The download engine executes the actual peer-to-peer file acquisition. We utilize `qBittorrent-nox`, a headless daemon devoid of a desktop GUI, managed entirely via a web interface running on TCP Port 8023.

Never run a public-facing torrent daemon as the `root` user. Create a dedicated, unprivileged system user (`qbituser`) before installation.

sudo adduser --system --group qbituser
sudo apt update && sudo apt install qbittorrent-nox -y

Ensure `qbituser` has explicit read/write access to the NFS mount created in nfs_fabric. (Refer to the IAM Permissions Matrix for detailed GID/UID matching).

Create a native systemd unit file to ensure the daemon automatically starts on boot and restarts in the event of a crash.

sudo nano /etc/systemd/system/qbittorrent-nox.service

/etc/systemd/system/qbittorrent-nox.service

[Unit]
Description=qBittorrent Command Line Client
After=network.target
 
[Service]
Type=forking
User=qbituser
Group=qbituser
UMask=002
ExecStart=/usr/bin/qbittorrent-nox -d --webui-port=8023
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable --now qbittorrent-nox

While the NordVPN kill-switch provides routing-level protection, application-level binding provides a mandatory secondary defense layer. If the VPN drops, qBittorrent must become completely deaf and blind to the network.

1. Navigate to the WebUI at `http:<ACQUISITION_SERVER_IP>:8023`. - Go to Tools → Options → Advanced. - Network Interface: Change from `Any interface` to explicitly select `nordlynx`. - Optional IP Address Binding: Set to `All IPv4 addresses`. ===== 4. Directory Mapping ===== Within the WebUI Downloads settings, map your default save paths directly to your NFS storage fabric: * Default Save Path: `/mnt/data/torrents/completed/` * Keep Incomplete Torrents In: `/mnt/data/torrents/incomplete/` Next Step: Deploy the indexer coordination layer in Prowlarr Indexer Proxy.