From 28010a5ebef607889163b57b193e39ec804b5d7e Mon Sep 17 00:00:00 2001
From: chayleaf <chayleaf-git@pavluk.org>
Date: Wed, 29 Nov 2023 01:50:24 +0700
Subject: [PATCH] server: add qbittorrent-nox

---
 flake.nix                           |   1 +
 system/hosts/router/default.nix     |   5 ++
 system/hosts/server/certspotter.nix |   2 +-
 system/hosts/server/files.nix       |  19 ++++
 system/hosts/server/home.nix        |   1 +
 system/modules/impermanence.nix     | 134 +++++++++++++++-------------
 system/modules/qbittorrent.nix      |  68 ++++++++++++++
 7 files changed, 165 insertions(+), 65 deletions(-)
 create mode 100644 system/modules/qbittorrent.nix

diff --git a/flake.nix b/flake.nix
index 7b5f714..f686f88 100644
--- a/flake.nix
+++ b/flake.nix
@@ -162,6 +162,7 @@
           (if devMaubot then import /${devPath}/maubot.nix/module else maubot.nixosModules.default)
           (if devCoopOfd then import /${devPath}/coop-ofd else coop-ofd).nixosModules.default
           ./system/modules/scanservjs.nix
+          ./system/modules/qbittorrent.nix
         ];
       };
       server-cross = crossConfig server;
diff --git a/system/hosts/router/default.nix b/system/hosts/router/default.nix
index 49b7d2d..497e59b 100644
--- a/system/hosts/router/default.nix
+++ b/system/hosts/router/default.nix
@@ -297,6 +297,8 @@ in {
     bannedPorts = [
       631 9100 # printing
       5353 # avahi
+      # pass it through to VPN rather than WAN
+      server-config.services.qbittorrent-nox.torrent.port
     ];
     inherit (server-config.networking.firewall) allowedTCPPorts allowedTCPPortRanges allowedUDPPorts allowedUDPPortRanges;
 
@@ -328,6 +330,9 @@ in {
   }) ++ lib.toList {
     port = 24; tcp = true; udp = true; target4.port = 22; target6.port = 22;
     target4.address = serverInitrdAddress4; target6.address = serverInitrdAddress6;
+  } ++ lib.toList {
+    inVpn = true; port = server-config.services.qbittorrent-nox.torrent.port; tcp = true; udp = true;
+    target4.address = serverAddress4; target6.address = serverAddress6;
   };
 
   router.enable = true;
diff --git a/system/hosts/server/certspotter.nix b/system/hosts/server/certspotter.nix
index 3147ea5..0d3efee 100644
--- a/system/hosts/server/certspotter.nix
+++ b/system/hosts/server/certspotter.nix
@@ -33,7 +33,7 @@ in {
   services.certspotter = {
     enable = true;
     extraFlags = [ ];
-    watchlist = [ ".pavluk.org" ];
+    watchlist = [ ".${cfg.domainName}" ];
     hooks = lib.toList (pkgs.writeShellScript "certspotter-hook" ''
       if [[ "$EVENT" == discovered_cert ]]; then
         ${pkgs.gnugrep}/bin/grep -r "$TBS_SHA256" /var/lib/certspotter/tbs-hashes/ && exit
diff --git a/system/hosts/server/files.nix b/system/hosts/server/files.nix
index be8c814..5d8c0c9 100644
--- a/system/hosts/server/files.nix
+++ b/system/hosts/server/files.nix
@@ -79,4 +79,23 @@ in {
     hostName = "cloud.${cfg.domainName}";
     https = true;
   };
+
+  services.qbittorrent-nox.enable = true;
+  services.qbittorrent-nox.ui.port = 19642;
+  services.qbittorrent-nox.torrent.port = 45522;
+
+  services.nginx.virtualHosts."home.${cfg.domainName}".locations."/torrent/" = {
+    extraConfig = ''
+      proxy_pass         http://127.0.0.1:${toString config.services.qbittorrent-nox.ui.port}/;
+      proxy_http_version 1.1;
+
+      proxy_set_header   Host               127.0.0.1:30000;
+      proxy_set_header   X-Forwarded-Host   $http_host;
+      proxy_set_header   X-Forwarded-For    $remote_addr;
+      proxy_cookie_path  /                  "/; Secure";
+    '';
+  };
+
+  services.jellyfin.enable = true;
+  services.jellyfin.openFirewall = true;
 }
diff --git a/system/hosts/server/home.nix b/system/hosts/server/home.nix
