enable transmission, protected behind rpc auth

net-configuration.nix

@@ -10,6 +10,12 @@
   # DLNA ports: https://jellyfin.org/docs/general/networking/index.html
   networking.firewall.allowedUDPPorts = [ 1900 7359 ];
 
+  # we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts.
+  networking.nameservers = [
+    "1.1.1.1"
+    "9.9.9.9"
+  ];
+
   # OVPN CONFIG:
   # DOCS: https://nixos.wiki/wiki/WireGuard
   networking.wireguard.enable = true;

services-conf/nginx-configuration.nix

@@ -94,9 +94,7 @@
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      # created with htpasswd -c bt.htpasswd <user>
+      proxyPass = "http://ovpns.uninsane.org:9091";
-      basicAuthFile = "/etc/nixos/services-conf/bt.htpasswd";
-      proxyPass = "http://127.0.0.1:9091";
     };
   };
 

services-conf/transmission-configuration.nix

@@ -1,11 +1,24 @@
 { config, pkgs, lib, ... }:
 
 {
-  # services.transmission.enable = true;
+  services.transmission.enable = true;
   services.transmission.settings = {
     rpc-bind-address = "0.0.0.0";
-    rpc-host-whitelist = "bt.uninsane.org";
+    #rpc-host-whitelist = "bt.uninsane.org";
-    # rpc-whitelist = "*.*.*.*";
+    #rpc-whitelist = "*.*.*.*";
+    rpc-authentication-required = true;
+    rpc-username = "colin";
+    # salted pw. to regenerate, set this plaintext, run nixos-rebuild, and then find the salted pw in:
+    # /var/lib/transmission/.config/transmission-daemon/settings.json
+    rpc-password = "{503fc8928344f495efb8e1f955111ca5c862ce0656SzQnQ5";
+    rpc-whitelist-enabled = false;
+
+    download-dir = "/mnt/storage/opt/uninsane/media/";
+  };
+
+  systemd.services.transmission.serviceConfig = {
+    # run this behind the OVPN static VPN
+    NetworkNamespacePath = "/run/netns/ovpns";
   };
 }