chayleaf/dotfiles
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

server: add qbittorrent-nox

Browse source
This commit is contained in:
chayleaf 2023-11-29 01:50:24 +07:00
parent 1524c347d6
commit 28010a5ebe
Signed by: chayleaf
GPG key ID: 78171AD46227E68E
7 changed files with 165 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -162,6 +162,7 @@
(if devMaubot then import /${devPath}/maubot.nix/module else maubot.nixosModules.default)
(if devCoopOfd then import /${devPath}/coop-ofd else coop-ofd).nixosModules.default
./system/modules/scanservjs.nix
./system/modules/qbittorrent.nix
];
};
server-cross = crossConfig server;

5
system/hosts/router/default.nix
View file

@ -297,6 +297,8 @@ in {
bannedPorts = [
631 9100 # printing
5353 # avahi
# pass it through to VPN rather than WAN
server-config.services.qbittorrent-nox.torrent.port
];
inherit (server-config.networking.firewall) allowedTCPPorts allowedTCPPortRanges allowedUDPPorts allowedUDPPortRanges;
@ -328,6 +330,9 @@ in {
}) ++ lib.toList {
port = 24; tcp = true; udp = true; target4.port = 22; target6.port = 22;
target4.address = serverInitrdAddress4; target6.address = serverInitrdAddress6;
} ++ lib.toList {
inVpn = true; port = server-config.services.qbittorrent-nox.torrent.port; tcp = true; udp = true;
target4.address = serverAddress4; target6.address = serverAddress6;
};
router.enable = true;

2
system/hosts/server/certspotter.nix
View file

@ -33,7 +33,7 @@ in {
services.certspotter = {
enable = true;
extraFlags = [ ];
watchlist = [ ".pavluk.org" ];
watchlist = [ ".${cfg.domainName}" ];
hooks = lib.toList (pkgs.writeShellScript "certspotter-hook" ''
if [[ "$EVENT" == discovered_cert ]]; then
${pkgs.gnugrep}/bin/grep -r "$TBS_SHA256" /var/lib/certspotter/tbs-hashes/ && exit

19
system/hosts/server/files.nix
View file

@ -79,4 +79,23 @@ in {
hostName = "cloud.${cfg.domainName}";
https = true;
};
services.qbittorrent-nox.enable = true;
services.qbittorrent-nox.ui.port = 19642;
services.qbittorrent-nox.torrent.port = 45522;
services.nginx.virtualHosts."home.${cfg.domainName}".locations."/torrent/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:${toString config.services.qbittorrent-nox.ui.port}/;
proxy_http_version 1.1;
proxy_set_header Host 127.0.0.1:30000;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_cookie_path / "/; Secure";
'';
};
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
}

1
system/hosts/server/home.nix
View file

@ -46,6 +46,7 @@ in {
enable = true;
config.listener = "127.0.0.1:25783";
};
services.nginx.virtualHosts."home.${cfg.domainName}" = {
quic = true;
enableACME = true;

