117 current 2025-10-08 19:07:36 25.05.20251006.20c4598 6.12.50 *

modules/homelab/services/qbittorrent/default.nix

@@ -53,10 +53,18 @@ in
     };
 
     # override umask to make permissions work out
-    systemd.services.qbittorrent.serviceConfig = {
-      UMask = lib.mkForce "0007";
-#      User = "qbittorrent";
-#      Group = "qbittorrent";
+    systemd.services.qbittorrent = {
+      serviceConfig = {
+        UMask = lib.mkForce "0007";
+#       User = "qbittorrent";
+#       Group = "qbittorrent";
+      };
+
+      # add systemd service to VPN network namespace
+      vpnConfinement = {
+        enable = true;
+        vpnNamespace = "wgmex";
+      };
     };
 
 #    # open firewall

modules/system/default.nix

@@ -8,6 +8,7 @@
     ./docker.nix
     ./tailscale.nix
     ./vpns.nix
+    ./vpn-confinement.nix
     ./syncthing.nix
     ./nvidia.nix
   ];
@@ -18,6 +19,7 @@
   modules.system.docker.enable = lib.mkDefault false;
   modules.system.tailscale.enable = lib.mkDefault true;
   modules.system.vpns.enable = lib.mkDefault false;
+  modules.system.vpn-confinement.enable = lib.mkDefault false;
   modules.system.syncthing.enable = lib.mkDefault false;
   modules.system.nvidia.enable = lib.mkDefault false;