nixos/qbittorrent: init #287923
@nu-nu-ko If you are allowed, I'd like to be a contributor, thank you!
Do you mean during tests?
I've seen this in https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/torrent/deluge.nix When you use
But it doesn't happen the other way, if
Is it weird if there were two separate sets of options?
Also, related and unrelated. I was seeing that the web UI and other services were being unresponsive after a couple of hours. I thought that the IO of qbittorrent was bringing the system down, but after 2 days of trying everything, it was my network device's firmware. 😅 I'll try to retest it this week.
Afaik, it is possible to pass in the webui and torrenting port via command line arguments, and I assume these arguments take precedence over other configuration options. This should let us implement openFirewall without forcing users to use the declarative config.
a better way to set CapabilityBoundingSet and SystemCallFilter to restrict all.
CapabilityBoundingSet is an allowlist, the strictest setting is just the empty string. Although, given that we 1) don't run qbittorrent as root, 2) set NoNewPrivileges, 3) don't set AmbientCapabilities, omitting it entirely is probably fine.
I personally think @system-service is a good enough default for SystemCallFilter.
I don't understand why it sets PrivateTmp to false
This comment in the upstream PR mentions adding torrents through the command line. Not sure if this is actually true.
ProtectSystem needs to be disabled if we aren't using declarativeConfig
I don't think ProtectSystem should be enabled here. It will break users with per-category/torrent save paths, no matter what.
imo, we don't need to lock down every option by default. Users that want to further harden their system can easily add these options in their own nixos configuration.
I don't see why we wouldn't set it regardless personally, leaving it empty seems to do nothing according to systemd-analyze security qbittorrent on my system.
👍
I agree to some extent, I'd much rather every service does at least up to "breaks as little as possible"
I completely agree, we can enable everything that probably won't break users.
There are still a couple options left that I feel like are a tad bit too opinionated, namely
- non-default torrenting port
- umask 0066
Ah, did not realize the empty list wasn't doing anything.
The bittorrent port is chosen randomly by default, and it is quite unexpected for nixos to fix an arbitrary port number by default. Similar with the web port, I don't see a reason for the NixOS module to deviate from the upstream default. With this module, it would be trivial for users to change it as needed, anyway.
I think this would break users trying to access downloaded files without needing to run as the qbittorrent user, likely a common use case. Plus, if we're going for paranoid settings, why is it not 0077?
Thanks man, if you have time, could you approve or give suggestions on my PR? It feels like this PR may have bitten off more than it can chew. But I understand these things are very complex and everyone has to agree on what is done. We can open a PR in the future trying to implement settings.
ERRATA: this option already uses
But this PR is incomplete, very complex with settings, and the author is not able to work on it.
@poperigby if I'm not mistaken it's the qbittorrent package that has that warning, and it's not caused by the option itself and a discussion here wouldn't be relevant.
this PR does try to change meta.mainProgram for qbit to work here, I'm assuming it's a small issue but can't look into it
After a second look you're completely right, I was checking the files on my phone and completely missed the changes to the package
still unsure on exactly when I'll be able to get back to working on this but at worst sometime in 2-3 months 💀
Unable to replicate, please link to the code that encountered this.
isn't not giving the option a default
testing this again on the unstable branch of nixpkgs I'm more confident this is functional and just missing some quality / reassurance things
This is my configuration which gives that warning: https://gist.github.com/poperigby/8e669dd14165320a81d714b673e84eae
I don't think so, because not specifying
Yeah you need to use the package from this PR. e.g. setting
Even when we allow null with
optional torrentingPort firewall
feathecutie's improved genDeepINI
update desc for Password_PBKDF2 & misc
openFirewall mkEnableOption
remove `.` from mkEnableOption desc
update maintainer name & reword openFirewall desc
No longer thousands of commits behind 👍
ok that commit is named poorly, should be "default null torrentingPort" but whatever it'll get squashed xP
edit: misread comment timeline but these questions are still nice to know: anyone aware of qbit writing global section config values?
silly copy n paste mistake return stickybit
alright for now I have no clue why qbit is seemingly able to enable write permissions on that file.
it's hacky but for now that's whatever.
to help with coverage
@@ -93,5 +93,7 @@ stdenv.mkDerivation rec { | |||
license = licenses.gpl2Plus; | |||
platforms = platforms.unix; | |||
maintainers = with maintainers; [ Anton-Latukha kashw2 ]; | |||
mainProgram = "qbittorrent" |
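Review bot: the added `mainProgram = "qbittorrent"` line at the end of the hunk has no trailing semicolon, unlike the neighbouring attributes (`platforms = platforms.unix;`), so the attribute set will not evaluate as shown; add the `;`. The hunk header (`-93,5 +93,7`) says two lines were added but only one is visible here, so the second added line should be checked as well.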
change no longer needed on master when rebased :)
In regards to the
that would be an approach if I was more sure of it. I haven't looked into doing either just yet as I wasn't sure they'd be whole solutions. well that and I've been very low availability to do much of anything 😅
Description of changes
create a module to use qbittorrent as a service.
closes #322456 and sort of? effectively, closes #296190

user notes
- new serverConfig: to ensure qbit accepts a new serverConfig before rebuilding the system you should /var/lib/qBittorrent/qBittorrent/config/qBittorrent.conf
  serverConfig isn't changed since the last build, or maybe a reboot etc.
- in ui settings changes: the config file does become editable once qbittorrent starts so changing settings within the UI does work, however they will need to be overwritten (removed) if you wish to "reapply" the exact config from setting serverConfig
- password formatting: the password format that qbittorrent expects can be generated using this tool (thanks Fea)
- alternative UIs: custom webuis managed with nix are possible, example of VueTorrent use with fetchzip
- use before merge example: assumes you have this (https://github.com/fsnkty/nixpkgs/tree/init-nixos-qbittorrent) branch as an input named qbit

blocking issues
- serverConfig: gendeepINI gets a fitting type to use for this option.
- qBittorrent.conf: /var/lib/qBittorrent/qBittorrent/config/qBittorrent.conf comes from / why it's possible
- openFirewall

nice to haves
- CapabilityBoundingSet to restrict all.
- PrivateTmp being disabled upstream. (Work on Systemd service unit qbittorrent/qBittorrent#6806 (comment))

pr notes
for service hardening I don't believe any of the following can be used simply because of the service's purpose.
- IPAddressDeny
- PrivateNetwork or restriction of AF_NETLINK, AF_INET or AF_INET6 address families.
- ProtectSystem can't be used without entirely declarative config

in my previous attempt at this here I was advised to simply make use of the service from the package, I'm unsure how to do this.
I started with an aim to follow https://github.com/qbittorrent/qBittorrent/blob/master/dist/unix/systemd/qbittorrent-nox%40.service.in I don't understand why it sets PrivateTmp to false however and have otherwise changed it significantly with service hardening and nix(os) specifics.
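The hardening profile that the review comments and the "pr notes" above converge on, written out as an added example (not code from this PR or from nixpkgs) of what a user could put in their own NixOS configuration. It assumes the module's unit is named `qbittorrent` and uses a placeholder save path.

```nix
# Added example, not the PR's module code. Hardening overrides for the
# qbittorrent unit, following the thread: enable what will not break users,
# leave out what breaks save paths or networking. Assumes the unit is named
# "qbittorrent" (from services.qbittorrent in the PR's branch).
{ ... }:
{
  systemd.services.qbittorrent.serviceConfig = {
    # The service already runs unprivileged. With NoNewPrivileges set and no
    # AmbientCapabilities, CapabilityBoundingSet can be omitted entirely.
    # Caveat from the thread: in Nix, `CapabilityBoundingSet = [ ];` renders
    # no line at all (systemd-analyze security shows no change); to actually
    # clear the bounding set you would have to write `CapabilityBoundingSet = "";`.
    NoNewPrivileges = true;

    # @system-service as the syscall allowlist default; stricter sets risk
    # breaking libtorrent I/O. Lists render as repeated lines that systemd merges.
    SystemCallFilter = [ "@system-service" "~@privileged" ];
    SystemCallArchitectures = "native";

    # Torrenting needs IPv4/IPv6 sockets and netlink for interface discovery,
    # so PrivateNetwork and IPAddressDeny are unusable; keep the address
    # family allowlist explicit instead.
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];

    # ProtectSystem and ProtectHome are deliberately NOT set: per-category or
    # per-torrent save paths outside the state directory would break. If you
    # do enable them, every save path must be listed here. Placeholder path.
    ReadWritePaths = [ "/srv/torrents" ];

    # The upstream unit disables PrivateTmp; nothing in the thread found a
    # reason for that, so it is enabled here. Revert if adding torrents via
    # the command line (the upstream comment's stated reason) stops working.
    PrivateTmp = true;

    # Options that do not touch the filesystem or network paths the daemon
    # needs, so they should be safe for all users.
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    ProtectHostname = true;
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    LockPersonality = true;
    # Defaults left alone: torrenting port (random upstream) and umask.
  };
}
```

Check the result with `systemd-analyze security qbittorrent` after a rebuild; the exposure score should drop while the web UI and downloads keep working.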