-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, config, inputs, hostName, ... }:
let
inherit (config.services) transmission;
inherit (config.users) users;
- inherit (config.security) gnupg;
- netns = "riseup";
+ netns = "calyx";
+ wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
in
{
-users.groups.transmission.members = [
- users."julm".name
-];
-services.netns.namespaces.${netns}.nftables = ''
- add rule inet filter input tcp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
- add rule inet filter input udp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
- add rule inet filter output meta skuid ${transmission.user} counter accept comment "Transmission"
-'';
-#users.groups.keys.members = [ transmission.user ];
-security.gnupg.secrets."transmission/settings.json" = {
- user = transmission.user;
- systemdConfig.before = [ "transmission.service" ];
- systemdConfig.wantedBy = [ "transmission.service" ];
-};
-fileSystems."/var/lib/transmission" = {
- device = "${hostName}/var/torrents";
- fsType = "zfs";
-};
-systemd.services.transmission = {
- after = [
- "netns-${netns}.service"
- "zfs.target"
+ users.groups.transmission.members = [
+ users."julm".name
+ users."sevy".name
];
- requires = [
- "netns-${netns}.service"
- "zfs.target"
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input-intra {
+ tcp dport ${toString transmission.settings.rpc-port} \
+ counter accept comment "transmission: rpc"
+ }
+ }
+ '';
+ services.netns.namespaces.${netns}.nftables = ''
+ table inet filter {
+ chain input {
+ meta l4proto { udp, tcp } \
+ th dport ${toString transmission.settings.peer-port} \
+ counter accept comment "transmission"
+ }
+ chain output {
+ skuid ${transmission.user} counter accept comment "transmission"
+ }
+ }
+ '';
+ fileSystems."/var/lib/transmission" = {
+ device = "${hostName}/var/torrents";
+ fsType = "zfs";
+ };
+ systemd.services.transmission = {
+ after = [
+ "netns-${netns}.service"
+ "zfs.target"
+ ];
+ requires = [
+ "netns-${netns}.service"
+ "zfs.target"
+ ];
+ startAt = "20:00:00";
+ unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
+ serviceConfig.BindReadOnlyPaths = [ "/etc/netns/${netns}/resolv.conf:/etc/resolv.conf" ];
+ serviceConfig.PrivateNetwork = true;
+ #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
+ };
+ systemd.sockets.proxy-to-transmission = {
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ "${wg-intra-peers.${hostName}.ipv4}:9091" ];
+ socketConfig.FreeBind = true;
+ };
+ systemd.services.proxy-to-transmission = {
+ requires = [ "transmission.service" ];
+ after = [ "transmission.service" "proxy-to-transmission.socket" ];
+ unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
+ PrivateNetwork = true;
+ PrivateTmp = true;
+ };
+ };
+ systemd.services.stop-transmission = {
+ serviceConfig.Type = "oneshot";
+ unitConfig.Conflicts = [ "transmission.service" ];
+ startAt = "06..19:0,15,30,45:00";
+ script = "true";
+ };
+ systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = [
+ "settings.json:${transmission/settings.json.cred}"
];
- serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
- #unitConfig.Conflicts = ["transmission.timer"];
-};
-systemd.timers.transmission = {
- timerConfig.OnCalendar = ["21..23:*:00" "00..05:*:00"];
- wantedBy = [ "timers.target" ];
-};
-systemd.services.stop-transmission = {
- serviceConfig.Type = "oneshot";
- unitConfig.Conflicts = ["transmission.service"];
- script = "true";
-};
-systemd.timers.stop-transmission = {
- timerConfig.OnCalendar = "06..20:*:00";
- wantedBy = [ "timers.target" ];
-};
-services.transmission = {
- enable = true;
- performanceNetParameters = true;
- credentialsFile = gnupg.secrets."transmission/settings.json".path;
- settings = {
- message-level = 2;
- download-dir = "/home/julm/dl/torrents";
- incomplete-dir = "/home/julm/dl/torrents/.incoming";
- incomplete-dir-enabled = true;
- trash-original-torrent-files = false;
- preallocation = 0;
- umask = 7; # 007 octal, in decimal!
- download-queue-enabled = true;
- download-queue-size = 5;
- peer-id-ttl-hours = 6;
- peer-limit-global = 1000;
- peer-limit-per-torrent = 100;
+ services.transmission = {
+ enable = true;
+ performanceNetParameters = true;
+ # FIXME: need latest systemd to exist in ExecStartPre=
+ credentialsFile = "/run/credentials/transmission.service/settings.json";
+ settings = {
+ message-level = 2;
+ download-dir = "/var/lib/transmission/downloaded";
+ incomplete-dir = "/var/lib/transmission/.incoming";
+ incomplete-dir-enabled = true;
+ watch-dir = "/var/lib/transmission/.torrents";
+ watch-dir-enabled = true;
+ trash-original-torrent-files = false;
+ preallocation = 0;
+ umask = 7; # 007 octal, in decimal!
+ download-queue-enabled = true;
+ download-queue-size = 5;
+ peer-id-ttl-hours = 6;
+ peer-limit-global = 1000;
+ peer-limit-per-torrent = 100;
- peer-port = 6882;
- peer-port-random-on-start = false;
- encryption = 1;
- dht-enabled = true;
- lpd-enabled = false;
- pex-enabled = true;
- port-forwarding-enabled = true;
- scrape-paused-torrents-enabled = false;
- peer-socket-tos = "lowcost";
- queue-stalled-enabled = true;
- queue-stalled-minutes = 30;
- speed-limit-down-enabled = false;
- speed-limit-up = 50;
- speed-limit-up-enabled = true;
- alt-speed-enabled = true;
- alt-speed-time-enabled = true;
- alt-speed-down = 1000;
- alt-speed-up = 0;
- alt-speed-time-day = 127; # all days. 65; # weekend only
- alt-speed-time-begin = 360; # 06h00 local time
- alt-speed-time-end = 1260; # 21h00 local time
- ratio-limit = 4;
- ratio-limit-enabled = true;
+ peer-port = 6882;
+ peer-port-random-on-start = false;
+ encryption = 1;
+ dht-enabled = true;
+ lpd-enabled = false;
+ pex-enabled = true;
+ port-forwarding-enabled = true;
+ scrape-paused-torrents-enabled = false;
+ peer-socket-tos = "lowcost";
+ queue-stalled-enabled = true;
+ queue-stalled-minutes = 30;
+ speed-limit-down-enabled = false;
+ speed-limit-up = 50;
+ speed-limit-up-enabled = true;
+ alt-speed-enabled = true;
+ alt-speed-time-enabled = true;
+ alt-speed-down = 1000;
+ alt-speed-up = 0;
+ alt-speed-time-day = 127; # all days. 65; # weekend only
+ alt-speed-time-begin = 360; # 06h00 local time
+ alt-speed-time-end = 1260; # 21h00 local time
+ ratio-limit = 4;
+ ratio-limit-enabled = true;
- rpc-enabled = true;
- rpc-bind-address = "127.0.0.1";
- rpc-port = 9091;
- rpc-whitelist = "127.0.0.1";
- rpc-whitelist-enabled = true;
- #rpc-authentication-required = true;
+ rpc-enabled = true;
+ rpc-bind-address = "127.0.0.1";
+ rpc-port = 9091;
+ rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
+ rpc-whitelist-enabled = true;
+ rpc-host-whitelist = "localhost,${hostName}.wg";
+ rpc-host-whitelist-enabled = true;
+ rpc-authentication-required = true;
+ };
};
-};
}