public-inbox: update to latest config
[sourcephile-nix.git] / hosts / losurdo / transmission.nix
index 59f86b9b9eebf8046aca4d8a9ee424ae1f05264d..840b38b486ef06c797aa05de8d4c51ec99ab3cdc 100644 (file)
@@ -1,13 +1,15 @@
-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, lib, config, hostName, inputs, ... }:
 let
   inherit (config.services) transmission;
   inherit (config.users) users;
   inherit (config.security) gnupg;
   netns = "riseup";
+  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
 in
 {
 users.groups.transmission.members = [
   users."julm".name
+  users."sevy".name
 ];
 services.netns.namespaces.${netns}.nftables = ''
   add rule inet filter input tcp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
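Review bot: Adding `users."sevy".name` to `users.groups.transmission.members` is a privilege grant rather than a cosmetic change: with the module's `umask = 7` (007) everything Transmission writes is group-readable and group-writable, and the watch-dir enabled later in this commit presumably lets any group member queue downloads by dropping a .torrent file there. A short comment on the members list stating that intent, e.g. `# membership grants rw on downloads and (via watch-dir) the ability to queue torrents`, would make the grant auditable. The exact effect on the watch-dir depends on that directory's mode, which is not visible here.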
@@ -33,31 +35,44 @@ systemd.services.transmission = {
     "netns-${netns}.service"
     "zfs.target"
   ];
-  serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
+  startAt = "20:00:00";
+  unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
+  serviceConfig.BindReadOnlyPaths = ["/etc/netns/${netns}/resolv.conf:/etc/resolv.conf"];
+  serviceConfig.PrivateNetwork = true;
+  #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
 };
-systemd.timers.transmission = {
-  timerConfig.OnCalendar = ["20:00:00"];
-  timerConfig.Persistent = true;
-  wantedBy = [ "timers.target" ];
+systemd.sockets.proxy-to-transmission = {
+  wantedBy = ["sockets.target"];
+  listenStreams = ["${wg-intra-peers.${hostName}.ipv4}:9091"];
+  socketConfig.FreeBind = true;
+};
+systemd.services.proxy-to-transmission = {
+  requires = ["transmission.service"];
+  after = ["transmission.service" "proxy-to-transmission.socket"];
+  unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
+  serviceConfig = {
+    ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
+    PrivateNetwork = true;
+    PrivateTmp = true;
+  };
 };
 systemd.services.stop-transmission = {
   serviceConfig.Type = "oneshot";
   unitConfig.Conflicts = ["transmission.service"];
+  startAt = "06..19:0,15,30,45:00";
   script = "true";
 };
-systemd.timers.stop-transmission = {
-  timerConfig.OnCalendar = "06..19:*:00";
-  wantedBy = [ "timers.target" ];
-};
 services.transmission = {
   enable = true;
   performanceNetParameters = true;
   credentialsFile = gnupg.secrets."transmission/settings.json".path;
   settings = {
     message-level = 2;
-    download-dir = "/home/julm/dl/torrents";
-    incomplete-dir = "/home/julm/dl/torrents/.incoming";
+    download-dir = "/var/lib/transmission/downloaded";
+    incomplete-dir = "/var/lib/transmission/.incoming";
     incomplete-dir-enabled = true;
+    watch-dir = "/var/lib/transmission/.torrents";
+    watch-dir-enabled = true;
     trash-original-torrent-files = false;
     preallocation = 0;
     umask = 7; # 007 octal, in decimal!
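Review bot: Replacing the explicit timer with `startAt = "20:00:00";` drops the `timerConfig.Persistent = true;` the removed `systemd.timers.transmission` block carried, so a 20:00 start missed while the host is down is no longer caught up at boot; keep it with `systemd.timers.transmission.timerConfig.Persistent = true;`. Separately, the new `proxy-to-transmission` service declares `requires = ["transmission.service"]`, so an inbound connection on the wg-intra socket during the 06–19 window appears to start transmission.service again until the next `stop-transmission` run conflicts it away; if the daytime stop is meant to hold, consider keeping only `after` so the proxy merely fails when transmission is down. Both observations are inferred from unit semantics and worth confirming with `systemctl list-timers` and a test connection during the stop window.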
@@ -94,9 +109,11 @@ services.transmission = {
     rpc-enabled = true;
     rpc-bind-address = "127.0.0.1";
     rpc-port = 9091;
-    rpc-whitelist = "127.0.0.1";
+    rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
     rpc-whitelist-enabled = true;
-    #rpc-authentication-required = true;
+    rpc-host-whitelist = "localhost,${hostName}.wg";
+    rpc-host-whitelist-enabled = true;
+    rpc-authentication-required = true;
   };
 };
 }
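Review bot: The `/24` added to `rpc-whitelist` does not restrict the new proxied path: systemd-socket-proxyd (introduced earlier in this commit) connects to 127.0.0.1:9091 from inside the namespace, so every client arriving via the wg-intra socket is seen by Transmission as 127.0.0.1, which is already whitelisted. Access control for that path therefore rests on who can reach the wg-intra address plus `rpc-authentication-required = true;` with the credentials in `credentialsFile`; a comment such as `# proxied clients appear as 127.0.0.1; the /24 entry only matters for direct in-namespace access` would keep a future reader from relying on the source whitelist. As far as I recall Transmission's whitelist is wildcard-based (`a.b.c.*`) rather than CIDR, so the `/24` entry may never match at all — worth verifying against the deployed Transmission version.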