nixos/services/qbittorrent-nox.nix

{ config, pkgs, lib, ... }:
{
	config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
		environment.systemPackages = with pkgs; [
		    qbittorrent-nox
		];
		
		# Create qbittorrent user with media group
		users.users.qbittorrent = {
			isSystemUser = true;
			group = "media";
			extraGroups = [ "media" ];
			home = "/var/lib/qbittorrent";
			createHome = true;
		};
		
		# Create media group (shared with sonarr/radarr)
		users.groups.media = {
			gid = 3000;
		};
		
		systemd.tmpfiles.rules = [
			# qbittorrent app data — Z recursively enforces ownership/perms on boot
			# (self-heals UID/GID drift from migrations etc.)
			"d /var/lib/qbittorrent 0755 qbittorrent media -"
			"Z /var/lib/qbittorrent 0755 qbittorrent media -"

			# Storage - qbittorrent downloads here
			"d /mnt/storage/torrents/downloads 2775 qbittorrent media -"
			"Z /mnt/storage/torrents/downloads 2775 qbittorrent media -"
		];

		systemd.services.qbittorrent-nox = {
			description = "qBittorrent-nox service";
			after = [ "network.target" ];
			wantedBy = [ "multi-user.target" ];
			serviceConfig = {
				Type = "simple";
				User = "qbittorrent";
				Group = "media";
				ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice";
				Restart = "on-failure";
				UMask = "0002";

				# Security hardening - FIXED
				NoNewPrivileges = true;
				PrivateTmp = true;
				ProtectSystem = "strict";
				ProtectHome = false;  # Changed to false so it can write to /var/lib/qbittorrent
				ReadWritePaths = [ 
					"/var/lib/qbittorrent"
					"/mnt/storage/torrents"
				];
				# Set proper working directory
				WorkingDirectory = "/var/lib/qbittorrent";
			};
		};
		
		users.users.fred.extraGroups = [ "media" ];
	};
}
Update arr-stack.nix 2026-01-20 21:10:47 +00:00			`{ config, pkgs, lib, ... }:`
			`{`
			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`
Update arr-stack.nix 2026-01-21 22:37:12 +00:00			`environment.systemPackages = with pkgs; [`
Update arr-stack.nix 2026-01-21 22:34:37 +00:00			`qbittorrent-nox`
			`];`
Update qbittorrent-nox.nix 2026-01-22 09:39:13 +00:00
			`# Create qbittorrent user with media group`
			`users.users.qbittorrent = {`
			`isSystemUser = true;`
Update qbittorrent-nox.nix 2026-01-26 19:41:28 +00:00			`group = "media";`
Update qbittorrent-nox.nix 2026-01-22 09:39:13 +00:00			`extraGroups = [ "media" ];`
			`home = "/var/lib/qbittorrent";`
			`createHome = true;`
			`};`

Update qbittorrent-nox.nix 2026-01-26 19:41:28 +00:00			`# Create media group (shared with sonarr/radarr)`
Update qbittorrent-nox.nix 2026-01-22 09:39:13 +00:00			`users.groups.media = {`
			`gid = 3000;`
			`};`

Reorganise hardware vs host config, tidy settings and services 2026-04-01 21:14:16 +01:00			`systemd.tmpfiles.rules = [`
qbit: fix CSRF-loop behind Authelia + self-heal data-dir ownership - nginx: strip Referer on torrent.nordhammer.it so qBit's origin check doesn't reject the post-Authelia redirect (Referer was auth.nordhammer.it, Host was torrent.nordhammer.it → 401 loop). - tmpfiles: collapse the nested qbittorrent `d` rules into a single `d` + recursive `Z` so systemd re-enforces ownership/perms on every boot. Caught Docker-migration UID drift that silently broke state persistence and file logging. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 20:04:04 +01:00			`# qbittorrent app data — Z recursively enforces ownership/perms on boot`
			`# (self-heals UID/GID drift from migrations etc.)`
Reorganise hardware vs host config, tidy settings and services 2026-04-01 21:14:16 +01:00			`"d /var/lib/qbittorrent 0755 qbittorrent media -"`
qbit: fix CSRF-loop behind Authelia + self-heal data-dir ownership - nginx: strip Referer on torrent.nordhammer.it so qBit's origin check doesn't reject the post-Authelia redirect (Referer was auth.nordhammer.it, Host was torrent.nordhammer.it → 401 loop). - tmpfiles: collapse the nested qbittorrent `d` rules into a single `d` + recursive `Z` so systemd re-enforces ownership/perms on every boot. Caught Docker-migration UID drift that silently broke state persistence and file logging. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 20:04:04 +01:00			`"Z /var/lib/qbittorrent 0755 qbittorrent media -"`
Reorganise hardware vs host config, tidy settings and services 2026-04-01 21:14:16 +01:00
			`# Storage - qbittorrent downloads here`
			`"d /mnt/storage/torrents/downloads 2775 qbittorrent media -"`
			`"Z /mnt/storage/torrents/downloads 2775 qbittorrent media -"`
			`];`

Update arr-stack.nix 2026-01-21 22:41:48 +00:00			`systemd.services.qbittorrent-nox = {`
			`description = "qBittorrent-nox service";`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`Type = "simple";`
			`User = "qbittorrent";`
Update qbittorrent-nox.nix 2026-01-26 19:41:28 +00:00			`Group = "media";`
			`ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice";`
Update arr-stack.nix 2026-01-21 22:41:48 +00:00			`Restart = "on-failure";`
Set UMask 0002 on all media services for group-writable files Sonarr, Radarr, qBittorrent, Jellyfin, and Bazarr all need to create files that are writable by the media group. Without this, Jellyfin can't write thumbnails/artwork to media directories and services can't collaborate on shared files. Also fixes radarr movies directory to use setgid (2775) consistently. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-15 23:23:56 +01:00			`UMask = "0002";`

Update qbittorrent-nox.nix 2026-01-26 19:41:28 +00:00			`# Security hardening - FIXED`
Update arr-stack.nix 2026-01-21 22:41:48 +00:00			`NoNewPrivileges = true;`
			`PrivateTmp = true;`
			`ProtectSystem = "strict";`
Update qbittorrent-nox.nix 2026-01-26 19:41:28 +00:00			`ProtectHome = false; # Changed to false so it can write to /var/lib/qbittorrent`
Update arr-stack.nix 2026-01-21 22:41:48 +00:00			`ReadWritePaths = [`
			`"/var/lib/qbittorrent"`
Update arr-stack.nix 2026-01-21 22:49:01 +00:00			`"/mnt/storage/torrents"`
Update arr-stack.nix 2026-01-21 22:41:48 +00:00			`];`
Update qbittorrent-nox.nix 2026-01-26 19:41:28 +00:00			`# Set proper working directory`
			`WorkingDirectory = "/var/lib/qbittorrent";`
Update arr-stack.nix 2026-01-21 22:41:48 +00:00			`};`
			`};`
Update qbittorrent-nox.nix 2026-01-22 09:39:13 +00:00
Update qbittorrent-nox.nix 2026-01-26 19:41:28 +00:00			`users.users.fred.extraGroups = [ "media" ];`
Update arr-stack.nix 2026-01-20 21:39:16 +00:00			`};`
Update arr-stack.nix 2026-01-20 21:10:47 +00:00			`}`