feat(qbit): add qbit config

devices/nas/modules/qbittorrent/default.nix

@@ -1,5 +1,17 @@
 {...}: {
   imports = [
+    ./qbittorrent.nix
     ./wireguard.nix
   ];
+
+  users.groups."matt" = {
+    gid = 1000;
+    members = ["matt"];
+  };
+
+  services.qbittorrent = {
+    enable = true;
+    user = "matt";
+    group = "matt";
+  };
 }

devices/nas/modules/qbittorrent/qbittorrent.nix

@@ -0,0 +1,132 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.qbittorrent;
+  pkg = pkgs.qbittorrent-nox;
+
+  vue = pkgs.stdenv.mkDerivation {
+    name = "vuetorrent";
+    nativeBuildInputs = [pkgs.unzip];
+    buildInputs = [pkgs.unzip];
+    src = pkgs.fetchurl {
+      url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.7.1/vuetorrent.zip";
+      hash = "sha256-/6biiWVgYQF7SpiY3JmcW4NDAvePLwPyD+j12/BqPIE=";
+    };
+    postInstall = ''
+      mkdir $out
+      cp -a ./* $out
+    '';
+  };
+
+  inherit
+    (lib)
+    mkEnableOption
+    mkOption
+    types
+    mkIf
+    ;
+in {
+  options.services.qbittorrent = {
+    enable = mkEnableOption "qbittorrent";
+
+    dataDir = mkOption {
+      type = types.path;
+      default = "/var/lib/qbittorrent";
+      description = ''
+        The directory where qBittorrent will create files.
+      '';
+    };
+
+    configDir = mkOption {
+      type = types.path;
+      default = "${cfg.dataDir}/.config";
+      description = ''
+        The directory where qBittorrent will store its configuration.
+      '';
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "qbittorrent";
+      description = ''
+        User account under which qBittorrent runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "qbittorrent";
+      description = ''
+        Group under which qBittorrent runs.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = ''
+        qBittorrent web UI port.
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Allow qBittorrent's ports to accept connections from the outside network.
+      '';
+    };
+
+    openFilesLimit = mkOption {
+      default = 4096;
+      description = ''
+        Number of files to allow qBittorrent to open.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [pkg];
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [cfg.port];
+      allowedUDPPorts = [cfg.port];
+    };
+
+    systemd.services.qbittorrent = {
+      after = ["network.target"];
+      description = "qBittorrent Daemon";
+      wantedBy = ["multi-user.target"];
+      path = [pkg];
+      script = ''
+        ln -sf ${vue} ${cfg.configDir}/vuetorrent
+        qbittorrent-nox \
+          --profile=${cfg.configDir} \
+          --webui-port=${toString cfg.port}
+      '';
+      serviceConfig = {
+        Restart = "on-success";
+        User = cfg.user;
+        Group = cfg.group;
+        UMask = "0002";
+        LimitNOFILE = cfg.openFilesLimit;
+      };
+    };
+
+    users.users = mkIf (cfg.user == "qbittorrent") {
+      qbittorrent = {
+        group = cfg.group;
+        home = cfg.dataDir;
+        createHome = true;
+        description = "qBittorrent Daemon user";
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "qbittorrent") {
+      qbittorrent = {};
+    };
+  };
+}

devices/nas/modules/qbittorrent/wireguard.nix

@@ -42,6 +42,7 @@ in {
       description = "Forward to ${service} in wireguard namespace";
       requires = ["${service}.service"];
       after = ["${service}.service"];
+      partOf = ["${service}.service"];
       serviceConfig = {
         Restart = "on-failure";
         TimeoutStopSec = 300;
@@ -66,5 +67,8 @@ in {
       };
     };
     "wireguard-wg0".wants = ["netns@wg.service"];
+
+    "qbittorrent" = joinWgNamespace;
+    "qbittorrent-port-route" = mkPortRoute "qbittorrent" "8080";
   };
 }