jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

add qbittorrent (#68)

Browse source 
Reviewed-on: #68
This commit is contained in:
Joseph Hanson 2025-01-24 10:29:19 -06:00
parent 0c778e5994
commit e83d3dc743
4 changed files with 195 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
.vscode/settings.json vendored
View file

@ -11,16 +11,17 @@
"files.trimTrailingWhitespace": true, "files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "age.key", "sops.defaults.ageKeyFile": "age.key",
"nix.enableLanguageServer": true, "nix.enableLanguageServer": true,
"nix.serverPath": "/run/current-system/sw/bin/nil", "nix.serverPath": "/run/current-system/sw/bin/nixd",
"nix.formatterPath": "/run/current-system/sw/bin/nixfmt", "nix.formatterPath": "/run/current-system/sw/bin/nixfmt",
"nix.serverSettings": { "nix.serverSettings": {
"nil": { "nixd": {
"formatting": { "formatting": {
"command": ["nixfmt"] "command": ["nixfmt"]
}, },
"diagnostics": { "options": {
"ignored": [], "nixos": {
"excludedFiles": [] "expr": "(builtins.getFlake \"/home/jahanson/projects/mochi\").nixosConfigurations.shadowfax.options"
}
} }
}, },
"nix": { "nix": {

56
nixos/hosts/shadowfax/default.nix
View file

@ -4,28 +4,26 @@
inputs, inputs,
pkgs, pkgs,
... ...
}: }: let
let sanoidConfig = import ./config/sanoid.nix {};
sanoidConfig = import ./config/sanoid.nix { };
disks = import ./config/disks.nix; disks = import ./config/disks.nix;
smartdDevices = map (device: { inherit device; }) disks; smartdDevices = map (device: {inherit device;}) disks;
in in {
{
imports = [ imports = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { (import ../../profiles/disko-nixos.nix {
disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ]; disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
}) })
inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-minecraft.nixosModules.minecraft-servers
]; ];
boot = { boot = {
initrd = { initrd = {
kernelModules = [ "nfs" ]; kernelModules = ["nfs"];
supportedFilesystems = [ "nfs" ]; supportedFilesystems = ["nfs"];
}; };
binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for arm compilation binfmt.emulatedSystems = ["aarch64-linux"]; # Enabled for arm compilation
kernelModules = [ kernelModules = [
"vfio" "vfio"
@ -33,11 +31,11 @@ in
"vfio_pci" "vfio_pci"
"vfio_virqfd" "vfio_virqfd"
]; ];
extraModulePackages = [ ]; extraModulePackages = [];
kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB kernelParams = ["zfs.zfs_arc_max=107374182400"]; # 100GB
}; };
swapDevices = [ ]; swapDevices = [];
hardware = { hardware = {
cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@ -47,7 +45,7 @@ in
nvidia-container-toolkit.enable = true; nvidia-container-toolkit.enable = true;
}; };
users.users.root.openssh.authorizedKeys.keys = [ ]; users.users.root.openssh.authorizedKeys.keys = [];
# Network settings # Network settings
networking = { networking = {
@ -103,7 +101,6 @@ in
# Minio # Minio
9000 # console web interface 9000 # console web interface
9001 # api interface 9001 # api interface
]; ];
}; };
@ -120,7 +117,7 @@ in
# Minio # Minio
minio = { minio = {
enable = true; enable = true;
dataDir = [ "/eru/minio" ]; dataDir = ["/eru/minio"];
rootCredentialsFile = config.sops.secrets."minio".path; rootCredentialsFile = config.sops.secrets."minio".path;
}; };
@ -147,7 +144,7 @@ in
# Soft Serve - SSH git server # Soft Serve - SSH git server
soft-serve = { soft-serve = {
enable = true; enable = true;
settings = import ./config/soft-serve.nix { }; settings = import ./config/soft-serve.nix {};
}; };
# Tailscale # Tailscale
@ -159,7 +156,7 @@ in
# VSCode Compatibility Settings # VSCode Compatibility Settings
vscode-server.enable = true; vscode-server.enable = true;
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = ["nvidia"];
}; };
# sops # sops
@ -169,19 +166,19 @@ in
owner = "minio"; owner = "minio";
group = "minio"; group = "minio";
mode = "400"; mode = "400";
restartUnits = [ "minio.service" ]; restartUnits = ["minio.service"];
}; };
"syncthing/publicCert" = { "syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml; sopsFile = ./secrets.sops.yaml;
owner = "jahanson"; owner = "jahanson";
mode = "400"; mode = "400";
restartUnits = [ "syncthing.service" ]; restartUnits = ["syncthing.service"];
}; };
"syncthing/privateKey" = { "syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml; sopsFile = ./secrets.sops.yaml;
owner = "jahanson"; owner = "jahanson";
mode = "400"; mode = "400";
restartUnits = [ "syncthing.service" ]; restartUnits = ["syncthing.service"];
}; };
# "caddy/env" = { # "caddy/env" = {
# sopsFile = ./secrets.sops.yaml; # sopsFile = ./secrets.sops.yaml;
@ -229,6 +226,19 @@ in
publicCertPath = config.sops.secrets."syncthing/publicCert".path; publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path; privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
}; };
# qBittorrent
qbittorrent = {
enable = true;
package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
user = "qbittorrent";
group = "qbittorrent";
dataDir = "/nahar/qbittorrent";
downloadsDir = "/eru/media/qb/downloads/complete";
webuiPort = 8456;
openFirewall = true;
hardening = true;
qbittorrentPort = 50413;
};
# ZFS nightly snapshot of container volumes # ZFS nightly snapshot of container volumes
zfs-nightly-snap = { zfs-nightly-snap = {
enable = true; enable = true;
@ -242,9 +252,9 @@ in
system = { system = {
incus = { incus = {
enable = true; enable = true;
preseed = import ./config/incus-preseed.nix { }; preseed = import ./config/incus-preseed.nix {};
}; };
motd.networkInterfaces = [ "bond0" ]; motd.networkInterfaces = ["bond0"];
nfs.enable = true; nfs.enable = true;
zfs.enable = true; zfs.enable = true;
zfs.mountPoolsAtBoot = [ zfs.mountPoolsAtBoot = [

