rtorrent downloads, but doesn't upload yet

nix/deployments/nixops.nix

@@ -81,6 +81,54 @@ in
         /export/storage 192.168.1.0/24(insecure)
       '';
 
-      networking.firewall.allowedTCPPorts = [ 2049 ];
+      networking.firewall = {
+        allowedTCPPorts = [ 2049 ]; # NFS port
+        allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
+      };
+
+      deployment.keys.wireguard.text = builtins.readFile ../../secrets/wireguard/svalbard;
+
+      # Enable WireGuard
+      networking.wg-quick.interfaces = {
+        # "wg0" is the network interface name. You can name the interface arbitrarily.
+        wg0 = {
+          # Determines the IP address and subnet of the client's end of the tunnel interface.
+          address = [ "10.64.168.213/32" "fc00:bbbb:bbbb:bb01::1:a8d4/128" ];
+          dns = [ "10.64.0.1" ];
+          listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+          # Note: The private key can also be included inline via the privateKey option,
+          # but this makes the private key world-readable; thus, using privateKeyFile is
+          # recommended.
+          privateKeyFile = "/run/keys/wireguard";
+
+          # For a client configuration, one peer entry for the server will suffice.
+          peers = [
+            # Sweden, Malmo, se15
+            {
+              # Public key of the server (not a file path).
+              publicKey = "5y66WShsFXqM5K7/4CPEGCWfk7PQyNhVBT2ILjbGm2I=";
+
+              # Forward all the traffic via VPN.
+              allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+
+              # Set this to the server IP and port.
+              endpoint = "193.138.218.80:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+              # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+              persistentKeepalive = 25;
+            }
+          ];
+        };
+      };
+
+      systemd.services.my-service = {
+        after = [ "wireguard-key.service" ];
+        wants = [ "wireguard-key.service" ];
+        script = ''
+          export MY_SECRET=$(cat /run/keys/my-secret)
+          run-my-program
+        '';
+      };
     };
 }

nix/home/programs/flood/default.nix

@@ -17,8 +17,10 @@
     };
   };
 
+  users.users.flood.group = "flood";
   users.extraUsers.flood = {
     isNormalUser = true;
+    extraGroups = [ "rtorrent" "users" ];
   };
 
   systemd.services = {
@@ -31,7 +33,7 @@
         Restart = "on-failure";
       };
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
+      after = [ "network.target" "rtorrent.service" ];
     };
   };
 }

nix/home/programs/rtorrent/default.nix

@@ -1,16 +1,34 @@
 { pkgs, finalDir, downloadDir, watchDir }:
+let
+  dhtPort = 40000;
+in
 {
 
+  environment.systemPackages = with pkgs; [ rtorrent ];
+
+  users.extraUsers.rtorrent.extraGroups = [ "users" ];
+
   services.rtorrent = {
     enable = true;
     downloadDir = downloadDir;
-    group = "users";
+    # flood needs to be able to access the datadir
+    dataDir = downloadDir;
     configText =
       builtins.readFile (pkgs.substituteAll {
         src = ./rtorrent.rc;
         watchDir = watchDir;
         finalDir = finalDir;
+        dhtPort = builtins.toString dhtPort;
       });
   };
 
+  networking.firewall = {
+    allowedTCPPorts = [
+      # rtorrent default
+      50000
+    ];
+    allowedUDPPorts = [
+      dhtPort
+    ];
+  };
 }

nix/home/programs/rtorrent/rtorrent.rc

@@ -1,3 +1,17 @@
+# Set an interface with IPv4 address to bind to:
+method.insert = cfg.interface.bind, string|const|private, (cat,"wg0")
+# Get IPv4 address of a given interface
+method.insert = get_interface_ipv4_address, simple|private, "execute.capture=bash,-c,\"$cat=\\\"echo -n \$(ip -o -4 addr show \\\",$argument.0=,\\\" | grep -Po 'inet \\\\\\\\\\K[\\\\\\\\\\d.]+')\\\"\""
+# The IP address the listening socket and outgoing connections is bound to. (bind)
+schedule2 = set_bind_address, 0, 0, \
+    "branch=((cfg.interface.bind)), \
+        ((network.bind_address.set,(get_interface_ipv4_address,(cfg.interface.bind))))"
+
+dht.mode.set = on
+dht.port.set = @dhtPort@
+protocol.pex.set = yes
+trackers.use_udp.set = yes
+
 # Enable the default ratio group.
 ratio.enable=
 

nix/system/svalbard/configuration.nix

@@ -29,6 +29,7 @@
   networking.wireless = {
     enable = true; # Enables wireless support via wpa_supplicant.
   };
+  networking.nat.externalInterface = "wlo1";
 
   services.zfs.trim.enable = true;
 
@@ -79,8 +80,6 @@
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
-  networking.wireguard.enable = true;
-  networking.firewall.checkReversePath = "loose";
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions