BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #92106 from ju1m/transmission

Browse source
This commit is contained in:
Jörg Thalheim 2020-08-07 14:40:17 +01:00 committed by GitHub
commit e879d83e38
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 378 additions and 112 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
nixos/doc/manual/release-notes/rl-2009.xml
View file

@ -721,6 +721,37 @@ services.postgresql.dataDir = "/var/db/postgresql";
was removed, as udev gained native support to handle FIDO security tokens. was removed, as udev gained native support to handle FIDO security tokens.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>services.transmission</literal> module
was enhanced with the new options:
<xref linkend="opt-services.transmission.credentialsFile"/>,
<xref linkend="opt-services.transmission.openFirewall"/>,
and <xref linkend="opt-services.transmission.performanceNetParameters"/>.
</para>
<para>
<literal>transmission-daemon</literal> is now started with additional systemd sandbox/hardening options for better security.
Please <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link>
any use case where this is not working well.
In particular, the <literal>RootDirectory</literal> option newly set
forbids uploading or downloading a torrent outside of the default directory
configured at <link linkend="opt-services.transmission.settings">settings.download-dir</link>.
If you really need Transmission to access other directories,
you must include those directories into the <literal>BindPaths</literal> of the service:
<programlisting>
systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
</programlisting>
</para>
<para>
Also, connection to the RPC (Remote Procedure Call) of <literal>transmission-daemon</literal>
is now only available on the local network interface by default.
Use:
<programlisting>
services.transmission.settings.rpc-bind-address = "0.0.0.0";
</programlisting>
to get the previous behavior of listening on all network interfaces.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)

435
nixos/modules/services/torrent/transmission.nix
View file

@ -1,52 +1,51 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, options, ... }:
with lib; with lib;
let let
cfg = config.services.transmission; cfg = config.services.transmission;
inherit (config.environment) etc;
apparmor = config.security.apparmor.enable; apparmor = config.security.apparmor.enable;
rootDir = "/run/transmission";
homeDir = cfg.home; homeDir = "/var/lib/transmission";
downloadDirPermissions = cfg.downloadDirPermissions; settingsDir = ".config/transmission-daemon";
downloadDir = "${homeDir}/Downloads"; downloadsDir = "Downloads";
incompleteDir = "${homeDir}/.incomplete"; incompleteDir = ".incomplete";
# TODO: switch to configGen.json once RFC0042 is implemented
settingsDir = "${homeDir}/config"; settingsFile = pkgs.writeText "settings.json" (builtins.toJSON cfg.settings);
settingsFile = pkgs.writeText "settings.json" (builtins.toJSON fullSettings);
# for users in group "transmission" to have access to torrents
fullSettings = { umask = 2; download-dir = downloadDir; incomplete-dir = incompleteDir; } // cfg.settings;
preStart = pkgs.writeScript "transmission-pre-start" ''
#!${pkgs.runtimeShell}
set -ex
cp -f ${settingsFile} ${settingsDir}/settings.json
'';
in in
{ {
options = { options = {
services.transmission = { services.transmission = {
enable = mkOption { enable = mkEnableOption ''the headless Transmission BitTorrent daemon.
type = types.bool;
default = false;
description = ''
Whether or not to enable the headless Transmission BitTorrent daemon.
Transmission daemon can be controlled via the RPC interface using Transmission daemon can be controlled via the RPC interface using
transmission-remote or the WebUI (http://localhost:9091/ by default). transmission-remote, the WebUI (http://127.0.0.1:9091/ by default),
or other clients like stig or tremc.
