rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

qbit: fix CSRF-loop behind Authelia + self-heal data-dir ownership

Browse source 
- nginx: strip Referer on torrent.nordhammer.it so qBit's origin check
  doesn't reject the post-Authelia redirect (Referer was auth.nordhammer.it,
  Host was torrent.nordhammer.it → 401 loop).
- tmpfiles: collapse the nested qbittorrent `d` rules into a single
  `d` + recursive `Z` so systemd re-enforces ownership/perms on every
  boot. Caught Docker-migration UID drift that silently broke state
  persistence and file logging.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-24 20:04:04 +01:00
parent 0c7b6f1b58
commit f83fd72a98
2 changed files with 8 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

7
services/nginx.nix
View file

@ -96,10 +96,13 @@ in
"sonarr.nordhammer.it" = protectedProxy 8989; "sonarr.nordhammer.it" = protectedProxy 8989;
"radarr.nordhammer.it" = protectedProxy 7878; "radarr.nordhammer.it" = protectedProxy 7878;
"prowlarr.nordhammer.it" = protectedProxy 9696; "prowlarr.nordhammer.it" = protectedProxy 9696;
# qBit trips its own session auth on any SID cookie the browser # qBit's CSRF check rejects any request whose Referer origin differs
# has cached; strip cookies so localhost-bypass always wins. # from the Host — after Authelia's redirect the Referer is
# auth.nordhammer.it, which trips the check. Strip it so qBit skips.
# Cookie stripped too so cached SID cookies don't fight localhost-bypass.
"torrent.nordhammer.it" = lib.recursiveUpdate (protectedProxy 8080) { "torrent.nordhammer.it" = lib.recursiveUpdate (protectedProxy 8080) {
locations."/".extraConfig = autheliaAuthConfig + '' locations."/".extraConfig = autheliaAuthConfig + ''
proxy_set_header Referer "";
proxy_set_header Cookie ""; proxy_set_header Cookie "";
proxy_hide_header Set-Cookie; proxy_hide_header Set-Cookie;
''; '';

9
services/qbittorrent-nox.nix
View file

@ -20,13 +20,10 @@
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
# qbittorrent app data # qbittorrent app data — Z recursively enforces ownership/perms on boot
# (self-heals UID/GID drift from migrations etc.)
"d /var/lib/qbittorrent 0755 qbittorrent media -" "d /var/lib/qbittorrent 0755 qbittorrent media -"
"d /var/lib/qbittorrent/.config 0755 qbittorrent media -" "Z /var/lib/qbittorrent 0755 qbittorrent media -"
"d /var/lib/qbittorrent/.config/qBittorrent 0755 qbittorrent media -"
"d /var/lib/qbittorrent/.local 0755 qbittorrent media -"
"d /var/lib/qbittorrent/.local/share 0755 qbittorrent media -"
"d /var/lib/qbittorrent/.local/share/qBittorrent 0755 qbittorrent media -"
# Storage - qbittorrent downloads here # Storage - qbittorrent downloads here
"d /mnt/storage/torrents/downloads 2775 qbittorrent media -" "d /mnt/storage/torrents/downloads 2775 qbittorrent media -"