index 0ef7e06..cca260e 100644
--- a/system/hosts/server/home.nix
+++ b/system/hosts/server/home.nix
@@ -46,6 +46,7 @@ in {
     enable = true;
     config.listener = "127.0.0.1:25783";
   };
+
   services.nginx.virtualHosts."home.${cfg.domainName}" = {
     quic = true;
     enableACME = true;
diff --git a/system/modules/impermanence.nix b/system/modules/impermanence.nix
index 08180c5..a1d5be9 100644
--- a/system/modules/impermanence.nix
+++ b/system/modules/impermanence.nix
@@ -61,78 +61,84 @@ in {
         { directory = /var/spool; user = "root"; group = "root"; mode = "0777"; }
       ] ++ lib.optionals cfg.persistTmp [
         { directory = /tmp; user = "root"; group = "root"; mode = "1777"; }
+      ] ++ lib.optionals config.networking.wireless.iwd.enable [
+        { directory = /var/lib/iwd; user = "root"; group = "root"; mode = "0700"; }
+      ] ++ lib.optionals (builtins.any (x: x.useDHCP != false) (builtins.attrValues config.networking.interfaces) || config.networking.useDHCP) [
+        { directory = /var/db/dhcpcd; user = "root"; group = "root"; mode = "0755"; }
+      ] ++ lib.optionals config.security.acme.acceptTerms [
+        { directory = /var/lib/acme; user = "acme"; group = "acme"; mode = "0755"; }
+      ] ++ lib.optionals config.services.akkoma.enable [
+        { directory = /var/lib/akkoma; user = "akkoma"; group = "akkoma"; mode = "0700"; }
+      ] ++ lib.optionals config.services.botamusique.enable [
+        { directory = /var/lib/private/botamusique; user = "root"; group = "root"; mode = "0750"; }
+      ] ++ lib.optionals config.programs.ccache.enable [
+        { directory = config.programs.ccache.cacheDir; user = "root"; group = "nixbld"; mode = "0770"; }
+        { directory = /var/cache/sccache; user = "root"; group = "nixbld"; mode = "0770"; }
+      ] ++ lib.optionals config.services.coop-ofd.enable [
+        { directory = /var/lib/coop-ofd; mode = "0750"; }
+      ] ++ lib.optionals config.services.dovecot2.enable [
+        { directory = /var/lib/dhparams; user = "root"; group = "root"; mode = "0755"; }
+        { directory = /var/lib/dovecot; user = "root"; group = "root"; mode = "0755"; }
+      ] ++ lib.optionals config.services.fail2ban.enable [
+        { directory = /var/lib/fail2ban; user = "root"; group = "root"; mode = "0700"; }
+      ] ++ lib.optionals config.services.forgejo.enable [
+        { directory = /var/lib/forgejo; user = "forgejo"; group = "forgejo"; mode = "0755"; }
+      ] ++ lib.optionals config.services.gitea.enable [
+        { directory = /var/lib/gitea; user = "gitea"; group = "gitea"; mode = "0755"; }
+      ] ++ lib.optionals config.services.grafana.enable [
+        { directory = /var/lib/grafana; user = "grafana"; group = "grafana"; mode = "0755"; }
+      ] ++ lib.optionals config.services.heisenbridge.enable [
+        { directory = /var/lib/heisenbridge; user = "heisenbridge"; group = "heisenbridge"; mode = "0755"; }
+      ] ++ lib.optionals config.services.hydra.enable [
+        { directory = /var/lib/hydra; user = "hydra"; group = "hydra"; mode = "0755"; }
+      ] ++ lib.optionals config.services.matrix-synapse.enable [
+        { directory = /var/lib/matrix-synapse; user = "matrix-synapse"; group = "matrix-synapse"; mode = "0700"; }
+      ] ++ lib.optionals config.services.monero.enable [
+        { directory = config.services.monero.dataDir; user = "monero"; group = "monero"; mode = "0750"; }
       ] ++ lib.optionals config.services.mullvad-vpn.enable [
         { directory = /etc/mullvad-vpn; user = "root"; group = "root"; mode = "0700"; }
         { directory = /var/cache/mullvad-vpn; user = "root"; group = "root"; mode = "0755"; }
