

nixos/transmission: improve permission handling and description
diniamo committed Oct 26, 2024
1 parent 99add84 commit f7cdf7b
Showing 1 changed file with 28 additions and 22 deletions.
50 changes: 28 additions & 22 deletions nixos/modules/services/torrent/transmission.nix
Expand Up @@ -189,6 +189,13 @@ in
and [](#opt-services.transmission.settings.watch-dir).
Note that you may also want to change
[](#opt-services.transmission.settings.umask).
Keep in mind, that if the default user is used, the `home` directory
is locked behind a `750` permission in the first place, which affects
all subdirectories as well. You can change this by setting
`users.users.transmission.homeMode` to the same value as this option.
However, this isn't recommended, and instead adding users to the
`transmission` group is way more secure.
'';
};

Expand Down Expand Up @@ -277,17 +284,20 @@ in
# when /home/foo is not owned by cfg.user.
# Note also that using an ExecStartPre= wouldn't work either
# because BindPaths= needs these directories before.
system.activationScripts = mkIf (cfg.downloadDirPermissions != null)
{ transmission-daemon = ''
install -d -m 700 '${cfg.home}/${settingsDir}'
chown -R '${cfg.user}:${cfg.group}' ${cfg.home}/${settingsDir}
system.activationScripts.transmission-daemon =
''
install -d -m 700 -o '${cfg.user}' -g '${cfg.group}' '${cfg.home}/${settingsDir}'
''
+ optionalString (cfg.downloadDirPermissions != null) ''
install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.download-dir}'
'' + optionalString cfg.settings.incomplete-dir-enabled ''
install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.incomplete-dir}'
'' + optionalString cfg.settings.watch-dir-enabled ''
install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.watch-dir}'
'';
};
${optionalString cfg.settings.incomplete-dir-enabled ''
install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.incomplete-dir}'
''}
${optionalString cfg.settings.watch-dir-enabled ''
install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.watch-dir}'
''}
'';

systemd.services.transmission = {
description = "Transmission BitTorrent Service";
Expand Down Expand Up @@ -349,14 +359,6 @@ in
cfg.settings.script-torrent-done-filename ++
optional (cfg.settings.watch-dir-enabled && !cfg.settings.trash-original-torrent-files)
cfg.settings.watch-dir;
StateDirectory = [
"transmission"
"transmission/${settingsDir}"
"transmission/${incompleteDir}"
"transmission/${downloadsDir}"
"transmission/${watchDir}"
];
StateDirectoryMode = mkDefault 750;
# The following options are only for optimizing:
# systemd-analyze security transmission
AmbientCapabilities = "";
Expand Down Expand Up @@ -407,20 +409,24 @@ in
# It's useful to have transmission in path, e.g. for remote control
environment.systemPackages = [ cfg.package ];

users.users = optionalAttrs (cfg.user == "transmission") ({
users.users = optionalAttrs (cfg.user == "transmission") {
transmission = {
group = cfg.group;
uid = config.ids.uids.transmission;
description = "Transmission BitTorrent user";
isSystemUser = true;

home = cfg.home;
homeMode = mkDefault "750";
createHome = true;
};
});
};

users.groups = optionalAttrs (cfg.group == "transmission") ({
users.groups = optionalAttrs (cfg.group == "transmission") {
transmission = {
gid = config.ids.gids.transmission;
};
});
};

networking.firewall = mkMerge [
(mkIf cfg.openPeerPorts (
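Review bot: Removing `StateDirectory` and `StateDirectoryMode = mkDefault 750` from `systemd.services.transmission` (third hunk) drops the only mechanism that created `cfg.home` with mode 750 and service-user ownership for a non-default `cfg.user`, while the replacement `homeMode = mkDefault "750"` / `createHome = true` (fourth hunk) sits inside `optionalAttrs (cfg.user == "transmission")` and therefore only covers the default user. For a custom user the tree is now created solely by the activation script in the second hunk, and `install -d` applied to `'${cfg.home}/${settingsDir}'` creates any missing parent with umask-derived permissions and root ownership rather than the 750 / `cfg.user` the new option text describes, so the "locked behind 750" protection silently depends on which user is configured. Consider creating the home explicitly at the top of the activation script, `install -d -m 750 -o '${cfg.user}' -g '${cfg.group}' '${cfg.home}'`, or adding a sentence to the option description stating that a custom `user` must manage the `home` mode itself. If the unit previously relied on `StateDirectory` for implicit write access under `ProtectSystem=`, that also needs re-checking, though the relevant hardening options are outside the hunk. The `systemd.services.transmission` attribute set begins in the second hunk and continues past the third.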

