qbt: increase ConnectionSpeed

configuration.nix

@@ -132,6 +132,31 @@
       compressor = "zstd";
       supportedFilesystems = [ "f2fs" ];
     };
+
+    # BBR congestion control handles variable-latency VPN connections much
+    # better than CUBIC by probing bandwidth continuously rather than
+    # reacting to packet loss.
+    kernelModules = [ "tcp_bbr" ];
+
+    kernel.sysctl = {
+      # Use BBR + fair queuing for smooth throughput through the WireGuard VPN
+      "net.core.default_qdisc" = "fq";
+      "net.ipv4.tcp_congestion_control" = "bbr";
+
+      # Disable slow-start after idle: prevents TCP from resetting window
+      # size on each burst cycle (the primary cause of the 0 -> 40 MB/s spikes)
+      "net.ipv4.tcp_slow_start_after_idle" = 0;
+
+      # Larger socket buffers to accommodate the VPN bandwidth-delay product
+      # (22ms RTT * target throughput). Current 2.5MB max is too small.
+      "net.core.rmem_max" = 16777216;
+      "net.core.wmem_max" = 16777216;
+      "net.ipv4.tcp_rmem" = "4096 87380 16777216";
+      "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+
+      # Higher backlog for the large number of concurrent torrent connections
+      "net.core.netdev_max_backlog" = 5000;
+    };
   };
 
   environment.etc = {

flake.lock

@@ -27,11 +27,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1770419512,
-        "narHash": "sha256-o8Vcdz6B6bkiGUYkZqFwH3Pv1JwZyXht3dMtS7RchIo=",
+        "lastModified": 1771121070,
+        "narHash": "sha256-aIlv7FRXF9q70DNJPI237dEDAznSKaXmL5lfK/Id/bI=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "2510f2cbc3ccd237f700bb213756a8f35c32d8d7",
+        "rev": "a2812c19f1ed2e5ed5ce2ef7109798b575c180e1",
         "type": "github"
       },
       "original": {
@@ -69,11 +69,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1771271879,
-        "narHash": "sha256-Vn32sMuvV35ChjVGZE4d8NNmCq3E/6HjaK2uVUUp2JI=",
+        "lastModified": 1771469470,
+        "narHash": "sha256-GnqdqhrguKNN3HtVfl6z+zbV9R9jhHFm3Z8nu7R6ml0=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "e963ed5aea88ad0c093adde7c1c2abd4e1b48beb",
+        "rev": "4707eec8d1d2db5182ea06ed48c820a86a42dc13",
         "type": "github"
       },
       "original": {
@@ -243,11 +243,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1770734117,
-        "narHash": "sha256-PNXSnK507MRj+hYMgnUR7InNJzVCmOfsjHV4YXZgpwQ=",
+        "lastModified": 1771492583,
+        "narHash": "sha256-nQzvnU4BGu8dA6BsPPCqmVcab/3ebVmHtX3ZWbW3Hxc=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "2038a9a19adb886eccba775321b055fdbdc5029d",
+        "rev": "5e9380994665ef66c87ab8e22c913ff837174ce4",
         "type": "github"
       },
       "original": {
@@ -265,11 +265,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1771296409,
-        "narHash": "sha256-p0fEFcqNnhYBKsHTint5pwkcnQk1b68OeQJh95B9Adg=",
+        "lastModified": 1771469368,
+        "narHash": "sha256-yGRHre2BINQJBDAyUwxyzvgAce22J4pNdpLS8roo6fY=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "22cb60087e549a90f6b0347e84ac178c0c9085ad",
+        "rev": "a708458be9b9421e377c54d86807d3490db53816",
         "type": "github"
       },
       "original": {
@@ -280,11 +280,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1771257191,
-        "narHash": "sha256-H1l+zHq+ZinWH7F1IidpJ2farmbfHXjaxAm1RKWE1KI=",
+        "lastModified": 1771423359,
+        "narHash": "sha256-yRKJ7gpVmXbX2ZcA8nFi6CMPkJXZGjie2unsiMzj3Ig=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "66e1a090ded57a0f88e2b381a7d4daf4a5722c3f",
+        "rev": "740a22363033e9f1bb6270fbfb5a9574067af15b",
         "type": "github"
       },
       "original": {
@@ -296,11 +296,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771208521,
-        "narHash": "sha256-X01Q3DgSpjeBpapoGA4rzKOn25qdKxbPnxHeMLNoHTU=",
+        "lastModified": 1771419570,
+        "narHash": "sha256-bxAlQgre3pcQcaRUm/8A0v/X8d2nhfraWSFqVmMcBcU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8",
+        "rev": "6d41bc27aaf7b6a3ba6b169db3bd5d6159cfaa47",
         "type": "github"
       },
       "original": {
@@ -336,11 +336,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769939035,
-        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
+        "lastModified": 1770726378,
+        "narHash": "sha256-kck+vIbGOaM/dHea7aTBxdFYpeUl/jHOy5W3eyRvVx8=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
+        "rev": "5eaaedde414f6eb1aea8b8525c466dc37bba95ae",
         "type": "github"
       },
       "original": {
@@ -376,11 +376,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770520253,
-        "narHash": "sha256-6rWuHgSENXKnC6HGGAdRolQrnp/8IzscDn7FQEo1uEQ=",
+        "lastModified": 1771125043,
+        "narHash": "sha256-ldf/s49n6rOAxl7pYLJGGS1N/assoHkCOWdEdLyNZkc=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "ebb8a141f60bb0ec33836333e0ca7928a072217f",
+        "rev": "4912f951a26dc8142b176be2c2ad834319dc06e8",
         "type": "github"
       },
       "original": {
@@ -433,11 +433,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1771207491,
-        "narHash": "sha256-08s9LKq9Et4y9r6FSJLJUnRCyJHZMauAIok45ulQo0k=",
+        "lastModified": 1771501715,
+        "narHash": "sha256-U0P7KvlJZ3XLB8DhwnISmc5xEQWj9p9shRmCWAgT94k=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "434ed3900e9a7b23638da97ebe16ab0e0be7fef5",
+        "rev": "4744487ba359133ac2b04ea49aa0eb90841b8c67",
         "type": "github"
       },
       "original": {
@@ -509,11 +509,11 @@
     "trackerlist": {
       "flake": false,
       "locked": {
-        "lastModified": 1771283390,
-        "narHash": "sha256-rkSYYntpKP/OD1vXWw/W+GGRBSaC5OoHLR/yqJhlq/M=",
+        "lastModified": 1771542582,
+        "narHash": "sha256-sFWG+t8U1JuHViV2ESrtXf1kVq3GFHihmGSoAIAJjUQ=",
         "owner": "ngosang",
         "repo": "trackerslist",
-        "rev": "a7c87dd33cacc627b67447bdef591bd9a8b7d878",
+        "rev": "de994ca82ae92dca5ef1ea16cdcf7761ca1deff0",
         "type": "github"
       },
       "original": {

services/matrix.nix

@@ -12,8 +12,8 @@ let
         domain = "forgejo.ellis.link";
         owner = "continuwuation";
         repo = "continuwuity";
-        rev = "082c44f3556e4e939c31cb66dda261af4f70bea8";
-        hash = "sha256-v7W6ZqSYB2TSkRj6Hte/UxBTCad94b+uzpROQ9jlwdQ=";
+        rev = "efd879fcd8013e359d398bb495ee5520d0e5156b";
+        hash = "sha256-7hS6Mi8iOrJqRnQvfbg7MM4SWf1ntMCe3uVGb2Gq7l8=";
       };
     in
     pkgs.matrix-continuwuity.overrideAttrs (old: {
@@ -21,7 +21,7 @@ let
       cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
         inherit src;
         name = "${old.pname}-vendor";
-        hash = "sha256-Ib4yAT0Ncch8QT8CioF9s3fN34E50ZhbcX7m0lgwJkI=";
+        hash = "sha256-N7PdVPKnXAUZx1GElAolxTFWCU1MSmFjzZrEAsedCnU=";
       };
 
       patches = (old.patches or [ ]) ++ [

services/monero.nix

@@ -20,5 +20,4 @@
       restricted = true;
     };
   };
-
 }

services/qbittorrent.nix

@@ -18,7 +18,9 @@
     ])
     (lib.vpnNamespaceOpenPort config.services.qbittorrent.webuiPort "qbittorrent")
     (lib.serviceFilePerms "qbittorrent" [
-      "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}"
+      # 0770: group (media) needs write to delete files during upgrades —
+      # Radarr/Sonarr must unlink the old file before placing the new one.
+      "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.media_group}"
       "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
       "Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
     ])
@@ -28,6 +30,11 @@
     enable = true;
     webuiPort = service_configs.ports.torrent;
     profileDir = "/var/lib/qBittorrent";
+    # Set the service group to 'media' so the systemd unit runs with media as
+    # the primary GID. Linux assigns new file ownership from the process's GID
+    # (set by systemd's Group= directive), not from /etc/passwd. Without this,
+    # downloads land as qbittorrent:qbittorrent (0700), blocking Radarr/Sonarr.
+    group = service_configs.media_group;
 
     serverConfig.LegalNotice.Accepted = true;
 
@@ -48,7 +55,7 @@
 
     serverConfig.BitTorrent = {
       Session = {
-        MaxConnectionsPerTorrent = 100;
+        MaxConnectionsPerTorrent = 50;
         MaxUploadsPerTorrent = 10;
         MaxConnections = -1;
         MaxUploads = -1;
@@ -57,7 +64,7 @@
 
         # queueing
         QueueingSystemEnabled = true;
-        MaxActiveDownloads = 8; # num of torrents that can download at the same time
+        MaxActiveDownloads = 5; # keep focused: fewer torrents, each gets more bandwidth
         MaxActiveUploads = -1;
         MaxActiveTorrents = -1;
         IgnoreSlowTorrentsForQueueing = true;
@@ -84,8 +91,7 @@
         inherit (config.services.qbittorrent.serverConfig.Preferences.Downloads) TempPath;
         TempPathEnabled = true;
 
-        # how many connections per sec
-        ConnectionSpeed = 300;
+        ConnectionSpeed = 200;
 
         # Automatic Torrent Management: use category save paths for new torrents
         DisableAutoTMMByDefault = false;