230 lines
6.5 KiB
YAML
230 lines
6.5 KiB
YAML
---
|
||
# The home-server project produces a multi-purpose setup using Ansible.
|
||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||
|
||
### UPSTREAM BEGIN ⇒ ###
|
||
- name: pull prerequisites from upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||
vars:
|
||
msg: Transmission
|
||
### ⇐ UPSTREAM BEGIN ###
|
||
|
||
- name: install software
|
||
package:
|
||
name: transmission-cli
|
||
|
||
### UPSTREAM END ⇒ ###
|
||
- name: merge upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||
vars:
|
||
msg: Transmission
|
||
### ⇐ UPSTREAM END ###
|
||
|
||
- name: prepare to override systemd settings for transmission
|
||
file:
|
||
name: /etc/systemd/system/transmission.service.d
|
||
state: directory
|
||
mode: 0755
|
||
|
||
- name: override systemd settings for transmission
|
||
copy:
|
||
content: |
|
||
[Unit]
|
||
Requires=nslcd.service
|
||
After=nslcd.service
|
||
[Service]
|
||
{% if is_vpn_used is not defined %}
|
||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
|
||
{% endif %}
|
||
PrivateDevices=yes
|
||
ProtectHome=yes
|
||
ProtectSystem=full
|
||
LimitNOFILE=4096
|
||
Group={{media_group}}
|
||
dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
|
||
mode: 0644
|
||
|
||
- name: override network settings for transmission
|
||
copy:
|
||
content: |
|
||
[Unit]
|
||
Requires=no-vpn-network-namespace.service
|
||
After=no-vpn-network-namespace.service
|
||
[Service]
|
||
Type=exec
|
||
User=root
|
||
Group=root
|
||
ExecStart=
|
||
ExecStart=/usr/bin/ip netns exec no-vpn /usr/bin/sudo -g {{media_group}} -u transmission -H -n /usr/bin/transmission-daemon -f --log-level=error
|
||
dest: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf
|
||
mode: 0644
|
||
when: (is_vpn_used is defined)
|
||
|
||
- name: ensure existence and mode of Transmission working directories
|
||
file:
|
||
path: /var/lib/transmission{{item}}
|
||
state: directory
|
||
owner: transmission
|
||
group: "{{media_group}}"
|
||
mode: 06770
|
||
with_items:
|
||
- ''
|
||
- /.config/transmission-daemon
|
||
- /Todo
|
||
- /Doing
|
||
- /Done
|
||
|
||
- name: set default ACL on Todo and Done
|
||
acl:
|
||
path: /var/lib/transmission{{item.path}}
|
||
default: true
|
||
entity: "{{item.e}}"
|
||
etype: "{{item.t}}"
|
||
permissions: rwx
|
||
state: present
|
||
recursive: true
|
||
with_items:
|
||
- {path: /Todo, e: transmission, t: user}
|
||
- {path: /Todo, e: "{{media_group}}", t: group}
|
||
- {path: /Done, e: transmission, t: user}
|
||
- {path: /Done, e: "{{media_group}}", t: group}
|
||
|
||
- name: set current ACL on Todo and Done
|
||
acl:
|
||
path: /var/lib/transmission{{item.path}}
|
||
default: false
|
||
entity: "{{item.e}}"
|
||
etype: "{{item.t}}"
|
||
permissions: rwx
|
||
state: present
|
||
recursive: true
|
||
with_items:
|
||
- {path: /Todo, e: transmission, t: user}
|
||
- {path: /Todo, e: "{{media_group}}", t: group}
|
||
- {path: /Done, e: transmission, t: user}
|
||
- {path: /Done, e: "{{media_group}}", t: group}
|
||
|
||
- name: make sure that at least an empty configuration file is present
|
||
copy:
|
||
content: |
|
||
{
|
||
}
|
||
dest: /var/lib/transmission/.config/transmission-daemon/settings.json
|
||
group: "{{media_group}}"
|
||
mode: 0640
|
||
force: false
|
||
|
||
- name: stop transmission.service
|
||
systemd:
|
||
