{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.services.transmission;
inherit (config.environment) etc;
apparmor = config.security.apparmor.enable;
stateDir = "/var/lib/transmission";
# TODO: switch to configGen.json once RFC0042 is implemented
settingsFile = pkgs.writeText "settings.json" (builtins.toJSON (cfg.settings // {
download-dir = "${stateDir}/Downloads";
incomplete-dir = "${stateDir}/.incomplete";
}));
settingsDir = ".config/transmission-daemon";
makeAbsolute = base: path:
if builtins.match "^/.*" path == null
then base+"/"+path else path;
in
{
options = {
services.transmission = {
enable = mkEnableOption ''
Whether or not to enable the headless Transmission BitTorrent daemon.
Transmission daemon can be controlled via the RPC interface using
transmission-remote, the WebUI (http://${cfg.settings.rpc-bind-address}:${toString cfg.settings.rpc-port}/ by default),
or other clients like stig or tremc.
Torrents are downloaded to ${cfg.settings.download-dir} by default and are
accessible to users in the "transmission" group.
'';
settings = mkOption rec {
# TODO: switch to types.config.json as prescribed by RFC0042 once it's implemented
type = types.attrs;
apply = attrs:
let super = recursiveUpdate default attrs; in
super // {
download-dir = makeAbsolute cfg.home super.download-dir;
incomplete-dir = makeAbsolute cfg.home super.incomplete-dir;
};
default =
{
download-dir = "${cfg.home}/Downloads";
incomplete-dir = "${cfg.home}/.incomplete";
incomplete-dir-enabled = true;
peer-port = 51413;
peer-port-random-high = 65535;
peer-port-random-low = 49152;
peer-port-random-on-start = false;
rpc-bind-address = "127.0.0.1";
rpc-port = 9091;
umask = 18; # 0o022 in decimal as expected by Transmission, obtained with: echo $((8#022))
utp-enabled = true;
};
example =
{
download-dir = "/srv/torrents/";
incomplete-dir = "/srv/torrents/.incomplete/";
incomplete-dir-enabled = true;
rpc-whitelist = "127.0.0.1,192.168.*.*";
};
description = ''
Attribute set whose fields overwrites fields in
.config/transmission-daemon/settings.json
(each time the service starts). String values must be quoted, integer and
boolean values must not.
See https://github.com/transmission/transmission/wiki/Editing-Configuration-Files
for documentation.
'';
};
downloadDirPermissions = mkOption {
type = types.str;
default = "770";
example = "775";
description = ''
The permissions set by the systemd-tmpfiles-setup service
on settings.download-dir
and settings.incomplete-dir.
'';
};
port = mkOption {
type = types.port;
description = ''
TCP port number to run the RPC/web interface.
If instead you want to change the peer port,
use settings.peer-port
or settings.peer-port-random-on-start.
'';
};
home = mkOption {
type = types.path;
default = stateDir;
description = ''
The directory where Transmission will create .config/transmission-daemon/.
as well as Downloads/ unless settings.download-dir is changed,
and .incomplete/ unless settings.incomplete-dir is changed.
'';
};
user = mkOption {
type = types.str;
default = "transmission";
description = "User account under which Transmission runs.";
};
group = mkOption {
type = types.str;
default = "transmission";
description = "Group account under which Transmission runs.";
};
credentialsFile = mkOption {
type = types.path;
description = ''
Path to a JSON file to be merged with the settings.
Useful to merge a file which is better kept out of the Nix store
because it contains sensible data like settings.rpc-password.
'';
default = "/dev/null";
example = "/var/lib/secrets/transmission/settings.json";
};
openFirewall = mkEnableOption "Whether to automatically open the peer port(s) in the firewall.";
};
};
config = mkIf cfg.enable {
systemd.tmpfiles.rules =
optional (cfg.home != stateDir) "d '${cfg.home}/${settingsDir}' 700 '${cfg.user}' '${cfg.group}' - -"
++ [ "d '${cfg.settings.download-dir}' '${cfg.downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -" ]
++ optional cfg.settings.incomplete-dir-enabled
"d '${cfg.settings.incomplete-dir}' '${cfg.downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -";
assertions = [
{ assertion = builtins.match "^/.*" cfg.home != null;
message = "`services.transmission.home' must be an absolute path.";
}
{ assertion = types.port.check cfg.settings.rpc-port;
message = "${toString cfg.settings.rpc-port} is not a valid port number for `services.transmission.settings.rpc-port`.";
