diff --git a/hosts/iron/configuration.nix b/hosts/iron/configuration.nix
index 3c47261..99560b7 100644
--- a/hosts/iron/configuration.nix
+++ b/hosts/iron/configuration.nix
@@ -18,8 +18,8 @@ let
 "rpool/nixos/home" = "/home";
 "rpool/nixos/root" = "/";
 "rpool/nixos/var/lib" = "/var/lib";
- "rpool/nixos/var/lib/qbittorrent" = "/var/lib/qbittorrent";
- "rpool/nixos/var/lib/qbittorrent/downloads" = "/var/lib/qbittorrent/downloads";
+ "rpool/nixos/var/lib/qBittorrent" = "/var/lib/qBittorrent";
+ "rpool/nixos/var/lib/qBittorrent/downloads" = "/var/lib/qBittorrent/downloads";
 "rpool/nixos/var/log" = "/var/log";
 };
 partitionScheme = {
diff --git a/hosts/iron/services/jellyfin.nix b/hosts/iron/services/jellyfin.nix
index ad5e9a0..f5d642f 100644
--- a/hosts/iron/services/jellyfin.nix
+++ b/hosts/iron/services/jellyfin.nix
@@ -17,7 +17,7 @@ in
 "/nix/store"
 "/filebitch/pub/Filme"
 "/filebitch/pub/Serien"
- "/var/lib/qbittorrent/downloads"
+ "/var/lib/qBittorrent/downloads"
 ];
 CapabilityBoundingSet = "";
 #IPAddressAllow = "localhost";
diff --git a/hosts/iron/services/sturzbach.nix b/hosts/iron/services/sturzbach.nix
index 4f02a9a..7498fe0 100644
--- a/hosts/iron/services/sturzbach.nix
+++ b/hosts/iron/services/sturzbach.nix
@@ -2,15 +2,72 @@ let inherit (config.networking) ports; + interfaces = import ../interfaces.nix; + domain = "sturzbach.jalr.de"; + cfg = config.services.qbittorrent; in { - jalr.qbittorrent = { - enable = true; - downloadDir = "/sturzbach"; - fqdn = "sturzbach.jalr.de"; - webuiPort = ports.qbittorrent-webui.tcp; + sops.secrets.sturzbach-htpasswd = { + owner = "nginx"; }; + networking.firewall = { allowedTCPPorts = [ ports.qbittorrent-torrent.tcp ]; }; + + systemd.services.qbittorrent.serviceConfig = { + # Increase number of open file descriptors (default: 1024) + LimitNOFILE = 65536; + }; + + services = { + qbittorrent = { + enable = true; + torrentingPort = ports.qbittorrent-torrent.tcp; + webuiPort = ports.qbittorrent-webui.tcp; + serverConfig = { + Network.PortForwardingEnabled = false; + Preferences.WebUI = { + Address = "127.0.0.1"; + LocalHostAuth = false; + SecureCookie = true; + ServerDomains = domain; + SessionTimeout = 24 * 60 * 60; + UseUPnP = false; + }; + BitTorrent.Session = { + DHTEnabled = false; + LSDEnabled = false; + PeXEnabled = false; + MaxActiveDownloads = 5; + MaxActiveTorrents = 10000; + MaxActiveUploads = 10000; + TempPath = "${cfg.profileDir}/downloads/incomplete"; + TorrentContentLayout = "Subfolder"; + AddTorrentStopped = false; + AnnounceToAllTiers = false; + DefaultSavePath = "${cfg.profileDir}/downloads"; + DisableAutoTMMByDefault = false; + Interface = interfaces.wan; + InterfaceAddress = "0.0.0.0"; + InterfaceName = interfaces.wan; + QueueingSystemEnabled = true; + ReannounceWhenAddressChanged = false; + }; + }; + }; + nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + + basicAuthFile = config.sops.secrets.sturzbach-htpasswd.path; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:${toString config.services.qbittorrent.webuiPort}"; + proxyWebsockets = true; + }; + }; + }; + }; } diff --git a/modules/default.nix b/modules/default.nix index 7e5f2aa..49b9b9d 100644 --- a/modules/default.nix 
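Review bot: The sandboxing that the deleted modules/qbittorrent/default.nix applied to the unit (CapabilityBoundingSet, PrivateDevices, PrivateTmp, PrivateUsers, ProtectHome, RestrictNamespaces, SystemCallFilter = "@system-service") is not carried into the new `systemd.services.qbittorrent.serviceConfig`, which only keeps LimitNOFILE; unless the upstream services.qbittorrent unit applies equivalent hardening, this is a regression for a daemon that is bound to `interfaces.wan` and whose torrent port the firewall opens. A second point, in `Preferences.WebUI`: `Address = "127.0.0.1"` together with `LocalHostAuth = false` means any local process can drive the WebUI without credentials, so the htpasswd on the nginx vhost is the only gate and the whole loopback listener is implicitly trusted, with `SessionTimeout = 24 * 60 * 60` keeping a browser session valid for a day on top of that. If that delegation is intended, record it next to the option, e.g. `# WebUI auth is delegated to nginx basic auth; everything arriving on loopback is trusted`; otherwise leave LocalHostAuth at its default. The lines below carry the old hardening over into the new serviceConfig, using `CapabilityBoundingSet = ""` as jellyfin.nix in this same commit does.
```nix
  systemd.services.qbittorrent.serviceConfig = {
    # … unchanged: LimitNOFILE …
    # Sandboxing carried over from the removed modules/qbittorrent module; the
    # empty string clears the bounding set as in jellyfin.nix. Drop any entry
    # the upstream services.qbittorrent unit already sets.
    CapabilityBoundingSet = "";
    PrivateDevices = true;
    PrivateTmp = true;
    PrivateUsers = true;
    ProtectHome = true;
    RestrictNamespaces = true;
    SystemCallFilter = "@system-service";
  };
```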
+++ b/modules/default.nix
@@ -42,7 +42,6 @@
 ./pipewire.nix
 ./podman.nix
 ./printers
- ./qbittorrent
 ./remarkable.nix
 ./sdr.nix
 ./sshd.nix
diff --git a/modules/qbittorrent/default.nix b/modules/qbittorrent/default.nix
deleted file mode 100644
index 1c20e70..0000000
--- a/modules/qbittorrent/default.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- cfg = config.jalr.qbittorrent;
-in
-{
- options.jalr.qbittorrent = {
- enable = lib.mkEnableOption "the qbittorrent service";
- homeDir = lib.mkOption {
- type = lib.types.path;
- default = "/var/lib/qbittorrent";
- };
- configDir = lib.mkOption {
- type = lib.types.path;
- default = "${cfg.homeDir}/config";
- };
- downloadDir = lib.mkOption {
- type = lib.types.path;
- default = "${cfg.homeDir}/download";
- };
- webuiPort = lib.mkOption {
- type = lib.types.int;
- default = 8099;
- };
- sopsFile = lib.mkOption {
- type = lib.types.path;
- default = ../../hosts/${config.networking.hostName}/secrets.yaml;
- description = ''
- The sops secret file that includes the htpasswd file.
- '';
- };
- fqdn = lib.mkOption {
- type = lib.types.str;
- description = "The fqdn nginx should listen on. It must not be used for anything else.";
- };
- };
-
- config = lib.mkIf cfg.enable
- {
- users.users.qbittorrent = {
- group = "qbittorrent";
- home = cfg.homeDir;
- isSystemUser = true;
- };
- users.groups.qbittorrent = { };
-
- systemd.tmpfiles.rules = [
- "d '${cfg.downloadDir}' 0775 qbittorrent users - -"
- "d '${cfg.homeDir}' 0771 qbittorrent qbittorrent - -"
- ];
-
- sops.secrets.sturzbach-htpasswd = {
- inherit (cfg) sopsFile;
- owner = "nginx";
- };
-
- systemd.services.qbittorrent = {
- description = "qBittorrent Service";
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- Restart = "always";
- ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=${cfg.configDir} --webui-port=${toString cfg.webuiPort}";
- User = "qbittorrent";
- Group = "qbittorrent";
-
- # Increase number of open file descriptors (default: 1024)
- LimitNOFILE = 65536;
-
- # systemd-analyze --no-pager security qbittorrent.service
- CapabilityBoundingSet = null;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectHome = true;
- RestrictNamespaces = true;
- SystemCallFilter = "@system-service";
- };
- };
-
- services.nginx.virtualHosts."${cfg.fqdn}" = {
- enableACME = lib.mkDefault true;
- forceSSL = lib.mkDefault true;
-
- basicAuthFile = config.sops.secrets.sturzbach-htpasswd.path;
-
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:${toString cfg.webuiPort}";
- proxyWebsockets = true;
- };
- };
- };
- };
-}