From 636a19debbf48d6a4c7cbf505f04c44b1ac30355 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Sun, 6 Apr 2025 19:40:34 +0200 Subject: [PATCH] feat: initial setup media --- hosts/saberofxebec/configuration.nix | 108 ++++++++++++- modules/nixos/qbittorrent.nix | 226 +++++++++++++++++++++++++++ 2 files changed, 330 insertions(+), 4 deletions(-) create mode 100644 modules/nixos/qbittorrent.nix diff --git a/hosts/saberofxebec/configuration.nix b/hosts/saberofxebec/configuration.nix index 9cb622f..1a3ffb6 100644 --- a/hosts/saberofxebec/configuration.nix +++ b/hosts/saberofxebec/configuration.nix @@ -1,17 +1,19 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on +# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). { + inputs, config, lib, pkgs, ... }: let serverIP = "192.168.0.201"; + pkgs-unstable = inputs.nixpkgs.legacyPackages.${pkgs.system}; in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ../../modules/nixos/qbittorrent.nix ]; # Use the systemd-boot EFI boot loader. @@ -22,6 +24,7 @@ in { # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking.firewall.allowedTCPPorts = [ 80 443 ]; # Set your time zone. time.timeZone = "Europe/Vienna"; @@ -71,8 +74,8 @@ in { ports = [ "${serverIP}:53:53/tcp" "${serverIP}:53:53/udp" - "80:80" - "443:443" + "12345:80" + "23456:443" ]; volumes = [ "/var/lib/pihole/:/etc/pihole/" @@ -90,5 +93,102 @@ in { }; }; + services.radarr = { + enable = true; + openFirewall = true; + dataDir = "/media/radarr"; + group = "media"; + }; + + services.sonarr = { + enable = true; + openFirewall = true; + dataDir = "/media/radarr"; + group = "media"; + }; + + services.readarr = { + enable = true; + openFirewall = true; + dataDir = "/media/radarr"; + group = "media"; + }; + + services.qbittorrent = { + enable = true; + openFirewall = true; + group = "media"; + profileDir = "/media/qbittorrent"; + + serverConfig = { + LegalNotice.Accepted = true; + Preferences = { + WebUI = { + Username = "Spr3eZ"; + Password_PBKDF2 = "@ByteArray(rSRSjyLjKHX4KeDHgtx8qA==:EdZC27+FdG0aFtqVtEsiuqQAA6NROdBRXVSySD6ktgBY7k9ORrq8Kgo2uIkXvAWssmMIFb+C3RZS2PMWAt/Ihw==)"; + }; + General.Locale = "en"; + }; + }; + }; + + services.jackett = { + enable = true; + openFirewall = true; + dataDir = "/media/jackett"; + package = pkgs-unstable.jackett; + }; + + services.jellyfin = { + enable = true; + openFirewall = true; + group = "media"; + dataDir = "/media/jellyfin"; + }; + + services.jellyseerr = { + enable = true; + openFirewall = true; + }; + + systemd.services.jellyseerr-restarter = { + enable = true; + description = "Restarts Jellyseerr on startup as that fixes it not loading anything and not recognizing anything for whatever reason."; + wantedBy = ["default.target"]; + after = ["jellyseerr.service"]; + script = '' + sleep 10 + systemctl restart jellyseerr.service + ''; + }; + + services.caddy = { + enable = true; + virtualHosts."jackett.saberofxebec".extraConfig = '' + reverse_proxy :9117 + ''; + virtualHosts."qbittorrent.saberofxebec".extraConfig = '' + reverse_proxy :8080 + ''; + virtualHosts."radarr.saberofxebec".extraConfig = '' + reverse_proxy :7878 + ''; + virtualHosts."sonarr.saberofxebec".extraConfig = '' + reverse_proxy :8989 + ''; + virtualHosts."readarr.saberofxebec".extraConfig = '' + reverse_proxy :8787 + ''; + virtualHosts."jellyfin.saberofxebec".extraConfig = '' + reverse_proxy :8787 + ''; + virtualHosts."jellyseer.saberofxebec".extraConfig = '' + reverse_proxy :8787 + ''; + virtualHosts."pihole.saberofxebec".extraConfig = '' + reverse_proxy :12345 + ''; + }; + system.stateVersion = "24.11"; # Did you read the comment? } diff --git a/modules/nixos/qbittorrent.nix b/modules/nixos/qbittorrent.nix new file mode 100644 index 0000000..6851e8c --- /dev/null +++ b/modules/nixos/qbittorrent.nix @@ -0,0 +1,226 @@ +# NOTE: +# This file is 1:1 stolen from the latest update of this nixpkgs pull request: +# https://github.com/NixOS/nixpkgs/pull/287923 +# If that at any point gets merged I would much rather just use that. +{ + config, + pkgs, + lib, + utils, + ... +}: let + cfg = config.services.qbittorrent; + inherit (builtins) concatStringsSep isAttrs isString; + inherit + (lib) + literalExpression + getExe + mkEnableOption + mkOption + mkPackageOption + mkIf + maintainers + escape + collect + mapAttrsRecursive + ; + inherit + (lib.types) + str + port + path + nullOr + listOf + attrsOf + anything + submodule + ; + inherit (lib.generators) toINI mkKeyValueDefault mkValueStringDefault; + gendeepINI = toINI { + mkKeyValue = let + sep = "="; + in + k: v: + if isAttrs v + then + concatStringsSep "\n" ( + collect isString ( + mapAttrsRecursive ( + path: value: "${escape [sep] (concatStringsSep "\\" ([k] ++ path))}${sep}${mkValueStringDefault {} value}" + ) + v + ) + ) + else mkKeyValueDefault {} sep k v; + }; + configFile = pkgs.writeText "qBittorrent.conf" (gendeepINI cfg.serverConfig); +in { + options.services.qbittorrent = { + enable = mkEnableOption "qbittorrent, BitTorrent client"; + + package = mkPackageOption pkgs "qbittorrent-nox" {}; + + user = mkOption { + type = str; + default = "qbittorrent"; + description = "User account under which qbittorrent runs."; + }; + + group = mkOption { + type = str; + default = "qbittorrent"; + description = "Group under which qbittorrent runs."; + }; + + profileDir = mkOption { + type = path; + default = "/var/lib/qBittorrent/"; + description = "the path passed to qbittorrent via --profile."; + }; + + openFirewall = mkEnableOption "opening both the webuiPort and torrentPort over TCP in the firewall"; + + webuiPort = mkOption { + default = 8080; + type = nullOr port; + description = "the port passed to qbittorrent via `--webui-port`"; + }; + + torrentingPort = mkOption { + default = null; + type = nullOr port; + description = "the port passed to qbittorrent via `--torrenting-port`"; + }; + + serverConfig = mkOption { + type = submodule { + freeformType = attrsOf (attrsOf anything); + options.Preferences.WebUI.UseUPnP = mkEnableOption "UPnP for access to the qbittorrent WebUI"; + }; + description = '' + Free-form settings mapped to the `qBittorrent.conf` file in the profile. + Refer to [Explanation-of-Options-in-qBittorrent](https://github.com/qbittorrent/qBittorrent/wiki/Explanation-of-Options-in-qBittorrent) + the Password_PBKDF2 format is oddly unique, you will likely want to use [this tool](https://codeberg.org/feathecutie/qbittorrent_password) to generate the format. + alternatively you can run qBittorrent independently first and use its webUI to generate the format. + ''; + example = literalExpression '' + { + LegalNotice.Accepted = true; + Preferences = { + WebUI = { + Username = "user"; + Password_PBKDF2 = "generated ByteArray."; + }; + General.Locale = "en"; + }; + } + ''; + }; + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + Extra arguments passed to qbittorrent. See `qbittorrent -h`, or the [source code](https://github.com/qbittorrent/qBittorrent/blob/master/src/app/cmdoptions.cpp), for the available arguments. + ''; + example = [ + "--confirm-legal-notice" + ]; + }; + }; + config = mkIf cfg.enable { + systemd = { + tmpfiles.settings = { + qbittorrent = { + "${cfg.profileDir}/qBittorrent/"."d" = { + mode = "775"; + inherit (cfg) user group; + }; + "${cfg.profileDir}/qBittorrent/config/"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + "${cfg.profileDir}/qBittorrent/config/qBittorrent.conf"."L+" = lib.mkIf (cfg.serverConfig != null) { + mode = "1400"; + inherit (cfg) user group; + argument = "${configFile}"; + }; + }; + }; + services.qbittorrent = { + description = "qbittorrent BitTorrent client"; + wants = ["network-online.target"]; + after = [ + "local-fs.target" + "network-online.target" + "nss-lookup.target" + ]; + wantedBy = ["multi-user.target"]; + restartTriggers = lib.optional (cfg.serverConfig != null) configFile; + + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + ExecStart = utils.escapeSystemdExecArgs ( + [ + (getExe cfg.package) + "--profile=${cfg.profileDir}" + ] + ++ lib.optional (cfg.webuiPort != null) "--webui-port=${toString cfg.webuiPort}" + ++ lib.optional (cfg.torrentingPort != null) "--torrenting-port=${toString cfg.torrentingPort}" + ++ cfg.extraArgs + ); + TimeoutStopSec = 1800; + + # https://github.com/qbittorrent/qBittorrent/pull/6806#discussion_r121478661 + PrivateTmp = false; + + PrivateNetwork = false; + RemoveIPC = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = "yes"; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "full"; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + CapabilityBoundingSet = ""; + SystemCallFilter = ["@system-service"]; + }; + }; + }; + + users = { + users = mkIf (cfg.user == "qbittorrent") { + qbittorrent = { + inherit (cfg) group; + isSystemUser = true; + }; + }; + groups = mkIf (cfg.group == "qbittorrent") {qbittorrent = {};}; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall ( + lib.optional (cfg.webuiPort != null) cfg.webuiPort + ++ lib.optional (cfg.torrentingPort != null) cfg.torrentingPort + ); + }; + meta.maintainers = with maintainers; [fsnkty]; +}