servo: transmission: be extra strict about requiring VPN

2024-04-17 19:52:11 +00:00 · 2024-04-17 19:52:11 +00:00 · e2b58e1b77
parent b7e5bc5972
commit e2b58e1b77
1 changed files with 6 additions and 2 deletions
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
@ -95,8 +95,8 @@ in
    # DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>

    # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
-    # 0.0.0.0 => allow rpc from any host: we gate it via firewall and auth requirement
-    rpc-bind-address = "0.0.0.0";
+    # 10.0.1.6 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
+    rpc-bind-address = "10.0.1.6";
    #rpc-host-whitelist = "bt.uninsane.org";
    #rpc-whitelist = "*.*.*.*";
    rpc-authentication-required = true;
@ -106,6 +106,10 @@ in
    rpc-password = "{503fc8928344f495efb8e1f955111ca5c862ce0656SzQnQ5";
    rpc-whitelist-enabled = false;

+    # force behind ovpns in case the NetworkNamespace fails somehow
+    bind-address-ipv4 = "185.157.162.178";
+    port-forwarding-enabled = false;
+
    # hopefully, make the downloads world-readable
    # umask = 0;  #< default is 2: i.e. deny writes from world