
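{ config
, pkgs
, lib
, ...
}:
# NixOS module for the headless qBittorrent client (qbittorrent-nox).
#
# Exposure model: only the torrenting port is ever opened in the firewall, and
# only when `openFirewall` is set.  The WebUI port is an administrative
# interface and is never opened by this module; reach it locally or through a
# reverse proxy that adds authentication and TLS.
let
  cfg = config.services.qbittorrent-nox;

  # Account and group are created only when the caller kept the defaults; a
  # caller-supplied account is assumed to exist already (same convention as
  # most nixpkgs service modules).
  defaultUser = "qbittorrent";
  defaultGroup = "qbittorrent";

  # qbittorrent stores its configuration and state relative to $HOME
  # (~/.config/qBittorrent/ and ~/.local/share/qBittorrent/), so the default
  # account needs a writable home.  Kept under /var/lib so that
  # `ProtectSystem = "full"` leaves it writable and `StateDirectory` can own it.
  stateDir = "/var/lib/qbittorrent";
in
{
  options.services.qbittorrent-nox = {
    # mkEnableOption appends "Whether to enable … ." itself, so no trailing
    # period here (the original produced a double period).
    enable = lib.mkEnableOption "qbittorrent-nox, the headless BitTorrent client";

    package = lib.mkPackageOption pkgs "qbittorrent-nox" { };

    openFirewall = lib.mkOption {
      # The original declared no type; `mkIf` on a non-boolean would only fail
      # at evaluation of the firewall config, far from the user's mistake.
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to open the torrenting port (TCP and UDP) in the firewall.
        The WebUI port is never opened by this module.
      '';
    };

    webuiPort = lib.mkOption {
      # `types.port` rejects values outside 0–65535 at evaluation time.
      type = lib.types.port;
      description = "The port passed to qbittorrent via `--webui-port`.";
    };

    torrentingPort = lib.mkOption {
      type = lib.types.port;
      description = "The port passed to qbittorrent via `--torrenting-port`.";
    };

    user = lib.mkOption {
      type = lib.types.str;
      default = defaultUser;
      description = ''
        User account under which qbittorrent runs.  When left at the default
        the account is created by this module; otherwise it must exist.
      '';
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = defaultGroup;
      description = ''
        Group under which qbittorrent runs.  When left at the default the
        group is created by this module; otherwise it must exist.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # Both listeners would otherwise fight over one port and the WebUI
        # might end up unreachable without an obvious error.
        assertion = cfg.webuiPort != cfg.torrentingPort;
        message = "services.qbittorrent-nox: webuiPort and torrentingPort must differ.";
      }
    ];

    # The original module referenced a "qbittorrent" user/group by default but
    # never created them, so the unit failed to start on a fresh system.
    users.users = lib.mkIf (cfg.user == defaultUser) {
      ${defaultUser} = {
        isSystemUser = true;
        group = cfg.group;
        home = stateDir;
        createHome = true;
        description = "qbittorrent-nox service user";
      };
    };
    users.groups = lib.mkIf (cfg.group == defaultGroup) {
      ${defaultGroup} = { };
    };

    systemd.services.qbittorrent-nox = {
      description = "qbittorrent BitTorrent client";
      wants = [ "network-online.target" ];
      after = [
        "local-fs.target"
        "network-online.target"
        "nss-lookup.target"
      ];
      wantedBy = [ "multi-user.target" ];

      # curl is needed on PATH for the cross-seed "torrent added" hook, which is
      # configured inside qbittorrent as:
      #   /bin/sh -c "curl -XPOST http://localhost:2468/api/webhook --data-urlencode 'name=%N'"
      path = [ pkgs.curl ];

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        ExecStart = lib.concatStringsSep " " [
          (lib.getExe cfg.package)
          "--webui-port=${toString cfg.webuiPort}"
          "--torrenting-port=${toString cfg.torrentingPort}"
        ];
        # qbittorrent flushes resume data for every torrent on shutdown, which
        # can take a long time with a large library.
        TimeoutStopSec = 1800;

        # Makes /var/lib/qbittorrent exist and be owned by the service account
        # even if the account was created outside this module.
        StateDirectory = "qbittorrent";
        StateDirectoryMode = "0750";

        # --- sandboxing -------------------------------------------------
        RemoveIPC = true;
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        ProtectSystem = "full";
        ProtectClock = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        # NOTE(review): AF_UNIX is intentionally absent as in the original;
        # this means the nscd socket is unreachable and glibc falls back to
        # direct NSS lookups.  Add "AF_UNIX" here if name resolution misbehaves.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        # No capabilities at all: the service binds unprivileged ports only.
        CapabilityBoundingSet = "";
        SystemCallFilter = [ "@system-service" ];
      };
    };

    # libtorrent uses the configured listening port for TCP and for uTP/DHT
    # over UDP, so both must be opened for incoming peers to reach us.
    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.torrentingPort ];
      allowedUDPPorts = [ cfg.torrentingPort ];
    };
  };
}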