Merge pull request 'qbit is host networked' (#171) from feature/qbit into main

Reviewed-on: #171

systems/palatine-hill/docker/torr.nix

@@ -1,130 +1,108 @@
 { config, pkgs, ... }:
 
 let
-  delugeBase = {
+  qbitBase = {
+    image = "ghcr.io/linuxserver/qbittorrent:latest";
     pull = "always";
     environment = {
       PUID = "600";
       PGID = "100";
       TZ = "America/New_York";
-      UMASK = "000";
-      DEBUG = "true";
-      DELUGE_DAEMON_LOG_LEVEL = "debug";
-      DELUGE_WEB_LOG_LEVEL = "debug";
     };
   };
 
   vars = import ../vars.nix;
   #docker_path = vars.primary_docker;
   torr_path = vars.primary_torr;
-  deluge_path = "${torr_path}/deluge";
-  delugevpn_path = "${torr_path}/delugevpn";
-
-  #genSopsConfWg = file: {
-  #  "${file}" = {
-  #    format = "binary";
-  #    sopsFile = ./wg/${file};
-  #    path = "${delugevpn_path}/config/wireguard/configs/${file}";
-  #    owner = "docker-service";
-  #    group = "users";
-  #    restartUnits = [ "docker-delugeVPN.service" ];
-  #  };
-  #};
-
-  genSopsConfOvpn = file: {
-    "${file}" = {
-      format = "binary";
-      sopsFile = ./openvpn/${file};
-      path = "${delugevpn_path}/config/openvpn/configs/${file}";
-      owner = "docker-service";
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
-    };
-
-  };
+  qbit_path = "${torr_path}/qbit";
+  qbitvpn_path = "${torr_path}/qbitvpn";
+  qbitperm_path = "${torr_path}/qbitperm";
 in
 {
 
   virtualisation.oci-containers.containers = {
-    deluge = delugeBase // {
-      image = "binhex/arch-deluge";
+    qbit = qbitBase // {
+      # webui port is 8082, torr port is 29432
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8082";
+        TORRENTING_PORT = "29432";
+      };
       volumes = [
-        "${deluge_path}/config:/config"
-        "${deluge_path}/data/:/data"
+        "${qbit_path}/config:/config" # move from docker/qbit to qbit_path
+        "${torr_path}/data/:/data"
         "/etc/localtime:/etc/localtime:ro"
       ];
+      networks = [ "host" ];
       ports = [
-        "8084:8112"
-        "29433:29433"
+        "8082:8082"
+        "29432:29432"
+        "29432:29432/udp"
+      ];
+      extraOptions = [
+        "--dns=9.9.9.9"
       ];
     };
-    delugeVPN = delugeBase // {
-      image = "binhex/arch-delugevpn:latest";
+    qbitVPN = qbitBase // {
+      # webui port is 8081, torr port is 39274
+      networks = [
+        "container:gluetun-qbit"
+      ];
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8081";
+      };
+      dependsOn = [ "gluetun-qbit" ];
+      volumes = [
+        "${qbitvpn_path}/config:/config"
+        "${torr_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+    };
+    qbitPerm = qbitBase // {
+      # webui port is 8083, torr port is 29434
+      networks = [
+        "container:gluetun-qbit"
+      ];
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8083";
+      };
+      dependsOn = [ "gluetun-qbit" ];
+      volumes = [
+        "${qbitperm_path}/config:/config"
+        "${torr_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+    };
+    gluetun-qbit = {
+      image = "qmcgaw/gluetun:v3";
       capabilities = {
         NET_ADMIN = true;
       };
-      autoRemoveOnStop = false;
-      environment = delugeBase.environment // {
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
-        VPN_PROV = "protonvpn";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.0.0/16";
-        ENABLE_STARTUP_SCRIPTS = "yes";
-        #NAME_SERVERS = "194.242.2.9";
-        #NAME_SERVERS = "9.9.9.9";
-        # note, delete /config/perms.txt to force a bulk permissions update
-      };
-      environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];
-      volumes = [
-        "${delugevpn_path}/config:/config"
-        "${deluge_path}/data:/data" # use common torrent path yuck
-        "/etc/localtime:/etc/localtime:ro"
+      devices = [
+        "/dev/net/tun:/dev/net/tun"
       ];
       ports = [
-        "8085:8112"
-        "8119:8118"
-        "39275:39275"
-        "39275:39275/udp"
-        "48346:48346"
-        "48346:48346/udp"
+        # qbitvpn
+        "8081:8081"
+        "39274:39274"
 
