kookie
/
nomicon
1
0
Fork 0
Code Issues Projects Releases 1 Activity

nixos: transmission improvements

Browse Source 
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.

In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing probrams, like BitTorrent Sync.

Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
wip/yesman
Austin Seipp 10 years ago
parent 253f83ea2d
commit da6bc44dd7
2 changed files with 38 additions and 78 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 43
      nixos/modules/security/apparmor.nix
  2. 73
      nixos/modules/services/torrent/transmission.nix

43
nixos/modules/security/apparmor.nix
Unescape View File

@ -1,55 +1,39 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.apparmor;
in
with lib;
{
###### interface
options = {
security.apparmor = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable AppArmor application security system. Enable only if
you want to further improve AppArmor.
'';
description = "Enable the AppArmor Mandatory Access Control system.";
};
profiles = mkOption {
type = types.listOf types.path;
default = [];
description = ''
List of file names of AppArmor profiles.
'';
description = "List of files containing AppArmor profiles.";
};
};
};
###### implementation
config = mkIf (cfg.enable) {
assertions = [ { assertion = config.boot.kernelPackages.kernel.features ? apparmor
&& config.boot.kernelPackages.kernel.features.apparmor;
message = "AppArmor is enabled, but the kernel doesn't have AppArmor support"; }
];
config = mkIf cfg.enable {
assertions =
[ { assertion = config.boot.kernelPackages.kernel.features ? apparmor
&& config.boot.kernelPackages.kernel.features.apparmor;
message = "Your selected kernel does not have AppArmor support";
}
];
environment.systemPackages = [ pkgs.apparmor ];
systemd.services.apparmor = {
#wantedBy = [ "basic.target" ];
wantedBy = [ "local-fs.target" ];
path = [ pkgs.apparmor ];
path = [ pkgs.apparmor ];
serviceConfig = {
Type = "oneshot";
@ -61,9 +45,6 @@ with lib;
''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
) cfg.profiles;
};
};
};
}

73
nixos/modules/services/torrent/transmission.nix
Unescape View File

@ -1,13 +1,14 @@
# NixOS module for Transmission BitTorrent daemon
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.transmission;
apparmor = config.security.apparmor.enable;
homeDir = "/var/lib/transmission";
downloadDir = "${homeDir}/Downloads";
incompleteDir = "${homeDir}/.incomplete";
settingsDir = "${homeDir}/.config/transmission-daemon";
settingsFile = "${settingsDir}/settings.json";
@ -31,16 +32,12 @@ let
(if isList value then value else [value]))
as));
# for users in group "transmission" to have access to torrents
fullSettings = cfg.settings // { umask = 2; };
in
{
### configuration
options = {
services.transmission = {
enable = mkOption {
type = types.uniq types.bool;
default = false;
@ -59,65 +56,48 @@ in
type = types.attrs;
default =
{
# for users in group "transmission" to have access to torrents
umask = 2;
}
;
download-dir = downloadDir;
incomplete-dir = incompleteDir;
incomplete-dir-enabled = true;
};
example =
{
download-dir = "/srv/torrents/";
incomplete-dir = "/srv/torrents/.incomplete/";
incomplete-dir-enabled = true;
rpc-whitelist = "127.0.0.1,192.168.*.*";
# for users in group "transmission" to have access to torrents
umask = 2;
}
;
};
description = ''
Attribute set whos fields overwrites fields in settings.json (each
time the service starts). String values must be quoted, integer and
boolean values must not.
See https://trac.transmissionbt.com/wiki/EditConfigFiles for documentation
and/or look at ${settingsFile}."
See https://trac.transmissionbt.com/wiki/EditConfigFiles for
documentation and/or look at ${settingsFile}.
'';
};
rpc_port = mkOption {
port = mkOption {
type = types.uniq types.int;
default = 9091;
description = "TCP port number to run the RPC/web interface.";
};
apparmor = mkOption {
type = types.uniq types.bool;
default = true;
description = "Generate apparmor profile for transmission-daemon.";
};
};
};
### implementation
config = mkIf cfg.enable {
systemd.services.transmission = {
description = "Transmission BitTorrent Daemon";
after = [ "network.target" ] ++ optional (config.security.apparmor.enable && cfg.apparmor) "apparmor.service";
requires = mkIf (config.security.apparmor.enable && cfg.apparmor) [ "apparmor.service" ];
description = "Transmission BitTorrent Service";
after = [ "network.target" ] ++ optional apparmor "apparmor.service";
requires = mkIf apparmor [ "apparmor.service" ];
wantedBy = [ "multi-user.target" ];
# 1) Only the "transmission" user and group have access to torrents.
# 2) Optionally update/force specific fields into the configuration file.
serviceConfig.ExecStartPre =
if cfg.settings != {} then ''
${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs cfg.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
''
else ''
${pkgs.stdenv.shell} -c "chmod 770 ${homeDir}"
'';
serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.rpc_port}";
serviceConfig.ExecStartPre = ''
${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} ${downloadDir} ${incompleteDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs fullSettings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
'';
serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port}";
serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
serviceConfig.User = "transmission";
# NOTE: transmission has an internal umask that also must be set (in settings.json)
@ -127,6 +107,7 @@ in
# It's useful to have transmission in path, e.g. for remote control
environment.systemPackages = [ pkgs.transmission ];
users.extraGroups.transmission.gid = config.ids.gids.transmission;
users.extraUsers.transmission = {
group = "transmission";
uid = config.ids.uids.transmission;
@ -135,10 +116,8 @@ in
createHome = true;
};
users.extraGroups.transmission.gid = config.ids.gids.transmission;
# AppArmor profile
security.apparmor.profiles = mkIf (config.security.apparmor.enable && cfg.apparmor) [
security.apparmor.profiles = mkIf apparmor [
(pkgs.writeText "apparmor-transmission-daemon" ''
#include <tunables/global>
@ -161,9 +140,9 @@ in
owner ${settingsDir}/** rw,
${cfg.settings.download-dir}/** rw,
${optionalString cfg.settings.incomplete-dir-enabled ''
${cfg.settings.incomplete-dir}/** rw,
${fullSettings.download-dir}/** rw,
${optionalString fullSettings.incomplete-dir-enabled ''
${fullSettings.incomplete-dir}/** rw,
''}
}
'')

Write Preview
Loading…
Cancel
Save