Torrents are downloaded to ${downloadDir} by default and are Torrents are downloaded to ${homeDir}/${downloadsDir} by default and are
accessible to users in the "transmission" group. accessible to users in the "transmission" group'';
'';
};
settings = mkOption { settings = mkOption rec {
# TODO: switch to types.config.json as prescribed by RFC0042 once it's implemented
type = types.attrs; type = types.attrs;
apply = recursiveUpdate default;
default = default =
{ {
download-dir = downloadDir; download-dir = "${cfg.home}/${downloadsDir}";
incomplete-dir = incompleteDir; incomplete-dir = "${cfg.home}/${incompleteDir}";
incomplete-dir-enabled = true; incomplete-dir-enabled = true;
message-level = 1;
peer-port = 51413;
peer-port-random-high = 65535;
peer-port-random-low = 49152;
peer-port-random-on-start = false;
rpc-bind-address = "127.0.0.1";
rpc-port = 9091;
script-torrent-done-enabled = false;
script-torrent-done-filename = "";
umask = 2; # 0o002 in decimal as expected by Transmission
utp-enabled = true;
}; };
example = example =
{ {
@ -56,11 +55,12 @@ in
rpc-whitelist = "127.0.0.1,192.168.*.*"; rpc-whitelist = "127.0.0.1,192.168.*.*";
}; };
description = '' description = ''
Attribute set whos fields overwrites fields in settings.json (each Attribute set whose fields overwrites fields in
time the service starts). String values must be quoted, integer and <literal>.config/transmission-daemon/settings.json</literal>
(each time the service starts). String values must be quoted, integer and
boolean values must not. boolean values must not.
See https://github.com/transmission/transmission/wiki/Editing-Configuration-Files See <link xlink:href="https://github.com/transmission/transmission/wiki/Editing-Configuration-Files">Transmission's Wiki</link>
for documentation. for documentation.
''; '';
}; };
@ -70,22 +70,32 @@ in
default = "770"; default = "770";
example = "775"; example = "775";
description = '' description = ''
The permissions to set for download-dir and incomplete-dir. The permissions set by <literal>systemd.activationScripts.transmission-daemon</literal>
They will be applied on every service start. on the directories <link linkend="opt-services.transmission.settings">settings.download-dir</link>
and <link linkend="opt-services.transmission.settings">settings.incomplete-dir</link>.
Note that you may also want to change
<link linkend="opt-services.transmission.settings">settings.umask</link>.
''; '';
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 9091; description = ''
description = "TCP port number to run the RPC/web interface."; TCP port number to run the RPC/web interface.
If instead you want to change the peer port,
use <link linkend="opt-services.transmission.settings">settings.peer-port</link>
or <link linkend="opt-services.transmission.settings">settings.peer-port-random-on-start</link>.
'';
}; };
home = mkOption { home = mkOption {
type = types.path; type = types.path;
default = "/var/lib/transmission"; default = homeDir;
description = '' description = ''
The directory where transmission will create files. The directory where Transmission will create <literal>${settingsDir}</literal>.
as well as <literal>${downloadsDir}/</literal> unless <link linkend="opt-services.transmission.settings">settings.download-dir</link> is changed,
and <literal>${incompleteDir}/</literal> unless <link linkend="opt-services.transmission.settings">settings.incomplete-dir</link> is changed.
''; '';
}; };
@ -100,32 +110,174 @@ in
default = "transmission"; default = "transmission";
description = "Group account under which Transmission runs."; description = "Group account under which Transmission runs.";
}; };
credentialsFile = mkOption {
type = types.path;
description = ''
Path to a JSON file to be merged with the settings.
Useful to merge a file which is better kept out of the Nix store
because it contains sensible data like <link linkend="opt-services.transmission.settings">settings.rpc-password</link>.
'';
default = "/dev/null";
example = "/var/lib/secrets/transmission/settings.json";
};
openFirewall = mkEnableOption "opening of the peer port(s) in the firewall";
performanceNetParameters = mkEnableOption ''tweaking of kernel parameters
to open many more connections at the same time.
Note that you may also want to increase
<link linkend="opt-services.transmission.settings">settings.peer-limit-global</link>.
And be aware that these settings are quite aggressive
and might not suite your regular desktop use.
For instance, SSH sessions may time out more easily'';
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.tmpfiles.rules = [ # Note that using systemd.tmpfiles would not work here
"d '${homeDir}' 0770 '${cfg.user}' '${cfg.group}' - -" # because it would fail when creating a directory
"d '${settingsDir}' 0700 '${cfg.user}' '${cfg.group}' - -" # with a different owner than its parent directory, by saying:
"d '${fullSettings.download-dir}' '${downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -" # Detected unsafe path transition /home/foo → /home/foo/Downloads during canonicalization of /home/foo/Downloads
"d '${fullSettings.incomplete-dir}' '${downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -" # when /home/foo is not owned by cfg.user.