+      ] ++ lib.optionals config.services.murmur.enable [
+        { directory = /var/lib/murmur; user = "murmur"; group = "murmur"; mode = "0700"; }
+      ] ++ lib.optionals config.services.nextcloud.enable [
+        { directory = /var/lib/nextcloud; user = "nextcloud"; group = "nextcloud"; mode = "0750"; }
+      ] ++ lib.optionals config.services.opendkim.enable [
+        { directory = /var/lib/opendkim; user = "opendkim"; group = "opendkim"; mode = "0700"; }
+      ] ++ lib.optionals config.services.openldap.enable [
+        { directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; }
+      ] ++ lib.optionals config.services.pleroma.enable [
+        { directory = /var/lib/pleroma; user = "pleroma"; group = "pleroma"; mode = "0700"; }
+      ] ++ lib.optionals config.services.postfix.enable [
+        { directory = /var/lib/postfix; user = "root"; group = "root"; mode = "0755"; }
+      ] ++ lib.optionals config.services.postgresql.enable [
+        { directory = /var/lib/postgresql; user = "postgres"; group = "postgres"; mode = "0755"; }
+      ] ++ lib.optionals config.services.printing.enable [
+        { directory = /var/lib/cups; user = "root"; group = "root"; mode = "0755"; }
+        { directory = /var/cache/cups; user = "root"; group = "lp"; mode = "0770"; }
+      ] ++ lib.optionals config.services.prometheus.enable [
+        { directory = /var/lib/${config.services.prometheus.stateDir}; user = "prometheus"; group = "prometheus"; mode = "0755"; }
+      ] ++ lib.optionals config.services.qbittorrent-nox.enable [
+        { directory = /var/lib/qbittorrent-nox; mode = "0755"; }
+      ] ++ lib.optionals (config.services.redis.servers.rspamd.enable or false) [
+        { directory = /var/lib/redis-rspamd; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
+      ] ++ lib.optionals config.services.roundcube.enable [
+        { directory = /var/lib/roundcube; user = "roundcube"; group = "roundcube"; mode = "0700"; }
+      ] ++ lib.optionals config.services.rspamd.enable [
+        { directory = /var/lib/rspamd; user = "rspamd"; group = "rspamd"; mode = "0700"; }
+      ] ++ lib.optionals (config.services.scanservjs.enable or false) [
+        { directory = /var/lib/scanservjs; user = "scanservjs"; group = "scanservjs"; mode = "0750"; }
+      ] ++ lib.optionals config.services.searx.enable [
+        { directory = /var/lib/searx; user = "searx"; group = "searx"; mode = "0700"; }
+      ] ++ lib.optionals config.security.sudo.enable [
+        { directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
+      ] ++ lib.optionals config.services.unbound.enable [
+        { directory = /var/lib/unbound; user = "unbound"; group = "unbound"; mode = "0755"; }
       ] ++ lib.optionals config.virtualisation.libvirtd.enable ([
         # { directory = /var/cache/libvirt; user = "root"; group = "root"; mode = "0755"; }
         { directory = /var/lib/libvirt; user = "root"; group = "root"; mode = "0755"; }
       ] ++ lib.optionals config.virtualisation.libvirtd.qemu.swtpm.enable [
         { directory = /var/lib/swtpm-localca; user = "root"; group = "root"; mode = "0750"; }
-      ]) ++ lib.optionals config.networking.wireless.iwd.enable [
-        { directory = /var/lib/iwd; user = "root"; group = "root"; mode = "0700"; }
-      ] ++ lib.optionals (builtins.any (x: x.useDHCP != false) (builtins.attrValues config.networking.interfaces) || config.networking.useDHCP) [
-        { directory = /var/db/dhcpcd; user = "root"; group = "root"; mode = "0755"; }
-      ] ++ lib.optionals config.services.gitea.enable [
-        { directory = /var/lib/gitea; user = "gitea"; group = "gitea"; mode = "0755"; }
-      ] ++ lib.optionals config.services.forgejo.enable [
