jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rework sturzbach service

Browse source
This commit is contained in:
Jakob Lechner 2025-09-02 00:31:38 +02:00
parent 8cec9745da
commit 23222c0c34
5 changed files with 65 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

4
hosts/iron/configuration.nix
View file

@ -18,8 +18,8 @@ let
"rpool/nixos/home" = "/home"; "rpool/nixos/home" = "/home";
"rpool/nixos/root" = "/"; "rpool/nixos/root" = "/";
"rpool/nixos/var/lib" = "/var/lib"; "rpool/nixos/var/lib" = "/var/lib";
"rpool/nixos/var/lib/qbittorrent" = "/var/lib/qbittorrent"; "rpool/nixos/var/lib/qBittorrent" = "/var/lib/qBittorrent";
"rpool/nixos/var/lib/qbittorrent/downloads" = "/var/lib/qbittorrent/downloads"; "rpool/nixos/var/lib/qBittorrent/downloads" = "/var/lib/qBittorrent/downloads";
"rpool/nixos/var/log" = "/var/log"; "rpool/nixos/var/log" = "/var/log";
}; };
partitionScheme = { partitionScheme = {

2
hosts/iron/services/jellyfin.nix
View file

@ -17,7 +17,7 @@ in
"/nix/store" "/nix/store"
"/filebitch/pub/Filme" "/filebitch/pub/Filme"
"/filebitch/pub/Serien" "/filebitch/pub/Serien"
"/var/lib/qbittorrent/downloads" "/var/lib/qBittorrent/downloads"
]; ];
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
#IPAddressAllow = "localhost"; #IPAddressAllow = "localhost";

67
hosts/iron/services/sturzbach.nix
View file

@ -2,15 +2,72 @@
let let
inherit (config.networking) ports; inherit (config.networking) ports;
interfaces = import ../interfaces.nix;
domain = "sturzbach.jalr.de";
cfg = config.services.qbittorrent;
in in
{ {
jalr.qbittorrent = { sops.secrets.sturzbach-htpasswd = {
enable = true; owner = "nginx";
downloadDir = "/sturzbach";
fqdn = "sturzbach.jalr.de";
webuiPort = ports.qbittorrent-webui.tcp;
}; };
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ ports.qbittorrent-torrent.tcp ]; allowedTCPPorts = [ ports.qbittorrent-torrent.tcp ];
}; };
systemd.services.qbittorrent.serviceConfig = {
# Increase number of open file descriptors (default: 1024)
LimitNOFILE = 65536;
};
services = {
qbittorrent = {
enable = true;
torrentingPort = ports.qbittorrent-torrent.tcp;
webuiPort = ports.qbittorrent-webui.tcp;
serverConfig = {
Network.PortForwardingEnabled = false;
Preferences.WebUI = {
Address = "127.0.0.1";
LocalHostAuth = false;
SecureCookie = true;
ServerDomains = domain;
SessionTimeout = 24 * 60 * 60;
UseUPnP = false;
};
BitTorrent.Session = {
DHTEnabled = false;
LSDEnabled = false;
PeXEnabled = false;
MaxActiveDownloads = 5;
MaxActiveTorrents = 10000;
MaxActiveUploads = 10000;
TempPath = "${cfg.profileDir}/downloads/incomplete";
TorrentContentLayout = "Subfolder";
AddTorrentStopped = false;
AnnounceToAllTiers = false;
DefaultSavePath = "${cfg.profileDir}/downloads";
DisableAutoTMMByDefault = false;
Interface = interfaces.wan;
InterfaceAddress = "0.0.0.0";
InterfaceName = interfaces.wan;
QueueingSystemEnabled = true;
ReannounceWhenAddressChanged = false;
};
};
};
nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.sturzbach-htpasswd.path;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString config.services.qbittorrent.webuiPort}";
proxyWebsockets = true;
};
};
};
};
} }

1
modules/default.nix
View file

@ -42,7 +42,6 @@
./pipewire.nix ./pipewire.nix
./podman.nix ./podman.nix
./printers ./printers
./qbittorrent
./remarkable.nix ./remarkable.nix
./sdr.nix ./sdr.nix
./sshd.nix ./sshd.nix

94
modules/qbittorrent/default.nix
View file

@ -1,94 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.jalr.qbittorrent;
in
{
options.jalr.qbittorrent = {
enable = lib.mkEnableOption "the qbittorrent service";
homeDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/qbittorrent";
};
configDir = lib.mkOption {
type = lib.types.path;
default = "${cfg.homeDir}/config";
};
downloadDir = lib.mkOption {
type = lib.types.path;
default = "${cfg.homeDir}/download";
};
webuiPort = lib.mkOption {
type = lib.types.int;
default = 8099;
};
sopsFile = lib.mkOption {
type = lib.types.path;
default = ../../hosts/${config.networking.hostName}/secrets.yaml;
description = ''
The sops secret file that includes the htpasswd file.
'';
};
fqdn = lib.mkOption {
type = lib.types.str;
description = "The fqdn nginx should listen on. It must not be used for anything else.";
};
};
config = lib.mkIf cfg.enable
{
users.users.qbittorrent = {
group = "qbittorrent";
home = cfg.homeDir;
isSystemUser = true;
};
users.groups.qbittorrent = { };
systemd.tmpfiles.rules = [
"d '${cfg.downloadDir}' 0775 qbittorrent users - -"
"d '${cfg.homeDir}' 0771 qbittorrent qbittorrent - -"
];
sops.secrets.sturzbach-htpasswd = {
inherit (cfg) sopsFile;
owner = "nginx";
};
systemd.services.qbittorrent = {
description = "qBittorrent Service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=${cfg.configDir} --webui-port=${toString cfg.webuiPort}";
User = "qbittorrent";
Group = "qbittorrent";
# Increase number of open file descriptors (default: 1024)
LimitNOFILE = 65536;
# systemd-analyze --no-pager security qbittorrent.service
CapabilityBoundingSet = null;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectHome = true;
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
};
};
services.nginx.virtualHosts."${cfg.fqdn}" = {
enableACME = lib.mkDefault true;
forceSSL = lib.mkDefault true;
basicAuthFile = config.sops.secrets.sturzbach-htpasswd.path;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString cfg.webuiPort}";
proxyWebsockets = true;
};
};
};
};
}