transmission: setup service

hosts/poseidon/default.nix

@@ -109,6 +109,12 @@ in
     postgresql-backup = {
       enable = true;
     };
+
+    transmission = {
+      enable = true;
+      username = "alarsyo";
+      password = secrets.transmission-password;
+    };
   };
 
   security.acme.acceptTerms = true;

secrets/default.nix

@@ -11,5 +11,6 @@ with lib;
     shadow-hashed-password-root = lib.fileContents ./shadow-hashed-password-root.secret;
     miniflux-admin-credentials = lib.fileContents ./miniflux-admin-credentials.secret;
     borg-backup-repo = lib.fileContents ./borg-backup-repo.secret;
+    transmission-password = lib.fileContents ./transmission.secret;
   };
 }

services/default.nix

@@ -12,5 +12,6 @@
     ./monitoring.nix
     ./nginx.nix
     ./postgresql-backup.nix
+    ./transmission.nix
   ];
 }

services/media.nix

@@ -2,6 +2,7 @@
 let
   mediaServices = with config.my.services; [
     jellyfin
+    transmission
   ];
   needed = builtins.any (service: service.enable) mediaServices;
 in

services/transmission.nix

@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.transmission;
+
+  domain = config.networking.domain;
+  webuiDomain = "transmission.${domain}";
+
+  transmissionRpcPort = 9091;
+  transmissionPeerPort = 30251;
+
+  downloadBase = "/media/torrents/";
+in
+{
+  options.my.services.transmission = with lib; {
+    enable = mkEnableOption "Transmission torrent client";
+
+    username = mkOption {
+      type = types.str;
+      default = "alarsyo";
+      example = "username";
+      description = "Name of the transmission RPC user";
+    };
+
+    password = mkOption {
+      type = types.str;
+      example = "password";
+      description = "Password of the transmission RPC user";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.transmission = {
+      enable = true;
+      group = "media";
+
+      settings = {
+        download-dir = "${downloadBase}/complete";
+        incomplete-dir = "${downloadBase}/incomplete";
+
+        peer-port = transmissionPeerPort;
+
+        rpc-enabled = true;
+        rpc-port = transmissionRpcPort;
+        rpc-authentication-required = true;
+
+        rpc-username = cfg.username;
+        rpc-password = cfg.password;
+
+        rpc-whitelist-enabled = true;
+        rpc-whitelist = "127.0.0.1";
+      };
+    };
+
+    services.nginx.virtualHosts."${webuiDomain}" = {
+      forceSSL = true;
+      enableACME = true;
+
+      locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [ transmissionPeerPort ];
+      allowedUDPPorts = [ transmissionPeerPort ];
+    };
+  };
+}