| blob | 8cbda677c2b12536c7d0c87f33fe432900c8af6d |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 with lib;
10 let
11 cfg = config.services.rutorrent;
13 rtorrentPluginDependencies = with pkgs; {
14 _task = [ procps ];
15 unpack = [
16 unzip
17 unrar
18 ];
19 rss = [ curl ];
20 mediainfo = [ mediainfo ];
21 spectrogram = [ sox ];
22 screenshots = [ ffmpeg ];
23 };
25 phpPluginDependencies = with pkgs; {
26 _cloudflare = [ python3 ];
27 };
29 getPluginDependencies = dependencies: concatMap (p: attrByPath [ p ] [ ] dependencies);
31 in
32 {
33 options = {
34 services.rutorrent = {
35 enable = mkEnableOption "ruTorrent";
37 hostName = mkOption {
38 type = types.str;
39 description = "FQDN for the ruTorrent instance.";
40 };
42 dataDir = mkOption {
43 type = types.str;
44 default = "/var/lib/rutorrent";
45 description = "Storage path of ruTorrent.";
46 };
48 user = mkOption {
49 type = types.str;
50 default = "rutorrent";
51 description = ''
52 User which runs the ruTorrent service.
53 '';
54 };
56 group = mkOption {
57 type = types.str;
58 default = "rutorrent";
59 description = ''
60 Group which runs the ruTorrent service.
61 '';
62 };
64 rpcSocket = mkOption {
65 type = types.str;
66 default = config.services.rtorrent.rpcSocket;
67 defaultText = "config.services.rtorrent.rpcSocket";
68 description = ''
69 Path to rtorrent rpc socket.
70 '';
71 };
73 plugins = mkOption {
74 type = with types; listOf (either str package);
75 default = [ "httprpc" ];
76 example = literalExpression ''[ "httprpc" "data" "diskspace" "edit" "erasedata" "theme" "trafic" ]'';
77 description = ''
78 List of plugins to enable. See the list of <link xlink:href="https://github.com/Novik/ruTorrent/wiki/Plugins#currently-there-are-the-following-plugins">available plugins</link>. Note: the <literal>unpack</literal> plugin needs the nonfree <literal>unrar</literal> package.
79 You need to either enable one of the <literal>rpc</literal> or <literal>httprpc</literal> plugin or enable the <xref linkend="opt-services.rutorrent.nginx.exposeInsecureRPC2mount"/> option.
80 '';
81 };
83 poolSettings = mkOption {
84 type =
85 with types;
86 attrsOf (oneOf [
87 str
88 int
89 bool
90 ]);
91 default = {
92 "pm" = "dynamic";
93 "pm.max_children" = 32;
94 "pm.start_servers" = 2;
95 "pm.min_spare_servers" = 2;
96 "pm.max_spare_servers" = 4;
97 "pm.max_requests" = 500;
98 };
99 description = ''
100 Options for ruTorrent's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
101 '';
102 };
104 nginx = {
105 enable = mkOption {
106 type = types.bool;
107 default = false;
108 description = ''
109 Whether to enable nginx virtual host management.
110 Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.<name></literal>.
111 See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
112 '';
113 };
115 exposeInsecureRPC2mount = mkOption {
116 type = types.bool;
117 default = false;
118 description = ''
119 If you do not enable one of the <literal>rpc</literal> or <literal>httprpc</literal> plugins you need to expose an RPC mount through scgi using this option.
120 Warning: This allow to run arbitrary commands, as the rtorrent user, so make sure to use authentification. The simplest way would be to use the <literal>services.nginx.virtualHosts.<name>.basicAuth</literal> option.