1
nixos/modules/nixos/services/default.nix
View file

@ -10,6 +10,7 @@
./nix-index-daily ./nix-index-daily
./onepassword-connect ./onepassword-connect
./podman ./podman
./qbittorrent
./reboot-required-check.nix ./reboot-required-check.nix
./sanoid ./sanoid
./syncthing ./syncthing

155
nixos/modules/nixos/services/qbittorrent/default.nix Normal file
View file

@ -0,0 +1,155 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.qbittorrent;
in
{
options.mySystem.services.qbittorrent = {
enable = mkEnableOption "qBittorrent";
package = mkOption {
type = types.package;
default = pkgs.qbittorrent;
description = "qBittorrent package to use";
};
user = mkOption {
type = types.str;
default = "qbittorrent";
description = "User account under which qBittorrent runs";
};
group = mkOption {
type = types.str;
default = "qbittorrent";
description = "Group under which qBittorrent runs";
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/qbittorrent";
description = "Storage directory for qBittorrent data";
};
downloadsDir = mkOption {
type = types.path;
default = "/var/lib/qbittorrent/downloads";
description = "Location to store the downloads";
};
webuiPort = mkOption {
type = types.port;
default = 8080;
description = "Port for qBittorrent web interface";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Open firewall ports for qBittorrent";
};
hardening = mkOption {
type = types.bool;
default = true;
description = "Enable security hardening features";
};
qbittorrentPort = mkOption {
type = types.port;
default = 6881;
description = "Port used for peer connections";
};
};
config = mkIf cfg.enable {
users.groups.${cfg.group} = { };
users.users = mkIf (cfg.user == "qbittorrent") {
qbittorrent = {
inherit (cfg) group;
isSystemUser = true;
home = cfg.dataDir;
};
};
environment.systemPackages = [
cfg.package
];
systemd.services.qbittorrent = {
environment = {
QBT_CONFIRM_LEGAL_NOTICE = "1";
QBT_WEBUI_PORT = toString cfg.webuiPort;
QBT_TORRENTING_PORT = toString cfg.qbittorrentPort;
QBT_DOWNLOADS_PATH = "${cfg.downloadsDir}";
XDG_CONFIG_HOME = cfg.dataDir;
XDG_DATA_HOME = cfg.dataDir;
CONFIG_DIR = "${cfg.dataDir}/qBittorrent";
CONFIG_FILE = "${cfg.dataDir}/qBittorrent/config/qBittorrent.conf";
LOG_DIR = "${cfg.dataDir}/logs";
LOG_FILE = "${cfg.dataDir}/logs/qbittorrent.log";
};
serviceConfig = lib.mkMerge [
{
ExecStart = "${cfg.package}/bin/qbittorrent-nox --profile=${cfg.dataDir}";
ReadWritePaths = [
cfg.dataDir
cfg.downloadsDir
];
Restart = "on-failure";
RestartSec = 5;
User = cfg.user;
Group = cfg.group;
}
(lib.mkIf cfg.hardening {
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectHome = "read-only";
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = [
"uts"
"ipc"
"pid"
"user"
"cgroup"
"net"
];
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
})
];
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
cfg.webuiPort
cfg.qbittorrentPort
];
allowedUDPPorts = [ cfg.qbittorrentPort ];
};
};
}