Add files via upload

UPDATE v09.2025 : Should works with lastest Gluetun, mod, and Qbittorrent

Author: Damocles-fr

README.md

@@ -177,4 +177,4 @@ This project is licensed under the MIT License – see the LICENSE file for deta
 ---
 
 ## Github
-[https://github.com/Damocles-fr/](https://github.com/Damocles-fr)
+[https://github.com/Damocles-fr/](https://github.com/Damocles-fr)

docker-compose.yml

@@ -0,0 +1,76 @@
+services:
+  gluetun:
+    image: ghcr.io/qdm12/gluetun:latest
+    container_name: gluetun
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=1
+    environment:
+      - VPN_SERVICE_PROVIDER=protonvpn
+      - VPN_TYPE=wireguard
+      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
+      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
+      - SERVER_COUNTRIES=${SERVER_COUNTRIES}
+      - SERVER_CITIES=${SERVER_CITIES}
+      - VPN_PORT_FORWARDING=on
+      - DOT=${DOT}
+      - DNS_ADDRESS=${DNS_ADDRESS}
+      - TZ=${TZ}
+    volumes:
+      - ${CONFIG_ROOT}/gluetun:/gluetun
+    # Publish qB WebUI through gluetun (internal 8080) to host 8081
+    ports:
+      - "${WEBUI_HOST_PORT:-8081}:8080/tcp"
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:9999"]
+      interval: 40s
+      timeout: 15s
+      retries: 5
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+
+  qbittorrent:
+    image: lscr.io/linuxserver/qbittorrent:latest
+    container_name: qbittorrent
+    restart: unless-stopped
+    network_mode: "service:gluetun"
+    depends_on:
+      gluetun:
+        condition: service_healthy
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+      - WEBUI_PORT=8080
+      - QBITTORRENT_INTERFACE=tun0
+      # Port Forwarding Mod (Syncs qBittorrent with Gluetun)
+      - DOCKER_MODS=ghcr.io/t-anc/gsp-qbittorent-gluetun-sync-port-mod:main
+      - GSP_GTN_API_KEY=${GSP_GTN_API_KEY}
+      - GSP_QBITTORRENT_PORT=${GSP_QBITTORRENT_PORT}
+      - GSP_MINIMAL_LOGS=${GSP_MINIMAL_LOGS}
+    ulimits:
+      nofile:
+        soft: 32768
+        hard: 65536
+    volumes:
+      - ${CONFIG_ROOT}/qBittorrent:/config
+      - ${DOWNLOADS_ROOT}:/Downloads
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+
+  watchtower:
+    image: containrrr/watchtower:latest
+    container_name: watchtower
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WATCHTOWER_CLEANUP=true
+      - WATCHTOWER_POLL_INTERVAL=86400
+      - WATCHTOWER_LABEL_ENABLE=true
+    labels:
+      - com.centurylinklabs.watchtower.enable=true

envExample

@@ -0,0 +1,37 @@
+# ──────────────────────────────────────────────────────────────────────────────
+# qbt-proton-qnap :: envExample (rename to .env and edit)
+# ──────────────────────────────────────────────────────────────────────────────
+# Paths on your QNAP (adapt if you don't use CACHEDEV3_DATA or SSD2TB)
+CONFIG_ROOT=/share/CACHEDEV3_DATA/SSD2TB/AppData/qbt-proton
+DOWNLOADS_ROOT=/share/CACHEDEV3_DATA/SSD2TB/Downloads
+
+# Container user
+PUID=1000
+PGID=100
+TZ=Europe/Paris
+
+# ProtonVPN (WireGuard) — get your private key from https://account.protonvpn.com/
+WIREGUARD_PRIVATE_KEY=REPLACE_WITH_YOUR_WG_PRIVATE_KEY
+# Proton WireGuard address and Proton DNS (fixed)
+WIREGUARD_ADDRESSES=10.2.0.2/32
+DNS_ADDRESS=10.2.0.1
+DOT=off
+
+# Server selection (only port-forwarding servers are chosen)
+SERVER_COUNTRIES=France
+SERVER_CITIES=Paris
+
+# qBittorrent
+# QNAP already binds 8080, so WebUI is published on host port 8081
+WEBUI_HOST_PORT=8081
+
+# Gluetun Control Server auth — used by the port-forwarding mod (GSP) inside qB
+# Use a random 22+ chars string (letters+digits). You can generate:
+#   docker run --rm qmcgaw/gluetun genkey
+GLUETUN_API_KEY=CHANGE_ME_TO_A_RANDOM_BASE58_KEY
+
+# GSP Mod (Port Forwarding Sync) — must match the Gluetun API key above
+GSP_GTN_API_KEY=${GLUETUN_API_KEY}
+# Initial qBittorrent listening port (updated automatically by the mod)
+GSP_QBITTORRENT_PORT=53764
+GSP_MINIMAL_LOGS=false