121 '';
122 };
123 };
124 };
125 };
127 config = mkIf cfg.enable (mkMerge [
128 {
129 assertions =
130 let
131 usedRpcPlugins = intersectLists cfg.plugins [
132 "httprpc"
133 "rpc"
134 ];
135 in
136 [
137 {
138 assertion = (length usedRpcPlugins < 2);
139 message = "Please specify only one of httprpc or rpc plugins";
140 }
141 {
142 assertion = !(length usedRpcPlugins > 0 && cfg.nginx.exposeInsecureRPC2mount);
143 message = "Please do not use exposeInsecureRPC2mount if you use one of httprpc or rpc plugins";
144 }
145 ];
147 warnings =
148 let
149 nginxVhostCfg = config.services.nginx.virtualHosts."${cfg.hostName}";
150 in
151 [ ]
152 ++ (optional
153 (
154 cfg.nginx.exposeInsecureRPC2mount
155 && (nginxVhostCfg.basicAuth == { } || nginxVhostCfg.basicAuthFile == null)
156 )
157 ''
158 You are using exposeInsecureRPC2mount without using basic auth on the virtual host. The exposed rpc mount allow for remote command execution.
160 Please make sure it is not accessible from the outside.
161 ''
162 );
164 systemd = {
165 services = {
166 rtorrent.path = getPluginDependencies rtorrentPluginDependencies cfg.plugins;
167 rutorrent-setup =
168 let
169 rutorrentConfig = pkgs.writeText "rutorrent-config.php" ''
170 <?php
171 // configuration parameters
173 // for snoopy client
174 @define('HTTP_USER_AGENT', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36', true);
175 @define('HTTP_TIME_OUT', 30, true); // in seconds
176 @define('HTTP_USE_GZIP', true, true);
177 $httpIP = null; // IP string. Or null for any.
178 $httpProxy = array
179 (
180 'use' => false,
181 'proto' => 'http', // 'http' or 'https'
182 'host' => 'PROXY_HOST_HERE',
183 'port' => 3128
184 );
186 @define('RPC_TIME_OUT', 5, true); // in seconds
188 @define('LOG_RPC_CALLS', false, true);
189 @define('LOG_RPC_FAULTS', true, true);
191 // for php
192 @define('PHP_USE_GZIP', false, true);
193 @define('PHP_GZIP_LEVEL', 2, true);
195 $schedule_rand = 10; // rand for schedulers start, +0..X seconds
197 $do_diagnostic = true;
198 $log_file = '${cfg.dataDir}/logs/errors.log'; // path to log file (comment or leave blank to disable logging)
200 $saveUploadedTorrents = true; // Save uploaded torrents to profile/torrents directory or not
201 $overwriteUploadedTorrents = false; // Overwrite existing uploaded torrents in profile/torrents directory or make unique name
203 $topDirectory = '/'; // Upper available directory. Absolute path with trail slash.
204 $forbidUserSettings = false;
206 $scgi_port = 0;
207 $scgi_host = "unix://${cfg.rpcSocket}";
209 $XMLRPCMountPoint = "/RPC2"; // DO NOT DELETE THIS LINE!!! DO NOT COMMENT THIS LINE!!!
211 $throttleMaxSpeed = 327625*1024;
213 $pathToExternals = array(
214 "php" => "${pkgs.php}/bin/php", // Something like /usr/bin/php. If empty, will be found in PATH.
215 "curl" => "${pkgs.curl}/bin/curl", // Something like /usr/bin/curl. If empty, will be found in PATH.
216 "gzip" => "${pkgs.gzip}/bin/gzip", // Something like /usr/bin/gzip. If empty, will be found in PATH.
217 "id" => "${pkgs.coreutils}/bin/id", // Something like /usr/bin/id. If empty, will be found in PATH.
218 "stat" => "${pkgs.coreutils}/bin/stat", // Something like /usr/bin/stat. If empty, will be found in PATH.
219 "pgrep" => "${pkgs.procps}/bin/pgrep", // TODO why can't we use phpEnv.PATH
220 );
222 $localhosts = array( // list of local interfaces
223 "127.0.0.1",
224 "localhost",
225 );
227 $profilePath = '${cfg.dataDir}/share'; // Path to user profiles
228 $profileMask = 0770; // Mask for files and directory creation in user profiles.
229 // Both Webserver and rtorrent users must have read-write access to it.
