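---
# DEPLOYMENT LOCATION: /opt/docker/qbittorrent/docker-compose.yml
# Deploy with: sudo mkdir -p /opt/docker/qbittorrent && sudo cp config/docker/qbittorrent/docker-compose.yml /opt/docker/qbittorrent/
# Start with: cd /opt/docker/qbittorrent && sudo docker-compose up -d
#
# HARDENED CONFIGURATION - Updated for security
# - Torrent ports bound to localhost (VPN/reverse tunnel recommended for external access)
# - Non-root user (1000:1000), applied by the image's own init via PUID/PGID
# - Security options added
# - Resource limits maintained
# - Read-only config volume where possible
#
# Review notes:
# - The compose `user: "1000:1000"` directive was removed. linuxserver images
#   start their s6 init as root so it can chown /config and then switch to
#   PUID:PGID; forcing a non-root uid at the container level defeats that
#   mechanism, and the CHOWN/SETUID/SETGID capabilities kept below only have
#   an effect while init is still root. Keeping both was contradictory.
# - `deploy.resources` is honoured by Compose v2 (`docker compose`) and by
#   docker-compose v1 only with `--compatibility`; a plain v1 `docker-compose
#   up` silently ignores the limits.

services:
  qbittorrent:
    # TODO(review): pin to an explicit version tag or @sha256:<digest-from-registry>
    # so an upstream rebuild of `latest` cannot silently change what is deployed.
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
    restart: unless-stopped

    # User and group IDs to match host user (hoborg). The image's init runs as
    # root only long enough to fix ownership, then drops to PUID:PGID.
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Prague
      - WEBUI_PORT=8080

    # Security hardening
    # NOTE: no `user:` directive here on purpose (see header). Confirm after
    # start-up that the qbittorrent process runs as uid 1000, e.g. from the
    # container logs or `docker top qbittorrent`.
    read_only: false  # qBittorrent needs write access for downloads
    tmpfs:
      - /tmp:noexec,nosuid,size=100m
    cap_drop:
      - ALL
    cap_add:
      # CHOWN/SETUID/SETGID: needed by the init to fix /config ownership and
      # switch to PUID:PGID. NET_BIND_SERVICE: for port binding. If start-up
      # fails with a permission error, read the logs before widening this list.
      - CHOWN
      - SETUID
      - SETGID
      - NET_BIND_SERVICE
    security_opt:
      - no-new-privileges:true

    # Network - bind to localhost for security
    # NOTE: For external torrent access, use VPN or port forwarding
    ports:
      - "127.0.0.1:8080:8080"      # Web UI (reverse proxy only)
      - "127.0.0.1:6881:6881"      # BitTorrent TCP (localhost only)
      - "127.0.0.1:6881:6881/udp"  # BitTorrent UDP (localhost only)

    # Volume mounts
    # Both host paths must be owned by / writable for uid 1000 (PUID) — the
    # NAS export in particular must map that uid correctly.
    volumes:
      # qBittorrent configuration
      - /opt/docker/qbittorrent/config:/config
      # Torrent storage on NAS
      - /mnt/nas/torrent:/downloads

    # Enhanced resource limits
    # Ignored by docker-compose v1 unless started with `--compatibility`;
    # applied as-is by Compose v2.
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 1G
        reservations:
          cpus: '0.25'
          memory: 256M

    # Health check
    # Runs inside the container, so it targets the container's own WEBUI_PORT,
    # not the host-side 127.0.0.1 mapping. Assumes curl is present in the
    # image — verify with `docker exec qbittorrent curl --version`.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s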