transmission: fix permission-related errors

hosts/by-name/servo/fs.nix

@@ -40,6 +40,34 @@
     # TODO: this is overly broad; only need media and share directories to be persisted
     { user = "colin"; group = "users"; path = "/var/lib/uninsane"; }
   ];
+  # force some problematic directories to always get correct permissions:
+  sane.fs."/var/lib/uninsane/media".dir.acl = {
+    user = "colin"; group = "media"; mode = "0775";
+  };
+  sane.fs."/var/lib/uninsane/media/archive".dir = {};
+  sane.fs."/var/lib/uninsane/media/archive/README.md".file.text = ''
+    this directory is for media i wish to remove from my library,
+    but keep for a short time in case i reverse my decision.
+    treat it like a system trash can.
+  '';
+  sane.fs."/var/lib/uninsane/media/Books".dir = {};
+  sane.fs."/var/lib/uninsane/media/Books/Audiobooks".dir = {};
+  sane.fs."/var/lib/uninsane/media/Books/Books".dir = {};
+  sane.fs."/var/lib/uninsane/media/Books/Visual".dir = {};
+  sane.fs."/var/lib/uninsane/media/collections".dir = {};
+  sane.fs."/var/lib/uninsane/media/datasets".dir = {};
+  sane.fs."/var/lib/uninsane/media/freeleech".dir = {};
+  sane.fs."/var/lib/uninsane/media/Music".dir = {};
+  sane.fs."/var/lib/uninsane/media/Pictures".dir = {};
+  sane.fs."/var/lib/uninsane/media/Videos".dir = {};
+  sane.fs."/var/lib/uninsane/media/Videos/Film".dir = {};
+  sane.fs."/var/lib/uninsane/media/Videos/Shows".dir = {};
+  sane.fs."/var/lib/uninsane/media/Videos/Talks".dir = {};
+  sane.fs."/var/lib/uninsane/datasets/README.md".file.text = ''
+    this directory may seem redundant with ../media/datasets. it isn't.
+    this directory exists on SSD, allowing for speedy access to specific datasets when necessary.
+    the contents should be a subset of what's in ../media/datasets.
+  '';
   # make sure large media is stored to the HDD
   sane.persist.sys.ext = [
     {

hosts/by-name/servo/services/transmission.nix

@@ -1,12 +1,27 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "transmission"; group = "transmission"; path = "/var/lib/transmission"; }
+    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; }
   ];
+  users.users.transmission.extraGroups = [ "media" ];
+
   services.transmission.enable = true;
+  services.transmission.package = pkgs.transmission_4;  #< 2023/09/06: nixpkgs `transmission` defaults to old 3.00
+  #v setting `group` this way doesn't tell transmission to `chown` the files it creates
+  #  it's a nixpkgs setting which just runs the transmission daemon as this group
+  services.transmission.group = "media";
+
+  # transmission will by default not allow the world to read its files.
+  services.transmission.downloadDirPermissions = "775";
+  services.transmission.extraFlags = [
+    "--log-level=debug"
+  ];
+
   services.transmission.settings = {
+    # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
+    # 0.0.0.0 => allow rpc from any host: we gate it via firewall and auth requirement
     rpc-bind-address = "0.0.0.0";
     #rpc-host-whitelist = "bt.uninsane.org";
     #rpc-whitelist = "*.*.*.*";
@@ -17,9 +32,8 @@
     rpc-password = "{503fc8928344f495efb8e1f955111ca5c862ce0656SzQnQ5";
     rpc-whitelist-enabled = false;
 
-    # download-dir = "/opt/uninsane/media/";
     # hopefully, make the downloads world-readable
-    umask = 0;
+    # umask = 0;  #< default is 2: i.e. deny writes from world
 
     # force peer connections to be encrypted
     encryption = 2;
@@ -35,17 +49,18 @@
 
     download-dir = "/var/lib/uninsane/media";
     incomplete-dir = "/var/lib/uninsane/media/incomplete";
-
+    # transmission regularly fails to move stuff from the incomplete dir to the main one, so disable:
+    # TODO: uncomment this line!
+    # incomplete-dir-enabled = false;
   };
-  # transmission will by default not allow the world to read its files.
-  services.transmission.downloadDirPermissions = "775";
 
   systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
   systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.transmission.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
-    LogLevelMax = "warning";
+    Restart = "on-failure";
+    RestartSec = "30s";
   };
 
   # service to automatically backup torrents i add to transmission

hosts/common/ids.nix

@@ -46,6 +46,7 @@
   sane.ids.trust-dns.gid = 2411;
   sane.ids.export.gid = 2412;
   sane.ids.nfsuser.uid = 2413;
+  sane.ids.media.gid = 2414;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/users/colin.nix

@@ -19,6 +19,7 @@
       "export"  # to read filesystem exports (servo)
       "feedbackd"
       "input"  # for /dev/input/<xyz>: sxmo
+      "media"  # servo, for /var/lib/uninsane/media
       "networkmanager"
       "nixbuild"
       "transmission"  # servo, to admin /var/lib/uninsane/media

hosts/common/users/default.nix

@@ -7,6 +7,8 @@
     ./root.nix
   ];
 
+  users.groups.media = {};
+
   # Users are exactly these specified here;
   # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
   users.mutableUsers = false;