qBittorrent/categories.json

@@ -0,0 +1,14 @@
+{
+  "Movies": {
+    "save_path": "/Downloads/Movies",
+    "download_path": "/Downloads/Movies"
+  },
+  "TV": {
+    "save_path": "/Downloads/TV",
+    "download_path": "/Downloads/TV"
+  },
+  "Music": {
+    "save_path": "/Downloads/Music",
+    "download_path": "/Downloads/Music"
+  }
+}

qBittorrent/qBittorrent.conf

@@ -0,0 +1,47 @@
+\
+[LegalNotice]
+Accepted=true
+
+[Meta]
+MigrationVersion=5
+
+[Network]
+PortForwardingEnabled=false
+
+[Preferences]
+# Anonymous mode OFF, Encryption ALLOW (0)
+Session\AnonymousMode=false
+Session\Encryption=0
+
+# Force tun0 interface
+Connection\Interface=tun0
+Connection\PortRangeMin=53764
+Connection\UPnP=false
+
+# Save paths
+Downloads\SavePath=/Downloads/
+Session\DefaultSavePath=/Downloads
+Downloads\TempPath=/Downloads/Incomplete/
+Session\TempPath=/Downloads/Incomplete
+Session\TempPathEnabled=true
+
+# Reasonable log size for NAS
+FileLogger\Enabled=true
+FileLogger\Path=/config/qbittorrent.log
+FileLogger\MaxSizeBytes=67108864
+FileLogger\Age=7
+
+# Web UI permissive to avoid Unauthorized on first boot
+WebUI\Port=8080
+WebUI\Address=*
+WebUI\HostHeaderValidation=false
+WebUI\CSRFProtection=false
+WebUI\BypassLocalAuth=true
+WebUI\AuthSubnetWhitelistEnabled=true
+WebUI\AuthSubnetWhitelist=127.0.0.1/32, ::1/128
+WebUI\HTTPS\Enabled=false
+
+# Performance (non-breaking)
+Session\ReannounceWhenAddressChanged=true
+Session\MaxConcurrentHTTPAnnounces=32
+DiskCache\Size=1024

qBittorrent/watched_folders.json

@@ -0,0 +1,7 @@
+[
+  {
+    "path": "/Downloads/Torrents",
+    "enabled": true,
+    "recursive": false
+  }
+]

