From f83fd72a9855c5a01752ed25213754dbd88c1ec0 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 24 Apr 2026 20:04:04 +0100
Subject: [PATCH] qbit: fix CSRF-loop behind Authelia + self-heal data-dir ownership
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- nginx: strip Referer on torrent.nordhammer.it so qBit's origin check doesn't reject the post-Authelia redirect (Referer was auth.nordhammer.it, Host was torrent.nordhammer.it → 401 loop).
- tmpfiles: collapse the nested qbittorrent `d` rules into a single `d` + recursive `Z` so systemd re-enforces ownership/perms on every boot. Caught Docker-migration UID drift that silently broke state persistence and file logging.

Co-Authored-By: Claude Opus 4.7
---
 services/nginx.nix | 7 +++++--
 services/qbittorrent-nox.nix | 9 +++------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/services/nginx.nix b/services/nginx.nix
index 2c7c559..98e64c6 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -96,10 +96,13 @@ in
 "sonarr.nordhammer.it" = protectedProxy 8989;
 "radarr.nordhammer.it" = protectedProxy 7878;
 "prowlarr.nordhammer.it" = protectedProxy 9696;
- # qBit trips its own session auth on any SID cookie the browser
- # has cached; strip cookies so localhost-bypass always wins.
+ # qBit's CSRF check rejects any request whose Referer origin differs
+ # from the Host — after Authelia's redirect the Referer is
+ # auth.nordhammer.it, which trips the check. Strip it so qBit skips.
+ # Cookie stripped too so cached SID cookies don't fight localhost-bypass.
 "torrent.nordhammer.it" = lib.recursiveUpdate (protectedProxy 8080) {
 locations."/".extraConfig = autheliaAuthConfig + ''
+ proxy_set_header Referer "";
 proxy_set_header Cookie "";
 proxy_hide_header Set-Cookie;
 '';
diff --git a/services/qbittorrent-nox.nix b/services/qbittorrent-nox.nix
index 006f8e0..f15db75 100644
--- a/services/qbittorrent-nox.nix
+++ b/services/qbittorrent-nox.nix
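Review bot: `proxy_set_header Referer "";` blanks the Referer for every request to torrent.nordhammer.it, not only the one Authelia redirects back, so qBit's Referer-based cross-site check is gone for all traffic and the WebUI's CSRF defence now rests on the Origin header (which qBit appears to consult first when present, as far as I recall) plus Authelia's session — the new comment's "Strip it so qBit skips" should say that outright. A narrower fix keeps the check for normal traffic: an http-context `map $http_referer $qbit_referer { default $http_referer; "~^https://auth\.nordhammer\.it/" ""; }` and `proxy_set_header Referer $qbit_referer;` in this location, which only blanks a Referer that comes from the Authelia host. Because the Cookie strip already means qBit never sees its own SID, every proxied request presumably reaches 127.0.0.1:8080 as an anonymous localhost client, so anything else that can reach that port (other vhosts on this nginx, local users, an SSRF in a sibling service) gets the same unauthenticated API; I'd record that assumption alongside, e.g. `# Auth is Authelia-only here: qBit must stay bound to loopback with the localhost bypass, and nothing else may be able to reach :8080.`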
@@ -20,13 +20,10 @@
 };
 systemd.tmpfiles.rules = [
- # qbittorrent app data
+ # qbittorrent app data — Z recursively enforces ownership/perms on boot
+ # (self-heals UID/GID drift from migrations etc.)
 "d /var/lib/qbittorrent 0755 qbittorrent media -"
- "d /var/lib/qbittorrent/.config 0755 qbittorrent media -"
- "d /var/lib/qbittorrent/.config/qBittorrent 0755 qbittorrent media -"
- "d /var/lib/qbittorrent/.local 0755 qbittorrent media -"
- "d /var/lib/qbittorrent/.local/share 0755 qbittorrent media -"
- "d /var/lib/qbittorrent/.local/share/qBittorrent 0755 qbittorrent media -"
+ "Z /var/lib/qbittorrent 0755 qbittorrent media -"
 # Storage - qbittorrent downloads here
 "d /mnt/storage/torrents/downloads 2775 qbittorrent media -"