diff --git a/flake.nix b/flake.nix
index 0574c1e..301ef97 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,6 +41,7 @@ simple-nixos-mailserver.nixosModules.mailserver sops-nix.nixosModules.sops self.nixosModules.papermc
+ self.nixosModules.qbittorrent-nox
]; specialArgs = { inherit inputs self; }; };
@@ -52,6 +53,8 @@ spoofdpi = import ./nixosModules/spoofdpi { inherit self; }; papermc = import ./nixosModules/papermc { inherit self; };
+
+ qbittorrent-nox = import ./nixosModules/qbittorrent-nox { inherit self; };
}; templates = {
diff --git a/nixosConfigurations/astora/hardware.nix b/nixosConfigurations/astora/hardware.nix
index a56c682..e951820 100644
--- a/nixosConfigurations/astora/hardware.nix
+++ b/nixosConfigurations/astora/hardware.nix
@@ -71,6 +71,8 @@
{ domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
{ domain = "@audio"; item = "nofile"; type = "soft"; value = "99999"; }
{ domain = "@audio"; item = "nofile"; type = "hard"; value = "99999"; }
+ { domain = "*"; item = "nofile"; type = "-"; value = "524288"; }
+ { domain = "*"; item = "memlock"; type = "-"; value = "524288"; }
];
polkit.enable = true;
};
diff --git a/nixosConfigurations/catarina/default.nix b/nixosConfigurations/catarina/default.nix
index a678417..65fd9c1 100644
--- a/nixosConfigurations/catarina/default.nix
+++ b/nixosConfigurations/catarina/default.nix
@@ -161,6 +161,12 @@ rec {
services.spoofdpi.enable = true;
+ services.qbittorrent-nox = {
+ enable = true;
+ webuiPort = 8085;
+ openFirewall = true;
+ };
+
#services.btrbk = { # instances."catarina" = { # onCalendar = "weekly";
diff --git a/nixosConfigurations/catarina/hardware.nix b/nixosConfigurations/catarina/hardware.nix
index 5547675..7bb717d 100644
--- a/nixosConfigurations/catarina/hardware.nix
+++ b/nixosConfigurations/catarina/hardware.nix
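Review bot: The two added `domain = "*"` entries at the end of the limits list raise nofile and memlock for every account on the host, not just the `@audio` group the neighbouring entries target, and `type = "-"` sets the soft and hard limit together. pam_limits takes memlock in KiB, so this lets any local user pin roughly 512 MiB of RAM per process, and nothing in this diff shows which service on astora needs it (the qbittorrent-nox enablement is on catarina). If a specific service is the consumer, scope the entry to its user or group, e.g. `{ domain = "qbittorrent-nox"; item = "nofile"; type = "-"; value = "524288"; }`, or add a comment naming the consumer so the host-wide change is clearly deliberate.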
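Review bot: `openFirewall = true` opens the torrent port (6969 TCP and UDP by the module default) on every interface, while the WebUI on `webuiPort = 8085` is a plain-HTTP admin interface protected only by qBittorrent's own login, and this hunk does nothing to bind it to loopback or put it behind TLS. Whether that is acceptable depends on which networks catarina sits on, which the diff does not show; at minimum a comment such as `# WebUI is plain HTTP on 8085 - LAN/VPN only; change the initial password on first login` would record the decision, and a reverse proxy with TLS on 443 would be the usual fix. Note that `openFirewall` does not cover the WebUI port (that rule is added by hand in hardware.nix), so the two settings are easy to get out of sync.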
@@ -129,7 +129,7 @@ firewall = { enable = true;
- allowedTCPPorts = [ 80 443 3001 25600 8080 ];
+ allowedTCPPorts = [ 80 443 3001 25600 8080 8085 ];
}; # interfaces.enp9s0.ipv4.addresses = [ {
diff --git a/nixosModules/qbittorrent-nox/default.nix b/nixosModules/qbittorrent-nox/default.nix
new file mode 100644
index 0000000..dd786ce
--- /dev/null
+++ b/nixosModules/qbittorrent-nox/default.nix
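Review bot: The new `8085` is a copy of the `services.qbittorrent-nox.webuiPort` value set in default.nix; the two will drift silently if either is changed, and this list is now the only thing gating access to the qBittorrent WebUI. Reference the option instead, `allowedTCPPorts = [ 80 443 3001 25600 8080 config.services.qbittorrent-nox.webuiPort ];`, provided `config` is available in this file (its header is outside the hunk). Since 80 and 443 are already open, consider fronting the WebUI with a reverse proxy over TLS rather than exposing plain HTTP, or restrict 8085 to the LAN interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts`. The enclosing `networking` block starts outside the hunk.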
@@ -0,0 +1,119 @@
+{ self, ... }:
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ cfg = config.services.qbittorrent-nox;
+in {
+ options.services.qbittorrent-nox = {
+ enable = mkEnableOption "Enables the qbittorrent-nox services";
+
+ port = mkOption rec {
+ type = types.int;
+ default = 6969;
+ example = default;
+ description = "Torrenting port";
+ };
+
+ webuiPort = mkOption rec {
+ type = types.port;
+ default = 8080;
+ example = default;
+ description = "WebUI port";
+ };
+
+ dataDir = mkOption rec {
+ type = types.path;
+ default = "/var/lib/qbittorrent-nox";
+ example = default;
+ description = "Directory to store qbittorrent-nox data files";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "qbittorrent-nox";
+ description = lib.mdDoc "User account under which qbittorrent-nox runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "qbittorrent-nox";
+ description = lib.mdDoc "Group under which qbittorrent-nox runs.";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Open services.qbittorrent-nox.port";
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.qbittorrent-nox;
+ description = "The qbittorrent package to use";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.qbittorrent-nox = {
+ description = "qbittorrent-nox service user";
+ home = cfg.dataDir;
+ createHome = true;
+ isSystemUser = true;
+ group = "qbittorrent-nox";
+ };
+ users.groups.qbittorrent-nox = {};
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
+
+ systemd.services.qbittorrent-nox = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${cfg.package}/bin/qbittorrent-nox --torrenting-port=${toString cfg.port} --webui-port=${toString cfg.webuiPort}";
+ Restart = "always";
+ User = cfg.user;
+ Group = cfg.group;
+ WorkingDirectory = cfg.dataDir;
+ # Runtime directory and mode
+ RuntimeDirectory = "qbittorrent-nox";
+ RuntimeDirectoryMode = "0755";
+ # Proc filesystem
+ ProcSubset = "pid";
+ ProtectProc = "invisible";
+ # Access write directories
+ ReadWritePaths = [ cfg.dataDir ];
+ UMask = "0027";
+ # Capabilities
+ CapabilityBoundingSet = "";
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ };
+
+ };
+ };
+}
diff --git a/nixosModules/spoofdpi/default.nix b/nixosModules/spoofdpi/default.nix
index 21c7ea5..8dc143c 100644
--- a/nixosModules/spoofdpi/default.nix
+++ b/nixosModules/spoofdpi/default.nix
@@ -16,12 +16,18 @@ in {
}; port = mkOption rec {
- type = types.str;
- default = "8080";
+ type = types.port;
+ default = 8080;
example = default; description = "Port"; };
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Open services.spoofdpi.port";
+ };
+
dns = mkOption rec { type = types.str; default = "8.8.8.8";
@@ -33,11 +39,16 @@ in {
config = mkIf cfg.enable { systemd.services.spoofdpi = { wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
serviceConfig = { Restart = "on-failure";
- ExecStart = "${pkg}/bin/spoof-dpi -no-banner -addr ${cfg.address} -port ${cfg.port} -dns ${cfg.dns}";
+ ExecStart = "${pkg}/bin/spoof-dpi -no-banner -addr ${cfg.address} -port ${toString cfg.port} -dns ${cfg.dns}";
DynamicUser = "yes"; }; };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ };
}; }
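Review bot: The `user` and `group` options are declared but not honoured: `users.users.qbittorrent-nox` and `users.groups.qbittorrent-nox` hard-code the default names (including `group = "qbittorrent-nox"`), so setting `user` to anything else makes the unit run as an account this module never creates while `home`/`createHome` still apply to the default one. Keying the definitions on the options and creating them only when the defaults are in use is the nixpkgs convention and is shown below. Smaller points in the same hunk: `port` is `types.int` while `webuiPort` is `types.port`, `RuntimeDirectoryMode = "0755"` makes the runtime directory world-readable with no visible consumer (0750 is the usual), and the otherwise thorough sandbox has no `SystemCallFilter`/`SystemCallArchitectures`, which is the layer that actually limits what a compromised process can ask the kernel for. The WebUI listens on all interfaces with qBittorrent's stock credentials (a well-known default in older releases, a generated one logged at startup in newer ones, as far as I recall), so the `webuiPort` description should state that it is not covered by `openFirewall` and belongs behind a reverse proxy or an interface-scoped firewall rule.
```nix
  port = mkOption rec {
    type = types.port;
    # … unchanged: default, example, description …
  };
  # … unchanged: remaining option declarations …

  config = mkIf cfg.enable {
    # Create the account/group only when the defaults are in use; an
    # overridden user/group is expected to be managed elsewhere.
    users.users.${cfg.user} = mkIf (cfg.user == "qbittorrent-nox") {
      description = "qbittorrent-nox service user";
      home = cfg.dataDir;
      createHome = true;
      isSystemUser = true;
      group = cfg.group;
    };
    users.groups.${cfg.group} = mkIf (cfg.group == "qbittorrent-nox") {};
    # … unchanged: networking.firewall, systemd unit up to WorkingDirectory …
        RuntimeDirectoryMode = "0750";
        # … unchanged: ProcSubset … PrivateMounts …
        # Syscall allow-list; @system-service covers an ordinary network daemon.
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
```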
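Review bot: `openFirewall` admits TCP connections to spoof-dpi from every network the host is attached to, and nothing in the unit (which only gains `after` and `DynamicUser`) adds authentication or a source restriction; spoof-dpi is a DPI-bypass HTTP/HTTPS proxy and, as far as I know, has no client authentication, so unless `address` (declared outside this hunk) is loopback this publishes an open proxy. Prefer an interface-scoped rule, `networking.firewall.interfaces.<lan>.allowedTCPPorts = [ cfg.port ];`, or at least say so in the `openFirewall` description from the earlier hunk, e.g. `description = "Open services.spoofdpi.port on all interfaces; spoof-dpi performs no client authentication, so only enable this on a trusted network";`. Keeping the default at `false` behind `mkIf` is right.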