From 3849dd705ec0e81e3122412c751738ca0c491cfe Mon Sep 17 00:00:00 2001 From: nuko Date: Sun, 26 May 2024 17:17:55 +1200 Subject: [PATCH 1/3] nixos/qbittorrent: init service module nixos/qbittorrent: add default serverConfig & fix test Migrate to runTest Replace lib.optional with lib.optionals nixos/qbittorrent: update release notes to 2511 (cherry picked from commit 84d174e312870ccefb9ba0dd11532bb2a58773db) --- .../manual/release-notes/rl-2511.section.md | 2 + nixos/modules/module-list.nix | 1 + .../modules/services/torrent/qbittorrent.nix | 238 ++++++++++++++++++ nixos/tests/all-tests.nix | 1 + nixos/tests/qbittorrent.nix | 190 ++++++++++++++ pkgs/by-name/qb/qbittorrent/package.nix | 6 +- 6 files changed, 437 insertions(+), 1 deletion(-) create mode 100644 nixos/modules/services/torrent/qbittorrent.nix create mode 100644 nixos/tests/qbittorrent.nix diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md index d165ee28f195f..9f300ffdade3f 100644 --- a/nixos/doc/manual/release-notes/rl-2511.section.md +++ b/nixos/doc/manual/release-notes/rl-2511.section.md @@ -16,6 +16,8 @@ - [go-httpbin](https://github.com/mccutchen/go-httpbin), a reasonably complete and well-tested golang port of httpbin, with zero dependencies outside the go stdlib. Available as [services.go-httpbin](#opt-services.go-httpbin.enable). +- [qBittorrent](https://www.qbittorrent.org/), is a bittorrent client programmed in C++ / Qt that uses libtorrent by Arvid Norberg. Available as [services.qbittorrent](#opt-services.qbittorrent.enable). + ## Backward Incompatibilities {#sec-release-25.11-incompatibilities} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2ee30328579c4..5466f36d476dc 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1486,6 +1486,7 @@ ./services/torrent/magnetico.nix ./services/torrent/opentracker.nix ./services/torrent/peerflix.nix + ./services/torrent/qbittorrent.nix ./services/torrent/rtorrent.nix ./services/torrent/torrentstream.nix ./services/torrent/transmission.nix diff --git a/nixos/modules/services/torrent/qbittorrent.nix b/nixos/modules/services/torrent/qbittorrent.nix new file mode 100644 index 0000000000000..f62750a023610 --- /dev/null +++ b/nixos/modules/services/torrent/qbittorrent.nix @@ -0,0 +1,238 @@ +{ + config, + pkgs, + lib, + utils, + ... +}: +let + cfg = config.services.qbittorrent; + inherit (builtins) concatStringsSep isAttrs isString; + inherit (lib) + literalExpression + getExe + mkEnableOption + mkOption + mkPackageOption + mkIf + maintainers + escape + collect + mapAttrsRecursive + optionals + ; + inherit (lib.types) + str + port + path + nullOr + listOf + attrsOf + anything + submodule + ; + inherit (lib.generators) toINI mkKeyValueDefault mkValueStringDefault; + gendeepINI = toINI { + mkKeyValue = + let + sep = "="; + in + k: v: + if isAttrs v then + concatStringsSep "\n" ( + collect isString ( + mapAttrsRecursive ( + path: value: + "${escape [ sep ] (concatStringsSep "\\" ([ k ] ++ path))}${sep}${mkValueStringDefault { } value}" + ) v + ) + ) + else + mkKeyValueDefault { } sep k v; + }; + configFile = pkgs.writeText "qBittorrent.conf" (gendeepINI cfg.serverConfig); +in +{ + options.services.qbittorrent = { + enable = mkEnableOption "qbittorrent, BitTorrent client"; + + package = mkPackageOption pkgs "qbittorrent-nox" { }; + + user = mkOption { + type = str; + default = "qbittorrent"; + description = "User account under which qbittorrent runs."; + }; + + group = mkOption { + type = str; + default = "qbittorrent"; + description = "Group under which qbittorrent runs."; + }; + + profileDir = mkOption { + type = path; + default = "/var/lib/qBittorrent/"; + description = "the path passed to qbittorrent via --profile."; + }; + + openFirewall = mkEnableOption "opening both the webuiPort and torrentPort over TCP in the firewall"; + + webuiPort = mkOption { + default = 8080; + type = nullOr port; + description = "the port passed to qbittorrent via `--webui-port`"; + }; + + torrentingPort = mkOption { + default = null; + type = nullOr port; + description = "the port passed to qbittorrent via `--torrenting-port`"; + }; + + serverConfig = mkOption { + default = { }; + type = submodule { + freeformType = attrsOf (attrsOf anything); + }; + description = '' + Free-form settings mapped to the `qBittorrent.conf` file in the profile. + Refer to [Explanation-of-Options-in-qBittorrent](https://github.com/qbittorrent/qBittorrent/wiki/Explanation-of-Options-in-qBittorrent). + The Password_PBKDF2 format is oddly unique, you will likely want to use [this tool](https://codeberg.org/feathecutie/qbittorrent_password) to generate the format. + Alternatively you can run qBittorrent independently first and use its webUI to generate the format. + + Optionally an alternative webUI can be easily set. VueTorrent for example: + ```nix + { + Preferences = { + WebUI = { + AlternativeUIEnabled = true; + RootFolder = "''${pkgs.vuetorrent}/share/vuetorrent"; + }; + }; + } + ]; + ``` + ''; + example = literalExpression '' + { + LegalNotice.Accepted = true; + Preferences = { + WebUI = { + Username = "user"; + Password_PBKDF2 = "generated ByteArray."; + }; + General.Locale = "en"; + }; + } + ''; + }; + + extraArgs = mkOption { + type = listOf str; + default = [ ]; + description = '' + Extra arguments passed to qbittorrent. See `qbittorrent -h`, or the [source code](https://github.com/qbittorrent/qBittorrent/blob/master/src/app/cmdoptions.cpp), for the available arguments. + ''; + example = [ + "--confirm-legal-notice" + ]; + }; + }; + config = mkIf cfg.enable { + systemd = { + tmpfiles.settings = { + qbittorrent = { + "${cfg.profileDir}/qBittorrent/"."d" = { + mode = "755"; + inherit (cfg) user group; + }; + "${cfg.profileDir}/qBittorrent/config/"."d" = { + mode = "755"; + inherit (cfg) user group; + }; + "${cfg.profileDir}/qBittorrent/config/qBittorrent.conf"."L+" = mkIf (cfg.serverConfig != { }) { + mode = "1400"; + inherit (cfg) user group; + argument = "${configFile}"; + }; + }; + }; + services.qbittorrent = { + description = "qbittorrent BitTorrent client"; + wants = [ "network-online.target" ]; + after = [ + "local-fs.target" + "network-online.target" + "nss-lookup.target" + ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = optionals (cfg.serverConfig != { }) [ configFile ]; + + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + ExecStart = utils.escapeSystemdExecArgs ( + [ + (getExe cfg.package) + "--profile=${cfg.profileDir}" + ] + ++ optionals (cfg.webuiPort != null) [ "--webui-port=${toString cfg.webuiPort}" ] + ++ optionals (cfg.torrentingPort != null) [ "--torrenting-port=${toString cfg.torrentingPort}" ] + ++ cfg.extraArgs + ); + TimeoutStopSec = 1800; + + # https://github.com/qbittorrent/qBittorrent/pull/6806#discussion_r121478661 + PrivateTmp = false; + + PrivateNetwork = false; + RemoveIPC = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = "yes"; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "full"; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + CapabilityBoundingSet = ""; + SystemCallFilter = [ "@system-service" ]; + }; + }; + }; + + users = { + users = mkIf (cfg.user == "qbittorrent") { + qbittorrent = { + inherit (cfg) group; + isSystemUser = true; + }; + }; + groups = mkIf (cfg.group == "qbittorrent") { qbittorrent = { }; }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall ( + optionals (cfg.webuiPort != null) [ cfg.webuiPort ] + ++ optionals (cfg.torrentingPort != null) [ cfg.torrentingPort ] + ); + }; + meta.maintainers = with maintainers; [ fsnkty ]; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 5b1e2ed9f81ca..905a9afc85bae 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -1146,6 +1146,7 @@ in public-inbox = handleTest ./public-inbox.nix { }; pufferpanel = handleTest ./pufferpanel.nix { }; pulseaudio = discoverTests (import ./pulseaudio.nix); + qbittorrent = runTest ./qbittorrent.nix; qboot = handleTestOn [ "x86_64-linux" "i686-linux" ] ./qboot.nix { }; qemu-vm-restrictnetwork = handleTest ./qemu-vm-restrictnetwork.nix { }; qemu-vm-volatile-root = runTest ./qemu-vm-volatile-root.nix; diff --git a/nixos/tests/qbittorrent.nix b/nixos/tests/qbittorrent.nix new file mode 100644 index 0000000000000..e7bafbef06312 --- /dev/null +++ b/nixos/tests/qbittorrent.nix @@ -0,0 +1,190 @@ +{ pkgs, lib, ... }: +{ + name = "qbittorrent"; + + meta = with pkgs.lib.maintainers; { + maintainers = [ fsnkty ]; + }; + + nodes = { + simple = { + services.qbittorrent.enable = true; + + specialisation.portChange.configuration = { + services.qbittorrent = { + enable = true; + webuiPort = 5555; + torrentingPort = 44444; + }; + }; + + specialisation.openPorts.configuration = { + services.qbittorrent = { + enable = true; + openFirewall = true; + webuiPort = 8080; + torrentingPort = 55555; + }; + }; + + specialisation.serverConfig.configuration = { + services.qbittorrent = { + enable = true; + webuiPort = null; + serverConfig.Preferences.WebUI.Port = "8181"; + }; + }; + }; + # Seperate vm because it's not possible to reboot into a specialisation with + # switch-to-configuration: https://github.com/NixOS/nixpkgs/issues/82851 + # For one of the test we check if manual changes are overridden during + # reboot, therefore it's necessary to reboot into a declarative setup. + declarative = { + services.qbittorrent = { + enable = true; + webuiPort = null; + serverConfig = { + Preferences = { + WebUI = { + Username = "user"; + # Default password: adminadmin + Password_PBKDF2 = "@ByteArray(6DIf26VOpTCYbgNiO6DAFQ==:e6241eaAWGzRotQZvVA5/up9fj5wwSAThLgXI2lVMsYTu1StUgX9MgmElU3Sa/M8fs+zqwZv9URiUOObjqJGNw==)"; + Port = lib.mkDefault "8181"; + }; + }; + }; + }; + + specialisation.serverConfigChange.configuration = { + services.qbittorrent = { + enable = true; + webuiPort = null; + serverConfig.Preferences.WebUI.Port = "7171"; + }; + }; + }; + }; + + testScript = + { nodes, ... }: + let + simpleSpecPath = "${nodes.simple.system.build.toplevel}/specialisation"; + declarativeSpecPath = "${nodes.declarative.system.build.toplevel}/specialisation"; + portChange = "${simpleSpecPath}/portChange"; + openPorts = "${simpleSpecPath}/openPorts"; + serverConfig = "${simpleSpecPath}/serverConfig"; + serverConfigChange = "${declarativeSpecPath}/serverConfigChange"; + in + '' + simple.start(allow_reboot=True) + declarative.start(allow_reboot=True) + + + def test_webui(machine, port): + machine.wait_for_unit("qbittorrent.service") + machine.wait_for_open_port(port) + machine.wait_until_succeeds(f"curl --fail http://localhost:{port}") + + + # To simulate an interactive change in the settings + def setPreferences_api(machine, port, post_creds, post_data): + qb_url = f"http://localhost:{port}" + api_url = f"{qb_url}/api/v2" + cookie_path = "/tmp/qbittorrent.cookie" + + machine.succeed( + f'curl --header "Referer: {qb_url}" \ + --data "{post_creds}" {api_url}/auth/login \ + -c {cookie_path}' + ) + machine.succeed( + f'curl --header "Referer: {qb_url}" \ + --data "{post_data}" {api_url}/app/setPreferences \ + -b {cookie_path}' + ) + + + # A randomly generated password is printed in the service log when no + # password it set + def get_temp_pass(machine): + _, password = machine.execute( + "journalctl -u qbittorrent.service |\ + grep 'The WebUI administrator password was not set.' |\ + awk '{ print $NF }' | tr -d '\n'" + ) + return password + + + # Non declarative tests + + with subtest("webui works with all default settings"): + test_webui(simple, 8080) + + with subtest("check if manual changes in settings are saved correctly"): + temp_pass = get_temp_pass(simple) + + ## Change some settings + api_post = [r"json={\"listen_port\": 33333}", r"json={\"web_ui_port\": 9090}"] + for x in api_post: + setPreferences_api( + machine=simple, + port=8080, + post_creds=f"username=admin&password={temp_pass}", + post_data=x, + ) + + simple.wait_for_open_port(33333) + test_webui(simple, 9090) + + ## Test which settings are reset + ## As webuiPort is passed as an cli it should reset after reboot + ## As torrentingPort is not passed as an cli it should not reset after + ## reboot + simple.reboot() + test_webui(simple, 8080) + simple.wait_for_open_port(33333) + + with subtest("ports are changed on config change"): + simple.succeed("${portChange}/bin/switch-to-configuration test") + test_webui(simple, 5555) + simple.wait_for_open_port(44444) + + with