home-server/roles/dmz_transmission/tasks/main.yml

---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
  vars:
    msg: Transmission
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: transmission-cli

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
  vars:
    msg: Transmission
### ⇐ UPSTREAM END ###

- name: prepare to override systemd settings for transmission
  file:
    name: /etc/systemd/system/transmission.service.d
    state: directory
    mode: 0755

- name: override systemd settings for transmission
  copy:
    content: |
      [Unit]
      Requires=nslcd.service
      After=nslcd.service
      [Service]
      {% if is_vpn_used is not defined %}
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
      {% endif %}
      PrivateDevices=yes
      ProtectHome=yes
      ProtectSystem=full
      LimitNOFILE=4096
      Group={{media_group}}
    dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
    mode: 0644

- name: override network settings for transmission
  copy:
    content: |
      [Unit]
      Requires=no-vpn-network-namespace.service
      After=no-vpn-network-namespace.service
      [Service]
      Type=exec
      User=root
      Group=root
      ExecStart=
      ExecStart=/usr/bin/ip netns exec no-vpn /usr/bin/sudo -g {{media_group}} -u transmission -H -n /usr/bin/transmission-daemon -f --log-level=error
    dest: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf
    mode: 0644
  when: (is_vpn_used is defined)

- name: ensure existence and mode of Transmission working directories
  file:
    path: /var/lib/transmission{{item}}
    state: directory
    owner: transmission
    group: "{{media_group}}"
    mode: 06770
  with_items:
    - ''
    - /.config/transmission-daemon
    - /Todo
    - /Doing
    - /Done

- name: set default ACL on Todo and Done
  acl:
    path: /var/lib/transmission{{item.path}}
    default: true
    entity: "{{item.e}}"
    etype: "{{item.t}}"
    permissions: rwx
    state: present
    recursive: true
  with_items:
    - {path: /Todo, e: transmission, t: user}
    - {path: /Todo, e: "{{media_group}}", t: group}
    - {path: /Done, e: transmission, t: user}
    - {path: /Done, e: "{{media_group}}", t: group}

- name: set current ACL on Todo and Done
  acl:
    path: /var/lib/transmission{{item.path}}
    default: false
    entity: "{{item.e}}"
    etype: "{{item.t}}"
    permissions: rwx
    state: present
    recursive: true
  with_items:
    - {path: /Todo, e: transmission, t: user}
    - {path: /Todo, e: "{{media_group}}", t: group}
    - {path: /Done, e: transmission, t: user}
    - {path: /Done, e: "{{media_group}}", t: group}

- name: make sure that at least an empty configuration file is present
  copy:
    content: |
      {
      }
    dest: /var/lib/transmission/.config/transmission-daemon/settings.json
    group: "{{media_group}}"
    mode: 0640
    force: false

- name: stop transmission.service
  systemd:
    daemon_reload: true
    name: transmission.service
    state: stopped

- name: store DMZ IP (direct)
  set_fact:
    no_vpn_front_IP: "{{DMZ_IP}}"
  when:
    - (is_vpn_used is not defined)

- name: store DMZ IP (avoid VPN)
  set_fact:
    no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | replace('/.*', '')}}"
  when:
    - (is_vpn_used is defined)

- name: put a JSON terminator to avoid a trailing comma
  lineinfile:
    path: /var/lib/transmission/.config/transmission-daemon/settings.json
    regexp: '^\s*"zzz"'
    line: '    "zzz": false'
    insertbefore: '^}'

- name: send Transmission configuration
  lineinfile:
    path: /var/lib/transmission/.config/transmission-daemon/settings.json
    regexp: '^\s*"{{item.key}}"'
    line: '    "{{item.key}}": {{item.value}},'
    insertbefore: '"zzz"'
  with_dict:
    speed-limit-up: '500'
    speed-limit-up-enabled: 'true'
    download-dir: '"/var/lib/transmission/Done"'
    incomplete-dir: '"/var/lib/transmission/Doing"'
    incomplete-dir-enabled: 'true'
    rename-partial-files: 'false'
    trash-original-torrent-files: 'true'
    umask: '7'
    watch-dir: '"/var/lib/transmission/Todo"'
    watch-dir-enabled: 'true'
    encryption: '2'
    message-level: '1'
    bind-address-ipv4: '"{{no_vpn_front_IP}}"'
    peer-port: '{{transmission_bt_port}}'
    peer-port-random-on-start: 'false'
    port-forwarding-enabled: '{{is_vpn_used is defined}}'
    queue-stalled-minutes: '5'
    rpc-authentication-required: 'false'
    rpc-bind-address: '"unix:/run/shared_sockets/transmission-rpc.sock"'
    rpc-socket-mode: '"0777"'
    rpc-port: '{{transmission_rpc_port}}'
    rpc-url: '"{{http_pfx_transmission}}/"'
    rpc-whitelist-enabled: 'false'

- name: start transmission.service
  systemd:
    daemon_reload: true
    name: transmission.service
    state: started

- name: configure nginx for Transmission
  copy:
    content: |
      location {{http_pfx_transmission}}/web {
        alias /usr/share/transmission/public_html;
      }
      location ~ ^{{http_pfx_transmission}}/?$ {
        return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
      }
      location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
        proxy_pass http://unix:/run/shared_sockets/transmission-rpc.sock;
        proxy_pass_header X-Transmission-Session-Id;
        proxy_hide_header ETag;
        proxy_hide_header Cache-Control;
        add_header Cache-Control "no-cache";
      }
    dest: /etc/nginx/inc.d/transmission.https.inc
    mode: 0440
    owner: http
    group: http
  notify:
    - restart openresty.service

- name: enable transmission.service
  systemd:
    daemon_reload: true
    name: transmission.service
    enabled: true

- name: configure SSO
  copy:
    content: |
      { "patterns": [{
          "lua_regex": ["^{{http_pfx_transmission}}"],
          "allow": ["me"],
          "portal": {"{{http_pfx_transmission}}": "BitTorrent"}
        }]
      }
    dest: /etc/nginx/ssso/sites/transm.json
  when: (is_sso_used is defined)
  notify:
    - restart openresty.service

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
  vars:
    msg: Transmission
### ⇐ LOCAL COMMIT ###
- meta: flush_handlers