134
system/modules/impermanence.nix
View file

@ -61,78 +61,84 @@ in {
{ directory = /var/spool; user = "root"; group = "root"; mode = "0777"; }
] ++ lib.optionals cfg.persistTmp [
{ directory = /tmp; user = "root"; group = "root"; mode = "1777"; }
] ++ lib.optionals config.networking.wireless.iwd.enable [
{ directory = /var/lib/iwd; user = "root"; group = "root"; mode = "0700"; }
] ++ lib.optionals (builtins.any (x: x.useDHCP != false) (builtins.attrValues config.networking.interfaces) || config.networking.useDHCP) [
{ directory = /var/db/dhcpcd; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.security.acme.acceptTerms [
{ directory = /var/lib/acme; user = "acme"; group = "acme"; mode = "0755"; }
] ++ lib.optionals config.services.akkoma.enable [
{ directory = /var/lib/akkoma; user = "akkoma"; group = "akkoma"; mode = "0700"; }
] ++ lib.optionals config.services.botamusique.enable [
{ directory = /var/lib/private/botamusique; user = "root"; group = "root"; mode = "0750"; }
] ++ lib.optionals config.programs.ccache.enable [
{ directory = config.programs.ccache.cacheDir; user = "root"; group = "nixbld"; mode = "0770"; }
{ directory = /var/cache/sccache; user = "root"; group = "nixbld"; mode = "0770"; }
] ++ lib.optionals config.services.coop-ofd.enable [
{ directory = /var/lib/coop-ofd; mode = "0750"; }
] ++ lib.optionals config.services.dovecot2.enable [
{ directory = /var/lib/dhparams; user = "root"; group = "root"; mode = "0755"; }
{ directory = /var/lib/dovecot; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.services.fail2ban.enable [
{ directory = /var/lib/fail2ban; user = "root"; group = "root"; mode = "0700"; }
] ++ lib.optionals config.services.forgejo.enable [
{ directory = /var/lib/forgejo; user = "forgejo"; group = "forgejo"; mode = "0755"; }
] ++ lib.optionals config.services.gitea.enable [
{ directory = /var/lib/gitea; user = "gitea"; group = "gitea"; mode = "0755"; }
] ++ lib.optionals config.services.grafana.enable [
{ directory = /var/lib/grafana; user = "grafana"; group = "grafana"; mode = "0755"; }
] ++ lib.optionals config.services.heisenbridge.enable [
{ directory = /var/lib/heisenbridge; user = "heisenbridge"; group = "heisenbridge"; mode = "0755"; }
] ++ lib.optionals config.services.hydra.enable [
{ directory = /var/lib/hydra; user = "hydra"; group = "hydra"; mode = "0755"; }
] ++ lib.optionals config.services.matrix-synapse.enable [
{ directory = /var/lib/matrix-synapse; user = "matrix-synapse"; group = "matrix-synapse"; mode = "0700"; }
] ++ lib.optionals config.services.monero.enable [
{ directory = config.services.monero.dataDir; user = "monero"; group = "monero"; mode = "0750"; }
] ++ lib.optionals config.services.mullvad-vpn.enable [
{ directory = /etc/mullvad-vpn; user = "root"; group = "root"; mode = "0700"; }
{ directory = /var/cache/mullvad-vpn; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.services.murmur.enable [
{ directory = /var/lib/murmur; user = "murmur"; group = "murmur"; mode = "0700"; }
] ++ lib.optionals config.services.nextcloud.enable [
{ directory = /var/lib/nextcloud; user = "nextcloud"; group = "nextcloud"; mode = "0750"; }
] ++ lib.optionals config.services.opendkim.enable [
{ directory = /var/lib/opendkim; user = "opendkim"; group = "opendkim"; mode = "0700"; }
] ++ lib.optionals config.services.openldap.enable [
{ directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; }
] ++ lib.optionals config.services.pleroma.enable [
{ directory = /var/lib/pleroma; user = "pleroma"; group = "pleroma"; mode = "0700"; }
] ++ lib.optionals config.services.postfix.enable [
{ directory = /var/lib/postfix; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.services.postgresql.enable [
{ directory = /var/lib/postgresql; user = "postgres"; group = "postgres"; mode = "0755"; }
] ++ lib.optionals config.services.printing.enable [
{ directory = /var/lib/cups; user = "root"; group = "root"; mode = "0755"; }
{ directory = /var/cache/cups; user = "root"; group = "lp"; mode = "0770"; }
] ++ lib.optionals config.services.prometheus.enable [
{ directory = /var/lib/${config.services.prometheus.stateDir}; user = "prometheus"; group = "prometheus"; mode = "0755"; }
] ++ lib.optionals config.services.qbittorrent-nox.enable [
{ directory = /var/lib/qbittorrent-nox; mode = "0755"; }
] ++ lib.optionals (config.services.redis.servers.rspamd.enable or false) [
{ directory = /var/lib/redis-rspamd; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
] ++ lib.optionals config.services.roundcube.enable [
{ directory = /var/lib/roundcube; user = "roundcube"; group = "roundcube"; mode = "0700"; }
] ++ lib.optionals config.services.rspamd.enable [
{ directory = /var/lib/rspamd; user = "rspamd"; group = "rspamd"; mode = "0700"; }
] ++ lib.optionals (config.services.scanservjs.enable or false) [
{ directory = /var/lib/scanservjs; user = "scanservjs"; group = "scanservjs"; mode = "0750"; }
] ++ lib.optionals config.services.searx.enable [
{ directory = /var/lib/searx; user = "searx"; group = "searx"; mode = "0700"; }
] ++ lib.optionals config.security.sudo.enable [
{ directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
