2025-01-06 HEAD master

1 files changed, 177 insertions, 0 deletions

diff --git a/modules/piracy/default.nix b/modules/piracy/default.nix
new file mode 100644
index 0000000..be957f0
--- /dev/null
+++ b/modules/piracy/default.nix
@@ -0,0 +1,177 @@
+{
+  config,
+  lib,
+  libNginx,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.nixfiles.modules.piracy;
+in
+{
+  imports = lib.attrValues (lib.modulesIn ./.);
+
+  options.nixfiles.modules.piracy = {
+    enable = lib.mkEnableOption "tools for working with the BitTorrent protocol";
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "piracy";
+    };
+    gid = lib.mkOption {
+      type = lib.types.int;
+      default = 210; # Unused UID from Nixpkgs.
+    };
+
+    flood = {
+      enable = lib.mkEnableOption "Flood" // {
+        default = cfg.enable;
+      };
+
+      domain = lib.mkOption {
+        description = "Domain name sans protocol scheme.";
+        type = lib.types.str;
+        default = "flood.${config.networking.domain}";
+      };
+    };
+  };
+
+  config =
+    let
+      files = "/export/rtorrent";
+      socket = "/run/rtorrent/rpc.sock";
+    in
+    lib.mkIf cfg.enable (
+      lib.mkMerge [
+        {
+          ark.directories = [
+            config.services.rtorrent.dataDir
+            files
+          ];
+
+          services.rtorrent = {
+            enable = true;
+
+            user = "rtorrent";
+            inherit (cfg) group;
+
+            rpcSocket = socket;
+            configText =
+              with config.services.rtorrent;
+              lib.mkForce ''
+                directory.default.set = ${files}
+                session.path.set = ${dataDir}/session
+
+                network.port_range.set = ${toString port}-${toString port}
+                network.port_random.set = no
+
+                dht.mode.set = disable
+                protocol.pex.set = no
+
+                trackers.use_udp.set = no
+
+                protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
+
+                pieces.memory.max.set = ${toString (lib.pow 2 11)}M
+                pieces.preload.type.set = 2
+
+                network.max_open_files.set   = ${toString (lib.pow 2 13)}
+                network.max_open_sockets.set = ${toString (lib.pow 2 13)}
+
+                network.http.max_open.set = ${toString (lib.pow 2 10)}
+
+                throttle.global_down.max_rate.set_kb = 0
+                throttle.global_up.max_rate.set_kb   = 0
+
+                network.scgi.open_local = ${socket}
+                network.xmlrpc.size_limit.set = ${toString (lib.pow 2 17)}
+
+                encoding.add = utf8
+                system.umask.set = 0007
+
+                log.open_file = "log", "/var/log/rtorrent/log"
+                log.add_output = "info", "log"
+              '';
+          };
+
+          systemd = {
+            sockets.rtorrent = {
+              socketConfig.ListenStream = socket;
+              wantedBy = [ "sockets.target" ];
+            };
+
+            services.rtorrent = {
+              serviceConfig = {
+                UMask = "0007";
+                RuntimeDirectory = "rtorrent";
+                LogsDirectory = "rtorrent";
+                ReadWritePaths = [ files ];
+              };
+              after = [ "rtorrent.socket" ];
+              requires = [ "rtorrent.socket" ];
+            };
+
+            tmpfiles.rules = with config.services.rtorrent; [
+              "d '${files}' 0750 ${user} ${cfg.group} -"
+            ];
+          };
+
+          users = {
+            users.${config.services.rtorrent.user}.uid = cfg.gid;
+            groups.${config.services.rtorrent.group}.gid = cfg.gid;
+          };
+          my.extraGroups = [ cfg.group ];
+
+          boot.kernel.sysctl = {
+            "net.core.rmem_max" = lib.mkOverride 500 (lib.pow 2 24);
+            "net.core.wmem_max" = lib.mkOverride 500 (lib.pow 2 24);
+            "net.ipv4.tcp_fin_timeout" = lib.mkOverride 500 30;
+            "net.ipv4.tcp_rmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24);
+            "net.ipv4.tcp_slow_start_after_idle" = 0;
+            "net.ipv4.tcp_tw_recycle" = lib.mkOverride 500 1;
+            "net.ipv4.tcp_tw_reuse" = lib.mkOverride 500 1;
+            "net.ipv4.tcp_wmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24);
+          };
+        }
+        (lib.mkIf cfg.flood.enable {
+          ark.directories = [ "/var/lib/private/flood" ];
+
+          nixfiles.modules.nginx = with config.services.flood; {
+            enable = true;
+            upstreams.flood.servers."${host}:${toString port}" = { };
+            virtualHosts.${cfg.flood.domain} = {
+              root = "${package}/lib/node_modules/flood/dist/assets";
+              locations = {
+                "/".tryFiles = "$uri /index.html";
+                "/api" = {
+                  proxyPass = "http://flood";
+                  extraConfig = libNginx.config.noProxyBuffering;
+                };
+              };
+              extraConfig = libNginx.config.internalOnly;
+            };
+          };
+
+          services.flood = {
+            enable = true;
+            extraArgs = [
+              "--auth=none"
+              "--assets=false"
+              "--allowedpath=${files}"
+              "--rtsocket=${socket}"
+            ];
+          };
+
+          systemd.services.flood = {
+            path = [ pkgs.mediainfo ];
+            serviceConfig = {
+              Group = cfg.group;
+              ReadOnlyPaths = [ files ];
+            };
+            after = [ "rtorrent.socket" ];
+            requires = [ "rtorrent.socket" ];
+          };
+        })
+      ]
+    );
+}