# Note also that using an ExecStartPre= wouldn't work either
# because BindPaths= needs these directories before.
system.activationScripts.transmission-daemon = ''
install -d -m 700 '${cfg.home}/${settingsDir}'
chown -R '${cfg.user}:${cfg.group}' ${cfg.home}/${settingsDir}
install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.download-dir}'
'' + optionalString cfg.settings.incomplete-dir-enabled ''
install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.incomplete-dir}'
'';
assertions = [
{ assertion = builtins.match "^/.*" cfg.home != null;
message = "`services.transmission.home' must be an absolute path.";
}
{ assertion = types.path.check cfg.settings.download-dir;
message = "`services.transmission.settings.download-dir' must be an absolute path.";
}
{ assertion = types.path.check cfg.settings.incomplete-dir;
message = "`services.transmission.settings.incomplete-dir' must be an absolute path.";
}
{ assertion = cfg.settings.script-torrent-done-filename == "" || types.path.check cfg.settings.script-torrent-done-filename;
message = "`services.transmission.settings.script-torrent-done-filename' must be an absolute path.";
}
{ assertion = types.port.check cfg.settings.rpc-port;
message = "${toString cfg.settings.rpc-port} is not a valid port number for `services.transmission.settings.rpc-port`.";
}
# In case both port and settings.rpc-port are explicitely defined: they must be the same.
{ assertion = !options.services.transmission.port.isDefined || cfg.port == cfg.settings.rpc-port;
message = "`services.transmission.port' is not equal to `services.transmission.settings.rpc-port'";
}
]; ];
services.transmission.settings =
optionalAttrs options.services.transmission.port.isDefined { rpc-port = cfg.port; };
systemd.services.transmission = { systemd.services.transmission = {
description = "Transmission BitTorrent Service"; description = "Transmission BitTorrent Service";
after = [ "network.target" ] ++ optional apparmor "apparmor.service"; after = [ "network.target" ] ++ optional apparmor "apparmor.service";
requires = mkIf apparmor [ "apparmor.service" ]; requires = optional apparmor "apparmor.service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
# 1) Only the "transmission" user and group have access to torrents. serviceConfig = {
# 2) Optionally update/force specific fields into the configuration file. # Use "+" because credentialsFile may not be accessible to User= or Group=.
serviceConfig.ExecStartPre = preStart; ExecStartPre = [("+" + pkgs.writeShellScript "transmission-prestart" ''
serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port} --config-dir ${settingsDir}"; set -eu${lib.optionalString (cfg.settings.message-level >= 3) "x"}
serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ${pkgs.jq}/bin/jq --slurp add ${settingsFile} '${cfg.credentialsFile}' |
serviceConfig.User = cfg.user; install -D -m 600 -o '${cfg.user}' -g '${cfg.group}' /dev/stdin \
serviceConfig.Group = cfg.group; '${cfg.home}/${settingsDir}/settings.json'
# NOTE: transmission has an internal umask that also must be set (in settings.json) '')];
serviceConfig.UMask = "0002"; ExecStart="${pkgs.transmission}/bin/transmission-daemon -f";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = cfg.user;
Group = cfg.group;
# Create rootDir in the host's mount namespace.
RuntimeDirectory = [(baseNameOf rootDir)];
RuntimeDirectoryMode = "755";
# Avoid mounting rootDir in the own rootDir of ExecStart='s mount namespace.
InaccessiblePaths = ["-+${rootDir}"];
# This is for BindPaths= and BindReadOnlyPaths=
# to allow traversal of directories they create in RootDirectory=.
UMask = "0066";
