servo: transmission: fix service config so my torrent-done script doesnt crash

hosts/by-name/servo/fs.nix

@@ -14,7 +14,7 @@
 # show zfs datasets: `zfs list` (will be empty if haven't imported)
 # show zfs properties (e.g. compression): `zfs get all pool`
 # set zfs properties: `zfs set compression=on pool`
-{ ... }:
+{ lib, pkgs, ... }:
 
 {
   # hostId: not used for anything except zfs guardrail?
@@ -131,6 +131,20 @@
     the contents should be a subset of what's in ../media/datasets.
   '';
 
+  systemd.services.dedupe-media = {
+    description = "transparently de-duplicate /var/media entries by using block-level hardlinks";
+    script = ''
+      ${lib.getExe' pkgs.util-linux "hardlink"} /var/media --reflink=always --ignore-time --verbose
+    '';
+  };
+  systemd.timers.dedupe-media = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig = {
+      OnStartupSec = "23min";
+      OnUnitActiveSec = "720min";
+    };
+  };
+
   # btrfs doesn't easily support swapfiles
   # swapDevices = [
   #   { device = "/nix/persist/swapfile"; size = 4096; }

hosts/by-name/servo/services/transmission/default.nix

@@ -31,7 +31,6 @@ let
       "coreutils"
       "findutils"
       "rsync"
-      "util-linux"
     ];
   };
 in
@@ -107,16 +106,31 @@ in
     script-torrent-done-filename = "${torrent-done}/bin/torrent-done";
   };
 
-  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission = {
-  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
+    after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.transmission.serviceConfig = {
+    partOf = [ "wireguard-wg-ovpns.service" ];
+    environment.TR_DEBUG = "1";
     # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
+    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
+    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
 
-    Restart = "on-failure";
+    serviceConfig.Restart = "on-failure";
-    RestartSec = "30s";
+    serviceConfig.RestartSec = "30s";
-    BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library
+    serviceConfig.BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library
+    serviceConfig.SystemCallFilter = lib.mkForce [
+      # the torrent-done script does stuff which fails the nixos default syscall filter.
+      # allow a bunch of stuff, speculatively, to hopefully fix that:
+      "@aio"
+      "@basic-io"
+      "@chown"
+      "@file-system"
+      "@io-event"
+      "@process"
+      "@sandbox"
+      "@sync"
+      "@system-service"
+      "quotactl"
+    ];
   };
 
   # service to automatically backup torrents i add to transmission

hosts/by-name/servo/services/transmission/torrent-done

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p acl -p bash -p coreutils -p findutils -p rsync -p util-linux
+#!nix-shell -i bash -p acl -p bash -p coreutils -p findutils -p rsync
 
 # transmission invokes this with no args, and the following env vars:
 # - TR_TORRENT_DIR: full path to the folder i told transmission to download it to.
@@ -7,7 +7,6 @@
 # optionally:
 # - TR_DRY_RUN=1
 # - TR_DEBUG=1
-# - TR_NO_HARDLINK=1
 
 DOWNLOAD_DIR=/var/media/torrents
 
@@ -67,10 +66,3 @@ destructive find "$MEDIA_DIR/" -type f \(\
   -o -iname 'YIFY*.com.txt' \
   -o -iname 'YTS*.com.txt' \
   \) -exec rm {} \;
-
-if ! [ -n "${TR_NO_HARDLINK}" ]; then
-  # dedupe the whole media library.
-  # yeah, a bit excessive: move this to a cron job if that's problematic
-  #   or make it run with only 1/N probability, etc.
-  destructive hardlink /var/media --reflink=always --ignore-time --verbose
-fi