diff --git a/hosts/by-name/servo/fs.nix b/hosts/by-name/servo/fs.nix index ec0a381b..95ff7144 100644 --- a/hosts/by-name/servo/fs.nix +++ b/hosts/by-name/servo/fs.nix @@ -40,6 +40,34 @@ # TODO: this is overly broad; only need media and share directories to be persisted { user = "colin"; group = "users"; path = "/var/lib/uninsane"; } ]; + # force some problematic directories to always get correct permissions: + sane.fs."/var/lib/uninsane/media".dir.acl = { + user = "colin"; group = "media"; mode = "0775"; + }; + sane.fs."/var/lib/uninsane/media/archive".dir = {}; + sane.fs."/var/lib/uninsane/media/archive/README.md".file.text = '' + this directory is for media i wish to remove from my library, + but keep for a short time in case i reverse my decision. + treat it like a system trash can. + ''; + sane.fs."/var/lib/uninsane/media/Books".dir = {}; + sane.fs."/var/lib/uninsane/media/Books/Audiobooks".dir = {}; + sane.fs."/var/lib/uninsane/media/Books/Books".dir = {}; + sane.fs."/var/lib/uninsane/media/Books/Visual".dir = {}; + sane.fs."/var/lib/uninsane/media/collections".dir = {}; + sane.fs."/var/lib/uninsane/media/datasets".dir = {}; + sane.fs."/var/lib/uninsane/media/freeleech".dir = {}; + sane.fs."/var/lib/uninsane/media/Music".dir = {}; + sane.fs."/var/lib/uninsane/media/Pictures".dir = {}; + sane.fs."/var/lib/uninsane/media/Videos".dir = {}; + sane.fs."/var/lib/uninsane/media/Videos/Film".dir = {}; + sane.fs."/var/lib/uninsane/media/Videos/Shows".dir = {}; + sane.fs."/var/lib/uninsane/media/Videos/Talks".dir = {}; + sane.fs."/var/lib/uninsane/datasets/README.md".file.text = '' + this directory may seem redundant with ../media/datasets. it isn't. + this directory exists on SSD, allowing for speedy access to specific datasets when necessary. + the contents should be a subset of what's in ../media/datasets. + ''; # make sure large media is stored to the HDD sane.persist.sys.ext = [ { 
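Review bot: The `0775` acl on `/var/lib/uninsane/media` grants group write, but without the setgid bit anything colin creates there is owned by his primary group (`users`, per the persist entry just above the hunk) rather than `media`, so transmission — which joins `media` in the transmission.nix part of this change — cannot rename or remove it; consider `mode = "2775"` if the `sane.fs` `mode` option accepts the setgid bit, and record the reason in the comment, e.g. `# setgid so new entries inherit the media group`. The child directories (`archive`, `Books/…`, `Videos/…`) are declared with bare `.dir = {}` and therefore get whatever owner and mode the `sane.fs` module defaults to, which is not visible here; if that default is not group-writable, the 0775 on the parent alone does not let transmission or colin create files inside them, so either repeat the acl on each child or state in the comment that the module default is being relied on. The `sane.persist.sys.ext` list on the hunk's last line continues outside the hunk.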
diff --git a/hosts/by-name/servo/services/transmission.nix b/hosts/by-name/servo/services/transmission.nix index e28444fc..1574a930 100644 --- a/hosts/by-name/servo/services/transmission.nix +++ b/hosts/by-name/servo/services/transmission.nix @@ -1,12 +1,27 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { sane.persist.sys.plaintext = [ # TODO: mode? we need this specifically for the stats tracking in .config/ - { user = "transmission"; group = "transmission"; path = "/var/lib/transmission"; } + { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; } ]; + users.users.transmission.extraGroups = [ "media" ]; + services.transmission.enable = true; + services.transmission.package = pkgs.transmission_4; #< 2023/09/06: nixpkgs `transmission` defaults to old 3.00 + #v setting `group` this way doesn't tell transmission to `chown` the files it creates + # it's a nixpkgs setting which just runs the transmission daemon as this group + services.transmission.group = "media"; + + # transmission will by default not allow the world to read its files. + services.transmission.downloadDirPermissions = "775"; + services.transmission.extraFlags = [ + "--log-level=debug" + ]; + services.transmission.settings = { + # message-level = 3; #< enable for debug logging. 0-3, default is 2. + # 0.0.0.0 => allow rpc from any host: we gate it via firewall and auth requirement rpc-bind-address = "0.0.0.0"; #rpc-host-whitelist = "bt.uninsane.org"; #rpc-whitelist = "*.*.*.*"; @@ -17,9 +32,8 @@ rpc-password = "{503fc8928344f495efb8e1f955111ca5c862ce0656SzQnQ5"; rpc-whitelist-enabled = false; - # download-dir = "/opt/uninsane/media/"; # hopefully, make the downloads world-readable - umask = 0; + # umask = 0; #< default is 2: i.e. deny writes from world # force peer connections to be encrypted encryption = 2; 
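Review bot: Commenting out `umask = 0` and falling back to the daemon default works against the group-write scheme the rest of this change sets up: the new comment asserts the default is `2`, but as far as I recall Transmission's documented default umask is `022` (written `18` in 3.x settings.json, `"022"` in 4.x), which strips group write from everything the daemon creates, so `downloadDirPermissions = "775"` and the `media` group membership from the first hunk only cover the top-level download directory while files and torrent subfolders come out `644`/`755` and other `media` members cannot rename or delete them. Set the value explicitly instead of leaving a commented-out line, e.g. `umask = 2;` (group may write, world read-only), and verify the type the pinned `transmission_4` package expects, since 4.x reads `umask` as an octal string whereas 3.x took a decimal integer. Replace the `#<` note with one that is correct either way: `# 002: group may write, world may only read; 0 would make downloads world-writable`. The `settings` attribute set this hunk sits in opens in the previous hunk and closes in the next.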
@@ -35,17 +49,18 @@ download-dir = "/var/lib/uninsane/media"; incomplete-dir = "/var/lib/uninsane/media/incomplete"; - + # transmission regularly fails to move stuff from the incomplete dir to the main one, so disable: + # TODO: uncomment this line! + # incomplete-dir-enabled = false; }; - # transmission will by default not allow the world to read its files. - services.transmission.downloadDirPermissions = "775"; systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ]; systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ]; systemd.services.transmission.serviceConfig = { # run this behind the OVPN static VPN NetworkNamespacePath = "/run/netns/ovpns"; - LogLevelMax = "warning"; + Restart = "on-failure"; + RestartSec = "30s"; }; # service to automatically backup torrents i add to transmission diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix index 5172e073..99a032aa 100644 --- a/hosts/common/ids.nix +++ b/hosts/common/ids.nix @@ -46,6 +46,7 @@ sane.ids.trust-dns.gid = 2411; sane.ids.export.gid = 2412; sane.ids.nfsuser.uid = 2413; + sane.ids.media.gid = 2414; sane.ids.colin.uid = 1000; sane.ids.guest.uid = 1100; diff --git a/hosts/common/users/colin.nix b/hosts/common/users/colin.nix index e559cb28..2ee964f5 100644 --- a/hosts/common/users/colin.nix +++ b/hosts/common/users/colin.nix @@ -19,6 +19,7 @@ "export" # to read filesystem exports (servo) "feedbackd" "input" # for /dev/input/: sxmo + "media" # servo, for /var/lib/uninsane/media "networkmanager" "nixbuild" "transmission" # servo, to admin /var/lib/uninsane/media diff --git a/hosts/common/users/default.nix b/hosts/common/users/default.nix index 7e40e58a..d254e66b 100644 --- a/hosts/common/users/default.nix +++ b/hosts/common/users/default.nix @@ -7,6 +7,8 @@ ./root.nix ]; + users.groups.media = {}; + # Users are exactly these specified here; # old ones will be deleted (from /etc/passwd, etc) upon upgrade. users.mutableUsers = false;
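Review bot: Adding colin to `media` leaves the existing `"transmission" # servo, to admin /var/lib/uninsane/media` entry with a stale justification: after this change the media tree is group `media`, not `transmission`, and transmission.nix now runs the daemon as group `media`, so the comment no longer explains why the membership is kept. If admin access to the media tree was the only reason, drop the `transmission` entry to keep colin's group set minimal; if it is still needed for `/var/lib/transmission` state, reword it, e.g. `"transmission" # servo, for /var/lib/transmission state`. Note also that, if I remember the nixpkgs transmission module correctly, it only creates the `transmission` group when `services.transmission.group` is left at its default, so with `group = "media"` this entry may now name a group that does not exist on servo — worth confirming on the next rebuild. The `extraGroups` list this hunk belongs to starts and ends outside the hunk.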