# Using RootDirectory= makes it possible
# to use the same paths download-dir/incomplete-dir
# (which appear in user's interfaces) without requiring cfg.user
# to have access to their parent directories,
# by using BindPaths=/BindReadOnlyPaths=.
# Note that TemporaryFileSystem= could have been used instead
# but not without adding some BindPaths=/BindReadOnlyPaths=
# that would only be needed for ExecStartPre=,
# because RootDirectoryStartOnly=true would not help.
RootDirectory = rootDir;
RootDirectoryStartOnly = true;
MountAPIVFS = true;
BindPaths =
[ "${cfg.home}/${settingsDir}"
cfg.settings.download-dir
] ++
optional cfg.settings.incomplete-dir-enabled
cfg.settings.incomplete-dir;
BindReadOnlyPaths = [
# No confinement done of /nix/store here like in systemd-confinement.nix,
# an AppArmor profile is provided to get a confinement based upon paths and rights.
builtins.storeDir
"-/etc/hosts"
"-/etc/ld-nix.so.preload"
"-/etc/localtime"
] ++
optional (cfg.settings.script-torrent-done-enabled &&
cfg.settings.script-torrent-done-filename != "")
cfg.settings.script-torrent-done-filename;
# The following options are only for optimizing:
# systemd-analyze security transmission
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateNetwork = mkDefault false;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
# ProtectHome=true would not allow BindPaths= to work accross /home,
# and ProtectHome=tmpfs would break statfs(),
# preventing transmission-daemon to report the available free space.
# However, RootDirectory= is used, so this is not a security concern
# since there would be nothing in /home but any BindPaths= wanted by the user.
ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
# AF_UNIX may become usable one day:
# https://github.com/transmission/transmission/issues/441
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [
"@system-service"
# Groups in @system-service which do not contain a syscall
# listed by perf stat -e 'syscalls:sys_enter_*' transmission-daemon -f
# in tests, and seem likely not necessary for transmission-daemon.
"~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources" "~@setuid" "~@timer"
# In the @privileged group, but reached when querying infos through RPC (eg. with stig).
"quotactl"
];
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
};
}; };
# It's useful to have transmission in path, e.g. for remote control # It's useful to have transmission in path, e.g. for remote control
@ -133,70 +285,153 @@ in
users.users = optionalAttrs (cfg.user == "transmission") ({ users.users = optionalAttrs (cfg.user == "transmission") ({
transmission = { transmission = {
name = "transmission";
group = cfg.group; group = cfg.group;
uid = config.ids.uids.transmission; uid = config.ids.uids.transmission;
description = "Transmission BitTorrent user"; description = "Transmission BitTorrent user";
home = homeDir; home = cfg.home;
createHome = true;
}; };
}); });
users.groups = optionalAttrs (cfg.group == "transmission") ({ users.groups = optionalAttrs (cfg.group == "transmission") ({
transmission = { transmission = {
name = "transmission";
gid = config.ids.gids.transmission; gid = config.ids.gids.transmission;
}; };
}); });
# AppArmor profile networking.firewall = mkIf cfg.openFirewall (
if cfg.settings.peer-port-random-on-start
then
{ allowedTCPPortRanges =
[ { from = cfg.settings.peer-port-random-low;
to = cfg.settings.peer-port-random-high;
}
];
allowedUDPPortRanges =
[ { from = cfg.settings.peer-port-random-low;
to = cfg.settings.peer-port-random-high;
}
];
}
else
{ allowedTCPPorts = [ cfg.settings.peer-port ];
allowedUDPPorts = [ cfg.settings.peer-port ];
}
);
boot.kernel.sysctl = mkMerge [
# Transmission uses a single UDP socket in order to implement multiple uTP sockets,
# and thus expects large kernel buffers for the UDP socket,
# https://trac.transmissionbt.com/browser/trunk/libtransmission/tr-udp.c?rev=11956.
# at least up to the values hardcoded here:
(mkIf cfg.settings.utp-enabled {
"net.core.rmem_max" = mkDefault "4194304"; # 4MB
"net.core.wmem_max" = mkDefault "1048576"; # 1MB
})
(mkIf cfg.performanceNetParameters {
# Increase the number of available source (local) TCP and UDP ports to 49151.
# Usual default is 32768 60999, ie. 28231 ports.
# Find out your current usage with: ss -s
"net.ipv4.ip_local_port_range" = "16384 65535";
# Timeout faster generic TCP states.
# Usual default is 600.
# Find out your current usage with: watch -n 1 netstat -nptuo
"net.netfilter.nf_conntrack_generic_timeout" = 60;
