{ config, lib, pkgs, ... }:

with config.krebs.lib;

let
  rpc-password = import <secrets/transmission-pw>;
in {

  users.extraUsers = {
    download = {
      name = "download";
      home = "/var/download";
      createHome = true;
      useDefaultShell = true;
      extraGroups = [
        "download"
      ];
      openssh.authorizedKeys.keys = [
        config.krebs.users.lass.pubkey
        config.krebs.users.lass-uriel.pubkey
        config.krebs.users.lass-shodan.pubkey
      ];
    };

    transmission = {
      extraGroups = [
        "download"
      ];
    };
  };

  users.extraGroups = {
    download = {
      members = [
        "download"
        "transmission"
      ];
    };
  };

  services.transmission = {
    enable = true;
    settings = {
      download-dir = "/var/download/finished";
      incomplete-dir = "/var/download/incoming";
      incomplete-dir-enabled = true;

      rpc-authentication-required = true;
      rpc-whitelist-enabled = false;
      rpc-username = "download";
      inherit rpc-password;
      peer-port = 51413;
    };
  };

  krebs.iptables = {
    enable = true;
    tables.filter.INPUT.rules = [
      { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
      { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
      { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
    ];
  };
}