From 85e102f10a4a03c79ab07000312e3cb4ab486e7e Mon Sep 17 00:00:00 2001
From: Daniel Kempkens <daniel+git@kempkens.io>
Date: Sat, 20 May 2023 13:15:01 +0200
Subject: [PATCH] qbittorrent: init

---
 system/hosts/mediaserver.nix |  3 ++-
 system/nixos/qbittorrent.nix | 32 ++++++++++++++++++++++++++++++++
 system/nixos/sabnzbd.nix     |  4 ++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 system/nixos/qbittorrent.nix

diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index 7b64507..83cc8f1 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -25,9 +25,10 @@ in
     ../nixos/mediaserver-setup.nix
     (import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
     ../nixos/prowlarr.nix
-    ../nixos/sabnzbd.nix
     ../nixos/sonarr.nix
     ../nixos/radarr.nix
+    ../nixos/sabnzbd.nix
+    ../nixos/qbittorrent.nix
     ../nixos/jellyfin.nix
     ../nixos/aria2.nix
 
diff --git a/system/nixos/qbittorrent.nix b/system/nixos/qbittorrent.nix
new file mode 100644
index 0000000..5b61b27
--- /dev/null
+++ b/system/nixos/qbittorrent.nix
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+
+{
+  systemd.tmpfiles.rules = [
+    "d /var/lib/qbittorrent 0750 media_user media_group"
+  ];
+
+  systemd.services.qbittorrent =
+    let
+      mounts = [ "mnt-downloads.mount" ];
+    in
+    {
+      description = "qbittorrent instance";
+      requires = mounts;
+      bindsTo = [ "wg.service" ];
+      after = [ "wg.service" ] ++ mounts;
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "exec";
+        User = "media_user";
+        Group = "media_group";
+        NetworkNamespacePath = "/var/run/netns/wg";
+        BindReadOnlyPaths = [
+          "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+          "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+        ];
+        ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent";
+        AmbientCapabilities = [ "CAP_NET_RAW" ];
+      };
+    };
+}
diff --git a/system/nixos/sabnzbd.nix b/system/nixos/sabnzbd.nix
index 223e00f..31110ad 100644
--- a/system/nixos/sabnzbd.nix
+++ b/system/nixos/sabnzbd.nix
@@ -1,6 +1,10 @@
 { pkgs, ... }:
 
 {
+  systemd.tmpfiles.rules = [
+    "d /var/lib/sabnzbd 0700 media_user media_group"
+  ];
+
   # The nix-provided options force a sabnzbd-user to a certain degree
   systemd.services.sabnzbd =
     let