-        { directory = /var/lib/forgejo; user = "forgejo"; group = "forgejo"; mode = "0755"; }
-      ] ++ lib.optionals config.services.matrix-synapse.enable [
-        { directory = /var/lib/matrix-synapse; user = "matrix-synapse"; group = "matrix-synapse"; mode = "0700"; }
-      ] ++ lib.optionals config.services.heisenbridge.enable [
-        { directory = /var/lib/heisenbridge; user = "heisenbridge"; group = "heisenbridge"; mode = "0755"; }
-      ] ++ lib.optionals config.services.murmur.enable [
-        { directory = /var/lib/murmur; user = "murmur"; group = "murmur"; mode = "0700"; }
-      ] ++ lib.optionals config.services.nextcloud.enable [
-        { directory = /var/lib/nextcloud; user = "nextcloud"; group = "nextcloud"; mode = "0750"; }
-      ] ++ lib.optionals config.services.botamusique.enable [
-        { directory = /var/lib/private/botamusique; user = "root"; group = "root"; mode = "0750"; }
-      ] ++ lib.optionals config.security.acme.acceptTerms [
-        { directory = /var/lib/acme; user = "acme"; group = "acme"; mode = "0755"; }
-      ] ++ lib.optionals config.services.printing.enable [
-        { directory = /var/lib/cups; user = "root"; group = "root"; mode = "0755"; }
-        { directory = /var/cache/cups; user = "root"; group = "lp"; mode = "0770"; }
-      ] ++ lib.optionals config.services.fail2ban.enable [
-        { directory = /var/lib/fail2ban; user = "root"; group = "root"; mode = "0700"; }
-      ] ++ lib.optionals config.services.opendkim.enable [
-        { directory = /var/lib/opendkim; user = "opendkim"; group = "opendkim"; mode = "0700"; }
-      ] ++ lib.optionals config.services.pleroma.enable [
-        { directory = /var/lib/pleroma; user = "pleroma"; group = "pleroma"; mode = "0700"; }
-      ] ++ lib.optionals config.services.akkoma.enable [
-        { directory = /var/lib/akkoma; user = "akkoma"; group = "akkoma"; mode = "0700"; }
-      ] ++ lib.optionals config.services.hydra.enable [
-        { directory = /var/lib/hydra; user = "hydra"; group = "hydra"; mode = "0755"; }
-      ] ++ lib.optionals config.services.grafana.enable [
-        { directory = /var/lib/grafana; user = "grafana"; group = "grafana"; mode = "0755"; }
-      ] ++ lib.optionals config.services.prometheus.enable [
-        { directory = /var/lib/${config.services.prometheus.stateDir}; user = "prometheus"; group = "prometheus"; mode = "0755"; }
-      ] ++ lib.optionals config.services.postfix.enable [
-        { directory = /var/lib/postfix; user = "root"; group = "root"; mode = "0755"; }
-      ] ++ lib.optionals config.services.postgresql.enable [
-        { directory = /var/lib/postgresql; user = "postgres"; group = "postgres"; mode = "0755"; }
-      ] ++ lib.optionals config.services.unbound.enable [
-        { directory = /var/lib/unbound; user = "unbound"; group = "unbound"; mode = "0755"; }
-      ] ++ lib.optionals config.services.searx.enable [
-        { directory = /var/lib/searx; user = "searx"; group = "searx"; mode = "0700"; }
-      ] ++ lib.optionals config.services.roundcube.enable [
-        { directory = /var/lib/roundcube; user = "roundcube"; group = "roundcube"; mode = "0700"; }
-      ] ++ lib.optionals config.services.rspamd.enable [
-        { directory = /var/lib/rspamd; user = "rspamd"; group = "rspamd"; mode = "0700"; }
-      ] ++ lib.optionals (config.services.redis.servers.rspamd.enable or false) [
-        { directory = /var/lib/redis-rspamd; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
-      ] ++ lib.optionals config.services.dovecot2.enable [
-        { directory = /var/lib/dhparams; user = "root"; group = "root"; mode = "0755"; }
-        { directory = /var/lib/dovecot; user = "root"; group = "root"; mode = "0755"; }