] ++ lib.optionals config.services.unbound.enable [
{ directory = /var/lib/unbound; user = "unbound"; group = "unbound"; mode = "0755"; }
] ++ lib.optionals config.virtualisation.libvirtd.enable ([
# { directory = /var/cache/libvirt; user = "root"; group = "root"; mode = "0755"; }
{ directory = /var/lib/libvirt; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.virtualisation.libvirtd.qemu.swtpm.enable [
{ directory = /var/lib/swtpm-localca; user = "root"; group = "root"; mode = "0750"; }
]) ++ lib.optionals config.networking.wireless.iwd.enable [
{ directory = /var/lib/iwd; user = "root"; group = "root"; mode = "0700"; }
] ++ lib.optionals (builtins.any (x: x.useDHCP != false) (builtins.attrValues config.networking.interfaces) || config.networking.useDHCP) [
{ directory = /var/db/dhcpcd; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.services.gitea.enable [
{ directory = /var/lib/gitea; user = "gitea"; group = "gitea"; mode = "0755"; }
] ++ lib.optionals config.services.forgejo.enable [
{ directory = /var/lib/forgejo; user = "forgejo"; group = "forgejo"; mode = "0755"; }
] ++ lib.optionals config.services.matrix-synapse.enable [
{ directory = /var/lib/matrix-synapse; user = "matrix-synapse"; group = "matrix-synapse"; mode = "0700"; }
] ++ lib.optionals config.services.heisenbridge.enable [
{ directory = /var/lib/heisenbridge; user = "heisenbridge"; group = "heisenbridge"; mode = "0755"; }
] ++ lib.optionals config.services.murmur.enable [
{ directory = /var/lib/murmur; user = "murmur"; group = "murmur"; mode = "0700"; }
] ++ lib.optionals config.services.nextcloud.enable [
{ directory = /var/lib/nextcloud; user = "nextcloud"; group = "nextcloud"; mode = "0750"; }
] ++ lib.optionals config.services.botamusique.enable [
{ directory = /var/lib/private/botamusique; user = "root"; group = "root"; mode = "0750"; }
] ++ lib.optionals config.security.acme.acceptTerms [
{ directory = /var/lib/acme; user = "acme"; group = "acme"; mode = "0755"; }
] ++ lib.optionals config.services.printing.enable [
{ directory = /var/lib/cups; user = "root"; group = "root"; mode = "0755"; }
{ directory = /var/cache/cups; user = "root"; group = "lp"; mode = "0770"; }
] ++ lib.optionals config.services.fail2ban.enable [
{ directory = /var/lib/fail2ban; user = "root"; group = "root"; mode = "0700"; }
] ++ lib.optionals config.services.opendkim.enable [
{ directory = /var/lib/opendkim; user = "opendkim"; group = "opendkim"; mode = "0700"; }
] ++ lib.optionals config.services.pleroma.enable [
{ directory = /var/lib/pleroma; user = "pleroma"; group = "pleroma"; mode = "0700"; }
] ++ lib.optionals config.services.akkoma.enable [
{ directory = /var/lib/akkoma; user = "akkoma"; group = "akkoma"; mode = "0700"; }
] ++ lib.optionals config.services.hydra.enable [
{ directory = /var/lib/hydra; user = "hydra"; group = "hydra"; mode = "0755"; }
] ++ lib.optionals config.services.grafana.enable [
{ directory = /var/lib/grafana; user = "grafana"; group = "grafana"; mode = "0755"; }
] ++ lib.optionals config.services.prometheus.enable [
{ directory = /var/lib/${config.services.prometheus.stateDir}; user = "prometheus"; group = "prometheus"; mode = "0755"; }
] ++ lib.optionals config.services.postfix.enable [
{ directory = /var/lib/postfix; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.services.postgresql.enable [
{ directory = /var/lib/postgresql; user = "postgres"; group = "postgres"; mode = "0755"; }
] ++ lib.optionals config.services.unbound.enable [
{ directory = /var/lib/unbound; user = "unbound"; group = "unbound"; mode = "0755"; }
] ++ lib.optionals config.services.searx.enable [
{ directory = /var/lib/searx; user = "searx"; group = "searx"; mode = "0700"; }
] ++ lib.optionals config.services.roundcube.enable [
{ directory = /var/lib/roundcube; user = "roundcube"; group = "roundcube"; mode = "0700"; }
] ++ lib.optionals config.services.rspamd.enable [
{ directory = /var/lib/rspamd; user = "rspamd"; group = "rspamd"; mode = "0700"; }
] ++ lib.optionals (config.services.redis.servers.rspamd.enable or false) [
{ directory = /var/lib/redis-rspamd; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
] ++ lib.optionals config.services.dovecot2.enable [
{ directory = /var/lib/dhparams; user = "root"; group = "root"; mode = "0755"; }
{ directory = /var/lib/dovecot; user = "root"; group = "root"; mode = "0755"; }
] ++ lib.optionals config.security.sudo.enable [
{ directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
] ++ lib.optionals config.services.openldap.enable [
{ directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; }
] ++ lib.optionals (config.services.scanservjs.enable or false) [
{ directory = /var/lib/scanservjs; user = "scanservjs"; group = "scanservjs"; mode = "0750"; }
] ++ lib.optionals config.programs.ccache.enable [
{ directory = config.programs.ccache.cacheDir; user = "root"; group = "nixbld"; mode = "0770"; }
{ directory = /var/cache/sccache; user = "root"; group = "nixbld"; mode = "0770"; }
] ++ cfg.directories);
]) ++ cfg.directories);
files = map (x:
if builtins.isPath x then toString x
else if builtins.isPath (x.file or null) then x // { file = toString x.file; }

