nix: update inputs.julm-nix
[sourcephile-nix.git] / hosts / losurdo / transmission.nix
index 53b7eb6d3ed96f45eef0ebc11067769f18c5fc0b..facbaa6ee2c9ee600718e35a995f081c63201e77 100644 (file)
-{ pkgs, lib, config, hostName, inputs, ... }:
+{ pkgs, config, inputs, hostName, ... }:
 let
   inherit (config.services) transmission;
   inherit (config.users) users;
-  inherit (config.security) gnupg;
-  netns = "calyx";
-  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
+  netns = "riseup";
 in
 {
-users.groups.transmission.members = [
-  users."julm".name
-  users."sevy".name
-];
-services.netns.namespaces.${netns}.nftables = ''
-  table inet filter {
-    chain input {
-      meta l4proto { udp, tcp } \
-        th dport ${toString transmission.settings.peer-port} \
-        counter accept comment "transmission"
+  users.groups.transmission.members = [
+    users."julm".name
+    users."sevy".name
+  ];
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain input-neb-sourcephile {
+        tcp dport ${toString transmission.settings.rpc-port} \
+          counter accept comment "transmission: rpc"
+      }
     }
-    chain output {
-      skuid ${transmission.user} counter accept comment "transmission"
+  '';
+  services.netns.namespaces.${netns}.nftables = ''
+    table inet filter {
+      chain input {
+        meta l4proto { udp, tcp } \
+          th dport ${toString transmission.settings.peer-port} \
+          counter accept comment "transmission"
+      }
+      chain output {
+        skuid ${transmission.user} counter accept comment "transmission"
+      }
     }
-  }
-'';
-#users.groups.keys.members = [ transmission.user ];
-security.gnupg.secrets."transmission/settings.json" = {
-  user = transmission.user;
-  systemdConfig.before = [ "transmission.service" ];
-  systemdConfig.wantedBy = [ "transmission.service" ];
-};
-fileSystems."/var/lib/transmission" = {
-  device = "${hostName}/var/torrents";
-  fsType = "zfs";
-};
-systemd.services.transmission = {
-  after = [
-    "netns-${netns}.service"
-    "zfs.target"
-  ];
-  requires = [
-    "netns-${netns}.service"
-    "zfs.target"
-  ];
-  startAt = "20:00:00";
-  unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
-  serviceConfig.BindReadOnlyPaths = ["/etc/netns/${netns}/resolv.conf:/etc/resolv.conf"];
-  serviceConfig.PrivateNetwork = true;
-  #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
-};
-systemd.sockets.proxy-to-transmission = {
-  wantedBy = ["sockets.target"];
-  listenStreams = ["${wg-intra-peers.${hostName}.ipv4}:9091"];
-  socketConfig.FreeBind = true;
-};
-systemd.services.proxy-to-transmission = {
-  requires = ["transmission.service"];
-  after = ["transmission.service" "proxy-to-transmission.socket"];
-  unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
-  serviceConfig = {
-    ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
-    PrivateNetwork = true;
-    PrivateTmp = true;
+  '';
+  fileSystems."/var/lib/transmission" = {
+    device = "${hostName}/var/torrents";
+    fsType = "zfs";
+  };
+  systemd.services.transmission = {
+    after = [
+      "netns-${netns}.service"
+      "zfs.target"
+    ];
+    requires = [
+      "netns-${netns}.service"
+      "zfs.target"
+    ];
+    startAt = "20:00:00";
+    unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
+    serviceConfig.BindReadOnlyPaths = [ "/etc/netns/${netns}/resolv.conf:/etc/resolv.conf" ];
+    serviceConfig.PrivateNetwork = true;
+    #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
   };
-};
-systemd.services.stop-transmission = {
-  serviceConfig.Type = "oneshot";
-  unitConfig.Conflicts = ["transmission.service"];
-  startAt = "06..19:0,15,30,45:00";
-  script = "true";
-};
-services.transmission = {
-  enable = true;
-  performanceNetParameters = true;
-  credentialsFile = gnupg.secrets."transmission/settings.json".path;
-  settings = {
-    message-level = 2;
-    download-dir = "/var/lib/transmission/downloaded";
-    incomplete-dir = "/var/lib/transmission/.incoming";
-    incomplete-dir-enabled = true;
-    watch-dir = "/var/lib/transmission/.torrents";
-    watch-dir-enabled = true;
-    trash-original-torrent-files = false;
-    preallocation = 0;
-    umask = 7; # 007 octal, in decimal!
-    download-queue-enabled = true;
-    download-queue-size = 5;
-    peer-id-ttl-hours = 6;
-    peer-limit-global = 1000;
-    peer-limit-per-torrent = 100;
+  systemd.sockets.proxy-to-transmission = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "10.0.0.2:9091" ];
+    socketConfig.FreeBind = true;
+  };
+  systemd.services.proxy-to-transmission = {
+    requires = [ "transmission.service" ];
+    after = [ "transmission.service" "proxy-to-transmission.socket" ];
+    unitConfig.JoinsNamespaceOf = [ "netns-${netns}.service" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
+      PrivateNetwork = true;
+      PrivateTmp = true;
+    };
+  };
+  systemd.services.stop-transmission = {
+    serviceConfig.Type = "oneshot";
+    unitConfig.Conflicts = [ "transmission.service" ];
+    startAt = "06..19:0,15,30,45:00";
+    script = "true";
+  };
+  systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = [
+    "settings.json:${transmission/settings.json.cred}"
+  ];
+  services.transmission = {
+    enable = true;
+    performanceNetParameters = true;
+    # FIXME: need latest systemd to exist in ExecStartPre=
+    credentialsFile = "/run/credentials/transmission.service/settings.json";
+    settings = {
+      message-level = 2;
+      download-dir = "/var/lib/transmission/downloaded";
+      incomplete-dir = "/var/lib/transmission/.incoming";
+      incomplete-dir-enabled = true;
+      watch-dir = "/var/lib/transmission/.torrents";
+      watch-dir-enabled = true;
+      trash-original-torrent-files = false;
+      preallocation = 0;
+      umask = 7; # 007 octal, in decimal!
+      download-queue-enabled = true;
+      download-queue-size = 5;
+      peer-id-ttl-hours = 6;
+      peer-limit-global = 1000;
+      peer-limit-per-torrent = 100;
 
-    peer-port = 6882;
-    peer-port-random-on-start = false;
-    encryption = 1;
-    dht-enabled = true;
-    lpd-enabled = false;
-    pex-enabled = true;
-    port-forwarding-enabled = true;
-    scrape-paused-torrents-enabled = false;
-    peer-socket-tos = "lowcost";
-    queue-stalled-enabled = true;
-    queue-stalled-minutes = 30;
-    speed-limit-down-enabled = false;
-    speed-limit-up = 50;
-    speed-limit-up-enabled = true;
-    alt-speed-enabled = true;
-    alt-speed-time-enabled = true;
-    alt-speed-down = 1000;
-    alt-speed-up = 0;
-    alt-speed-time-day = 127; # all days. 65; # weekend only
-    alt-speed-time-begin = 360; # 06h00 local time
-    alt-speed-time-end = 1260; # 21h00 local time
-    ratio-limit = 4;
-    ratio-limit-enabled = true;
+      peer-port = 6882;
+      peer-port-random-on-start = false;
+      encryption = 1;
+      dht-enabled = true;
+      lpd-enabled = false;
+      pex-enabled = true;
+      port-forwarding-enabled = true;
+      scrape-paused-torrents-enabled = false;
+      peer-socket-tos = "lowcost";
+      queue-stalled-enabled = true;
+      queue-stalled-minutes = 30;
+      speed-limit-down-enabled = false;
+      speed-limit-up = 50;
+      speed-limit-up-enabled = true;
+      alt-speed-enabled = true;
+      alt-speed-time-enabled = true;
+      alt-speed-down = 1000;
+      alt-speed-up = 0;
+      alt-speed-time-day = 127; # all days. 65; # weekend only
+      alt-speed-time-begin = 360; # 06h00 local time
+      alt-speed-time-end = 1260; # 21h00 local time
+      ratio-limit = 4;
+      ratio-limit-enabled = true;
 
-    rpc-enabled = true;
-    rpc-bind-address = "127.0.0.1";
-    rpc-port = 9091;
-    rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
-    rpc-whitelist-enabled = true;
-    rpc-host-whitelist = "localhost,${hostName}.wg";
-    rpc-host-whitelist-enabled = true;
-    rpc-authentication-required = true;
+      rpc-enabled = true;
+      rpc-bind-address = "127.0.0.1";
+      rpc-port = 9091;
+      rpc-whitelist = "127.0.0.1,${hostName}.sp,oignon.sp";
+      rpc-whitelist-enabled = true;
+      rpc-host-whitelist = "localhost,${hostName}.sp";
+      rpc-host-whitelist-enabled = true;
+      rpc-authentication-required = true;
+    };
   };
-};
 }
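Review bot: The hostnames added to `rpc-whitelist` (`${hostName}.sp,oignon.sp`) cannot match anything, because Transmission compares this setting against the connecting client's IP address (wildcard patterns such as `10.0.*.*`), not against DNS names, so the effective whitelist is `127.0.0.1` alone. That is harmless here only because every RPC connection arrives via `systemd-socket-proxyd … 127.0.0.1:9091` inside the namespace, but it also means Transmission never sees the real client address and the whitelist cannot limit which host on the `10.0.0.2` network reaches the RPC. I would reduce the line to `rpc-whitelist = "127.0.0.1";` and, if only specific hosts may reach the proxy, narrow the new `input-neb-sourcephile` accept rule with `ip saddr <allowed-client-ip>` (placeholder), leaving `rpc-host-whitelist` and `rpc-authentication-required` as the remaining controls. Separately, `"settings.json:${transmission/settings.json.cred}"` interpolates a path literal, which copies the encrypted credential blob into the world-readable Nix store (and into any binary cache this host pushes to); decryption still needs the host's systemd credential key, but pointing `LoadCredentialEncrypted` at an absolute path outside the store (for example a file under `/etc/credstore.encrypted/`, adjusted to where the blob is actually deployed) avoids the copy.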