mermet: calibre: enable
[sourcephile-nix.git] / hosts / losurdo / transmission.nix
index 63ed3ef65093472056634977a1ba3f45df698a5c..37f9fe7d28baf6767120bf1aa944dbe7db5d8952 100644 (file)
-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, config, inputs, hostName, ... }:
 let
   inherit (config.services) transmission;
   inherit (config.users) users;
-  inherit (config.security) gnupg;
-  netns = "riseup";
+  netns = "calyx";
+  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
 in
 {
-users.groups.transmission.members = [
-  users."julm".name
-];
-services.netns.namespaces.${netns}.nftables = ''
-  add rule inet filter input tcp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
-  add rule inet filter input udp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
-  add rule inet filter output meta skuid ${transmission.user} counter accept comment "Transmission"
-'';
-#users.groups.keys.members = [ transmission.user ];
-security.gnupg.secrets."transmission/settings.json" = {
-  user = transmission.user;
-  systemdConfig.before = [ "transmission.service" ];
-  systemdConfig.wantedBy = [ "transmission.service" ];
-};
-fileSystems."/var/lib/transmission" = {
-  device = "${hostName}/var/torrents";
-  fsType = "zfs";
-};
-systemd.services.transmission = {
-  after = [
-    "netns-${netns}.service"
-    "zfs.target"
+  users.groups.transmission.members = [
+    users."julm".name
+    users."sevy".name
   ];
-  requires = [
-    "netns-${netns}.service"
-    "zfs.target"
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain input-intra {
+        tcp dport ${toString transmission.settings.rpc-port} \
+          counter accept comment "transmission: rpc"
+      }
+    }
+  '';
+  services.netns.namespaces.${netns}.nftables = ''
+    table inet filter {
+      chain input {
+        meta l4proto { udp, tcp } \
+          th dport ${toString transmission.settings.peer-port} \
+          counter accept comment "transmission"
+      }
+      chain output {
+        skuid ${transmission.user} counter accept comment "transmission"
+      }
+    }
+  '';
+  fileSystems."/var/lib/transmission" = {
+    device = "${hostName}/var/torrents";
+    fsType = "zfs";
+  };
+  systemd.services.transmission = {
+    after = [
+      "netns-${netns}.service"
+      "zfs.target"
+    ];
+    requires = [
+      "netns-${netns}.service"
+      "zfs.target"
+    ];
+    startAt = "20:00:00";
+    unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
+    serviceConfig.BindReadOnlyPaths = [ "/etc/netns/${netns}/resolv.conf:/etc/resolv.conf" ];
+    serviceConfig.PrivateNetwork = true;
+    #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
+  };
+  systemd.sockets.proxy-to-transmission = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "${wg-intra-peers.${hostName}.ipv4}:9091" ];
+    socketConfig.FreeBind = true;
+  };
+  systemd.services.proxy-to-transmission = {
+    requires = [ "transmission.service" ];
+    after = [ "transmission.service" "proxy-to-transmission.socket" ];
+    unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
+      PrivateNetwork = true;
+      PrivateTmp = true;
+    };
+  };
+  systemd.services.stop-transmission = {
+    serviceConfig.Type = "oneshot";
+    unitConfig.Conflicts = [ "transmission.service" ];
+    startAt = "06..19:0,15,30,45:00";
+    script = "true";
+  };
+  systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = [
+    "settings.json:${transmission/settings.json.cred}"
   ];
-  serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
-  #unitConfig.Conflicts = ["transmission.timer"];
-};
-systemd.timers.transmission = {
-  timerConfig.OnCalendar = ["21..23:*:00" "00..05:*:00"];
-  wantedBy = [ "timers.target" ];
-};
-systemd.services.stop-transmission = {
-  serviceConfig.Type = "oneshot";
-  unitConfig.Conflicts = ["transmission.service"];
-  script = "true";
-};
-systemd.timers.stop-transmission = {
-  timerConfig.OnCalendar = "06..20:*:00";
-  wantedBy = [ "timers.target" ];
-};
-services.transmission = {
-  enable = true;
-  performanceNetParameters = true;
-  credentialsFile = gnupg.secrets."transmission/settings.json".path;
-  settings = {
-    message-level = 2;
-    download-dir = "/home/julm/dl/torrents";
-    incomplete-dir = "/home/julm/dl/torrents/.incoming";
-    incomplete-dir-enabled = true;
-    trash-original-torrent-files = false;
-    preallocation = 0;
-    umask = 7; # 007 octal, in decimal!
-    download-queue-enabled = true;
-    download-queue-size = 5;
-    peer-id-ttl-hours = 6;
-    peer-limit-global = 1000;
-    peer-limit-per-torrent = 100;
+  services.transmission = {
+    enable = true;
+    performanceNetParameters = true;
+    # FIXME: need latest systemd to exist in ExecStartPre=
+    credentialsFile = "/run/credentials/transmission.service/settings.json";
+    settings = {
+      message-level = 2;
+      download-dir = "/var/lib/transmission/downloaded";
+      incomplete-dir = "/var/lib/transmission/.incoming";
+      incomplete-dir-enabled = true;
+      watch-dir = "/var/lib/transmission/.torrents";
+      watch-dir-enabled = true;
+      trash-original-torrent-files = false;
+      preallocation = 0;
+      umask = 7; # 007 octal, in decimal!
+      download-queue-enabled = true;
+      download-queue-size = 5;
+      peer-id-ttl-hours = 6;
+      peer-limit-global = 1000;
+      peer-limit-per-torrent = 100;
 
-    peer-port = 6882;
-    peer-port-random-on-start = false;
-    encryption = 1;
-    dht-enabled = true;
-    lpd-enabled = false;
-    pex-enabled = true;
-    port-forwarding-enabled = true;
-    scrape-paused-torrents-enabled = false;
-    peer-socket-tos = "lowcost";
-    queue-stalled-enabled = true;
-    queue-stalled-minutes = 30;
-    speed-limit-down-enabled = false;
-    speed-limit-up = 50;
-    speed-limit-up-enabled = true;
-    alt-speed-enabled = true;
-    alt-speed-time-enabled = true;
-    alt-speed-down = 1000;
-    alt-speed-up = 0;
-    alt-speed-time-day = 127; # all days. 65; # weekend only
-    alt-speed-time-begin = 360; # 06h00 local time
-    alt-speed-time-end = 1260; # 21h00 local time
-    ratio-limit = 4;
-    ratio-limit-enabled = true;
+      peer-port = 6882;
+      peer-port-random-on-start = false;
+      encryption = 1;
+      dht-enabled = true;
+      lpd-enabled = false;
+      pex-enabled = true;
+      port-forwarding-enabled = true;
+      scrape-paused-torrents-enabled = false;
+      peer-socket-tos = "lowcost";
+      queue-stalled-enabled = true;
+      queue-stalled-minutes = 30;
+      speed-limit-down-enabled = false;
+      speed-limit-up = 50;
+      speed-limit-up-enabled = true;
+      alt-speed-enabled = true;
+      alt-speed-time-enabled = true;
+      alt-speed-down = 1000;
+      alt-speed-up = 0;
+      alt-speed-time-day = 127; # all days. 65; # weekend only
+      alt-speed-time-begin = 360; # 06h00 local time
+      alt-speed-time-end = 1260; # 21h00 local time
+      ratio-limit = 4;
+      ratio-limit-enabled = true;
 
-    rpc-enabled = true;
-    rpc-bind-address = "127.0.0.1";
-    rpc-port = 9091;
-    rpc-whitelist = "127.0.0.1";
-    rpc-whitelist-enabled = true;
-    #rpc-authentication-required = true;
+      rpc-enabled = true;
+      rpc-bind-address = "127.0.0.1";
+      rpc-port = 9091;
+      rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
+      rpc-whitelist-enabled = true;
+      rpc-host-whitelist = "localhost,${hostName}.wg";
+      rpc-host-whitelist-enabled = true;
+      rpc-authentication-required = true;
+    };
   };
-};
 }
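Review bot: The IP whitelist at `rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24"` cannot see remote clients, because `proxy-to-transmission` forwards to `127.0.0.1:9091` from inside the `${netns}` namespace, so every RPC request arriving over the wg-intra listener reaches transmission with source address 127.0.0.1 and the new `/24` entry is never consulted. Transmission's `rpc-whitelist` also matches addresses with `*` wildcards and, as far as I know, does not parse CIDR prefixes, so that entry may be ignored or rejected at startup — worth confirming against the running version. The effective remote access controls here are the `input-intra` nftables rule, `rpc-host-whitelist` and `rpc-authentication-required`, and a comment should say so before someone later relaxes authentication assuming the IP whitelist covers it: `# NOTE: clients from wg-intra are proxied by proxy-to-transmission and appear as 127.0.0.1, so rpc-whitelist does not filter them; rpc-host-whitelist and rpc-authentication-required are the real controls.`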