230 // For example, if Webserver and rtorrent users are in the same group then the value may be 0770.
232 $tempDirectory = null; // Temp directory. Absolute path with trail slash. If null, then autodetect will be used.
234 $canUseXSendFile = false; // If true then use X-Sendfile feature if it exist
236 $locale = "UTF8";
237 '';
238 in
239 {
240 wantedBy = [ "multi-user.target" ];
241 before = [ "phpfpm-rutorrent.service" ];
242 script = ''
243 ln -sf ${pkgs.rutorrent}/{css,images,js,lang,index.html} ${cfg.dataDir}/
244 mkdir -p ${cfg.dataDir}/{conf,logs,plugins} ${cfg.dataDir}/share/{settings,torrents,users}
245 ln -sf ${pkgs.rutorrent}/conf/{access.ini,plugins.ini} ${cfg.dataDir}/conf/
246 ln -sf ${rutorrentConfig} ${cfg.dataDir}/conf/config.php
248 cp -r ${pkgs.rutorrent}/php ${cfg.dataDir}/
250 ${optionalString (cfg.plugins != [ ])
251 ''cp -r ${
252 concatMapStringsSep " " (p: "${pkgs.rutorrent}/plugins/${p}") cfg.plugins
253 } ${cfg.dataDir}/plugins/''
254 }
256 chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}/{conf,share,logs,plugins}
257 chmod -R 755 ${cfg.dataDir}/{conf,share,logs,plugins}
258 '';
259 serviceConfig.Type = "oneshot";
260 };
261 };
263 tmpfiles.rules = [ "d '${cfg.dataDir}' 0775 ${cfg.user} ${cfg.group} -" ];
264 };
266 users.groups."${cfg.group}" = { };
268 users.users = {
269 "${cfg.user}" = {
270 home = cfg.dataDir;
271 group = cfg.group;
272 extraGroups = [ config.services.rtorrent.group ];
273 description = "ruTorrent Daemon user";
274 isSystemUser = true;
275 };
277 "${config.services.rtorrent.user}" = {
278 extraGroups = [ cfg.group ];
279 };
280 };
281 }
283 (mkIf cfg.nginx.enable (mkMerge [
284 {
285 services = {
286 phpfpm.pools.rutorrent =
287 let
288 envPath = lib.makeBinPath (getPluginDependencies phpPluginDependencies cfg.plugins);
289 pool = {
290 user = cfg.user;
291 group = config.services.rtorrent.group;
292 settings =
293 mapAttrs (name: mkDefault) {
294 "listen.owner" = config.services.nginx.user;
295 "listen.group" = config.services.nginx.group;
296 }
297 // cfg.poolSettings;
298 };
299 in
300 if (envPath == "") then pool else pool // { phpEnv.PATH = envPath; };
302 nginx = {
303 enable = true;
304 virtualHosts = {
305 ${cfg.hostName} = {
306 root = cfg.dataDir;
307 locations = {
308 "~ [^/]\.php(/|$)" = {
309 extraConfig = ''
310 fastcgi_split_path_info ^(.+?\.php)(/.*)$;
311 if (!-f $document_root$fastcgi_script_name) {
312 return 404;
313 }
315 # Mitigate https://httpoxy.org/ vulnerabilities
316 fastcgi_param HTTP_PROXY "";
318 fastcgi_pass unix:${config.services.phpfpm.pools.rutorrent.socket};
319 fastcgi_index index.php;
321 include ${pkgs.nginx}/conf/fastcgi.conf;
322 '';
323 };
324 };
325 };
326 };
327 };
328 };
329 }
331 (mkIf cfg.nginx.exposeInsecureRPC2mount {
332 services.nginx.virtualHosts."${cfg.hostName}".locations."/RPC2" = {
333 extraConfig = ''
334 include ${pkgs.nginx}/conf/scgi_params;
335 scgi_pass unix:${cfg.rpcSocket};
336 '';
337 };
339 services.rtorrent.group = "nginx";
340 })
341 ]))
342 ]);
343 }