135 current 2025-10-08 22:40:45 25.05.20251006.20c4598 6.12.50 *

2025-10-08 23:00:15 -05:00
parent 34397fbb50
commit e012243194
2 changed files with 15 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 134 current  2025-10-08 22:40:11  25.05.20251006.20c4598  6.12.50                          *
+# generation: 135 current  2025-10-08 22:40:45  25.05.20251006.20c4598  6.12.50                          *
 {
  description = "blakes nix config";
  inputs = {
--- a/modules/homelab/services/qbittorrent/default.nix
+++ b/modules/homelab/services/qbittorrent/default.nix
@@ -2,9 +2,10 @@

 let
  cfg = config.modules.services.qbittorrent;
-  ids = 2003;
  default_port = 8080;
  data_dir = "/var/lib/qBittorrent";
+  ids = 2003;
+  vpn_inf = "enp89s0.69"; # vpn interfacve
 in
 {
  options.modules.services.qbittorrent = {
@@ -49,22 +50,31 @@ in
      profileDir = data_dir;
      webuiPort = cfg.port;
 #      torrentingPort = cfg.port;
-
    };

    # override umask to make permissions work out
    systemd.services.qbittorrent = {
      serviceConfig = {
        UMask = lib.mkForce "0007";
-#       User = "qbittorrent";
-#       Group = "qbittorrent";
      };

+    networking.firewall.extraCommands = ''
+      # qbittorrent kill switch for uid ${toString ids}
+      iptables -N QBIT
+      iptables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT
+      iptables -A QBIT -o ${vpn_inf} -j ACCEPT
+      iptables -A QBIT -j DROP
+    '';
+
+
+
+# ------------------------------------------------------------------------------
 #      # add systemd service to VPN network namespace
 #      vpnConfinement = {
 #        enable = true;
 #        vpnNamespace = "wgmex";
 #      };
+# ------------------------------------------------------------------------------
    };

 #    # open firewall