-      ] ++ lib.optionals config.security.sudo.enable [
-        { directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
-      ] ++ lib.optionals config.services.openldap.enable [
-        { directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; }
-      ] ++ lib.optionals (config.services.scanservjs.enable or false) [
-        { directory = /var/lib/scanservjs; user = "scanservjs"; group = "scanservjs"; mode = "0750"; }
-      ] ++ lib.optionals config.programs.ccache.enable [
-        { directory = config.programs.ccache.cacheDir; user = "root"; group = "nixbld"; mode = "0770"; }
-        { directory = /var/cache/sccache; user = "root"; group = "nixbld"; mode = "0770"; }
-      ] ++ cfg.directories);
+      ]) ++ cfg.directories);
       files = map (x:
         if builtins.isPath x then toString x
         else if builtins.isPath (x.file or null) then x // { file = toString x.file; }
diff --git a/system/modules/qbittorrent.nix b/system/modules/qbittorrent.nix
new file mode 100644
index 0000000..88616dd
--- /dev/null
+++ b/system/modules/qbittorrent.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.qbittorrent-nox;
+in {
+  options.services.qbittorrent-nox = {
+    enable = lib.mkEnableOption "qbittorrent-nox";
+    package = lib.mkPackageOptionMD pkgs "qbittorrent-nox" { };
+    ui.addToFirewall = lib.mkOption {
+      description = "Add the web UI port to firewall";
+      type = lib.types.bool;
+      default = false;
+    };
+    ui.port = lib.mkOption {
+      description = "Web UI port";
+      type = lib.types.port;
+      default = 8080;
+    };
+    torrent.addToFirewall = lib.mkOption {
+      description = "Add the torrenting port to firewall";
+      type = lib.types.bool;
+      default = true;
+    };
+    torrent.port = lib.mkOption {
+      description = "Torrenting port";
+      type = with lib.types; nullOr port;
+      default = null;
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts =
+      lib.optional (cfg.torrent.addToFirewall && cfg.torrent.port != null) cfg.torrent.port
+      ++ lib.optional (cfg.ui.addToFirewall && cfg.ui.port != null) cfg.ui.port;
+    networking.firewall.allowedUDPPorts =
+      lib.optional (cfg.torrent.addToFirewall && cfg.torrent.port != null) cfg.torrent.port;
+    # users.users.qbittorrent-nox = {
+    #   isSystemUser = true;
+    #   group = "qbittorrent-nox";
+    #   home = "/var/lib/qbittorrent-nox";
+    # };
+    # groups.groups.qbittorrent-nox = { };
+    systemd.services.qbittorrent-nox = {
+      description = "qBittorrent-nox service";
+      wants = [ "network-online.target" ];
+      after = [ "local-fs.target" "network-online.target" "nss-lookup.target" ];
+      wantedBy = [ "multi-user.target" ];
+      unitConfig.Documentation = "man:qbittorrent-nox(1)";
+      preStart = ''
+        if [[ ! -f /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf ]]; then
+          mkdir -p /var/lib/qbittorrent-nox/qBittorrent/config
+          echo "[Preferences]" > /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf
+          echo "WebUI\UseUPnP=false" > /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf
+        fi
+      '';
+      serviceConfig = {
+        User = "qbittorrent-nox";
+        Group = "qbittorrent-nox";
+        DynamicUser = true;
+        StateDirectory = "qbittorrent-nox";
+        WorkingDirectory = "/var/lib/qbittorrent-nox";
+        ExecStart = ''
+          ${cfg.package}/bin/qbittorrent-nox ${lib.optionalString (cfg.torrent.port != null) "--torrenting-port=${toString cfg.torrent.port}"} \
+            --webui-port=${toString cfg.ui.port} --profile=/var/lib/qbittorrent-nox
+        '';
+      };
+    };
+  };
+}