From 2644c71aa8e2851b33b75cf76a93d6cfa057c037 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Sun, 20 Mar 2022 23:01:32 +0100
Subject: [PATCH] services: transmission: only expose over Wireguard
---
 hosts/poseidon/default.nix | 1 -
 hosts/poseidon/secrets.nix | 4 ----
 modules/secrets/secrets.nix | 2 --
 modules/secrets/transmission/secret.age | Bin 329 -> 0 bytes
 services/transmission.nix | 21 ++++++++++++++++++---
 5 files changed, 18 insertions(+), 10 deletions(-)
 delete mode 100644 modules/secrets/transmission/secret.age
diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index 58bdee3..e509ac3 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -147,7 +147,6 @@ in
 transmission = {
 enable = true;
 username = "alarsyo";
- secretConfigFile = config.age.secrets."transmission/secret".path;
 };
 };
diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix
index ada3ee4..f9b390b 100644
--- a/hosts/poseidon/secrets.nix
+++ b/hosts/poseidon/secrets.nix
@@ -29,10 +29,6 @@
 "restic-backup/poseidon-credentials" = {};
 "restic-backup/poseidon-password" = {};
- "transmission/secret" = {
- owner = "transmission";
- };
-
 "users/alarsyo-hashed-password" = {};
 "users/root-hashed-password" = {};
 };
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 9aa0e53..c8b4056 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -31,8 +31,6 @@ in
 "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
 "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
- "transmission/secret.age".publicKeys = [ poseidon ];
-
 "users/root-hashed-password.age".publicKeys = machines;
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }
diff --git a/modules/secrets/transmission/secret.age b/modules/secrets/transmission/secret.age
deleted file mode 100644
index 038526dbf99378a07da0677c4527ac88c101d54f..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 329 zcmV-P0k-~OXJsvAZewzJaCB*JZZ21aA8Y1XjN}XFJf3!Hg9xvO<`ziZAmvxQ8svHMtMa@a$-|yM0W~LbV6}=GG;BDc|mP@dO1x~Vpd6FXlgTWb8{~=Ry0s#O>YVb7cxbWI=Fa zP)|lUOF?TkMKB62EiE82D|ShFc{VXQPibgYb!2C1GAnO(I5{;nXiHLbaZPh%Pcw2^ zT4hQ`Ph$##RaB?>>8S;27tG?5yoT5pDVLCFipyI?h5rjG bAs%oUJ5#M324smYjO#|$ow%gbb?j*?8$Ny_
diff --git a/services/transmission.nix b/services/transmission.nix
index bdc99b5..7fb7f69 100644
--- a/services/transmission.nix
+++ b/services/transmission.nix
@@ -49,12 +49,13 @@ in
 rpc-enabled = true;
 rpc-port = transmissionRpcPort;
- rpc-authentication-required = true;
-
- rpc-username = cfg.username;
+ rpc-authentication-required = false;
 rpc-whitelist-enabled = true;
 rpc-whitelist = "127.0.0.1";
+
+ rpc-host-whitelist-enabled = true;
+ rpc-host-whitelist = webuiDomain;
 };
 # automatically allow transmission.settings.peer-port
@@ -68,6 +69,20 @@ in
 useACMEHost = domain;
 locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
+
+ listen = [
+ # FIXME: hardcoded tailscale IP
+ {
+ addr = "100.80.61.67";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "100.80.61.67";
+ port = 80;
+ ssl = false;
+ }
+ ];
 };
 };
 }
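Review bot: With `rpc-authentication-required = false`, the `rpc-whitelist = "127.0.0.1"` entry no longer restricts anything in practice: nginx proxies to the RPC port from loopback, so every proxied client appears as 127.0.0.1, and any local process on the host can also reach the port without credentials. Access control now rests entirely on where nginx listens, so I would keep RPC authentication on as a second layer (`rpc-authentication-required = true;` plus the removed `rpc-username = cfg.username;`), or at least record the decision next to the setting, e.g. `# auth off on purpose: the nginx listen address is the only access control for RPC`. The `rpc-host-whitelist` addition is good and should stay either way. The `cfg.username` option looks unused after this hunk although `hosts/poseidon/default.nix` still sets it; the settings block starts outside the hunk, so confirm there.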
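Review bot: The two `listen` entries bind to an address, not to the tunnel interface, and Linux accepts traffic for a local address on whichever interface it arrives, so this does not by itself guarantee the vhost is reachable only over Tailscale; whether the firewall closes 80/443 on the other interfaces is not visible in this hunk. Since RPC authentication is switched off in the same commit, I would add an explicit source restriction in the vhost, e.g. `extraConfig = "allow 100.64.0.0/10; deny all;";`, or open the ports only on the Tailscale interface in the firewall. The port-80 entry with `ssl = false` also serves the interface over plain HTTP unless a redirect such as `forceSSL` is set outside the hunk. For the FIXME, a module option for the address would keep the host-specific IP out of the shared service file.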