scripts/fix_after_login.sh

@@ -0,0 +1,138 @@
+\
+#!/bin/sh
+# qbt-proton-qnap :: fix_after_login.sh
+# Goal:
+# - Stop containers cleanly
+# - Patch .fastresume paths (/downloads -> /Downloads)
+# - Ensure /Downloads subfolders & permissions
+# - Start Gluetun and wait healthy
+# - Start qBittorrent and wait for WebUI API ready
+# - Fetch forwarded port from Gluetun
+# - Apply WebUI & runtime prefs through API (bypass local, host header off, csrf off, whitelist localhost)
+# - Verify and restart qB to lock values
+set -eu
+
+echo "[*] qbt-proton-qnap :: fix_after_login.sh"
+
+# Load .env
+if [ -f ".env" ]; then
+  # shellcheck disable=SC1091
+  . ./.env
+else
+  echo "[-] .env not found. Run from project root after creating .env from envExample."
+  exit 1
+fi
+
+: "${CONFIG_ROOT:?set in .env}"
+: "${DOWNLOADS_ROOT:?set in .env}"
+: "${PUID:?set}"
+: "${PGID:?set}"
+: "${WEBUI_HOST_PORT:=8081}"
+
+CONF="${CONFIG_ROOT}/qBittorrent/qBittorrent.conf"
+BT_BACKUP="${CONFIG_ROOT}/qBittorrent/BT_backup"
+
+echo "[i] Using config: ${CONF}"
+echo "[i] PUID=${PUID} PGID=${PGID}"
+
+# Stop containers with patience
+echo "[*] Stopping qbittorrent"
+docker compose stop qbittorrent >/dev/null 2>&1 || true
+for i in $(seq 1 20); do
+  state="$(docker inspect -f '{{.State.Running}}' qbittorrent 2>/dev/null || echo 'false')"
+  [ "${state}" = "false" ] && break
+  sleep 0.5
+done
+
+echo "[*] Stopping gluetun"
+docker compose stop gluetun >/dev/null 2>&1 || true
+for i in $(seq 1 20); do
+  state="$(docker inspect -f '{{.State.Running}}' gluetun 2>/dev/null || echo 'false')"
+  [ "${state}" = "false" ] && break
+  sleep 0.5
+done
+
+# Patch /downloads to /Downloads in .fastresume (if any)
+if [ -d "${BT_BACKUP}" ]; then
+  echo "[*] Patching /downloads -> /Downloads in .fastresume"
+  # BusyBox compatible grep -r
+  find "${BT_BACKUP}" -type f -name "*.fastresume" -print0 | xargs -0 -r sed -i 's#/downloads#/Downloads#g'
+fi
+
+# Ensure folders and permissions
+echo "[*] Ensuring folders & permissions under: ${DOWNLOADS_ROOT}"
+mkdir -p "${DOWNLOADS_ROOT}/Incomplete" "${DOWNLOADS_ROOT}/Torrents"
+chown -R "${PUID}:${PGID}" "${DOWNLOADS_ROOT}"
+chmod -R u+rwX,g+rwX "${DOWNLOADS_ROOT}"
+
+# Start Gluetun and wait healthy
+echo "[*] Starting gluetun"
+docker compose up -d gluetun >/dev/null
+# Wait for health=healthy
+for i in $(seq 1 60); do
+  h="$(docker inspect -f '{{.State.Health.Status}}' gluetun 2>/dev/null || echo 'starting')"
+  [ "${h}" = "healthy" ] && break
+  sleep 2
+done
+docker inspect -f '{{.State.Health.Status}}' gluetun 2>/dev/null || true
+
+# Start qB
+echo "[*] Starting qbittorrent"
+docker compose up -d qbittorrent >/dev/null
+
+# Wait WebUI readiness (API version)
+echo "[*] Waiting for qBittorrent API inside container..."
+ok=false
+for i in $(seq 1 60); do
+  if docker exec qbittorrent sh -lc "wget -qO- http://localhost:8080/api/v2/app/version >/dev/null 2>&1"; then
+    ok=true
+    break
+  fi
+  sleep 2
+done
+if [ "${ok}" != "true" ]; then
+  echo "[-] WebUI API did not become ready"
+  exit 1
+fi
+
+# Get forwarded port from Gluetun
+FWD="$(docker exec gluetun sh -lc 'cat /tmp/gluetun/forwarded_port 2>/dev/null || curl -fsS http://localhost:8000/v1/openvpn/portforwarded' | sed -E 's/[^0-9]//g' || true)"
+FWD="${FWD:-0}"
+echo "[i] Forwarded port = ${FWD}"
+
+# Temp WebUI password if LSIO reset it
+QBU="admin"
+QBP="$(docker logs qbittorrent 2>&1 | awk '/WebUI administrator username is/{f=1;next} f{print $NF; exit}')"
+
+# Login & apply preferences via API (payload param 'json=...' per qB API spec)
+docker exec qbittorrent sh -lc "
+u='${QBU}'; p='${QBP}';
+curl -s -c /tmp/c.txt -X POST --data \"username=\$u&password=\$p\" http://localhost:8080/api/v2/auth/login >/dev/null && \
+curl -s -b /tmp/c.txt -H 'Referer: http://localhost:8080' \
+  -d 'json={\"bypass_local_auth\":true,\"web_ui_host_header_validation\":false,\"web_ui_csrf_protection_enabled\":false,\"bypass_auth_subnet_whitelist_enabled\":true,\"web_ui_auth_subnet_whitelist\":\"127.0.0.1/32,::1/128\",\"web_ui_address\":\"*\",\"save_path\":\"/Downloads\",\"temp_path_enabled\":true,\"temp_path\":\"/Downloads/Incomplete\"%s}' \
+  http://localhost:8080/api/v2/app/setPreferences >/dev/null
+" >/dev/null
+
+# If forwarded port is valid, set it too
+if [ "${FWD}" -gt 0 ]; then
+  docker exec qbittorrent sh -lc "
+u='${QBU}'; p='${QBP}';
+curl -s -c /tmp/c.txt -X POST --data \"username=\$u&password=\$p\" http://localhost:8080/api/v2/auth/login >/dev/null && \
+curl -s -b /tmp/c.txt -H 'Referer: http://localhost:8080' \
+  -d 'json={\"listen_port\":${FWD}}' \
+  http://localhost:8080/api/v2/app/setPreferences >/dev/null
+" >/dev/null
+fi
+
+# Verify a subset
+docker exec qbittorrent sh -lc "
+u='${QBU}'; p='${QBP}';
+curl -s -c /tmp/c.txt -X POST --data \"username=\$u&password=\$p\" http://localhost:8080/api/v2/auth/login >/dev/null && \
+curl -s -b /tmp/c.txt http://localhost:8080/api/v2/app/preferences \
+  | tr ',' '\n' | grep -E '\"listen_port\"|\"save_path\"|\"temp_path\"|\"bypass_local_auth\"|\"web_ui_host_header_validation\"|\"web_ui_csrf_protection_enabled\"|\"bypass_auth_subnet_whitelist_enabled\"' || true
+" || true
+
+# Final restart to ensure the runtime applies cleanly
+docker restart qbittorrent >/dev/null
+
+echo "[OK] Done. Open WebUI at your host:port. If some torrents error due to path updates, select them and 'Force recheck'."