# Timeout faster established but inactive connections.
# Usual default is 432000.
"net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
# Clear immediately TCP states after timeout.
# Usual default is 120.
"net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
# Increase the number of trackable connections.
# Usual default is 262144.
# Find out your current usage with: conntrack -C
"net.netfilter.nf_conntrack_max" = 1048576;
})
];
security.apparmor.profiles = mkIf apparmor [ security.apparmor.profiles = mkIf apparmor [
(pkgs.writeText "apparmor-transmission-daemon" '' (pkgs.writeText "apparmor-transmission-daemon" ''
#include <tunables/global> include <tunables/global>
${pkgs.transmission}/bin/transmission-daemon { ${pkgs.transmission}/bin/transmission-daemon {
#include <abstractions/base> include <abstractions/base>
#include <abstractions/nameservice> include <abstractions/nameservice>
${getLib pkgs.glibc}/lib/*.so mr, # NOTE: https://github.com/NixOS/nixpkgs/pull/93457
${getLib pkgs.libevent}/lib/libevent*.so* mr, # will remove the need for these by fixing <abstractions/base>
${getLib pkgs.curl}/lib/libcurl*.so* mr, r ${etc."hosts".source},
${getLib pkgs.openssl}/lib/libssl*.so* mr, r /etc/ld-nix.so.preload,
${getLib pkgs.openssl}/lib/libcrypto*.so* mr, ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) ''
${getLib pkgs.zlib}/lib/libz*.so* mr, r ${etc."ld-nix.so.preload".source},
${getLib pkgs.libssh2}/lib/libssh2*.so* mr, ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n"))
${getLib pkgs.systemd}/lib/libsystemd*.so* mr, (splitString "\n" config.environment.etc."ld-nix.so.preload".text)}
${getLib pkgs.xz}/lib/liblzma*.so* mr,
${getLib pkgs.libgcrypt}/lib/libgcrypt*.so* mr,
${getLib pkgs.libgpgerror}/lib/libgpg-error*.so* mr,
${getLib pkgs.nghttp2}/lib/libnghttp2*.so* mr,
${getLib pkgs.c-ares}/lib/libcares*.so* mr,
${getLib pkgs.libcap}/lib/libcap*.so* mr,
${getLib pkgs.attr}/lib/libattr*.so* mr,
${getLib pkgs.lz4}/lib/liblz4*.so* mr,
${getLib pkgs.libkrb5}/lib/lib*.so* mr,
${getLib pkgs.keyutils}/lib/libkeyutils*.so* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so.* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so.* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so.* mr,
${getLib pkgs.gcc.cc.lib}/lib/libstdc++.so.* mr,
${getLib pkgs.gcc.cc.lib}/lib/libgcc_s.so.* mr,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/vm/overcommit_memory r,
${pkgs.openssl.out}/etc/** r,
${pkgs.transmission}/share/transmission/** r,
owner ${settingsDir}/** rw,
${fullSettings.download-dir}/** rw,
${optionalString fullSettings.incomplete-dir-enabled ''
${fullSettings.incomplete-dir}/** rw,
''} ''}
r ${etc."ssl/certs/ca-certificates.crt".source},
r ${pkgs.tzdata}/share/zoneinfo/**,
r ${pkgs.stdenv.cc.libc}/share/i18n/**,
r ${pkgs.stdenv.cc.libc}/share/locale/**,
mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*,
mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*,
mr ${getLib pkgs.attr}/lib/libattr*.so*,
mr ${getLib pkgs.c-ares}/lib/libcares*.so*,
mr ${getLib pkgs.curl}/lib/libcurl*.so*,
mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*,
mr ${getLib pkgs.libcap}/lib/libcap*.so*,
mr ${getLib pkgs.libevent}/lib/libevent*.so*,
mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*,
mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*,
mr ${getLib pkgs.libkrb5}/lib/lib*.so*,
mr ${getLib pkgs.libssh2}/lib/libssh2*.so*,
mr ${getLib pkgs.lz4}/lib/liblz4*.so*,
mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*,
mr ${getLib pkgs.openssl}/lib/libcrypto*.so*,
mr ${getLib pkgs.openssl}/lib/libssl*.so*,
mr ${getLib pkgs.systemd}/lib/libsystemd*.so*,
mr ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so*,
mr ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so*,
mr ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so*,
mr ${getLib pkgs.xz}/lib/liblzma*.so*,
mr ${getLib pkgs.zlib}/lib/libz*.so*,
r @{PROC}/sys/kernel/random/uuid,
r @{PROC}/sys/vm/overcommit_memory,
# @{pid} is not a kernel variable yet but a regexp
#r @{PROC}/@{pid}/environ,
