-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, lib, config, hostName, inputs, ... }:
let
inherit (config.services) transmission;
inherit (config.users) users;
inherit (config.security) gnupg;
netns = "riseup";
+ wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
in
{
users.groups.transmission.members = [
users."julm".name
+ users."sevy".name
];
services.netns.namespaces.${netns}.nftables = ''
add rule inet filter input tcp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
"netns-${netns}.service"
"zfs.target"
];
- serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
+ startAt = "20:00:00";
+ unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
+ serviceConfig.BindReadOnlyPaths = ["/etc/netns/${netns}/resolv.conf:/etc/resolv.conf"];
+ serviceConfig.PrivateNetwork = true;
+ #serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
};
-systemd.timers.transmission = {
- timerConfig.OnCalendar = ["20:00:00"];
- timerConfig.Persistent = true;
- wantedBy = [ "timers.target" ];
+systemd.sockets.proxy-to-transmission = {
+ wantedBy = ["sockets.target"];
+ listenStreams = ["${wg-intra-peers.${hostName}.ipv4}:9091"];
+ socketConfig.FreeBind = true;
+};
+systemd.services.proxy-to-transmission = {
+ requires = ["transmission.service"];
+ after = ["transmission.service" "proxy-to-transmission.socket"];
+ unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
+ serviceConfig = {
+ ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
+ PrivateNetwork = true;
+ PrivateTmp = true;
+ };
};
systemd.services.stop-transmission = {
serviceConfig.Type = "oneshot";
unitConfig.Conflicts = ["transmission.service"];
+ startAt = "06..19:0,15,30,45:00";
script = "true";
};
-systemd.timers.stop-transmission = {
- timerConfig.OnCalendar = "06..19:*:00";
- wantedBy = [ "timers.target" ];
-};
services.transmission = {
enable = true;
performanceNetParameters = true;
credentialsFile = gnupg.secrets."transmission/settings.json".path;
settings = {
message-level = 2;
- download-dir = "/home/julm/dl/torrents";
- incomplete-dir = "/home/julm/dl/torrents/.incoming";
+ download-dir = "/var/lib/transmission/downloaded";
+ incomplete-dir = "/var/lib/transmission/.incoming";
incomplete-dir-enabled = true;
+ watch-dir = "/var/lib/transmission/.torrents";
+ watch-dir-enabled = true;
trash-original-torrent-files = false;
preallocation = 0;
umask = 7; # 007 octal, in decimal!
rpc-enabled = true;
rpc-bind-address = "127.0.0.1";
rpc-port = 9091;
- rpc-whitelist = "127.0.0.1";
+ rpc-whitelist = "127.0.0.1,${wg-intra-peers.${hostName}.ipv4}/24";
rpc-whitelist-enabled = true;
- #rpc-authentication-required = true;
+ rpc-host-whitelist = "localhost,${hostName}.wg";
+ rpc-host-whitelist-enabled = true;
+ rpc-authentication-required = true;
};
};
}
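Review bot: The new `rpc-whitelist` entry no longer restricts remote clients, because systemd-socket-proxyd (the `ExecStart` line in proxy-to-transmission) connects to Transmission from 127.0.0.1 inside the namespace, so every client that reaches `${wg-intra-peers.${hostName}.ipv4}:9091` is seen by Transmission as 127.0.0.1 and accepted by the first entry. Transmission appears to match whitelist entries as `*`-wildcard patterns rather than CIDR, so the `/24` suffix likely never matches in any case; either way the entry is dead text and could return to `rpc-whitelist = "127.0.0.1";` with a comment that the network restriction for the wg-exposed port lives on the socket, not in Transmission. Since the proxy socket is what now exposes RPC outside the namespace, that restriction should be explicit, e.g. `socketConfig.IPAddressAllow = [ "<wg-intra subnet>" ]; socketConfig.IPAddressDeny = [ "any" ];` (or an equivalent host nftables rule), leaving `rpc-authentication-required = true` as the remaining check rather than the only one. Separately, the removed `systemd.timers.transmission` carried `Persistent = true`, which `startAt` does not generate, so a boot after 20:00 no longer catches up the start; `systemd.timers.transmission.timerConfig.Persistent = true;` restores the previous behaviour.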