transmission: move apparmor profile to Nixpkgs

nixos/modules/services/torrent/transmission.nix

@@ -359,55 +359,38 @@ in
     ];
 
     security.apparmor.policies."bin.transmission-daemon".profile = ''
-        include <tunables/global>
+      include "${pkgs.transmission.apparmor}/bin.transmission-daemon"
-        ${pkgs.transmission}/bin/transmission-daemon {
+    '';
-          include <abstractions/base>
+    security.apparmor.includes."local/bin.transmission-daemon" = ''
-          include <abstractions/nameservice>
+      r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
-          include <abstractions/ssl_certs>
+
-          include "${pkgs.apparmorRulesFromClosure
+      owner rw ${cfg.home}/${settingsDir}/**,
-            { name = "transmission-daemon"; }
+      rw ${cfg.settings.download-dir}/**,
-            [ pkgs.transmission ]}"
+      ${optionalString cfg.settings.incomplete-dir-enabled ''
-          include <local/bin.transmission-daemon>
+        rw ${cfg.settings.incomplete-dir}/**,
-
+      ''}
-          r @{PROC}/sys/kernel/random/uuid,
+      ${optionalString cfg.settings.watch-dir-enabled ''
-          r @{PROC}/sys/vm/overcommit_memory,
+        rw ${cfg.settings.watch-dir}/**,
-          r @{PROC}/@{pid}/environ,
+      ''}
-          r @{PROC}/@{pid}/mounts,
+      profile dirs {
-          rwk /tmp/tr_session_id_*,
+        rw ${cfg.settings.download-dir}/**,
-          r /run/systemd/resolve/stub-resolv.conf,
+        ${optionalString cfg.settings.incomplete-dir-enabled ''
-
+          rw ${cfg.settings.incomplete-dir}/**,
-          r ${pkgs.openssl.out}/etc/**,
+        ''}
-          r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
+        ${optionalString cfg.settings.watch-dir-enabled ''
-
+          rw ${cfg.settings.watch-dir}/**,
-          owner rw ${cfg.home}/${settingsDir}/**,
+        ''}
-          rw ${cfg.settings.download-dir}/**,
+      }
-          ${optionalString cfg.settings.incomplete-dir-enabled ''
+
-            rw ${cfg.settings.incomplete-dir}/**,
+      ${optionalString (cfg.settings.script-torrent-done-enabled &&
-          ''}
+                        cfg.settings.script-torrent-done-filename != "") ''
-          ${optionalString cfg.settings.watch-dir-enabled ''
+        # Stack transmission_directories profile on top of
-            rw ${cfg.settings.watch-dir}/**,
+        # any existing profile for script-torrent-done-filename
-          ''}
+        # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
-          profile dirs {
+        # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
-            rw ${cfg.settings.download-dir}/**,
+        px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
-            ${optionalString cfg.settings.incomplete-dir-enabled ''
+      ''}
-              rw ${cfg.settings.incomplete-dir}/**,
-            ''}
-            ${optionalString cfg.settings.watch-dir-enabled ''
-              rw ${cfg.settings.watch-dir}/**,
-            ''}
-          }
-
-          ${optionalString (cfg.settings.script-torrent-done-enabled &&
-                            cfg.settings.script-torrent-done-filename != "") ''
-            # Stack transmission_directories profile on top of
-            # any existing profile for script-torrent-done-filename
-            # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
-            # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
-            px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
-          ''}
-        }
     '';
-    security.apparmor.includes."local/bin.transmission-daemon" = "";
   };
 
   meta.maintainers = with lib.maintainers; [ julm ];

pkgs/applications/networking/p2p/transmission/default.nix

@@ -21,6 +21,7 @@
 , enableDaemon ? true
 , enableCli ? true
 , installLib ? false
+, apparmorRulesFromClosure
 }:
 
 let
@@ -38,6 +39,8 @@ in stdenv.mkDerivation {
     fetchSubmodules = true;
   };
 
+  outputs = [ "out" "apparmor" ];
+
   cmakeFlags =
     let
       mkFlag = opt: if opt then "ON" else "OFF";
@@ -74,6 +77,30 @@ in stdenv.mkDerivation {
 
   NIX_LDFLAGS = lib.optionalString stdenv.isDarwin "-framework CoreFoundation";
 
+  postInstall = ''
+    install -D -m 644 /dev/stdin $apparmor/bin.transmission-daemon <<EOF
+    include <tunables/global>
+    $out/bin/transmission-daemon {
+      include <abstractions/base>
+      include <abstractions/nameservice>
+      include <abstractions/ssl_certs>
+      include "${apparmorRulesFromClosure { name = "transmission-daemon"; } ([
+        curl libevent openssl pcre zlib
+      ] ++ lib.optionals enableSystemd [ systemd ]
+        ++ lib.optionals stdenv.isLinux [ inotify-tools ]
+      )}"
+      r @{PROC}/sys/kernel/random/uuid,
+      r @{PROC}/sys/vm/overcommit_memory,
+      r @{PROC}/@{pid}/environ,
+      r @{PROC}/@{pid}/mounts,
+      rwk /tmp/tr_session_id_*,
+      r /run/systemd/resolve/stub-resolv.conf,
+
+      include <local/bin.transmission-daemon>
+    }
+    EOF
+  '';
+
   meta = {
     description = "A fast, easy and free BitTorrent client";
     longDescription = ''