+        # qbitperm
+        "8083:8083"
+        "29433:24933"
+      ];
+      environment = {
+        TZ = "America/New_York";
+        # SOPS prep
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/gluetun".path
       ];
     };
   };
 
-  systemd.services.docker-delugeVPN = {
-    serviceConfig = {
-      ExecStartPre = [
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/openvpn/configs "
-          + "-type l -not -name network.ovpn "
-          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/openvpn/network.ovpn &&"
-          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/openvpn/network.ovpn &&"
-          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/openvpn/network.ovpn\""
-        )
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/scripts/links "
-          + "-type l "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/scripts/ \""
-        )
-      ];
-      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/scripts/*sh" ];
-    };
-  };
-
-  sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // {
-    "docker/delugevpn" = {
+  sops.secrets = {
+    "docker/gluetun" = {
       owner = "docker-service";
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
-    };
-    "docker/protonvpn-start-script" = {
-      path = "${delugevpn_path}/config/scripts/links/protonvpn-start-script.sh";
-      owner = "docker-service";
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
+      restartUnits = [ "docker-gluetun-qbit.service" ];
     };
   };
 }

systems/palatine-hill/firewall.nix

@@ -45,6 +45,14 @@
       8686
       8787
       5055
+
+      # torr
+      29432
+    ];
+
+    allowedUDPPorts = [
+      # torr
+      29432
     ];
 
   };

systems/palatine-hill/secrets.yaml

@@ -32,6 +32,7 @@ docker:
     sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
     lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
     jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
+    gluetun: ENC[AES256_GCM,data:LSIHzw4HXoegkPwpEzLGFZfrAJG37Qcb+1aPVkbqElMyezxgEXUMzA3IOjkI/2aREmfjnm2gQxuidtvL+50jT7bBP6I/8+BTifVfdgk1nqtLasyGRcjDi2BGvITFGoXoHMY+3cNp1bhrDp0VjOtkwR4S2EsTajvUjvuj+TKcPkBlBIjNhO0UXbBZhfh0cERCEa5BxKz/wOKgyu8Gqgts+QPFhVpV/xT8LzI1Wx3+fG6UxUFqeY3XKsPf8Ku9Ghw+D9ZEbMOxbXsRg0ljtwHJ+o8SJ1mQCSkkbCHKskFwM7mH3xqBQT7HlnI3xKHpimCTB1FUQLxJoJ9eUWEfJKnFv363OgnUdB682vofFe1H/hzKP9/EbdGxe1JYqf+9VlYcoYXnFxJhBwvd3zjRJpDZRoiIndSTopi46A+nsw18jRtj6VQaNvbqe76bZWN7+cCzfNHy57qZSF0bUKqLj1HoBSDbPrxFAkuOdelHmMBx6Aer8MEepR1YDOS1rW9Uw60vYgyQDGdHz1pU4JUkD4Ny5gc2nOnAoHjzqCHX0rLqCiF/qOEfDI3cb0g48ccH5n8TyjO4mtoj0Q==,iv:0IQfKX0KcdCloo8KEyQOpoZ4NdwX6am46b0QPHOXguA=,tag:9hCV1TDycq0XUcc2Xd1//Q==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -50,8 +51,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-25T17:45:31Z"
-    mac: ENC[AES256_GCM,data:lVRqQWnO1RvmoW13/xCpP2SvibccRWwmr1Gyj6EgrE+V+Iu1bfnZRkTkHiFIQqQLQgCy2qBiSHeZF/dNERe83eEwpXgRQAduarpE/qL8K1mxcwf5HMMYACjlNfsL/I1/TCJrJ7DZBxI4neRLetc5OpScVXqHj1neOodD/g8n+ls=,iv:+gZpo0I2NVYz24o42mUW/OkfONqNSjgaJeKeFdKx7dg=,tag:EJnpiotQuBKth21mdhvjZQ==,type:str]
+    lastmodified: "2026-01-08T04:11:30Z"
+    mac: ENC[AES256_GCM,data:dSrAVkL44NOXqgFog7XjD+zSane7YeqKM/SnAPaDNEYJVUcS3V1RYdL8Br1Vjrgac9ZVMU2W04jXCuZPg13uFsyYgczC0l1s39FodKnRc7Xt8eoHSejsETBeaaC8aLH7xVhWGk+fR4w7o4Vw+gtOzKPyvobuevBZfg7ugfObn10=,iv:vfHm3jjKXdi8V+2x8br5DqVgDgchJ9yewgP0vfeOP9M=,tag:z4bkPbK6weHaPyYbGJxaOw==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-