fix transmission port forwarding

common/network/pia-vpn/default.nix

@@ -51,10 +51,6 @@ let
       receiveForwardedPort = mkOption {
         type = types.nullOr (types.submodule {
           options = {
-            port = mkOption {
-              type = types.port;
-              description = "Target port to forward PIA-assigned port to";
-            };
             protocol = mkOption {
               type = types.enum [ "tcp" "udp" "both" ];
               default = "both";

common/network/pia-vpn/vpn-container.nix

@@ -24,16 +24,15 @@ let
     let
       fwd = forwardingContainer.receiveForwardedPort;
       targetIp = forwardingContainer.ip;
-      targetPort = toString fwd.port;
       tcpRules = optionalString (fwd.protocol == "tcp" || fwd.protocol == "both") ''
-        echo "Setting up TCP DNAT: port $PORT → ${targetIp}:${targetPort}"
+        echo "Setting up TCP DNAT: port $PORT → ${targetIp}:$PORT"
-        iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${targetIp}:${targetPort}
+        iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${targetIp}
-        iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport ${targetPort} -j ACCEPT
+        iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport $PORT -j ACCEPT
       '';
       udpRules = optionalString (fwd.protocol == "udp" || fwd.protocol == "both") ''
-        echo "Setting up UDP DNAT: port $PORT → ${targetIp}:${targetPort}"
+        echo "Setting up UDP DNAT: port $PORT → ${targetIp}:$PORT"
-        iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${targetIp}:${targetPort}
+        iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${targetIp}
-        iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport ${targetPort} -j ACCEPT
+        iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport $PORT -j ACCEPT
       '';
       onPortForwarded = optionalString (forwardingContainer.onPortForwarded != null) ''
         TARGET_IP="${targetIp}"
@@ -43,9 +42,13 @@ let
       '';
     in
     ''
-      ${tcpRules}
+      if [ "$PORT" -lt 1000 ]; then
-      ${udpRules}
+        echo "ERROR: PIA assigned privileged port $PORT (< 1000), refusing to set up DNAT" >&2
-      ${onPortForwarded}
+      else
+        ${tcpRules}
+        ${udpRules}
+        ${onPortForwarded}
+      fi
     ''
   );
 in

machines/storage/s0/default.nix

@@ -63,17 +63,17 @@
       ip = "10.100.0.10";
       mounts."/var/lib".hostPath = "/var/lib";
       mounts."/data/samba/Public".hostPath = "/data/samba/Public";
-      receiveForwardedPort = { port = 51413; protocol = "both"; };
+      receiveForwardedPort = { protocol = "both"; };
       onPortForwarded = ''
         # Notify Transmission of the PIA-assigned peer port via RPC
         for i in $(seq 1 30); do
-          curlout=$(curl -s "http://$TARGET_IP:9091/transmission/rpc" 2>/dev/null) && break
+          curlout=$(curl -s "http://$TARGET_IP:80/transmission/rpc" 2>/dev/null) && break
           sleep 2
         done
         regex='X-Transmission-Session-Id: (\w*)'
         if [[ $curlout =~ $regex ]]; then
           sessionId=''${BASH_REMATCH[1]}
-          curl -s "http://$TARGET_IP:9091/transmission/rpc" \
+          curl -s "http://$TARGET_IP:80/transmission/rpc" \
             -d "{\"method\":\"session-set\",\"arguments\":{\"peer-port\":$PORT}}" \
             -H "X-Transmission-Session-Id: $sessionId"
         fi
@@ -91,6 +91,7 @@
             "incomplete-dir-enabled" = true;
 
             "rpc-enabled" = true;
+            "rpc-port" = 80;
             "rpc-bind-address" = "0.0.0.0";
             "rpc-whitelist" = "127.0.0.1,10.100.*.*,192.168.*.*";
             "rpc-host-whitelist-enabled" = false;
@@ -231,7 +232,7 @@
         (mkVirtualHost "lidarr.s0.neet.dev" "http://servarr.containers:8686")
         (mkVirtualHost "sonarr.s0.neet.dev" "http://servarr.containers:8989")
         (mkVirtualHost "prowlarr.s0.neet.dev" "http://servarr.containers:9696")
-        (mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:9091")
+        (mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:80")
         (mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
         (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
         (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")