subtest("firewall is opened correctly"): + simple.succeed("${openPorts}/bin/switch-to-configuration test") + test_webui(simple, 8080) + declarative.wait_until_succeeds("curl --fail http://simple:8080") + declarative.wait_for_open_port(55555, "simple") + + with subtest("switching from simple to declarative works"): + simple.succeed("${serverConfig}/bin/switch-to-configuration test") + test_webui(simple, 8181) + + + # Declarative tests + + with subtest("serverConfig is applied correctly"): + test_webui(declarative, 8181) + + with subtest("manual changes are overridden during reboot"): + ## Change some settings + setPreferences_api( + machine=declarative, + port=8181, # as set through serverConfig + post_creds="username=user&password=adminadmin", + post_data=r"json={\"web_ui_port\": 9191}", + ) + + test_webui(declarative, 9191) + + ## Test which settings are reset + ## The generated qBittorrent.conf is, apparently, reapplied after reboot. + ## Because the port is set in `serverConfig` this overrides the manually + ## set port. + declarative.reboot() + test_webui(declarative, 8181) + + with subtest("changes in serverConfig are applied correctly"): + declarative.succeed("${serverConfigChange}/bin/switch-to-configuration test") + test_webui(declarative, 7171) + ''; +} diff --git a/pkgs/by-name/qb/qbittorrent/package.nix b/pkgs/by-name/qb/qbittorrent/package.nix index d5592aea1dd3b..98ff4d7bbf937 100644 --- a/pkgs/by-name/qb/qbittorrent/package.nix +++ b/pkgs/by-name/qb/qbittorrent/package.nix @@ -16,6 +16,7 @@ webuiSupport ? true, wrapGAppsHook3, zlib, + nixosTests, }: stdenv.mkDerivation (finalAttrs: { @@ -74,7 +75,10 @@ stdenv.mkDerivation (finalAttrs: { qtWrapperArgs+=("''${gappsWrapperArgs[@]}") ''; - passthru.updateScript = nix-update-script { extraArgs = [ "--version-regex=release-(.*)" ]; }; + passthru = { + updateScript = nix-update-script { extraArgs = [ "--version-regex=release-(.*)" ]; }; + tests.testService = nixosTests.qbittorrent; + }; meta = { description = "Featureful free software BitTorrent client"; From ff6b4e99e50ce9a9ea936e370027c902691dfd5f Mon Sep 17 00:00:00 2001 From: bas Date: Tue, 22 Jul 2025 17:28:24 +0200 Subject: [PATCH 2/3] maintainers: add undefined-landmark (cherry picked from commit 6caef45a8fdfcdb6ab8d735dc44e4bf3a2f31877) --- maintainers/maintainer-list.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index fbe03d7f865cf..2b2ebc50894fc 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -25562,6 +25562,12 @@ githubId = 799353; keys = [ { fingerprint = "EE59 5E29 BB5B F2B3 5ED2 3F1C D276 FF74 6700 7335"; } ]; }; + undefined-landmark = { + name = "bas"; + email = "github.plated100@passmail.net"; + github = "undefined-landmark"; + githubId = 74454337; + }; undefined-moe = { name = "undefined"; email = "i@undefined.moe"; From 13df1220cc694b8f10e104f065967ac896b1f614 Mon Sep 17 00:00:00 2001 From: bas Date: Tue, 22 Jul 2025 17:37:56 +0200 Subject: [PATCH 3/3] nixos/qbittorrent: add maintainer undefined-landmark As discussed in PR #287923. The author agreed to add me as a maintainer to the module after merging. (cherry picked from commit 380cd5924bbdbd310bcf5ce26ba35cd83e766ab6) --- nixos/modules/services/torrent/qbittorrent.nix | 5 ++++- nixos/tests/qbittorrent.nix | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/torrent/qbittorrent.nix b/nixos/modules/services/torrent/qbittorrent.nix index f62750a023610..44c710c6da6ba 100644 --- a/nixos/modules/services/torrent/qbittorrent.nix +++ b/nixos/modules/services/torrent/qbittorrent.nix @@ -234,5 +234,8 @@ in ++ optionals (cfg.torrentingPort != null) [ cfg.torrentingPort ] ); }; - meta.maintainers = with maintainers; [ fsnkty ]; + meta.maintainers = with maintainers; [ + fsnkty + undefined-landmark + ]; } diff --git a/nixos/tests/qbittorrent.nix b/nixos/tests/qbittorrent.nix index e7bafbef06312..8b322af746dac 100644 --- a/nixos/tests/qbittorrent.nix +++ b/nixos/tests/qbittorrent.nix @@ -3,7 +3,10 @@ name = "qbittorrent"; meta = with pkgs.lib.maintainers; { - maintainers = [ fsnkty ]; + maintainers = [ + fsnkty + undefined-landmark + ]; }; nodes = {