nixos/qbittorrent: init

[fsnkty]

Description of changes

create a module to use qbittorrent as a service.

blocking issues

• sufficient test(s,ing)
• serverConfig
  • gendeepINI gets a fitting type to use for this option.
  • qBittorrent.conf
    • more feedback / info on what does/does not cause qbit to "take in" new config.
    • understanding where the write permission on /var/lib/qBittorrent/qBittorrent/config/qBittorrent.conf comes from / why its possible
• openFirewall

nice to haves

• a better way to set CapabilityBoundingSet to restrict all.
• an explanation for PrivateTmp being disabled upstream. ( Work on Systemd service unit qbittorrent/qBittorrent#6806 (comment) )
• some way to generate the bizare password format used independently. (Thank you Fea)
  • format conversion within the module (/on activation/ whatever else)

notes

for service hardening I don't believe any of the following can be used simply because of the services purpose.
IPAddressDeny PrivateNetwork or restriction of AF_NETLINK AF_INET or AF_INET6 address families.
ProtectSystem cant be used without entirely declarative config

in my previous attempt at this here i was advised to simply make use of the service from the package, I'm unsure how to do this.
I started with an aim to follow https://github.com/qbittorrent/qBittorrent/blob/master/dist/unix/systemd/qbittorrent-nox%40.service.in I don't understand why it sets PrivateTmp to false however and have otherwise changed it significantly with service hardening and nix(os) specifics.

testing so far has been taken from #279716
Likely to replace once I figure the testing framework myself.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

[fsnkty]

for reference my systems config makes fairly "full" use of this module already.
https://github.com/nu-nu-ko/crystal/blob/main/mods/services/qbit.nix

the port and path options likely need to be set, they should be given a default because of this.
defaults should likely just follow upstream however it gets done.

[camilosampedro]

@nu-nu-ko

I've added you to contributors here now that I've taken parts of your work in the tests and since you had added yourself to them in your branch I assume you're still keen to? let me know if not and ill remove of course.

If you are allowed, I'd like to be a contributor, thank you!

still unsure how to do assertions for options on other options so for now I've left it be

Do you mean during tests?

[camilosampedro]

I've seen this in deluge:

https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/torrent/deluge.nix

When you use declarative = true, it tries to use the options that are required to be declarative, and if they are not set it errors:

The option `services.deluge.authFile' is used but not defined.

But it doesn't happen the other way, if authFile is declared and declarative = false

[camilosampedro]

Is it weird if there were two separate sets of options?

qbittorrent-nox
qbittorrent-nox-declarative?

[camilosampedro]

Also, related and unrelated. I was seeing that the web ui and other services were being unresponsive after a couple of hours.

I thought that the IO of qbittorrent was bringing the system down, but after 2 days of trying everything, it was my network device's firmware. 😅

I'll try to retest it this week.

[nevivurn]

Afaik, it is possible to pass in the webui and torrenting port via command line arguments, and I assume these arguments take precedence over other configuration options. This should let us implement openFirewall without forcing users to use the declarative config.

a better way to set CapabilityBoundingSet and SystemCallFilter to restrict all.

CapabilityBoundingSet is an allowlist, the strictest setting is just the empty string. Although, given that we 1) don't run qbittorrent as root, 2) set NoNewPrivileges, 3) don't set AmbientCapabilities, omitting it entirely is probably fine.

I personally think @system-service is a good enough default for SystemCallFilter.

I don't understand why it sets PrivateTmp to false

This comment in the upstream PR mentions adding torrents through the command line. Not sure if this is actually true.

ProtectSystem needs to be disabled if we aren't using declaritiveConfig

I don't think ProtectSystem should be enabled here. It will break users with per-category/torrent save paths, no matter what.

imo, we don't need lock down every option by default. Users that want to further harden their system can easily add these options in their own nixos configuration.

[nevivurn]

I don't see why we wouldn't set it regardless personally, leaving it empty seems to do nothing as according to systemd-analyze security qbittorrent on my system.

👍

I agree to some extent, id much rather every service does at least up to "breaks as little as possible"

I completely agree, we can enable everything that probably won't break users.

There are still a couple options left that I feel like are a tad bit too opinionated, namely

• non-default torrenting port
• umask 0066

[nevivurn]

an empty list isn't equivalent sooo 😅

Ah, did not realize the empty list wasn't doing anything. "" should work.

there is no default? its randomly selected from within a range from what i can tell. the non default web port is questionable.. but I think defaulting to 8080 is kinda dumb, happy to change it.

The bittorrent port is chosen randomly by default, and it is quite unexpected for nixos to fix an arbitrary port number by default. Similar with the web port, I don't see a reason for the NixOS module to deviate from the upstream default. With this module, it would be trivial for users to change it as needed, anyway.

umask 0066

how is this opinionated? in what case may this break something?