}
# In case both port and settings.rpc-port are explicitely defined: they must be the same.
{ assertion = !options.services.transmission.port.isDefined || cfg.port == cfg.settings.rpc-port;
message = "`services.transmission.port' is not equal to `services.transmission.settings.rpc-port'";
}
];
services.transmission.settings =
optionalAttrs options.services.transmission.port.isDefined { rpc-port = cfg.port; };
systemd.services.transmission = {
description = "Transmission BitTorrent Service";
after = [ "network.target" ] ++ optional apparmor "apparmor.service";
requires = optional apparmor "apparmor.service";
wantedBy = [ "multi-user.target" ];
environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
preStart = ''
set -eux
${pkgs.jq}/bin/jq --slurp add ${settingsFile} '${cfg.credentialsFile}' >'${stateDir}/${settingsDir}/settings.json'
'';
serviceConfig = {
WorkingDirectory = stateDir;
ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = cfg.user;
Group = cfg.group;
StateDirectory = removePrefix "/var/lib/" stateDir + "/" + settingsDir;
StateDirectoryMode = "0700";
BindPaths =
optional (cfg.home != stateDir) "${cfg.home}/${settingsDir}:${stateDir}/${settingsDir}"
++ [ "${cfg.settings.download-dir}:${stateDir}/Downloads" ]
++ optional cfg.settings.incomplete-dir-enabled "${cfg.settings.incomplete-dir}:${stateDir}/.incomplete";
# The following options give:
# systemd-analyze security transmission
# → Overall exposure level for transmission.service: 1.5 OK
AmbientCapabilities = "";
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateNetwork = false;
PrivateTmp = true;
PrivateUsers = false;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = mkDefault true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = mkDefault "strict";
ReadWritePaths = [ stateDir ];
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
# In case transmission crashes with status=31/SYS,
# having systemd.coredump.enable = true
# and environment.enableDebugInfo = true
# enables to use coredumpctl debug to find the denied syscall.
SystemCallFilter = [
"@default"
"@aio"
"@basic-io"
#"@chown"
#"@clock"
#"@cpu-emulation"
#"@debug"
"@file-system"
"@io-event"
#"@ipc"
#"@keyring"
#"@memlock"
#"@module"
#"@mount"
"@network-io"
#"@obsolete"
#"@pkey"
#"@privileged"
# Reached when querying infos through RPC (eg. with stig)
"quotactl"
"@process"
#"@raw-io"
#"@reboot"
#"@resources"
#"@setuid"
"@signal"
#"@swap"
"@sync"
"@system-service"
"@timer"
];
SystemCallArchitectures = "native";
UMask = "0077";
};
};
# It's useful to have transmission in path, e.g. for remote control
environment.systemPackages = [ pkgs.transmission ];
users.users = optionalAttrs (cfg.user == "transmission") ({
transmission = {
group = cfg.group;
uid = config.ids.uids.transmission;
description = "Transmission BitTorrent user";
home = stateDir;
createHome = false;
};
});
users.groups = optionalAttrs (cfg.group == "transmission") ({
transmission = {
gid = config.ids.gids.transmission;
};
});
networking.firewall = mkIf cfg.openFirewall (
if cfg.settings.peer-port-random-on-start
then
{ allowedTCPPortRanges =
[ { from = cfg.settings.peer-port-random-low;
to = cfg.settings.peer-port-random-high;
}
];
allowedUDPPortRanges =
[ { from = cfg.settings.peer-port-random-low;
to = cfg.settings.peer-port-random-high;
}
];
}
else
{ allowedTCPPorts = [ cfg.settings.peer-port ];
allowedUDPPorts = [ cfg.settings.peer-port ];
}
);
boot.kernel.sysctl = mkIf cfg.settings.utp-enabled {
"net.core.rmem_max" = mkDefault "4194304";
"net.core.wmem_max" = mkDefault "1048576";
};
security.apparmor.policies."bin/transmission-daemon".profile = ''
#include
${pkgs.transmission}/bin/transmission-daemon {
#include
#include
${getLib pkgs.stdenv.cc.cc}/lib/*.so* mr,
${getLib pkgs.stdenv.cc.libc}/lib/*.so* mr,
${getLib pkgs.libevent}/lib/libevent*.so* mr,
${getLib pkgs.curl}/lib/libcurl*.so* mr,
${getLib pkgs.openssl}/lib/libssl*.so* mr,
${getLib pkgs.openssl}/lib/libcrypto*.so* mr,
${getLib pkgs.zlib}/lib/libz*.so* mr,
${getLib pkgs.libssh2}/lib/libssh2*.so* mr,
${getLib pkgs.systemd}/lib/libsystemd*.so* mr,
${getLib pkgs.xz}/lib/liblzma*.so* mr,
${getLib pkgs.libgcrypt}/lib/libgcrypt*.so* mr,
${getLib pkgs.libgpgerror}/lib/libgpg-error*.so* mr,
${getLib pkgs.nghttp2}/lib/libnghttp2*.so* mr,
${getLib pkgs.c-ares}/lib/libcares*.so* mr,
${getLib pkgs.libcap}/lib/libcap*.so* mr,
${getLib pkgs.attr}/lib/libattr*.so* mr,
${getLib pkgs.lz4}/lib/liblz4*.so* mr,
${getLib pkgs.libkrb5}/lib/lib*.so* mr,
${getLib pkgs.keyutils}/lib/libkeyutils*.so* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so* mr,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/vm/overcommit_memory r,
#@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/mounts r,
/tmp/tr_session_id_* rwk,
${pkgs.openssl.out}/etc/** r,
${config.systemd.services.transmission.environment.CURL_CA_BUNDLE} r,
${pkgs.transmission}/share/transmission/** r,
owner ${stateDir}/${settingsDir}/** rw,
${stateDir}/Downloads/** rw,
${optionalString cfg.settings.incomplete-dir-enabled ''
${stateDir}/.incomplete/** rw,
''}
}
'';
};
meta.maintainers = with lib.maintainers; [ julm ];
}