chore: Replace Transmission NixOS module deployment with container

Author: nikitawootten

flake.lock

@@ -39,10 +39,6 @@
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    vpnconfinement = {
-      url = "github:Maroka-chan/VPN-Confinement";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     nix-topology = {
       url = "github:oddlama/nix-topology";
       inputs.nixpkgs.follows = "nixpkgs";

flake.nix

@@ -8,7 +8,6 @@ in {
     ./acme.nix
     ./homepage.nix
     ./ntfs.nix
-    ./vpn.nix
     inputs.nix-topology.nixosModules.default
   ];
 

hostModules/homelab/default.nix

@@ -30,6 +30,7 @@ in {
     };
 
     topology.self.services.readarr = {
+      name = "Readarr";
       details.listen.text = lib.mkForce cfg.domain;
     };
   };

hostModules/homelab/media/readarr.nix

@@ -2,37 +2,39 @@
 let cfg = config.homelab.media.transmission;
 in {
   options.homelab.media.transmission =
-    config.lib.homelab.mkServiceOptionSet "Transmission" "transmission" cfg;
+    (config.lib.homelab.mkServiceOptionSet "Transmission" "transmission" cfg)
+    // {
+      transmissionEnvFile = lib.mkOption {
+        type = lib.types.path;
+        description = "Path to the Transmission env file";
+      };
+    };
 
   config = lib.mkIf cfg.enable {
-    services.transmission = {
-      enable = true;
-      group = config.homelab.media.group;
-      settings = {
-        download-dir = "${config.homelab.media.storageRoot}/torrents/completed";
-        incomplete-dir-enabled = true;
-        incomplete-dir =
-          "${config.homelab.media.storageRoot}/torrents/incomplete";
-        watch-dir-enabled = true;
-        watch-dir = "${config.homelab.media.storageRoot}/torrents/watch";
-
-        rpc-whitelist = "127.*,192.168.*,10.*";
-        rpc-whitelist-enabled = true;
-        rpc-host-whitelist-enabled = true;
-        rpc-host-whitelist = cfg.domain;
-        rpc-bind-address = "192.168.15.1"; # Bind RPC/WebUI to bridge address
-
-        rpc-authentication-required = false;
+    virtualisation.oci-containers.containers.transmission = {
+      image = "haugene/transmission-openvpn";
+      environment = {
+        # TODO: Set up a user for Transmission
+        PUID = "1000";
+        PGID = toString config.users.groups.${config.homelab.media.group}.gid;
+        LOCAL_NETWORK = "10.69.0.0/24";
+        OPENVPN_OPTS = "--inactive 3600 --ping 10 --ping-exit 60";
       };
+      environmentFiles = [ cfg.transmissionEnvFile ];
+      ports = [ "9091:9091" ];
+      volumes = [
+        "${config.homelab.media.storageRoot}/torrents:/data"
+        "${config.homelab.media.storageRoot}/config/transmission:/config"
+      ];
+      extraOptions =
+        [ "--cap-add=NET_ADMIN,NET_RAW,mknod" "--device" "/dev/net/tun" ];
     };
 
     services.nginx.virtualHosts.${cfg.domain} = {
       forceSSL = true;
       useACMEHost = config.homelab.domain;
       locations."/" = {
-        proxyPass = "http://192.168.15.1:${
-            toString config.services.transmission.settings.rpc-port
-          }";
+        proxyPass = "http://127.0.0.1:9091";
         recommendedProxySettings = true;
         extraConfig = ''
           proxy_pass_header X-Transmission-Session-Id;
@@ -44,23 +46,6 @@ in {
       };
     };
 
-    systemd.services.transmission.vpnconfinement = {
-      enable = true;
-      vpnnamespace = config.homelab.vpn.namespace;
-    };
-
-    vpnnamespaces.${config.homelab.vpn.namespace} = {
-      portMappings = let port = config.services.transmission.settings.rpc-port;
-      in [{
-        from = port;
-        to = port;
-      }];
-      openVPNPorts = [{
-        port = config.services.transmission.settings.peer-port;
-        protocol = "both";
-      }];
-    };
-
     homelab.media.homepageConfig.Transmission = {
       priority = lib.mkDefault 2;
       config = {
@@ -71,6 +56,8 @@ in {
     };
 
     topology.self.services.transmission = {
+      name = "Transmission";
+      icon = "services.transmission";
       details.listen.text = lib.mkForce cfg.domain;
     };
   };

hostModules/homelab/media/transmission.nix

@@ -30,16 +30,13 @@
   homelab.observability.enable = true;
 
   # Media
-  age.secrets."wg.conf".file = secrets."wg.conf";
+  age.secrets."transmission".file = secrets."transmission";
   homelab.media = {
     enable = true;
     storageRoot = "/storage2/media";
+    transmission.transmissionEnvFile = config.age.secrets."transmission".path;
   };
-  homelab.vpn = {
-    enable = true;
-    wireguardConfigFile = config.age.secrets."wg.conf".path;
-    accessibleFrom = "10.69.0.0/24";
-  };
+  users.groups.media.gid = 993;
 
   # Auth
   age.secrets.keycloak-db-pw.file = secrets.keycloak-db-pw;

hostModules/homelab/vpn.nix

@@ -45,6 +45,8 @@
     home.packages = with pkgs; [ tor-browser-bundle-bin ];
   };
 
+  programs.nix-ld.enable = true;
+
   networking.hostName = "voyager";
 
   # Bootloader.

hosts/hades/default.nix

@@ -1,5 +1,5 @@
 {
   traefik = ./traefik.env.age;
   keycloak-db-pw = ./keycloak-db-pw.age;
-  "wg.conf" = ./wg.conf.age;
+  transmission = ./transmission.env.age;
 }

hosts/voyager/default.nix

@@ -5,5 +5,5 @@ let
 in {
   "traefik.env.age".publicKeys = [ keys.hades keys.iris ] ++ keys.trusted_users;
   "keycloak-db-pw.age".publicKeys = hades_keyset;
-  "wg.conf.age".publicKeys = hades_keyset;
+  "transmission.env.age".publicKeys = hades_keyset;
 }