Rework sturzbach service

hosts/iron/configuration.nix

@@ -18,8 +18,8 @@ let
     "rpool/nixos/home" = "/home";
     "rpool/nixos/root" = "/";
     "rpool/nixos/var/lib" = "/var/lib";
-    "rpool/nixos/var/lib/qbittorrent" = "/var/lib/qbittorrent";
-    "rpool/nixos/var/lib/qbittorrent/downloads" = "/var/lib/qbittorrent/downloads";
+    "rpool/nixos/var/lib/qBittorrent" = "/var/lib/qBittorrent";
+    "rpool/nixos/var/lib/qBittorrent/downloads" = "/var/lib/qBittorrent/downloads";
     "rpool/nixos/var/log" = "/var/log";
   };
   partitionScheme = {

hosts/iron/services/jellyfin.nix

@@ -17,7 +17,7 @@ in
         "/nix/store"
         "/filebitch/pub/Filme"
         "/filebitch/pub/Serien"
-        "/var/lib/qbittorrent/downloads"
+        "/var/lib/qBittorrent/downloads"
       ];
       CapabilityBoundingSet = "";
       #IPAddressAllow = "localhost";

hosts/iron/services/sturzbach.nix

@@ -2,15 +2,72 @@
 
 let
   inherit (config.networking) ports;
+  interfaces = import ../interfaces.nix;
+  domain = "sturzbach.jalr.de";
+  cfg = config.services.qbittorrent;
 in
 {
-  jalr.qbittorrent = {
-    enable = true;
-    downloadDir = "/sturzbach";
-    fqdn = "sturzbach.jalr.de";
-    webuiPort = ports.qbittorrent-webui.tcp;
+  sops.secrets.sturzbach-htpasswd = {
+    owner = "nginx";
   };
+
   networking.firewall = {
     allowedTCPPorts = [ ports.qbittorrent-torrent.tcp ];
   };
+
+  systemd.services.qbittorrent.serviceConfig = {
+    # Increase number of open file descriptors (default: 1024)
+    LimitNOFILE = 65536;
+  };
+
+  services = {
+    qbittorrent = {
+      enable = true;
+      torrentingPort = ports.qbittorrent-torrent.tcp;
+      webuiPort = ports.qbittorrent-webui.tcp;
+      serverConfig = {
+        Network.PortForwardingEnabled = false;
+        Preferences.WebUI = {
+          Address = "127.0.0.1";
+          LocalHostAuth = false;
+          SecureCookie = true;
+          ServerDomains = domain;
+          SessionTimeout = 24 * 60 * 60;
+          UseUPnP = false;
+        };
+        BitTorrent.Session = {
+          DHTEnabled = false;
+          LSDEnabled = false;
+          PeXEnabled = false;
+          MaxActiveDownloads = 5;
+          MaxActiveTorrents = 10000;
+          MaxActiveUploads = 10000;
+          TempPath = "${cfg.profileDir}/downloads/incomplete";
+          TorrentContentLayout = "Subfolder";
+          AddTorrentStopped = false;
+          AnnounceToAllTiers = false;
+          DefaultSavePath = "${cfg.profileDir}/downloads";
+          DisableAutoTMMByDefault = false;
+          Interface = interfaces.wan;
+          InterfaceAddress = "0.0.0.0";
+          InterfaceName = interfaces.wan;
+          QueueingSystemEnabled = true;
+          ReannounceWhenAddressChanged = false;
+        };
+      };
+    };
+    nginx.virtualHosts."${domain}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      basicAuthFile = config.sops.secrets.sturzbach-htpasswd.path;
+
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.qbittorrent.webuiPort}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
 }

modules/default.nix

@@ -42,7 +42,6 @@
     ./pipewire.nix
     ./podman.nix
     ./printers
-    ./qbittorrent
     ./remarkable.nix
     ./sdr.nix
     ./sshd.nix

modules/qbittorrent/default.nix

@@ -1,94 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.jalr.qbittorrent;
-in
-{
-  options.jalr.qbittorrent = {
-    enable = lib.mkEnableOption "the qbittorrent service";
-    homeDir = lib.mkOption {
-      type = lib.types.path;
-      default = "/var/lib/qbittorrent";
-    };
-    configDir = lib.mkOption {
-      type = lib.types.path;
-      default = "${cfg.homeDir}/config";
-    };
-    downloadDir = lib.mkOption {
-      type = lib.types.path;
-      default = "${cfg.homeDir}/download";
-    };
-    webuiPort = lib.mkOption {
-      type = lib.types.int;
-      default = 8099;
-    };
-    sopsFile = lib.mkOption {
-      type = lib.types.path;
-      default = ../../hosts/${config.networking.hostName}/secrets.yaml;
-      description = ''
-        The sops secret file that includes the htpasswd file.
-      '';
-    };
-    fqdn = lib.mkOption {
-      type = lib.types.str;
-      description = "The fqdn nginx should listen on. It must not be used for anything else.";
-    };
-  };
-
-  config = lib.mkIf cfg.enable
-    {
-      users.users.qbittorrent = {
-        group = "qbittorrent";
-        home = cfg.homeDir;
-        isSystemUser = true;
-      };
-      users.groups.qbittorrent = { };
-
-      systemd.tmpfiles.rules = [
-        "d '${cfg.downloadDir}' 0775 qbittorrent users - -"
-        "d '${cfg.homeDir}' 0771 qbittorrent qbittorrent - -"
-      ];
-
-      sops.secrets.sturzbach-htpasswd = {
-        inherit (cfg) sopsFile;
-        owner = "nginx";
-      };
-
-      systemd.services.qbittorrent = {
-        description = "qBittorrent Service";
-        wantedBy = [ "multi-user.target" ];
-
-        serviceConfig = {
-          Restart = "always";
-          ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=${cfg.configDir} --webui-port=${toString cfg.webuiPort}";
-          User = "qbittorrent";
-          Group = "qbittorrent";
-
-          # Increase number of open file descriptors (default: 1024)
-          LimitNOFILE = 65536;
-
-          # systemd-analyze --no-pager security qbittorrent.service
-          CapabilityBoundingSet = null;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProtectHome = true;
-          RestrictNamespaces = true;
-          SystemCallFilter = "@system-service";
-        };
-      };
-
-      services.nginx.virtualHosts."${cfg.fqdn}" = {
-        enableACME = lib.mkDefault true;
-        forceSSL = lib.mkDefault true;
-
-        basicAuthFile = config.sops.secrets.sturzbach-htpasswd.path;
-
-        locations = {
-          "/" = {
-            proxyPass = "http://127.0.0.1:${toString cfg.webuiPort}";
-            proxyWebsockets = true;
-          };
-        };
-      };
-    };
-}