diff --git a/files/transmission/Dockerfile b/files/transmission/Dockerfile
new file mode 100644
index 0000000..793f2cb
--- /dev/null
+++ b/files/transmission/Dockerfile
@@ -0,0 +1,25 @@
+FROM alpine:latest
+
+ENV TRANSMISSION_HOME=/app/
+
+RUN apk add --no-cache --update transmission transmission-daemon
+
+RUN mkdir --parents \
+ /app/config/torrents \
+ /app/config/resume \
+ /app/config/blocklists \
+ /app/downloads \
+ /app/incomplete_downloads
+
+WORKDIR /app
+
+VOLUME ["/app/config", "/app/downloads", "/app/incomplete_downloads"]
+
+ENTRYPOINT /usr/bin/transmission-daemon \
+ --config-dir /app/config \
+ --log-level info \
+ --foreground \
+ --download-dir /app/downloads \
+ --incomplete-dir /app/incomplete_downloads
+
+EXPOSE 9091 51413/tcp 51413/udp
diff --git a/playbook.yml b/playbook.yml
index 68d4a1a..f171dcb 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -56,9 +56,7 @@
 - 'vars/vpn.yml'
 - 'vars/vpn_media.yml'
 - 'vars/network.yml'
- - 'vars/nginx.yml'
 - 'vars/transmission.yml'
 - 'vars/syncthing.yml'
 - 'vars/mpd.yml'
 - 'vars/radicale.yml'
- - 'vars/jellyfin.yml'
diff --git a/tasks/transmission.yml b/tasks/transmission.yml
index 4244ded..c96f69f 100644
--- a/tasks/transmission.yml
+++ b/tasks/transmission.yml
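Review bot: The image runs transmission-daemon as root under a shell-form `ENTRYPOINT`, so the daemon is a child of `/bin/sh -c` rather than PID 1, the SIGTERM from `docker stop` reaches the shell and not the daemon (resume state may not be flushed cleanly), and every file it writes into the bind-mounted `/app/downloads` is owned by root. `FROM alpine:latest` plus an unpinned `apk add` also makes the build non-reproducible, and `--update` is redundant next to `--no-cache`. I'd pin the base tag, create a dedicated account (or reuse the one the Alpine package's pre-install script may already add — verify) with the uid that owns the download directories on the host, switch to it after the directories exist, and use the exec form. `EXPOSE` is documentation only, so nothing here actually publishes 9091 or 51413.
```dockerfile
FROM alpine:3.20
# … unchanged: ENV, apk add, mkdir of /app/* …
RUN addgroup -S -g 10001 transmission \
 && adduser -S -u 10001 -G transmission -h /app transmission \
 && chown -R transmission:transmission /app
USER transmission
ENTRYPOINT ["/usr/bin/transmission-daemon", "--config-dir", "/app/config", \
            "--log-level", "info", "--foreground", \
            "--download-dir", "/app/downloads", "--incomplete-dir", "/app/incomplete_downloads"]
```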
@@ -1,60 +1,93 @@ -# transmission's configuration file does not change while the service is -# still running -- name: stop transmission daemon +# Note: requires an up-to-date ansible version to make us of docker compose file +## TODO: use tracker blocklist +# + +- name: Disable system process become: true - systemd: + ansible.builtin.systemd: name: transmission-daemon state: stopped -- name: create transmission directories +- name: Create Transmission directories become: true - file: + ansible.builtin.file: path: '{{ item.path }}' - mode: '{{ item.mode }}' owner: '{{ item.owner }}' group: '{{ item.group }}' + mode: '0755' state: directory loop: - - { - path: '{{ ansible_env.HOME }}/.config/transmission-daemon', - mode: 755, - owner: 'sonny', - group: 'sonny', - } - - { - path: '/etc/systemd/system/transmission-daemon.service.d', - mode: 755, - owner: 'root', - group: 'root', - } + - path: '{{ transmission_app_dir }}' + owner: root + group: root + - path: '{{ transmission_app_dir }}/config' + owner: root + group: root + - path: '{{ transmission_app_dir }}/nginx.conf.d' + owner: sonny + group: sonny + - path: '{{ transmission_download_dir }}' + owner: sonny + group: sonny + - path: '{{ transmission_incomplete_dir }}' + owner: sonny + group: sonny -- name: copy transmission templates +- name: Remove previous transmission configurations become: true - template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - mode: '{{ item.mode }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' + ansible.builtin.file: + path: '{{ item }}' + state: absent loop: - - { - src: 'templates/systemd/transmission.j2', - dest: '/etc/systemd/system/transmission-daemon.service.d/override.conf', - mode: '755', - owner: 'root', - group: 'root', - } - - { - src: 'templates/transmission.j2', - dest: '{{ ansible_env.HOME }}/.config/transmission-daemon/settings.json', - mode: '0600', - owner: 'sonny', - group: 'sonny', - } + - '/etc/systemd/system/transmission-daemon.service.d' + - '{{ 
ansible_env.HOME }}/.config/transmission-daemon'
-- name: start transmission daemon
+- name: Copy Dockerfile
 become: true
- systemd:
- name: transmission-daemon
- state: started
- enabled: true
+ ansible.builtin.copy:
+ src: 'files/transmission/Dockerfile'
+ dest: '{{ transmission_app_dir }}/Dockerfile'
+ owner: sonny
+ group: sonny
+ mode: '0755'
+
+- name: Copy docker compose configuration
+ become: true
+ ansible.builtin.template:
+ src: 'templates/transmission/docker-compose.j2'
+ dest: '{{ transmission_app_dir }}/docker-compose.yml'
+ owner: sonny
+ group: sonny
+ mode: '0755'
+
+# Prevents Tranmission from overwiting configuration files
+- name: Stop docker compose containers
+ community.docker.docker_compose_v2:
+ project_src: '{{ transmission_app_dir }}'
+ state: stopped
+
+- name: Copy Transmission configuration
+ become: true
+ ansible.builtin.template:
+ src: 'templates/transmission/config.j2'
+ dest: '{{ transmission_app_dir }}/config/settings.json'
+ owner: sonny
+ group: sonny
+ mode: '0755'
+
+- name: Copy NGINX configuration
+ become: true
+ ansible.builtin.template:
+ src: 'templates/transmission/nginx.j2'
+ dest: '{{ transmission_app_dir }}/nginx.conf.d/default.conf'
+ owner: sonny
+ group: sonny
+ mode: '0755'
+
+- name: Start container
+ community.docker.docker_compose_v2:
+ project_src: '{{ transmission_app_dir }}'
+ build: always
+ remove_orphans: true
+ state: restarted
+ pull: always
diff --git a/templates/network/hosts.j2 b/templates/network/hosts.j2
index 3e3c6cd..1027169 100644
--- a/templates/network/hosts.j2
+++ b/templates/network/hosts.j2
@@ -5,6 +5,7 @@
 {{ lan_ip }} {{ domain_name }} {{ hostname }}
 {{ vpn_listen_address }} {{ vpn_domain }}
 {{ vpn_media_listen_address }} {{ vpn_media_domain }}
+{{ transmission_nginx_ip }} {{ transmission_domain }}
 # The following lines are desirable for IPv6 capable hosts
 #::1 localhost ip6-localhost ip6-loopback
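Review bot: `Disable system process` only sets `state: stopped`; the version this replaces enabled the unit, so without `enabled: false` (or `masked: true`) the packaged transmission-daemon comes back at the next boot, now with the config directory that the following task deletes, next to the container. Separately, every rendered file gets `mode: '0755'`, including `settings.json`, which the old task wrote with `0600` and which is where Transmission stores the RPC password hash if authentication is ever turned on; none of these files are executables, so `mode: '0644'` for the Dockerfile, compose file and nginx config and `mode: '0600'` for `settings.json` is the least-privilege choice. The `Stop docker compose containers` and `Start container` tasks also run without `become: true`, which works only if the connecting user is in the docker group — a root-equivalent grant worth noting in the header comment. This hunk begins on the previous line.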
diff --git a/templates/network/link1.network.j2 b/templates/network/link1.network.j2
index efbfdff..972b252 100644
--- a/templates/network/link1.network.j2
+++ b/templates/network/link1.network.j2
@@ -4,7 +4,7 @@ Name={{ network_interface }}
 [Network]
-Address={{ lan_ip }}/24
+Address={{ lan_ip }}/{{ lan_prefix }}
 Gateway={{ lan_gateway }}
 DNS={{ lan_dns }}
 IgnoreCarrierLoss=true
diff --git a/templates/network/wireguard/default/mobile.wireguard.j2 b/templates/network/wireguard/default/mobile.wireguard.j2
index 65ab6c1..1241b66 100644
--- a/templates/network/wireguard/default/mobile.wireguard.j2
+++ b/templates/network/wireguard/default/mobile.wireguard.j2
@@ -1,12 +1,14 @@
 # {{ ansible_managed }}
 [Interface]
-Address={{ vpn_peers.mobile.ip }}/24
+Address={{ vpn_peers.mobile.ip }}/{{ vpn_prefix }}
 DNS={{ vpn_listen_address }}
 PrivateKey={{ lookup("file", vpn_peers.mobile.private_key_source_path) }}
 [Peer]
 PublicKey={{ lookup("file", vpn_server_public_key_source_path) }}
 PresharedKey={{ lookup("file", vpn_peers.mobile.preshared_key_source_path) }}
-AllowedIPs={{ vpn_listen_address }}/32
+{% for ip in vpn_peers.mobile.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
 Endpoint={{ domain_name }}:{{ vpn_port }}
diff --git a/templates/network/wireguard/default/wg0.netdev.j2 b/templates/network/wireguard/default/wg0.netdev.j2
index 39b0ec4..7947c14 100644
--- a/templates/network/wireguard/default/wg0.netdev.j2
+++ b/templates/network/wireguard/default/wg0.netdev.j2
@@ -13,7 +13,7 @@ PrivateKeyFile={{ vpn_server_key_path }}
 [WireGuardPeer]
 PublicKey={{ properties.public_key }}
 PresharedKeyFile={{ properties.preshared_key_path }}
-AllowedIPs={{ properties.ip }}/32
+AllowedIPs={{ properties.ip }}
 {% if not loop.last %}
 {% endif %}
diff --git a/templates/network/wireguard/default/wg0.network.j2 b/templates/network/wireguard/default/wg0.network.j2
index 0532830..8d4665c 100644
--- a/templates/network/wireguard/default/wg0.network.j2
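Review bot: `AllowedIPs={{ properties.ip }}` in the wg0.netdev.j2 hunk appears to rely on networkd treating a bare address as a full-length prefix; on the server this line is the peer's cryptokey-routing ACL, not just a route, so the intent deserves to be stated rather than assumed. The same `ip` value is reused as the peer's tunnel `Address` and the mobile peer already carries a separate `allowed_ips` list in vars, so a later CIDR value in `ip` would silently widen which sources that key may send as. I'd add `{# bare address = single-host ACL; a CIDR here widens what this peer may source — keep /32 semantics #}` above the line, and the same applies to the wg1.netdev.j2 hunk further down.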
+++ b/templates/network/wireguard/default/wg0.network.j2
@@ -4,4 +4,4 @@ Name={{ vpn_interface }}
 [Network]
-Address={{ vpn_listen_address }}/{{ vpn_subnet }}
+Address={{ vpn_listen_address }}/{{ vpn_prefix }}
diff --git a/templates/network/wireguard/media/mobile_1.wireguard.j2 b/templates/network/wireguard/media/mobile_1.wireguard.j2
index fc6459d..ceeddc0 100644
--- a/templates/network/wireguard/media/mobile_1.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_1.wireguard.j2
@@ -1,12 +1,14 @@
 # {{ ansible_managed }}
 [Interface]
-Address={{ vpn_media_peers.mobile_peer_1.ip }}/24
+Address={{ vpn_media_peers.mobile_peer_1.ip }}/{{ vpn_media_prefix }}
 DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_1.private_key_source_path) }}
 [Peer]
 PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }}
 PresharedKey={{ lookup('file', vpn_media_peers.mobile_peer_1.preshared_key_source_path) }}
-AllowedIPs={{ vpn_media_listen_address }}/32
+{% for ip in vpn_media_peers.mobile_peer_1.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
 Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/mobile_2.wireguard.j2 b/templates/network/wireguard/media/mobile_2.wireguard.j2
index 1c88376..9d65fac 100644
--- a/templates/network/wireguard/media/mobile_2.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_2.wireguard.j2
@@ -1,12 +1,14 @@
 # {{ ansible_managed }}
 [Interface]
-Address={{ vpn_media_peers.mobile_peer_2.ip }}/24
+Address={{ vpn_media_peers.mobile_peer_2.ip }}/{{ vpn_media_prefix }}
 DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_2.private_key_source_path) }}
 [Peer]
 PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }}
 PresharedKey={{ lookup('file', vpn_media_peers.mobile_peer_2.preshared_key_source_path) }}
-AllowedIPs={{ vpn_media_listen_address }}/32
+{% for ip in vpn_media_peers.mobile_peer_2.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
 Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/tv.wireguard.j2 b/templates/network/wireguard/media/tv.wireguard.j2
index 104bd16..987fac0 100644
--- a/templates/network/wireguard/media/tv.wireguard.j2
+++ b/templates/network/wireguard/media/tv.wireguard.j2
@@ -1,12 +1,14 @@
 # {{ ansible_managed }}
 [Interface]
-Address={{ vpn_media_peers.tv.ip }}/24
+Address={{ vpn_media_peers.tv.ip }}/{{ vpn_media_prefix }}
 DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.tv.private_key_source_path) }}
 [Peer]
 PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }}
 PresharedKey={{ lookup('file', vpn_media_peers.tv.preshared_key_source_path) }}
-AllowedIPs={{ vpn_media_listen_address }}/32
+{% for ip in vpn_media_peers.tv.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
 Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/wg1.netdev.j2 b/templates/network/wireguard/media/wg1.netdev.j2
index 8e5a55f..91c7fe1 100644
--- a/templates/network/wireguard/media/wg1.netdev.j2
+++ b/templates/network/wireguard/media/wg1.netdev.j2
@@ -13,7 +13,7 @@ PrivateKeyFile={{ vpn_media_server_key_path }} [WireGuardPeer] PublicKey={{ properties.public_key }} PresharedKeyFile={{ properties.preshared_key_path }} -AllowedIPs={{ properties.ip }}/32 +AllowedIPs={{ properties.ip }} {% if not loop.last %} {% endif %} diff --git a/templates/network/wireguard/media/wg1.network.j2 b/templates/network/wireguard/media/wg1.network.j2 index 8038f9d..0334683 100644 --- a/templates/network/wireguard/media/wg1.network.j2 +++ b/templates/network/wireguard/media/wg1.network.j2 @@ -4,4 +4,4 @@ Name={{ vpn_media_interface }} [Network] -Address={{ vpn_media_listen_address }}/{{ vpn_media_subnet }} +Address={{ vpn_media_listen_address }}/{{ vpn_media_prefix }} diff --git a/templates/nftables.j2 b/templates/nftables.j2 index 81883fe..b660a5c 100644 --- a/templates/nftables.j2 +++ b/templates/nftables.j2 @@ -4,6 +4,7 @@ flush ruleset table ip filter { + chain input { type filter hook input priority 0; policy drop; 
@@ -19,32 +20,53 @@ table ip filter { # allow icmp ip protocol icmp accept - iifname "{{ network_interface }}" tcp dport {{ ssh_port }} accept comment "SSH" - iifname "{{ network_interface }}" tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH" - iifname "{{ network_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS" - iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission" - - iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard" - iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media" - - # TODO: create combined rule - iifname "{{ vpn_interface }}" tcp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS TCP" - iifname "{{ vpn_interface }}" udp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS UDP" - - iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS" - iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web" - iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing" - - iifname "{{ vpn_interface }}" tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD" - iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream" - iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment 
"MPD HTTP mobile stream" - - # TODO: create combined rule - iifname "{{ vpn_media_interface }}" tcp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS TCP" - iifname "{{ vpn_media_interface }}" udp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS UDP" - - iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP" + iifname vmap { + {{ network_interface }} : goto wlan-chain, + {{ vpn_interface }} : goto vpn-chain, + {{ vpn_media_interface }} : goto media-vpn-chain + } log } + + chain wlan-chain { + tcp dport {{ ssh_port }} accept comment "SSH" + tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH" + tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS" + + udp dport {{ vpn_port }} accept comment "Wireguard" + udp dport {{ vpn_media_port }} accept comment "Wireguard media" + } + + set vpn_set { + typeof ip saddr . ip daddr + flags interval + elements = { {{ vpn_subnet }} . {{ vpn_listen_address }}/{{ vpn_prefix }} } + } + + chain vpn-chain { + meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS" + + tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS" + + tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web" + + tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr . ip daddr @vpn_set accept comment "Syncthing" + + tcp dport {{ mpd_port }} ip saddr . ip daddr @vpn_set accept comment "MPD" + tcp dport {{ mpd_http_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP stream" + tcp dport {{ mpd_http_mobile_stream_port }} ip saddr . 
ip daddr @vpn_set accept comment "MPD HTTP mobile stream" + } + + set vpn_media_set { + typeof ip saddr . ip daddr + flags interval + elements = { {{ vpn_media_subnet }} . {{ vpn_media_listen_address }}/{{ vpn_media_prefix }} } + } + + chain media-vpn-chain { + meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS" + + tcp dport {{ jellyfin_http_port }} ip saddr . ip daddr @vpn_media_set accept comment "Jellyfin HTTP" + } } diff --git a/templates/transmission.j2 b/templates/transmission.j2 deleted file mode 100644 index 3d9ac95..0000000 --- a/templates/transmission.j2 +++ /dev/null 
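Review bot: The trailing `log` in `chain input` never sees traffic from the three interfaces in the vmap: `goto` does not return to the calling chain, so when `wlan-chain`, `vpn-chain` or `media-vpn-chain` runs out of rules the base chain's `policy drop` applies immediately and the packet is dropped unlogged — only packets arriving on some other interface reach `log`. If the point is to log what gets dropped, use `jump` (which returns) and rate-limit the log statement so an internet-facing scan cannot flood the journal. Separately, the `Transmission Web` rule is in the input hook, but a VPN peer talking to the nginx container address is routed onto the docker bridge and traverses the forward hook, so that rule presumably never matches and the effective policy for that path is whatever forward rules Docker installs — which, if iptables is the nft backend on this host, the `flush ruleset` at the top of the file removes on every reload until dockerd recreates them.
```nftables
iifname vmap {
    {{ network_interface }} : jump wlan-chain,
    {{ vpn_interface }} : jump vpn-chain,
    {{ vpn_media_interface }} : jump media-vpn-chain
}
limit rate 5/second burst 10 packets log prefix "nft input drop: "
# … unchanged: wlan-chain, vpn_set, vpn-chain, vpn_media_set, media-vpn-chain …
```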
@@ -1,73 +0,0 @@
-{
- "alt-speed-down": 50,
- "alt-speed-enabled": false,
- "alt-speed-time-begin": 540,
- "alt-speed-time-day": 127,
- "alt-speed-time-enabled": false,
- "alt-speed-time-end": 1020,
- "alt-speed-up": 50,
- "bind-address-ipv4": "",
- "bind-address-ipv6": "",
- "blocklist-enabled": false,
- "blocklist-url": "http://www.example.com/blocklist",
- "cache-size-mb": 4,
- "dht-enabled": true,
- "download-dir": "{{ transmission_download_folder }}",
- "download-limit": 100,
- "download-limit-enabled": 0,
- "download-queue-enabled": true,
- "download-queue-size": 5,
- "encryption": 1,
- "idle-seeding-limit": 30,
- "idle-seeding-limit-enabled": false,
- "incomplete-dir": "{{ transmission_incomplete_folder }}",
- "incomplete-dir-enabled": true,
- "lpd-enabled": true,
- "max-peers-global": 200,
- "message-level": 1,
- "peer-congestion-algorithm": "",
- "peer-id-ttl-hours": 6,
- "peer-limit-global": 200,
- "peer-limit-per-torrent": 50,
- "peer-port": {{ transmission_port }},
- "peer-port-random-high": 65535,
- "peer-port-random-low": 49152,
- "peer-port-random-on-start": false,
- "peer-socket-tos": "default",
- "pex-enabled": true,
- "port-forwarding-enabled": true,
- "preallocation": 1,
- "prefetch-enabled": true,
- "queue-stalled-enabled": true,
- "queue-stalled-minutes": 30,
- "ratio-limit": {{ transmission_ratelimit_ratio }},
- "ratio-limit-enabled": false,
- "rename-partial-files": true,
- "rpc-authentication-required": false,
- "rpc-bind-address": "{{ vpn_listen_address }}",
- "rpc-enabled": true,
- "rpc-host-whitelist": "",
- "rpc-host-whitelist-enabled": false,
- "rpc-password": "{6d8c6eafffb8ae980db6f2d7e2c36dbf8d111479Z/5l3mfq",
- "rpc-port": {{ transmission_web_port }},
- "rpc-url": "/transmission/",
- "rpc-username": "transmission",
- "rpc-whitelist": "127.0.0.1, {{ vpn_listen_address[:-1] }}*",
- "rpc-whitelist-enabled": true,
- "scrape-paused-torrents-enabled": true,
- "script-torrent-done-enabled": false,
- "script-torrent-done-filename": "",
-
"seed-queue-enabled": false, - "seed-queue-size": 10, - "speed-limit-down": 100, - "speed-limit-down-enabled": false, - "speed-limit-up": 5, - "speed-limit-up-enabled": true, - "start-added-torrents": true, - "trash-original-torrent-files": false, - "umask": 18, - "upload-limit": 1, - "upload-limit-enabled": 1, - "upload-slots-per-torrent": 14, - "utp-enabled": true -} diff --git a/templates/transmission/config.j2 b/templates/transmission/config.j2 new file mode 100644 index 0000000..57a58f4 --- /dev/null +++ b/templates/transmission/config.j2 @@ -0,0 +1,13 @@ +{ + "download-dir": "/app/downloads", + "incomplete-dir": "/app/incomplete_downloads", + "incomplete-dir-enabled": true, + "peer-port": {{ transmission_peer_port }}, + "rpc-port": {{ transmission_web_port }}, + "rpc-host-whitelist-enabled": false, + "rpc-whitelist-enabled": false, + "ratio-limit": {{ transmission_ratelimit_ratio }}, + "ratio-limit-enabled": true, + "speed-limit-up": 5, + "speed-limit-up-enabled": true +} diff --git a/templates/transmission/docker-compose.j2 b/templates/transmission/docker-compose.j2 new file mode 100644 index 0000000..33d437c --- /dev/null +++ b/templates/transmission/docker-compose.j2 @@ -0,0 +1,32 @@ +# {{ ansible_managed }} + +networks: + transmission-net: + ipam: + config: + - subnet: '{{ transmission_subnet }}' + +services: + transmission: + image: alpine:latest + build: + context: . + dockerfile: Dockerfile + restart: always + networks: + transmission-net: + volumes: + - {{ transmission_download_dir }}:/app/downloads + - {{ transmission_incomplete_dir }}:/app/incomplete_downloads + - {{ transmission_app_dir }}/config:/app/config + + nginx: + image: nginx:mainline-alpine + depends_on: + - transmission + restart: always + networks: + transmission-net: + ipv4_address: '{{ transmission_nginx_ip }}' + volumes: + - '{{ transmission_app_dir }}/nginx.conf.d:/etc/nginx/conf.d' 
diff --git a/templates/transmission/nginx.j2 b/templates/transmission/nginx.j2
new file mode 100644
index 0000000..db6996c
--- /dev/null
+++ b/templates/transmission/nginx.j2
@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+upstream transmission-upstream {
+ server transmission:9091;
+}
+
+server {
+ listen 80;
+ server_name {{ transmission_domain }};
+
+ location / {
+ proxy_read_timeout 300;
+ proxy_pass_header X-Transmission-Session-Id;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://transmission-upstream;
+ }
+}
diff --git a/vars/jellyfin.yml b/vars/jellyfin.yml
deleted file mode 100644
index 4445d1d..0000000
--- a/vars/jellyfin.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-jellyfin_http_port: 8096
-jellyfin_service_port: 1900
-jellyfin_client_port: 7359
diff --git a/vars/network.yml b/vars/network.yml
index 74081f0..1185b32 100644
--- a/vars/network.yml
+++ b/vars/network.yml
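Review bot: `server_name {{ transmission_domain }}` is the only server block on port 80 in this conf.d file, so nginx uses it as the default server and proxies requests carrying any `Host` header — including one from a browser on a VPN client whose attacker-controlled name has been rebound to the nginx address — straight to an RPC that, per config.j2 in this same commit, has neither authentication nor an allow-list. Add a catch-all that refuses unknown hosts: `server { listen 80 default_server; return 444; }`. The upstream also sees `Host: transmission-upstream` because `proxy_set_header Host $host;` is not set, which is why Transmission's own host allow-list could not have been used here; `X-Forwarded-Proto` is absent too, which only matters if TLS is ever terminated in front.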
@@ -4,31 +4,61 @@ network_mac: '00:1b:21:3b:50:e2' lan_ip: '192.168.2.1' lan_gateway: '192.168.2.254' lan_dns: '192.168.2.254' +lan_prefix: 24 domain_name: 'fudiggity.nl' http_port: 80 https_port: 443 ssh_port: 39901 +vpn_listen_address: '10.0.0.1' +vpn_prefix: 24 +vpn_subnet: '10.0.0.0/{{ vpn_prefix }}' +vpn_port: 51902 +vpn_interface: 'wg0' +vpn_domain: 'vpn.{{ domain_name }}' + +vpn_media_listen_address: '10.0.1.1' +vpn_media_prefix: 24 +vpn_media_subnet: '10.0.1.0/{{ vpn_media_prefix }}' +vpn_media_port: 51903 +vpn_media_interface: 'wg1' +vpn_media_domain: 'media-vpn.{{ domain_name }}' + mpd_port: 21000 mpd_http_stream_port: 8000 mpd_http_mobile_stream_port: 8001 forgejo_ip: '127.0.0.1' -forgejo_port: '3000' -forgejo_ssh_port: '22' +forgejo_port: 3000 +forgejo_ssh_port: 22 +forgejo_domain: 'forgejo.fudiggity.nl' woodpecker_ip: '127.0.0.1' -woodpecker_port: '7000' +woodpecker_port: 7000 +woodpecker_domain: 'woodpecker.fudiggity.nl' newsreader_ip: '127.0.0.1' -newsreader_port: '5000' +newsreader_port: 5000 +newsreader_domain: 'rss.fudiggity.nl' glitchtip_ip: '127.0.0.1' -glitchtip_port: '7200' +glitchtip_port: 7200 +glitchtip_domain: 'glitchtip.fudiggity.nl' syncthing_gui_port: 8384 syncthing_protocol_port: 22000 radicale_listen_addres: '127.0.0.1' radicale_port: 5232 + +transmission_domain: 'transmission.{{ domain_name }}' +transmission_prefix: 24 +transmission_subnet: '172.16.238.0/{{ transmission_prefix }}' +transmission_web_port: 9091 +transmission_peer_port: 51413 +transmission_nginx_ip: '172.16.238.10' + +jellyfin_http_port: 8096 +jellyfin_service_port: 1900 +jellyfin_client_port: 7359 diff --git a/vars/nginx.yml b/vars/nginx.yml deleted file mode 100644 index 6b1ed93..0000000 --- a/vars/nginx.yml +++ /dev/null @@ -1,4 +0,0 @@ -forgejo_domain: 'forgejo.fudiggity.nl' -woodpecker_domain: 'woodpecker.fudiggity.nl' -glitchtip_domain: 'glitchtip.fudiggity.nl' -newsreader_domain: 'rss.fudiggity.nl' 
diff --git a/vars/transmission.yml b/vars/transmission.yml
index 4f71637..d308c7d 100644
--- a/vars/transmission.yml
+++ b/vars/transmission.yml
@@ -1,5 +1,5 @@
-transmission_port: 50409
-transmission_web_port: 9091
-transmission_download_folder: '/home/sonny/downloads'
-transmission_incomplete_folder: '/home/sonny/downloads/Incompleet'
+transmission_app_dir: '/srv/docker/tranmission'
+transmission_download_dir: '/home/sonny/downloads'
+transmission_incomplete_dir: '/home/sonny/downloads/incomplete_downloads'
+
 transmission_ratelimit_ratio: 2
diff --git a/vars/vpn.yml b/vars/vpn.yml
index c170ddf..e6c3f08 100644
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@@ -1,12 +1,3 @@
-vpn_listen_address: '10.0.0.1'
-vpn_domain: 'vpn.{{ domain_name }}'
-vpn_subnet: '24'
-vpn_port: '51902'
-vpn_interface: 'wg0'
-
-vpn_source_range: '10.0.0.0/24'
-vpn_destination_range: '10.0.0.1/32'
-
 vpn_server_public_key_path: '{{ vpn_config_dir }}/keys/public/server.pub'
 vpn_server_public_key_source_path: 'files/wireguard/default/server.pub'
 vpn_server_key_path: '{{ vpn_config_dir }}/keys/private/server.key'
@@ -19,13 +10,19 @@ vpn_peers:
 public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-laptop.psk'
 preshared_key_source_path: 'files/wireguard/default/preshared-laptop.psk'
+
 desktop:
 ip: '10.0.0.3'
 public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-desktop.psk'
 preshared_key_source_path: 'files/wireguard/default/preshared-desktop.psk'
+
+ # has extra key to generate mobile configuration file
 mobile:
 ip: '10.0.0.4'
+ allowed_ips:
+ - '{{ vpn_subnet }}'
+ - '{{ transmission_subnet }}'
 public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-mobile.psk'
 preshared_key_source_path: 'files/wireguard/default/preshared-mobile.psk'
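Review bot: `transmission_app_dir: '/srv/docker/tranmission'` misspells the service name in an on-disk path, and since tasks/transmission.yml creates the Dockerfile, compose file, config and nginx directory under it, this is the last cheap moment to correct it before the path is baked into volumes and muscle memory: `transmission_app_dir: '/srv/docker/transmission'`. The same typo recurs in the task comment `Prevents Tranmission from overwiting`. In the vpn.yml hunk below, the mobile peer's `allowed_ips` now pulls `transmission_subnet` into the tunnel while the laptop and desktop peers get no such list; if that asymmetry is deliberate (only the mobile config is generated from a template), a one-line comment next to `allowed_ips` saying so would save the next reader a search.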
diff --git a/vars/vpn_media.yml b/vars/vpn_media.yml
index 03ce582..82f7634 100644
--- a/vars/vpn_media.yml
+++ b/vars/vpn_media.yml
@@ -1,12 +1,3 @@
-vpn_media_listen_address: '10.0.1.1'
-vpn_media_domain: 'media-vpn.{{ domain_name }}'
-vpn_media_subnet: '24'
-vpn_media_port: '51903'
-vpn_media_interface: 'wg1'
-
-vpn_media_source_range: '10.0.1.0/24'
-vpn_media_destination_range: '10.0.1.1/32'
-
 vpn_media_server_public_key_path: '{{ vpn_config_dir }}/keys/public/media_server.pub'
 vpn_media_server_public_key_source_path: 'files/wireguard/media/server.pub'
 vpn_media_server_key_path: '{{ vpn_config_dir }}/keys/private/media_server.key'
@@ -19,25 +10,35 @@ vpn_media_peers:
 public_key: 'hI4rqlv2afs4RJkt5xR+dYxQODSd6lR0OqWJRlnQdjM='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-laptop.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-laptop.psk'
+
 desktop:
 ip: '10.0.1.3'
 public_key: 'YDH5lZcxUHM4AU2ZxQrFqjDIV2Z7PSUQKMcYXLExV0E='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-desktop.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-desktop.psk'
+
 mobile_peer_1:
 ip: '10.0.1.4'
+ allowed_ips:
+ - '{{ vpn_media_subnet }}'
 public_key: '6fj8FXvzT0IUlZLJjQ/+FhwwRDsJeQsUFHqKQcyXdwQ='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-mobile-1.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-mobile-1.psk'
 private_key_source_path: 'files/wireguard/media/mobile-1.key'
+
 mobile_peer_2:
 ip: '10.0.1.5'
+ allowed_ips:
+ - '{{ vpn_media_subnet }}'
 public_key: 'w/pswNrAYFdEUoaLk3zSqOu4gg2s41BBCN02E//ai1c='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-mobile-2.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-mobile-2.psk'
 private_key_source_path: 'files/wireguard/media/mobile-2.key'
+
 tv:
 ip: '10.0.1.6'
+ allowed_ips:
+ - '{{ vpn_media_subnet }}'
 public_key: '5+yz9C9PhaLhsvAZ1e3mDsTQpMZVrPZnSQa6ERJIKU0='
 preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-tv.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-tv.psk'