qbittorrent #68
4 changed files with 195 additions and 28 deletions
11
.vscode/settings.json
vendored
11
.vscode/settings.json
vendored
|
@ -11,16 +11,17 @@
|
|||
"files.trimTrailingWhitespace": true,
|
||||
"sops.defaults.ageKeyFile": "age.key",
|
||||
"nix.enableLanguageServer": true,
|
||||
"nix.serverPath": "/run/current-system/sw/bin/nil",
|
||||
"nix.serverPath": "/run/current-system/sw/bin/nixd",
|
||||
"nix.formatterPath": "/run/current-system/sw/bin/nixfmt",
|
||||
"nix.serverSettings": {
|
||||
"nil": {
|
||||
"nixd": {
|
||||
"formatting": {
|
||||
"command": ["nixfmt"]
|
||||
},
|
||||
"diagnostics": {
|
||||
"ignored": [],
|
||||
"excludedFiles": []
|
||||
"options": {
|
||||
"nixos": {
|
||||
"expr": "(builtins.getFlake \"/home/jahanson/projects/mochi\").nixosConfigurations.shadowfax.options"
|
||||
}
|
||||
}
|
||||
},
|
||||
"nix": {
|
||||
|
|
|
@ -4,13 +4,11 @@
|
|||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
}: let
|
||||
sanoidConfig = import ./config/sanoid.nix {};
|
||||
disks = import ./config/disks.nix;
|
||||
smartdDevices = map (device: {inherit device;}) disks;
|
||||
in
|
||||
{
|
||||
in {
|
||||
imports = [
|
||||
inputs.disko.nixosModules.disko
|
||||
(import ../../profiles/disko-nixos.nix {
|
||||
|
@ -103,7 +101,6 @@ in
|
|||
# Minio
|
||||
9000 # console web interface
|
||||
9001 # api interface
|
||||
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -229,6 +226,19 @@ in
|
|||
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
|
||||
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
|
||||
};
|
||||
# qBittorrent
|
||||
qbittorrent = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
|
||||
user = "qbittorrent";
|
||||
group = "qbittorrent";
|
||||
dataDir = "/nahar/qbittorrent";
|
||||
downloadsDir = "/eru/media/qb/downloads/complete";
|
||||
webuiPort = 8456;
|
||||
openFirewall = true;
|
||||
hardening = true;
|
||||
qbittorrentPort = 50413;
|
||||
};
|
||||
# ZFS nightly snapshot of container volumes
|
||||
zfs-nightly-snap = {
|
||||
enable = true;
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
./nix-index-daily
|
||||
./onepassword-connect
|
||||
./podman
|
||||
./qbittorrent
|
||||
./reboot-required-check.nix
|
||||
./sanoid
|
||||
./syncthing
|
||||
|
|
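--- a/nixos/modules/nixos/services/qbittorrent/default.nix
+++ b/nixos/modules/nixos/services/qbittorrent/default.nix
@@ -0,0 +1,155 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.mySystem.services.qbittorrent;
+in
+{
+  options.mySystem.services.qbittorrent = {
+    enable = mkEnableOption "qBittorrent";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.qbittorrent;
+      description = "qBittorrent package to use";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "qbittorrent";
+      description = "User account under which qBittorrent runs";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "qbittorrent";
+      description = "Group under which qBittorrent runs";
+    };
+
+    dataDir = mkOption {
+      type = types.path;
+      default = "/var/lib/qbittorrent";
+      description = "Storage directory for qBittorrent data";
+    };
+
+    downloadsDir = mkOption {
+      type = types.path;
+      default = "/var/lib/qbittorrent/downloads";
+      description = "Location to store the downloads";
+    };
+
+    webuiPort = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "Port for qBittorrent web interface";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Open firewall ports for qBittorrent";
+    };
+
+    hardening = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable security hardening features";
+    };
+
+    qbittorrentPort = mkOption {
+      type = types.port;
+      default = 6881;
+      description = "Port used for peer connections";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.${cfg.group} = { };
+    users.users = mkIf (cfg.user == "qbittorrent") {
+      qbittorrent = {
+        inherit (cfg) group;
+        isSystemUser = true;
+        home = cfg.dataDir;
+      };
+    };
+
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    systemd.services.qbittorrent = {
+      environment = {
+        QBT_CONFIRM_LEGAL_NOTICE = "1";
+        QBT_WEBUI_PORT = toString cfg.webuiPort;
+        QBT_TORRENTING_PORT = toString cfg.qbittorrentPort;
+        QBT_DOWNLOADS_PATH = "${cfg.downloadsDir}";
+        XDG_CONFIG_HOME = cfg.dataDir;
+        XDG_DATA_HOME = cfg.dataDir;
+        CONFIG_DIR = "${cfg.dataDir}/qBittorrent";
+        CONFIG_FILE = "${cfg.dataDir}/qBittorrent/config/qBittorrent.conf";
+        LOG_DIR = "${cfg.dataDir}/logs";
+        LOG_FILE = "${cfg.dataDir}/logs/qbittorrent.log";
+      };
+
+      serviceConfig = lib.mkMerge [
+        {
+          ExecStart = "${cfg.package}/bin/qbittorrent-nox --profile=${cfg.dataDir}";
+          ReadWritePaths = [
+            cfg.dataDir
+            cfg.downloadsDir
+          ];
+          Restart = "on-failure";
+          RestartSec = 5;
+          User = cfg.user;
+          Group = cfg.group;
+        }
+        (lib.mkIf cfg.hardening {
+          CapabilityBoundingSet = [ "" ];
+          DeviceAllow = [ "" ];
+          DevicePolicy = "closed";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          ProtectControlGroups = true;
+          ProtectHome = "read-only";
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+          ];
+          RestrictNamespaces = [
+            "uts"
+            "ipc"
+            "pid"
+            "user"
+            "cgroup"
+            "net"
+          ];
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+            "~@resources"
+          ];
+        })
+      ];
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [
+        cfg.webuiPort
+        cfg.qbittorrentPort
+      ];
+      allowedUDPPorts = [ cfg.qbittorrentPort ];
+    };
+  };
+}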
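Review bot: `openFirewall` exposes the WebUI on every interface, because `allowedTCPPorts` lists `cfg.webuiPort` next to the peer port while nothing in the module sets a WebUI password, a bind address or localhost-only auth, so a fresh profile answers on `webuiPort` with qBittorrent's bootstrap credentials (a generated password logged at first start in recent releases, `admin`/`adminadmin` in older ones, as far as I recall) to anyone who can reach the host. I would open only the peer port here, `allowedTCPPorts = [ cfg.qbittorrentPort ];`, put the WebUI behind a reverse proxy or a separate opt-in option, and state in the `openFirewall` description exactly which ports it opens. Separately, `QBT_DOWNLOADS_PATH`, `CONFIG_DIR`, `CONFIG_FILE`, `LOG_DIR` and `LOG_FILE` do not match any qbittorrent-nox option I know of (the binary maps `--foo` to `QBT_FOO`, so a save path would be `QBT_SAVE_PATH`, and that applies only to torrents given on the command line), so please confirm they are read or drop them rather than leave a config path in the unit that nothing enforces. Finally, `RestrictAddressFamilies` omits `AF_UNIX` and `AF_NETLINK`, which libtorrent's interface enumeration and Qt's local sockets may need; check the journal after the first start with `hardening = true` before it stays the default, and consider `StateDirectory`/tmpfiles for `dataDir`, since nothing here creates it and `ProtectSystem = "strict"` will not let the service do so.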