jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests 2 Projects Releases Packages Wiki Activity Actions

moreclean up and more hardening

Browse source
This commit is contained in:
Joseph Hanson 2025-01-24 10:19:55 -06:00
parent 611bde18b2
commit 619a00618d
2 changed files with 32 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
nixos/hosts/shadowfax/default.nix
View file

@ -4,13 +4,11 @@
inputs, inputs,
pkgs, pkgs,
... ...
}: }: let
let
sanoidConfig = import ./config/sanoid.nix {}; sanoidConfig = import ./config/sanoid.nix {};
disks = import ./config/disks.nix; disks = import ./config/disks.nix;
smartdDevices = map (device: {inherit device;}) disks; smartdDevices = map (device: {inherit device;}) disks;
in in {
{
imports = [ imports = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { (import ../../profiles/disko-nixos.nix {
@ -73,11 +71,6 @@ in
}; };
}; };
# Programs
environment.systemPackages = with pkgs; [
# Headless qBittorrent - qbittorrent-nox
];
programs = { programs = {
# 1Password cli # 1Password cli
_1password.enable = true; _1password.enable = true;

40
nixos/modules/nixos/services/qbittorrent/default.nix
View file

@ -78,6 +78,7 @@ in
}; };
environment.systemPackages = [ environment.systemPackages = [
cfg.package
]; ];
systemd.services.qbittorrent = { systemd.services.qbittorrent = {
@ -88,34 +89,13 @@ in
QBT_DOWNLOADS_PATH = "${cfg.dataDir}/downloads"; QBT_DOWNLOADS_PATH = "${cfg.dataDir}/downloads";
XDG_CONFIG_HOME = cfg.dataDir; XDG_CONFIG_HOME = cfg.dataDir;
XDG_DATA_HOME = cfg.dataDir; XDG_DATA_HOME = cfg.dataDir;
CONFIG_DIR = "${cfg.dataDir}"; CONFIG_DIR = "${cfg.dataDir}/qBittorrent";
CONFIG_FILE = "${cfg.dataDir}/qBittorrent.conf"; CONFIG_FILE = "${cfg.dataDir}/qBittorrent/config/qBittorrent.conf";
LOG_DIR = "${cfg.dataDir}/logs"; LOG_DIR = "${cfg.dataDir}/logs";
LOG_FILE = "${cfg.dataDir}/logs/qbittorrent.log"; LOG_FILE = "${cfg.dataDir}/logs/qbittorrent.log";
}; };
preStart = '' serviceConfig = lib.mkMerge [
# Ensure config directory exists
mkdir -p "$CONFIG_DIR"
# Set up log directory and file
mkdir -p "$LOG_DIR"
# Copy default config if it doesn't exist
if [[ ! -f "$CONFIG_FILE" ]]; then
cat > "$CONFIG_FILE" << EOF
[BitTorrent]
Session\DefaultSavePath=${cfg.downloadsDir}
Session\Port=${toString cfg.qbittorrentPort}
Session\TempPath=${cfg.downloadsDir}/temp
EOF
fi
# Ensure correct permissions
chown -R ${cfg.user}:${cfg.group} "$CONFIG_DIR"
'';
serviceConfig =
{ {
ExecStart = "${cfg.package}/bin/qbittorrent-nox --profile=${cfg.dataDir}"; ExecStart = "${cfg.package}/bin/qbittorrent-nox --profile=${cfg.dataDir}";
ReadWritePaths = [ ReadWritePaths = [
@ -124,9 +104,12 @@ in
]; ];
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 5; RestartSec = 5;
User = cfg.user;
Group = cfg.group;
} }
// lib.mkIf cfg.hardening { (lib.mkIf cfg.hardening {
CapabilityBoundingSet = [ ]; CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
@ -141,8 +124,6 @@ in
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
"AF_NETLINK"
"AF_UNIX"
]; ];
RestrictNamespaces = [ RestrictNamespaces = [
"uts" "uts"
@ -159,7 +140,8 @@ in
"~@privileged" "~@privileged"
"~@resources" "~@resources"
]; ];
}; })
];
}; };
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {