throttle torrenting when needed

flake.lock

@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744117652,
+        "lastModified": 1744743431,
-        "narHash": "sha256-t7dFCDl4vIOOUMhEZnJF15aAzkpaup9x4ZRGToDFYWI=",
+        "narHash": "sha256-iyn/WBYDc7OtjSawbegINDe/gIkok888kQxk3aVnkgg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b4e98224ad1336751a2ac7493967a4c9f6d9cb3f",
+        "rev": "c61bfe3ae692f42ce688b5865fac9e0de58e1387",
         "type": "github"
       },
       "original": {
@@ -200,11 +200,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744717505,
+        "lastModified": 1744791665,
-        "narHash": "sha256-8GS3nqO7iCIdjsd63t5EpHDu489tJYe4MjXpFtgc+No=",
+        "narHash": "sha256-PeX0XesV1AsM4e+Rv5jIFC67boZl3MQpyC0RvXZZdF8=",
         "owner": "ggml-org",
         "repo": "llama.cpp",
-        "rev": "f8f820cc4dc37032d5375972ba904ce53043445d",
+        "rev": "b43d89e311c5e7fbf62e5ec3c0401eb536677267",
         "type": "github"
       },
       "original": {
@@ -222,11 +222,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744682339,
+        "lastModified": 1744768706,
-        "narHash": "sha256-EnfBeDSsqEku5gvudXWYdXoFghmXb4Vp9YY1vMNzebY=",
+        "narHash": "sha256-7W63qdst98cXE4j/QDF1L3OHz5N5JjcfTVL17a4a3kw=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "deaa09e85d9288c27e0f76431dcdea21f32f96fa",
+        "rev": "46be353e058e970480a9c62ee94a0d1ad2f0c569",
         "type": "github"
       },
       "original": {

services/qbittorrent.nix

@@ -62,7 +62,7 @@
 
     serverConfig.BitTorrent = {
       Session = {
-        GlobalUPSpeedLimit = 1500; # 1.500 MiB/s
+        GlobalUPSpeedLimit = 0; # unlimited upload
         GlobalDLSpeedLimit = 500; # 500 KiB/s
 
         IgnoreLimitsOnLAN = true;

services/wg.nix

@@ -1,4 +1,9 @@
-{ pkgs, service_configs, ... }:
+{
+  pkgs,
+  service_configs,
+  eth_interface,
+  ...
+}:
 {
   # network namespace that is proxied through mullvad
   vpnNamespaces.wg = {
@@ -8,4 +13,49 @@
       # "192.168.0.0/24"
     ];
   };
+
+  environment.systemPackages = with pkgs; [
+    # used to monitor bandwidth usage
+    nload
+  ];
+
+  networking.firewall.extraCommands = ''
+    # Exempt local traffic from marking
+    iptables -t mangle -A POSTROUTING -s ${service_configs.https.wg_ip}/24 -d 192.168.1.0/24 -j RETURN
+
+    # Mark all other traffic from the VPN namespace
+    iptables -t mangle -A POSTROUTING -s ${service_configs.https.wg_ip}/24 -j MARK --set-mark 1
+  '';
+
+  systemd.services."traffic-shaping" =
+    let
+      upload_pipe = 20;
+      high_prio = 18;
+      low_prio = 2;
+    in
+    {
+      description = "Apply QoS to prioritize non-VPN traffic";
+      after = [
+        "network.target"
+        "vpn-wg.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = pkgs.writeShellScript "tc-setup" ''
+          # Add HTB qdisc to physical interface
+          ${pkgs.iproute2}/bin/tc qdisc add dev ${eth_interface} root handle 1: htb default 10
+
+          # Define classes:
+          # - Class 1:10 (high priority, unmarked)
+          # - Class 1:20 (low priority, marked VPN traffic)
+          ${pkgs.iproute2}/bin/tc class add dev ${eth_interface} parent 1: classid 1:1 htb rate ${builtins.toString upload_pipe}mbit ceil ${builtins.toString upload_pipe}mbit
+          ${pkgs.iproute2}/bin/tc class add dev ${eth_interface} parent 1:1 classid 1:10 htb rate ${builtins.toString high_prio}mbit ceil ${builtins.toString upload_pipe}mbit prio 1
+          ${pkgs.iproute2}/bin/tc class add dev ${eth_interface} parent 1:1 classid 1:20 htb rate ${builtins.toString low_prio}mbit ceil ${builtins.toString upload_pipe}mbit prio 2
+
+          # Direct marked packets to low-priority class
+          ${pkgs.iproute2}/bin/tc filter add dev ${eth_interface} parent 1: protocol ip prio 1 handle 1 fw flowid 1:20
+        '';
+      };
+    };
 }