From f7cdf7bec9687002671cbabe10d879dd6606b039 Mon Sep 17 00:00:00 2001 From: diniamo Date: Fri, 25 Oct 2024 13:10:01 +0200 Subject: [PATCH] nixos/transmission: improve permission handling and description --- .../modules/services/torrent/transmission.nix | 50 +++++++++++-------- 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index b16f5c97fe4bb..70cbb2f2b16ff 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -189,6 +189,13 @@ in and [](#opt-services.transmission.settings.watch-dir). Note that you may also want to change [](#opt-services.transmission.settings.umask). + + Keep in mind, that if the default user is used, the `home` directory + is locked behind a `750` permission in the first place, which affects + all subdirectories as well. You can change this by setting + `users.users.transmission.homeMode` to the same value as this option. + However, this isn't recommended, and instead adding users to the + `transmission` group is way more secure. ''; }; @@ -277,17 +284,20 @@ in # when /home/foo is not owned by cfg.user. # Note also that using an ExecStartPre= wouldn't work either # because BindPaths= needs these directories before. - system.activationScripts = mkIf (cfg.downloadDirPermissions != null) - { transmission-daemon = '' - install -d -m 700 '${cfg.home}/${settingsDir}' - chown -R '${cfg.user}:${cfg.group}' ${cfg.home}/${settingsDir} + system.activationScripts.transmission-daemon = + '' + install -d -m 700 -o '${cfg.user}' -g '${cfg.group}' '${cfg.home}/${settingsDir}' + '' + + optionalString (cfg.downloadDirPermissions != null) '' install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.download-dir}' - '' + optionalString cfg.settings.incomplete-dir-enabled '' - install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.incomplete-dir}' - '' + optionalString cfg.settings.watch-dir-enabled '' - install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.watch-dir}' - ''; - }; + + ${optionalString cfg.settings.incomplete-dir-enabled '' + install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.incomplete-dir}' + ''} + ${optionalString cfg.settings.watch-dir-enabled '' + install -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.watch-dir}' + ''} + ''; systemd.services.transmission = { description = "Transmission BitTorrent Service"; @@ -349,14 +359,6 @@ in cfg.settings.script-torrent-done-filename ++ optional (cfg.settings.watch-dir-enabled && !cfg.settings.trash-original-torrent-files) cfg.settings.watch-dir; - StateDirectory = [ - "transmission" - "transmission/${settingsDir}" - "transmission/${incompleteDir}" - "transmission/${downloadsDir}" - "transmission/${watchDir}" - ]; - StateDirectoryMode = mkDefault 750; # The following options are only for optimizing: # systemd-analyze security transmission AmbientCapabilities = ""; @@ -407,20 +409,24 @@ in # It's useful to have transmission in path, e.g. for remote control environment.systemPackages = [ cfg.package ]; - users.users = optionalAttrs (cfg.user == "transmission") ({ + users.users = optionalAttrs (cfg.user == "transmission") { transmission = { group = cfg.group; uid = config.ids.uids.transmission; description = "Transmission BitTorrent user"; + isSystemUser = true; + home = cfg.home; + homeMode = mkDefault "750"; + createHome = true; }; - }); + }; - users.groups = optionalAttrs (cfg.group == "transmission") ({ + users.groups = optionalAttrs (cfg.group == "transmission") { transmission = { gid = config.ids.gids.transmission; }; - }); + }; networking.firewall = mkMerge [ (mkIf cfg.openPeerPorts (