services: transmission: only expose over Wireguard

hosts/poseidon/default.nix

@@ -147,7 +147,6 @@ in
     transmission = {
       enable = true;
       username = "alarsyo";
-      secretConfigFile = config.age.secrets."transmission/secret".path;
     };
   };
 

hosts/poseidon/secrets.nix

@@ -29,10 +29,6 @@
           "restic-backup/poseidon-credentials" = {};
           "restic-backup/poseidon-password" = {};
 
-          "transmission/secret" = {
-            owner = "transmission";
-          };
-
           "users/alarsyo-hashed-password" = {};
           "users/root-hashed-password" = {};
         };

modules/secrets/secrets.nix

@@ -31,8 +31,6 @@ in
   "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
   "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
 
-  "transmission/secret.age".publicKeys = [ poseidon ];
-
   "users/root-hashed-password.age".publicKeys = machines;
   "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }

services/transmission.nix

@@ -49,12 +49,13 @@ in
 
         rpc-enabled = true;
         rpc-port = transmissionRpcPort;
-        rpc-authentication-required = true;
-
-        rpc-username = cfg.username;
+        rpc-authentication-required = false;
 
         rpc-whitelist-enabled = true;
         rpc-whitelist = "127.0.0.1";
+
+        rpc-host-whitelist-enabled = true;
+        rpc-host-whitelist = webuiDomain;
       };
 
       # automatically allow transmission.settings.peer-port
@@ -68,6 +69,20 @@ in
       useACMEHost = domain;
 
       locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
+
+      listen = [
+        # FIXME: hardcoded tailscale IP
+        {
+          addr = "100.80.61.67";
+          port = 443;
+          ssl = true;
+        }
+        {
+          addr = "100.80.61.67";
+          port = 80;
+          ssl = false;
+        }
+      ];
     };
   };
 }