I think this would break users trying to access downloaded files without needing to run as the qbittorrent user, likely a common use case. Plus, if we're going for paranoid settings, why is it not 0077?

[Redhawk18]

@fsnkty Can you merge this? I already started my own pr since this has been open for 6 months with little to no activity.

I do not have permission to merge this. I'm also not willing to since it's unfinished, please see the Todo list in the description.

I'd encourage you to look into the issues with this PR before duplicating work on another but do as you wish afaict the scope of our two PR's isn't the same so please keep that in mind.

I won't be able to work on this for some time so would love to see someone else take it on, e.g.. rebase on something up to date n see how the Todo list holds up

Glad to see your active, for me I'm just trying to get the ground work for this pr finish. I choose not to look into settings because it seems like it just increases the complexity of this pr by 100 or 1000 fold. I'm trying to keep my pr simple so it can get merge and then everyone can argue over complex setting options in a new pr after the service is already merged. You should check out my pr aswell! 😄

[alexandru0-dev]

@fsnkty @Redhawk18 aren't both PR try to achieve the same thing no?
qbittorent-nox is just headless qbittorent.
It's named differently so you don't have to compile the GUI but apparently both PR are implementing the same service
Correct me if I'm mistaken

[fsnkty]

@fsnkty @Redhawk18 aren't both PR try to achieve the same thing no?
qbittorent-nox is just headless qbittorent.
It's named differently so you don't have to compile the GUI but apparently both PR are implementing the same service
Correct me if I'm mistaken

yes both PR's create a service for qbit, difference afaict is this PR uses nix for configuration, their PR leaves it up to the user to do so manually

[alexandru0-dev]

@fsnkty as I expected

@Redhawk18 why the rush?

Personally I use this module in my nix config and it works great, it may be a more complex PR and being not upstream it's probably not as plug and play as you would like but I don't see why the need for another PR but that's just my opinion

If you want to use nox with this module just override the pkg config to qbittorrent-nox which is also something that this PR by default should use if it's intended to use headless

@fsnkty if we want to contribute, can we submit patches in case here? Or should we make a PR to your branch?

[fsnkty]

@fsnkty as I expected

@Redhawk18 why the rush?

Personally I use this module in my nix config and it works great, it may be a more complex PR and being not upstream it's probably not as plug and play as you would like but I don't see why the need for another PR but that's just my opinion

If you want to use nox with this module just override the pkg config to qbittorrent-nox which is also something that this PR by default should use if it's intended to use headless

@fsnkty if we want to contribute, can we submit patches in case here? Or should we make a PR to your branch?

either is fine but please understand I don't have the time or ability to work on or test this for the time being (3weeks+ minimum)

I'd love to see someone take on guiding this PR in the meantime if they're able to do so faster than me ^^``

[Redhawk18]

@fsnkty as I expected

@Redhawk18 why the rush?

Personally I use this module in my nix config and it works great, it may be a more complex PR and being not upstream it's probably not as plug and play as you would like but I don't see why the need for another PR but that's just my opinion

If you want to use nox with this module just override the pkg config to qbittorrent-nox which is also something that this PR by default should use if it's intended to use headless

@fsnkty if we want to contribute, can we submit patches in case here? Or should we make a PR to your branch?

I don't know if this would work with qbittorrent, this was just meant for the webui in this doc page here.
https://github.com/qbittorrent/qBittorrent/wiki/Running-qBittorrent-without-X-server-(WebUI-only,-systemd-service-set-up,-Ubuntu-15.04-or-newer)

[Redhawk18]

I'd love to see someone take on guiding this PR in the meantime if they're able to do so faster than me ^^``

Thanks man, If you have time if you could approve or give suggestions on my pr. It feels like this pr may have bitten off more than it can chew. But I understand these things are very complex and everyone has to agree on what is done. We can open a pr in the future trying to implement settings.

[alexandru0-dev]

If you want to use nox with this module just override the pkg config to qbittorrent-nox which is also something that this PR by default should use if it's intended to use headless

ERRATA: this option already uses qbittorrent-nox as the default package

@Redhawk18

[Redhawk18]

If you want to use nox with this module just override the pkg config to qbittorrent-nox which is also something that this PR by default should use if it's intended to use headless

ERRATA: this option already uses qbittorrent-nox as the default package

@Redhawk18

But this pr is incomplete, very complex with settings, and the author is not able to work on it.

