputs, hostName, ... }:
let
  inherit (config.services) transmission;
  inherit (config.users) users;
  netns = "riseup";
in
{
  # Who may touch the downloads: the download tree is created with umask 007
  # (see services.transmission.settings.umask below), so files are rw for the
  # transmission group and closed to everyone else — group membership is the
  # access control for these two accounts.
  users.groups.transmission.members =
    map (account: users.${account}.name) [ "julm" "sevy" ];
  # Host-side firewall: let the RPC port in on the chain that handles the
  # "sourcephile.fr" nebula network (the chain itself is defined elsewhere),
  # and only while that network is enabled.  The port is read from the
  # transmission settings; the systemd socket forwarding to the RPC listener
  # must listen on the same number for this rule to be of any use.
  networking.nftables.ruleset =
    let rpcPort = toString transmission.settings.rpc-port; in
    lib.mkIf config.services.nebula.networks."sourcephile.fr".enable ''
      table inet filter {
        chain input-neb-sourcephile {
          tcp dport ${rpcPort} \
            counter accept comment "transmission: rpc"
        }
      }
    '';
  # Firewall inside the namespace transmission runs in: inbound, only the
  # peer port (TCP and UDP) is accepted; outbound, only packets sent by
  # transmission's own uid are.  The chains' default policy is not set here,
  # so whatever is not listed is left to the services.netns module.
  services.netns.namespaces.${netns}.nftables =
    let peerPort = toString transmission.settings.peer-port; in ''
      table inet filter {
        chain input {
          meta l4proto { udp, tcp } \
            th dport ${peerPort} \
            counter accept comment "transmission"
        }
        chain output {
          skuid ${transmission.user} counter accept comment "transmission"
        }
      }
    '';
  # The whole download tree (download-dir, incomplete-dir, watch-dir below)
  # lives on its own ZFS dataset, "<hostName>/var/torrents".
  fileSystems."/var/lib/transmission" = {
    fsType = "zfs";
    device = "${hostName}/var/torrents";
  };
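  systemd.services.transmission = {
    # Ordering: the network namespace must exist and ZFS must be up before we
    # start.  RequiresMountsFor additionally pins the one mount we actually
    # depend on: zfs.target being reached does not by itself guarantee that
    # the /var/lib/transmission dataset is mounted, and starting without it
    # would silently write downloads into the root filesystem.
    after = [ "netns-${netns}.service" "zfs.target" ];
    requires = [ "netns-${netns}.service" "zfs.target" ];
    unitConfig = {
      RequiresMountsFor = [ "/var/lib/transmission" ];
      # Run inside the namespace created by netns-${netns}.service; this only
      # takes effect together with PrivateNetwork below.
      JoinsNamespaceOf = [ "netns-${netns}.service" ];
    };
    # Daily start at 20:00 (NixOS generates the timer); stop-transmission
    # below Conflicts= it away every quarter hour from 06:00 to 19:45.
    startAt = "20:00:00";
    serviceConfig.PrivateNetwork = true;
    # The namespace has its own resolver configuration; overlay it on the
    # service's /etc/resolv.conf.
    serviceConfig.BindReadOnlyPaths = [ "/etc/netns/${netns}/resolv.conf:/etc/resolv.conf" ];
    #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
  };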
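  # Host-side listener for the RPC: accepts on 10.0.0.2 (presumably this
  # host's address on the nebula network — the nftables rule above opens the
  # same port on the nebula chain) and hands connections to the proxy unit.
  # The port is taken from the transmission settings rather than repeated as
  # a literal, so socket, firewall rule and RPC listener cannot drift apart.
  systemd.sockets.proxy-to-transmission = {
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "10.0.0.2:${toString transmission.settings.rpc-port}" ];
    # Allow binding the address before the overlay interface has it.
    socketConfig.FreeBind = true;
  };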
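  # Bridge between the host network and the namespace: this unit joins the
  # namespace and relays each accepted connection to transmission's loopback
  # RPC listener.  Bind address and port come from the transmission settings
  # so they cannot drift from what transmission actually listens on.
  # Security note: transmission sees every proxied client as coming from
  # 127.0.0.1, so its rpc-whitelist cannot tell clients apart; access control
  # is the nebula firewall rule plus rpc-authentication-required.
  systemd.services.proxy-to-transmission = {
    requires = [ "transmission.service" ];
    after = [ "transmission.service" "proxy-to-transmission.socket" ];
    unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
    serviceConfig = {
      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd ${transmission.settings.rpc-bind-address}:${toString transmission.settings.rpc-port}";
      PrivateNetwork = true;
      PrivateTmp = true;
      # NOTE(review): no User=/DynamicUser= is set, so the proxy presumably
      # runs as root; it only needs the inherited socket and a loopback
      # connect, so DynamicUser=true looks applicable — verify.
    };
  };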
  # Daytime kill switch.  The oneshot itself does nothing ("true"); its
  # Conflicts= is what stops transmission.service whenever the timer fires,
  # i.e. every quarter hour from 06:00 to 19:45.  Combined with the 20:00
  # startAt above, transmission is up from roughly 20:00 to 06:00.
  systemd.services.stop-transmission = {
    startAt = "06..19:0,15,30,45:00";
    script = "true";
    serviceConfig.Type = "oneshot";
    unitConfig.Conflicts = [ "transmission.service" ];
  };
  # settings.json is shipped as a systemd encrypted credential.  The ${path}
  # interpolation copies the .cred file into the (world-readable) Nix store,
  # which is acceptable only because it is encrypted; systemd decrypts it at
  # start into /run/credentials/transmission.service/settings.json, the path
  # services.transmission.credentialsFile points at.  It presumably carries
  # the RPC username/password, which are absent from the settings below.
  systemd.services.transmission.serviceConfig.LoadCredentialEncrypted =
    [ "settings.json:${transmission/settings.json.cred}" ];
  services.transmission = {
    enable = true;
    performanceNetParameters = true;
    # Where systemd exposes the decrypted "settings.json" credential loaded
    # via LoadCredentialEncrypted on systemd.services.transmission.
    # FIXME: need latest systemd to exist in ExecStartPre=
    credentialsFile = "/run/credentials/transmission.service/settings.json";
    settings = {
      message-level = 2;
      # All three directories sit on the dedicated ZFS dataset mounted at
      # /var/lib/transmission.
      download-dir = "/var/lib/transmission/downloaded";
      incomplete-dir = "/var/lib/transmission/.incoming";
      incomplete-dir-enabled = true;
      watch-dir = "/var/lib/transmission/.torrents";
      watch-dir-enabled = true;
      trash-original-torrent-files = false;
      preallocation = 0;
      # 007 octal, written in decimal as Transmission expects: owner and the
      # transmission group get rw, everyone else nothing — membership of that
      # group (see users.groups.transmission) is the access control on downloads.
      umask = 7;
      download-queue-enabled = true;
      download-queue-size = 5;
      peer-id-ttl-hours = 6;
      peer-limit-global = 1000;
      peer-limit-per-torrent = 100;

      # Fixed peer port; it must stay in sync with the accept rule in the
      # namespace's nftables input chain above, which reads this same value.
      peer-port = 6882;
      peer-port-random-on-start = false;
      # Per Transmission's settings documentation: 0 = prefer unencrypted,
      # 1 = prefer encrypted, 2 = require encrypted.  1 still accepts
      # plaintext peers; use 2 to refuse them.
      encryption = 1;
      dht-enabled = true;
      lpd-enabled = false;
      pex-enabled = true;
      port-forwarding-enabled = true;
      scrape-paused-torrents-enabled = false;
      peer-socket-tos = "lowcost";
      queue-stalled-enabled = true;
      queue-stalled-minutes = 30;
      speed-limit-down-enabled = false;
      speed-limit-up = 50;
      speed-limit-up-enabled = true;
      alt-speed-enabled = true;
      alt-speed-time-enabled = true;
      alt-speed-down = 1000;
      alt-speed-up = 0;
      alt-speed-time-day = 127; # day bitmask: 127 = every day (65 would be weekend only)
      alt-speed-time-begin = 360; # minutes after midnight: 06:00 local time
      alt-speed-time-end = 1260; # minutes after midnight: 21:00 local time
      ratio-limit = 4;
      ratio-limit-enabled = true;

      rpc-enabled = true;
      # Loopback inside the network namespace: the RPC is reachable from the
      # host side only through the proxy-to-transmission socket/service above.
      rpc-bind-address = "127.0.0.1";
      rpc-port = 9091;
      # NOTE(review): Transmission documents rpc-whitelist as a list of IP
      # addresses (wildcards allowed), so the two hostname entries here
      # presumably never match — verify.  Moreover every client arriving via
      # systemd-socket-proxyd connects from 127.0.0.1, so this list cannot
      # distinguish clients at all; the effective access control is the
      # nebula nftables rule plus rpc-authentication-required.
      rpc-whitelist = "127.0.0.1,${hostName}.sp,oignon.sp";
      rpc-whitelist-enabled = true;
      # Host-header check (DNS-rebinding guard).  Clients that reach
      # 10.0.0.2:9091 send an IP literal as Host; Transmission is presumed to
      # accept numeric hosts regardless of this list — confirm.
      rpc-host-whitelist = "localhost,${hostName}.sp";
      rpc-host-whitelist-enabled = true;
      # Username/password are not set here; presumably they come from the
      # encrypted settings.json credential referenced by credentialsFile.
      rpc-authentication-required = true;
    };
  };
}