From 46da53653c87b0b3808765644bd4cb8ddd445734 Mon Sep 17 00:00:00 2001
From: blake <me@blakedheld.xyz>
Date: Wed, 8 Oct 2025 11:52:55 -0500
Subject: [PATCH] adding qbittorrent

---
 .../homelab/services/qbittorrent/default.nix  | 96 +++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 modules/homelab/services/qbittorrent/default.nix

diff --git a/modules/homelab/services/qbittorrent/default.nix b/modules/homelab/services/qbittorrent/default.nix
new file mode 100644
index 0000000..3040285
--- /dev/null
+++ b/modules/homelab/services/qbittorrent/default.nix
@@ -0,0 +1,96 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.<service_name>;
+  ids = <gid_and_uid_number>;
+  default_port = <port_number>;
+  data_dir = "/var/lib/<service_name>";
+in
+{
+  options.modules.services.<service_name> = {
+    enable = lib.mkEnableOption "enables <service_name>";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = <port>;
+      description = "set port for <service_name> (default: ${toString default_port}";
+    };
+
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for <service_name>";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare <service_name> group
+    users.groups.<service_name> = { gid = ids; };
+
+    # declare <service_name> user
+    users.users.<service_name> = {
+      description = "<service_name> server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/<service_name>";
+      createHome = true;
+      group = "<service_name>";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the <service_name> service
+    services.<service_name> = {
+      enable = true;
+      openFirewall = true;
+      user = "<service_name>";
+      group = "<service_name>";
+      dataDir = data_dir;
+      settings = {
+        server.port = cfg.port;
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.<service_name>.serviceConfig = {
+      UMask = lib.mkForce "0007";
+#      User = "<service_name>";
+#      Group = "<service_name>";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."<service_name>.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#     # external reverse proxy entry
+#     services.nginx.virtualHosts."<service_name>.blakedheld.xyz" = {
+#      enableACME = false;
+#      forceSSL = true;
+#      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+#      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+#      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+#      };
+#    };
+
+    sops.secrets = {
+      "<service_name>_" = {
+        owner = "<service_name>";
+        group = "<service_name>";
+      };
+    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+  };
+}