nixos-config/services/transmission.nix
Antoine Martin 2725d66646 services: use subdomain for ACME cert
Avoids conflicts now that I have multiple servers sharing the config
2022-06-12 17:18:58 +02:00


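# NixOS module: Transmission torrent client behind an nginx reverse proxy.
# Declares `my.services.transmission` and, when enabled, configures
# services.transmission, an nginx virtual host for the web UI, and the ACME
# certificate it is served with.
{
  config,
  lib,
  ...
}: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    mkOption
    optionalAttrs
    ;
  cfg = config.my.services.transmission;
  domain = config.networking.domain;
  hostname = config.networking.hostName;
  # The host's certificate; the web UI name is added to it below so a single
  # cert per machine is reused instead of one per service.
  fqdn = "${hostname}.${domain}";
  webuiDomain = "transmission.${domain}";
  transmissionRpcPort = 9091;
  transmissionPeerPort = 30251;
  # No trailing slash: the directories below append "/complete" and
  # "/incomplete", so a trailing slash yielded "/media/torrents//complete".
  downloadBase = "/media/torrents";
  # FIXME: hardcoded tailscale IP. Bound once so both listen entries agree.
  tailscaleAddr = "100.80.61.67";
in {
  options.my.services.transmission = let
    inherit (lib) types;
  in {
    enable = mkEnableOption "Transmission torrent client";
    # NOTE(review): declared but not referenced by the config section of this
    # module; presumably the secrets file carries the RPC user — confirm.
    username = mkOption {
      type = types.str;
      default = "alarsyo";
      example = "username";
      description = "Name of the transmission RPC user";
    };
    # Optional file merged into the generated settings at runtime (passed as
    # credentialsFile), so secrets never land in the Nix store.
    secretConfigFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/var/run/secrets/transmission-secrets";
      description = "Path to secrets file to append to configuration";
    };
  };
  config = mkIf cfg.enable {
    services.transmission =
      {
        enable = true;
        group = "media";
        settings = {
          download-dir = "${downloadBase}/complete";
          incomplete-dir = "${downloadBase}/incomplete";
          peer-port = transmissionPeerPort;
          rpc-enabled = true;
          rpc-port = transmissionRpcPort;
          # Access control as written: no RPC authentication, and the IP
          # whitelist admits only 127.0.0.1. Because the nginx vhost below
          # proxies to 127.0.0.1, every request reaching the web UI satisfies
          # that whitelist; the effective control is therefore reachability of
          # the tailscale listen address plus the host whitelist.
          # NOTE(review): if the tailnet is not fully trusted, set
          # rpc-authentication-required = true and provide the RPC credentials
          # through secretConfigFile rather than in this file.
          rpc-authentication-required = false;
          rpc-whitelist-enabled = true;
          rpc-whitelist = "127.0.0.1";
          # Reject requests whose Host header is not the web UI name
          # (DNS-rebinding protection on the RPC endpoint).
          rpc-host-whitelist-enabled = true;
          rpc-host-whitelist = webuiDomain;
        };
        # automatically allow transmission.settings.peer-port
        openFirewall = true;
      }
      // (optionalAttrs (cfg.secretConfigFile != null) {
        credentialsFile = cfg.secretConfigFile;
      });
    services.nginx.virtualHosts."${webuiDomain}" = {
      # Port 80 is kept only so forceSSL can redirect it to HTTPS.
      forceSSL = true;
      useACMEHost = fqdn;
      locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
      # Bind to the tailscale address only, not to every interface.
      listen = [
        {
          addr = tailscaleAddr;
          port = 443;
          ssl = true;
        }
        {
          addr = tailscaleAddr;
          port = 80;
          ssl = false;
        }
      ];
    };
    # Add the web UI name to the host's certificate instead of requesting a
    # separate one (avoids conflicts when several hosts share this config).
    security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain];
  };
}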