@@ -680,6 +680,37 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
680680 was removed, as udev gained native support to handle FIDO security tokens.
681681 </para >
682682 </listitem >
683+ <listitem >
684+ <para >
685+ The <literal >services.transmission</literal > module
686+ was enhanced with the new options:
687+ <xref linkend =" opt-services.transmission.credentialsFile" />,
688+ <xref linkend =" opt-services.transmission.openFirewall" />,
689+ and <xref linkend =" opt-services.transmission.performanceNetParameters" />.
690+ </para >
691+ <para >
692+ <literal >transmission-daemon</literal > is now started with additional systemd sandbox/hardening options for better security.
693+ Please <link xlink : href =" https://github.com/NixOS/nixpkgs/issues" >report</link >
694+ any use case where this is not working well.
695+ In particular, the <literal >RootDirectory</literal > option newly set
696+ forbids uploading or downloading a torrent outside of the default directory
697+ configured at <link linkend =" opt-services.transmission.settings" >settings.download-dir</link >.
698+ If you really need Transmission to access other directories,
699+ you must include those directories into the <literal >BindPaths</literal > of the service:
700+ <programlisting >
701+ systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
702+ </programlisting >
703+ </para >
704+ <para >
705+ Also, connection to the RPC (Remote Procedure Call) of <literal >transmission-daemon</literal >
706+ is now only available on the local network interface by default.
707+ Use:
708+ <programlisting >
709+ services.transmission.settings.rpc-bind-address = "0.0.0.0";
710+ </programlisting >
711+ to get the previous behavior of listening on all network interfaces.
712+ </para >
713+ </listitem >
683714 <listitem >
684715 <para >
685716 With this release <literal >systemd-networkd</literal > (when enabled through <xref linkend =" opt-networking.useNetworkd" />)
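Review bot: in the last added paragraph, "only available on the local network interface by default" is ambiguous, because it can be read as either the loopback interface or the LAN-facing one; state the new default value of rpc-bind-address explicitly so readers can tell which is meant. The snippet that restores "0.0.0.0" puts the RPC back on every interface, so a sentence there telling users to restrict who can reach it would help, along with a note on whether the new openFirewall option listed in the first paragraph touches the RPC port. In the RootDirectory paragraph only settings.download-dir is named; if the daemon is pointed at any other directory, say whether that directory also needs a BindPaths entry.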