r @{PROC}/@{pid}/mounts,
rwk /tmp/tr_session_id_*,
r ${pkgs.openssl.out}/etc/**,
r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
r ${pkgs.transmission}/share/transmission/**,
owner rw ${cfg.home}/${settingsDir}/**,
rw ${cfg.settings.download-dir}/**,
${optionalString cfg.settings.incomplete-dir-enabled ''
rw ${cfg.settings.incomplete-dir}/**,
''}
profile dirs {
rw ${cfg.settings.download-dir}/**,
${optionalString cfg.settings.incomplete-dir-enabled ''
rw ${cfg.settings.incomplete-dir}/**,
''}
}
${optionalString (cfg.settings.script-torrent-done-enabled &&
cfg.settings.script-torrent-done-filename != "") ''
# Stack transmission_directories profile on top of
# any existing profile for script-torrent-done-filename
# FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
# https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
''}
# FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457
# include <local/transmission-daemon>
} }
'') '')
]; ];
}; };
meta.maintainers = with lib.maintainers; [ julm ];
} }

24
nixos/tests/bittorrent.nix
View file

@ -19,6 +19,7 @@ let
externalClient2Address = "80.100.100.2"; externalClient2Address = "80.100.100.2";
externalTrackerAddress = "80.100.100.3"; externalTrackerAddress = "80.100.100.3";
download-dir = "/var/lib/transmission/Downloads";
transmissionConfig = { ... }: { transmissionConfig = { ... }: {
environment.systemPackages = [ pkgs.transmission ]; environment.systemPackages = [ pkgs.transmission ];
services.transmission = { services.transmission = {
@ -26,6 +27,7 @@ let
settings = { settings = {
dht-enabled = false; dht-enabled = false;
message-level = 3; message-level = 3;
inherit download-dir;
}; };
}; };
}; };
@ -117,12 +119,12 @@ in
router.wait_for_unit("miniupnpd") router.wait_for_unit("miniupnpd")
# Create the torrent. # Create the torrent.
tracker.succeed("mkdir /tmp/data") tracker.succeed("mkdir ${download-dir}/data")
tracker.succeed( tracker.succeed(
"cp ${file} /tmp/data/test.tar.bz2" "cp ${file} ${download-dir}/data/test.tar.bz2"
) )
tracker.succeed( tracker.succeed(
"transmission-create /tmp/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent" "transmission-create ${download-dir}/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent"
) )
tracker.succeed("chmod 644 /tmp/test.torrent") tracker.succeed("chmod 644 /tmp/test.torrent")
@ -133,18 +135,16 @@ in
# Start the initial seeder. # Start the initial seeder.
tracker.succeed( tracker.succeed(
"transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir /tmp/data" "transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir ${download-dir}/data"
) )
# Now we should be able to download from the client behind the NAT. # Now we should be able to download from the client behind the NAT.
tracker.wait_for_unit("httpd") tracker.wait_for_unit("httpd")
client1.wait_for_unit("network-online.target") client1.wait_for_unit("network-online.target")
client1.succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent >&2 &")
client1.wait_for_file("${download-dir}/test.tar.bz2")
client1.succeed( client1.succeed(
"transmission-remote --add http://${externalTrackerAddress}/test.torrent --download-dir /tmp >&2 &" "cmp ${download-dir}/test.tar.bz2 ${file}"
)
client1.wait_for_file("/tmp/test.tar.bz2")
client1.succeed(
"cmp /tmp/test.tar.bz2 ${file}"
) )
# Bring down the initial seeder. # Bring down the initial seeder.
@ -154,11 +154,11 @@ in
# the first client created a NAT hole in the router. # the first client created a NAT hole in the router.
client2.wait_for_unit("network-online.target") client2.wait_for_unit("network-online.target")
client2.succeed( client2.succeed(
"transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht --download-dir /tmp >&2 &" "transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht >&2 &"
) )
client2.wait_for_file("/tmp/test.tar.bz2") client2.wait_for_file("${download-dir}/test.tar.bz2")
client2.succeed( client2.succeed(
"cmp /tmp/test.tar.bz2 ${file}" "cmp ${download-dir}/test.tar.bz2 ${file}"
) )
''; '';
}) })