68
system/modules/qbittorrent.nix Normal file
View file

@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.qbittorrent-nox;
in {
options.services.qbittorrent-nox = {
enable = lib.mkEnableOption "qbittorrent-nox";
package = lib.mkPackageOptionMD pkgs "qbittorrent-nox" { };
ui.addToFirewall = lib.mkOption {
description = "Add the web UI port to firewall";
type = lib.types.bool;
default = false;
};
ui.port = lib.mkOption {
description = "Web UI port";
type = lib.types.port;
default = 8080;
};
torrent.addToFirewall = lib.mkOption {
description = "Add the torrenting port to firewall";
type = lib.types.bool;
default = true;
};
torrent.port = lib.mkOption {
description = "Torrenting port";
type = with lib.types; nullOr port;
default = null;
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts =
lib.optional (cfg.torrent.addToFirewall && cfg.torrent.port != null) cfg.torrent.port
++ lib.optional (cfg.ui.addToFirewall && cfg.ui.port != null) cfg.ui.port;
networking.firewall.allowedUDPPorts =
lib.optional (cfg.torrent.addToFirewall && cfg.torrent.port != null) cfg.torrent.port;
# users.users.qbittorrent-nox = {
# isSystemUser = true;
# group = "qbittorrent-nox";
# home = "/var/lib/qbittorrent-nox";
# };
# groups.groups.qbittorrent-nox = { };
systemd.services.qbittorrent-nox = {
description = "qBittorrent-nox service";
wants = [ "network-online.target" ];
after = [ "local-fs.target" "network-online.target" "nss-lookup.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig.Documentation = "man:qbittorrent-nox(1)";
preStart = ''
if [[ ! -f /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf ]]; then
mkdir -p /var/lib/qbittorrent-nox/qBittorrent/config
echo "[Preferences]" > /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf
echo "WebUI\UseUPnP=false" > /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf
fi
'';
serviceConfig = {
User = "qbittorrent-nox";
Group = "qbittorrent-nox";
DynamicUser = true;
StateDirectory = "qbittorrent-nox";
WorkingDirectory = "/var/lib/qbittorrent-nox";
ExecStart = ''
${cfg.package}/bin/qbittorrent-nox ${lib.optionalString (cfg.torrent.port != null) "--torrenting-port=${toString cfg.torrent.port}"} \
--webui-port=${toString cfg.ui.port} --profile=/var/lib/qbittorrent-nox
'';
};
};
};
}