# Transmission confined to a dedicated network namespace, with its RPC
# reachable from the wg-intra address through a systemd socket proxy.
{ pkgs, config, inputs, hostName, ... }:
let
  inherit (config.services) transmission;
  inherit (config.users) users;

  # Network namespace the daemon (and the RPC proxy) are joined to.
  netns = "calyx";
  netnsUnit = "netns-${netns}.service";

  # Per-host addresses of the wg-intra WireGuard mesh.
  wgPeers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
  intraAddr = wgPeers.${hostName}.ipv4;

  rpcPort = toString transmission.settings.rpc-port;
  peerPort = toString transmission.settings.peer-port;
in
{
  users.groups.transmission.members = [
    users."julm".name
    users."sevy".name
  ];

  # Host namespace: let the RPC port in from the intra chain only.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-intra {
        tcp dport ${rpcPort} \
          counter accept comment "transmission: rpc"
      }
    }
  '';

  # Inside the namespace: peer traffic in, and only the transmission
  # user's traffic out.
  services.netns.namespaces.${netns}.nftables = ''
    table inet filter {
      chain input {
        meta l4proto { udp, tcp } \
          th dport ${peerPort} \
          counter accept comment "transmission"
      }
      chain output {
        skuid ${transmission.user} counter accept comment "transmission"
      }
    }
  '';

  fileSystems."/var/lib/transmission" = {
    device = "${hostName}/var/torrents";
    fsType = "zfs";
  };

  systemd.services.transmission = {
    # Needs both the namespace and the ZFS dataset holding its state.
    after = [ netnsUnit "zfs.target" ];
    requires = [ netnsUnit "zfs.target" ];
    # Started nightly at 20:00; stop-transmission below takes it down again
    # (via Conflicts=) every quarter hour between 06:00 and 19:59.
    startAt = "20:00:00";
    unitConfig.JoinsNamespaceOf = [ netnsUnit ];
    serviceConfig = {
      # Resolver of the namespace, not the host's.
      BindReadOnlyPaths = [ "/etc/netns/${netns}/resolv.conf:/etc/resolv.conf" ];
      PrivateNetwork = true;
      # Encrypted systemd credential; decrypted into
      # /run/credentials/transmission.service/settings.json at start.
      # Presumably this is where the RPC username/password live, since the
      # settings below do not carry them — confirm against the credential.
      LoadCredentialEncrypted = [ "settings.json:${transmission/settings.json.cred}" ];
      #NetworkNamespacePath = "/var/run/netns/${netns}";
    };
  };

  # The socket is bound by systemd outside the namespace, on the wg-intra
  # address; the service then joins the namespace and relays to the
  # loopback-only RPC listener.
  systemd.sockets.proxy-to-transmission = {
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "${intraAddr}:9091" ];
    socketConfig.FreeBind = true;
  };

  systemd.services.proxy-to-transmission = {
    requires = [ "transmission.service" ];
    after = [ "transmission.service" "proxy-to-transmission.socket" ];
    unitConfig.JoinsNamespaceOf = [ netnsUnit ];
    serviceConfig = {
      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
      PrivateNetwork = true;
      PrivateTmp = true;
    };
  };

  # Daytime stopper: starting this unit conflicts transmission.service away.
  systemd.services.stop-transmission = {
    serviceConfig.Type = "oneshot";
    unitConfig.Conflicts = [ "transmission.service" ];
    startAt = "06..19:0,15,30,45:00";
    script = "true";
  };

  services.transmission = {
    enable = true;
    performanceNetParameters = true;
    # FIXME: need latest systemd to exist in ExecStartPre=
    credentialsFile = "/run/credentials/transmission.service/settings.json";

    settings = {
      message-level = 2;

      # Storage layout under the ZFS dataset mounted above.
      download-dir = "/var/lib/transmission/downloaded";
      incomplete-dir = "/var/lib/transmission/.incoming";
      incomplete-dir-enabled = true;
      watch-dir = "/var/lib/transmission/.torrents";
      watch-dir-enabled = true;
      trash-original-torrent-files = false;
      preallocation = 0;
      umask = 7; # 007 octal, in decimal! (user+group rw, nothing for others)

      # Queueing.
      download-queue-enabled = true;
      download-queue-size = 5;
      queue-stalled-enabled = true;
      queue-stalled-minutes = 30;

      # Peers.
      peer-id-ttl-hours = 6;
      peer-limit-global = 1000;
      peer-limit-per-torrent = 100;
      peer-port = 6882;
      peer-port-random-on-start = false;
      encryption = 1; # prefer encrypted peer connections (2 would require them) — verify
      dht-enabled = true;
      lpd-enabled = false;
      pex-enabled = true;
      port-forwarding-enabled = true;
      scrape-paused-torrents-enabled = false;
      peer-socket-tos = "lowcost";

      # Bandwidth.
      speed-limit-down-enabled = false;
      speed-limit-up = 50;
      speed-limit-up-enabled = true;
      alt-speed-enabled = true;
      alt-speed-time-enabled = true;
      alt-speed-down = 1000;
      alt-speed-up = 0;
      alt-speed-time-day = 127; # all days (65 would be weekend only)
      alt-speed-time-begin = 360; # 06h00 local time
      alt-speed-time-end = 1260; # 21h00 local time
      ratio-limit = 4;
      ratio-limit-enabled = true;

      # RPC: loopback only inside the namespace; reached via the socket proxy.
      rpc-enabled = true;
      rpc-bind-address = "127.0.0.1";
      rpc-port = 9091;
      # NOTE(review): as far as I know Transmission matches whitelist entries
      # with '*' wildcards rather than CIDR, so the "/24" entry may never
      # match — confirm. Through the proxy every RPC client appears as
      # 127.0.0.1 anyway, so access control here rests on the host nftables
      # rule plus rpc-authentication-required.
      rpc-whitelist = "127.0.0.1,${intraAddr}/24";
      rpc-whitelist-enabled = true;
      rpc-host-whitelist = "localhost,${hostName}.wg";
      rpc-host-whitelist-enabled = true;
      rpc-authentication-required = true;
    };
  };
}