server/fili/services/media/torrent.nix

{
  config,
  pkgs,
  secrets,
  ...
}:
{
  sops.secrets.mullvad = {
    sopsFile = "${secrets}/mullvad.yaml";
    owner = "root";
    format = "yaml";
  };

  vpnNamespaces.mullvad = {
    enable = true;
    wireguardConfigFile = config.sops.secrets.mullvad.path;
    accessibleFrom = [
      "192.168.0.0/16"
    ];
    portMappings = [
      {
        from = 9091;
        to = 9091;
      } # UI Port.
      {
        from = 5432;
        to = 5432;
      } # DB Port.
    ];
    openVPNPorts = [
      {
        port = 50901;
        protocol = "both";
      }
      {
        port = 50902;
        protocol = "both";
      }
      {
        port = 50903;
        protocol = "both";
      }
      {
        port = 50904;
        protocol = "both";
      }
      {
        port = 50905;
        protocol = "both";
      }
      {
        port = 50906;
        protocol = "both";
      }
      {
        port = 50907;
        protocol = "both";
      }
      {
        port = 50908;
        protocol = "both";
      }
      {
        port = 50909;
        protocol = "both";
      }
    ];
  };

  services.nginx = {
    virtualHosts."dl.donsz.nl" = {
      forceSSL = true;
      http2 = true;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://192.168.15.1:9091";
      };
    };
  };
  services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { };

  systemd.services.transmission.vpnConfinement = {
    enable = true;
    vpnNamespace = "mullvad";
  };

  services.transmission = {
    enable = true;
    package = pkgs.transmission_4;
    webHome = pkgs.stdenv.mkDerivation {
      name = "flood-modified";
      version = "1.0";
      src = pkgs.flood-for-transmission;
      installPhase = ''
        mkdir -p $out
        cp -r ./* $out
        cp ./config.json.defaults $out/config.json
      '';
    };
    home = "/var/lib/transmission";
    user = "jellyfin";
    group = "jellyfin";

    settings = {
      download-dir = "/storage/storage/torrents";
      incomplete-dir-enabled = false;
      # incomplete-dir = "/storage/storage/torrents";

      rpc-bind-address = "192.168.15.1";
      rpc-host-whitelist-enabled = false;
      rpc-whitelist-enabled = false;

      rpc-port = 9091;

      peer-port = 50909;
      cache-size-mb = 2048;
      preallocation = 1;
    };
  };
}