daemon_reload: true
|
||
name: transmission.service
|
||
state: stopped
|
||
|
||
- name: store DMZ IP (direct)
|
||
set_fact:
|
||
no_vpn_front_IP: "{{DMZ_IP}}"
|
||
when:
|
||
- (is_vpn_used is not defined)
|
||
|
||
- name: store DMZ IP (avoid VPN)
|
||
set_fact:
|
||
no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | replace('/.*', '')}}"
|
||
when:
|
||
- (is_vpn_used is defined)
|
||
|
||
- name: put a JSON terminator to avoid a trailing comma
|
||
lineinfile:
|
||
path: /var/lib/transmission/.config/transmission-daemon/settings.json
|
||
regexp: '^\s*"zzz"'
|
||
line: ' "zzz": false'
|
||
insertbefore: '^}'
|
||
|
||
- name: send Transmission configuration
|
||
lineinfile:
|
||
path: /var/lib/transmission/.config/transmission-daemon/settings.json
|
||
regexp: '^\s*"{{item.key}}"'
|
||
line: ' "{{item.key}}": {{item.value}},'
|
||
insertbefore: '"zzz"'
|
||
with_dict:
|
||
speed-limit-up: '500'
|
||
speed-limit-up-enabled: 'true'
|
||
download-dir: '"/var/lib/transmission/Done"'
|
||
incomplete-dir: '"/var/lib/transmission/Doing"'
|
||
incomplete-dir-enabled: 'true'
|
||
rename-partial-files: 'false'
|
||
trash-original-torrent-files: 'true'
|
||
umask: '7'
|
||
watch-dir: '"/var/lib/transmission/Todo"'
|
||
watch-dir-enabled: 'true'
|
||
encryption: '2'
|
||
message-level: '1'
|
||
bind-address-ipv4: '"{{no_vpn_front_IP}}"'
|
||
peer-port: '{{transmission_bt_port}}'
|
||
peer-port-random-on-start: 'false'
|
||
port-forwarding-enabled: '{{is_vpn_used is defined}}'
|
||
queue-stalled-minutes: '5'
|
||
rpc-authentication-required: 'false'
|
||
rpc-bind-address: '"unix:/run/shared_sockets/transmission-rpc.sock"'
|
||
rpc-socket-mode: '"0777"'
|
||
rpc-port: '{{transmission_rpc_port}}'
|
||
rpc-url: '"{{http_pfx_transmission}}/"'
|
||
rpc-whitelist-enabled: 'false'
|
||
|
||
- name: start transmission.service
|
||
systemd:
|
||
daemon_reload: true
|
||
name: transmission.service
|
||
state: started
|
||
|
||
- name: configure nginx for Transmission
|
||
copy:
|
||
content: |
|
||
location {{http_pfx_transmission}}/web {
|
||
alias /usr/share/transmission/public_html;
|
||
}
|
||
location ~ ^{{http_pfx_transmission}}/?$ {
|
||
return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
|
||
}
|
||
location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
|
||
proxy_pass http://unix:/run/shared_sockets/transmission-rpc.sock;
|
||
proxy_pass_header X-Transmission-Session-Id;
|
||
proxy_hide_header ETag;
|
||
proxy_hide_header Cache-Control;
|
||
add_header Cache-Control "no-cache";
|
||
}
|
||
dest: /etc/nginx/inc.d/transmission.https.inc
|
||
mode: 0440
|
||
owner: http
|
||
group: http
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
- name: enable transmission.service
|
||
systemd:
|
||
daemon_reload: true
|
||
name: transmission.service
|
||
enabled: true
|
||
|
||
- name: configure SSO
|
||
copy:
|
||
content: |
|
||
{ "patterns": [{
|
||
"lua_regex": ["^{{http_pfx_transmission}}"],
|
||
"allow": ["me"],
|
||
"portal": {"{{http_pfx_transmission}}": "BitTorrent"}
|
||
}]
|
||
}
|
||
dest: /etc/nginx/ssso/sites/transm.json
|
||
when: (is_sso_used is defined)
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
### LOCAL COMMIT ⇒ ###
|
||
- name: commit local changes
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||
vars:
|
||
msg: Transmission
|
||
### ⇐ LOCAL COMMIT ###
|
||
- meta: flush_handlers
|