ediblerope
f83fd72a98
- nginx: strip Referer on torrent.nordhammer.it so qBit's origin check doesn't reject the post-Authelia redirect (Referer was auth.nordhammer.it, Host was torrent.nordhammer.it → 401 loop). - tmpfiles: collapse the nested qbittorrent `d` rules into a single `d` + recursive `Z` so systemd re-enforces ownership/perms on every boot. Caught Docker-migration UID drift that silently broke state persistence and file logging. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
61 lines
1.7 KiB
Nix
61 lines
1.7 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
{
|
|
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
|
environment.systemPackages = with pkgs; [
|
|
qbittorrent-nox
|
|
];
|
|
|
|
# Create qbittorrent user with media group
|
|
users.users.qbittorrent = {
|
|
isSystemUser = true;
|
|
group = "media";
|
|
extraGroups = [ "media" ];
|
|
home = "/var/lib/qbittorrent";
|
|
createHome = true;
|
|
};
|
|
|
|
# Create media group (shared with sonarr/radarr)
|
|
users.groups.media = {
|
|
gid = 3000;
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
# qbittorrent app data — Z recursively enforces ownership/perms on boot
|
|
# (self-heals UID/GID drift from migrations etc.)
|
|
"d /var/lib/qbittorrent 0755 qbittorrent media -"
|
|
"Z /var/lib/qbittorrent 0755 qbittorrent media -"
|
|
|
|
# Storage - qbittorrent downloads here
|
|
"d /mnt/storage/torrents/downloads 2775 qbittorrent media -"
|
|
"Z /mnt/storage/torrents/downloads 2775 qbittorrent media -"
|
|
];
|
|
|
|
systemd.services.qbittorrent-nox = {
|
|
description = "qBittorrent-nox service";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = "qbittorrent";
|
|
Group = "media";
|
|
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice";
|
|
Restart = "on-failure";
|
|
UMask = "0002";
|
|
|
|
# Security hardening - FIXED
|
|
NoNewPrivileges = true;
|
|
PrivateTmp = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = false; # Changed to false so it can write to /var/lib/qbittorrent
|
|
ReadWritePaths = [
|
|
"/var/lib/qbittorrent"
|
|
"/mnt/storage/torrents"
|
|
];
|
|
# Set proper working directory
|
|
WorkingDirectory = "/var/lib/qbittorrent";
|
|
};
|
|
};
|
|
|
|
users.users.fred.extraGroups = [ "media" ];
|
|
};
|
|
}
|