[poperigby]

meta.mainProgram isn't being set correctly. I'm still getting this warning when building my system:

trace: evaluation warning: getExe: Package "qbittorrent-nox-4.6.5" does not have the meta.mainProgram attribute. We'll assume that the main program has the same name for now, but this behavior is deprecated, because it leads to surprising errors when the assumption does not hold. If the package has a main program, please set `meta.mainProgram` in its definition to make this warning go away. Otherwise, if the package does not have a main program, or if you don't control its definition, use getExe' to specify the name to the program, such as lib.getExe' foo "bar".

[alexandru0-dev]

@poperigby if I'm not mistaken it's the qbittorent package that has that warning, and it's not caused by the option itself and a discussion here wouldn't be relevant.
Can you create another issue if there isn't already one?

[fsnkty]

@poperigby if I'm not mistaken it's the qbittorent package that has that warning, and it's not caused by the option itself and a discussion here wouldn't be relevant.
Can you create another issue if there isn't already one?

this PR does try to change meta.mainprogram for qbit to work here, I'm assuming it's a small issue but can't look into it
no seperate issue needed, though if you want to improve that part of the package seperately that'd be fine

[alexandru0-dev]

this PR does try to change meta.mainprogram for qbit to work here, I'm assuming it's a small issue but can't look into it

After a second look you're completely right, I was checking the files on my phone and completely missed the changes to the package

[fsnkty]

still unsure on exactly when I'll be able to get back to working on this but at worst sometime in 2-3 months 💀
as always if anyone's able and willing to "take over" this work as it is now, be my guest.
otherwise anyone still currently using this module, now is the best time to explain your experience problematic or not, simply knowing what's already working is helpful etc.

[fsnkty]

meta.mainProgram isn't being set correctly. I'm still getting this warning when building my system:

trace: evaluation warning: getExe: Package "qbittorrent-nox-4.6.5" does not have the meta.mainProgram attribute. We'll assume that the main program has the same name for now, but this behavior is deprecated, because it leads to surprising errors when the assumption does not hold. If the package has a main program, please set `meta.mainProgram` in its definition to make this warning go away. Otherwise, if the package does not have a main program, or if you don't control its definition, use getExe' to specify the name to the program, such as lib.getExe' foo "bar".

unable to replicate please link to the code that encountered this.

@fsnkty wouldn't it be best to make torrentingPort default to null? Then people wouldn't have to set it if they didn't want to.

isn't not giving the option a default null already? it is nullOr port

[fsnkty]

testing this again on the unstable branch of nixpkgs I'm more confident this is functional and just missing some quality / reassurance things
the type and testing would be nice but both require a little more time in learning than I can afford to spare atm.

[poperigby]

unable to replicate please link to the code that encountered this.

This is my configuration which gives that warning: https://gist.github.com/poperigby/8e669dd14165320a81d714b673e84eae

isn't not giving the option a default null already? it is nullOr port

I don't think so, because not specifying torrentingPort makes it fail to evaluate saying that it's used but not defined, meaning there's no default value.

[fsnkty]

unable to replicate please link to the code that encountered this.

This is my configuration which gives that warning: https://gist.github.com/poperigby/8e669dd14165320a81d714b673e84eae

isn't not giving the option a default null already? it is nullOr port

I don't think so, because not specifying torrentingPort makes it fail to evaluate saying that it's used but not defined, meaning there's no default value.

Yeah you need to use the package from this PR. e.g.. setting config.services.qbittorrent.package = inputs.qbit.legacyPackages.${pkgs.system}.qbittorrent-nox

[nevivurn]

Even when we allow null with nullOr, we still need to set the default value as null otherwise users get the used but not defined. A value being null (by default or otherwise) is different from it never being set at all.

[fsnkty]

No longer thousands of commits behind 👍
seems to work the exact same, love to see it.

[fsnkty]

@fsnkty wouldn't it be best to make torrentingPort default to null? Then people wouldn't have to set it if they didn't want to.

ok that commit is named poorly, should be "default null torrentingPort" but whatever itll get squashed xP
but yeah good catch, should be alright to not specify a torrenting port now 👍

[fsnkty]

edit: misread comment timeline but these questions still nice to know

anyone aware of qbit writing global section config values?
also anyone aware of config value depth greater than 5?

[fsnkty]

alright for now I have no clue why qbit is seemingly able to enable write permissions on that file.
if you want to reapply from config you can

1. stop the qbit service
2. remove the file /var/lib/qBittorrent/qBittorrent/config/qBittorrent.conf
3. apply new system config

its hacky but for now thats whatever.
fyi custom webuis work, e.g..

serverConfig = { 
  Preferences = {
    WebUI = {
      AlternativeUIEnabled = true;
      RootFolder = "${pkgs.fetchzip {
        url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.7.2/vuetorrent.zip";
        hash = "sha256-bJyI7RvVCf0M5vs8Qi+uAHv74CWxSDZ0Bb6zWJ4x4CM=";
      }}";
    };
  };
};