qbit: fix CSRF-loop behind Authelia + self-heal data-dir ownership

- nginx: strip Referer on torrent.nordhammer.it so qBit's origin check
  doesn't reject the post-Authelia redirect (Referer was auth.nordhammer.it,
  Host was torrent.nordhammer.it → 401 loop).
- tmpfiles: collapse the nested qbittorrent `d` rules into a single
  `d` + recursive `Z` so systemd re-enforces ownership/perms on every
  boot. Caught Docker-migration UID drift that silently broke state
  persistence and file logging.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/nginx.nix

@@ -96,10 +96,13 @@ in
         "sonarr.nordhammer.it"   = protectedProxy 8989;
         "radarr.nordhammer.it"   = protectedProxy 7878;
         "prowlarr.nordhammer.it" = protectedProxy 9696;
-        # qBit trips its own session auth on any SID cookie the browser
-        # has cached; strip cookies so localhost-bypass always wins.
+        # qBit's CSRF check rejects any request whose Referer origin differs
+        # from the Host — after Authelia's redirect the Referer is
+        # auth.nordhammer.it, which trips the check. Strip it so qBit skips.
+        # Cookie stripped too so cached SID cookies don't fight localhost-bypass.
         "torrent.nordhammer.it"  = lib.recursiveUpdate (protectedProxy 8080) {
           locations."/".extraConfig = autheliaAuthConfig + ''
+            proxy_set_header Referer "";
             proxy_set_header Cookie "";
             proxy_hide_header Set-Cookie;
           '';