diff --git a/files/transmission/Dockerfile b/files/transmission/Dockerfile deleted file mode 100644 index 793f2cb..0000000 --- a/files/transmission/Dockerfile +++ /dev/null @@ -1,25 +0,0 @@ -FROM alpine:latest - -ENV TRANSMISSION_HOME=/app/ - -RUN apk add --no-cache --update transmission transmission-daemon - -RUN mkdir --parents \ - /app/config/torrents \ - /app/config/resume \ - /app/config/blocklists \ - /app/downloads \ - /app/incomplete_downloads - -WORKDIR /app - -VOLUME ["/app/config", "/app/downloads", "/app/incomplete_downloads"] - -ENTRYPOINT /usr/bin/transmission-daemon \ - --config-dir /app/config \ - --log-level info \ - --foreground \ - --download-dir /app/downloads \ - --incomplete-dir /app/incomplete_downloads - -EXPOSE 9091 51413/tcp 51413/udp diff --git a/handlers.yml b/handlers.yml index f9cc874..d151e17 100644 --- a/handlers.yml +++ b/handlers.yml @@ -5,13 +5,6 @@ state: restarted enabled: true -- name: restart systemd-resolved - become: true - systemd: - name: systemd-resolved - state: restarted - enabled: true - - name: regenerate initramfs become: true command: update-initramfs -u -k all diff --git a/playbook.yml b/playbook.yml index f171dcb..68d4a1a 100644 --- a/playbook.yml +++ b/playbook.yml @@ -56,7 +56,9 @@ - 'vars/vpn.yml' - 'vars/vpn_media.yml' - 'vars/network.yml' + - 'vars/nginx.yml' - 'vars/transmission.yml' - 'vars/syncthing.yml' - 'vars/mpd.yml' - 'vars/radicale.yml' + - 'vars/jellyfin.yml' diff --git a/tasks/network.yml b/tasks/network.yml index a12e47a..4a60382 100644 --- a/tasks/network.yml +++ b/tasks/network.yml @@ -37,7 +37,6 @@ dest: '/etc/systemd/resolved.conf' mode: '0644' owner: root - notify: restart systemd-resolved - name: Copy firewall template become: true diff --git a/tasks/transmission.yml b/tasks/transmission.yml index c96f69f..4244ded 100644 --- a/tasks/transmission.yml +++ b/tasks/transmission.yml 
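Review bot: Removing `notify: restart systemd-resolved` from the resolved.conf template task in the tasks/network.yml hunk means an updated /etc/systemd/resolved.conf is written but no longer applied; the handler deleted in the handlers.yml hunk was the only thing visible here that restarted the service after the file changed. If the file is now expected to take effect only on the next reboot or through some other task, that should be stated in a comment on the task; otherwise the handler and the `notify:` line should both stay. The Dockerfile deletion and the two var-file additions in playbook.yml look fine on their own.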
@@ -1,93 +1,60 @@ -# Note: requires an up-to-date ansible version to make us of docker compose file -## TODO: use tracker blocklist -# - -- name: Disable system process +# transmission's configuration file does not change while the service is +# still running +- name: stop transmission daemon become: true - ansible.builtin.systemd: + systemd: name: transmission-daemon state: stopped -- name: Create Transmission directories +- name: create transmission directories become: true - ansible.builtin.file: + file: path: '{{ item.path }}' + mode: '{{ item.mode }}' owner: '{{ item.owner }}' group: '{{ item.group }}' - mode: '0755' state: directory loop: - - path: '{{ transmission_app_dir }}' - owner: root - group: root - - path: '{{ transmission_app_dir }}/config' - owner: root - group: root - - path: '{{ transmission_app_dir }}/nginx.conf.d' - owner: sonny - group: sonny - - path: '{{ transmission_download_dir }}' - owner: sonny - group: sonny - - path: '{{ transmission_incomplete_dir }}' - owner: sonny - group: sonny + - { + path: '{{ ansible_env.HOME }}/.config/transmission-daemon', + mode: 755, + owner: 'sonny', + group: 'sonny', + } + - { + path: '/etc/systemd/system/transmission-daemon.service.d', + mode: 755, + owner: 'root', + group: 'root', + } -- name: Remove previous transmission configurations +- name: copy transmission templates become: true - ansible.builtin.file: - path: '{{ item }}' - state: absent + template: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + mode: '{{ item.mode }}' + owner: '{{ item.owner }}' + group: '{{ item.group }}' loop: - - '/etc/systemd/system/transmission-daemon.service.d' - - '{{ ansible_env.HOME }}/.config/transmission-daemon' + - { + src: 'templates/systemd/transmission.j2', + dest: '/etc/systemd/system/transmission-daemon.service.d/override.conf', + mode: '755', + owner: 'root', + group: 'root', + } + - { + src: 'templates/transmission.j2', + dest: '{{ ansible_env.HOME }}/.config/transmission-daemon/settings.json', + mode: 
'0600', + owner: 'sonny', + group: 'sonny', + } -- name: Copy Dockerfile +- name: start transmission daemon become: true - ansible.builtin.copy: - src: 'files/transmission/Dockerfile' - dest: '{{ transmission_app_dir }}/Dockerfile' - owner: sonny - group: sonny - mode: '0755' - -- name: Copy docker compose configuration - become: true - ansible.builtin.template: - src: 'templates/transmission/docker-compose.j2' - dest: '{{ transmission_app_dir }}/docker-compose.yml' - owner: sonny - group: sonny - mode: '0755' - -# Prevents Tranmission from overwiting configuration files -- name: Stop docker compose containers - community.docker.docker_compose_v2: - project_src: '{{ transmission_app_dir }}' - state: stopped - -- name: Copy Transmission configuration - become: true - ansible.builtin.template: - src: 'templates/transmission/config.j2' - dest: '{{ transmission_app_dir }}/config/settings.json' - owner: sonny - group: sonny - mode: '0755' - -- name: Copy NGINX configuration - become: true - ansible.builtin.template: - src: 'templates/transmission/nginx.j2' - dest: '{{ transmission_app_dir }}/nginx.conf.d/default.conf' - owner: sonny - group: sonny - mode: '0755' - -- name: Start container - community.docker.docker_compose_v2: - project_src: '{{ transmission_app_dir }}' - build: always - remove_orphans: true - state: restarted - pull: always + systemd: + name: transmission-daemon + state: started + enabled: true diff --git a/templates/network/hosts.j2 b/templates/network/hosts.j2 index 1027169..3e3c6cd 100644 --- a/templates/network/hosts.j2 +++ b/templates/network/hosts.j2 @@ -5,7 +5,6 @@ {{ lan_ip }} {{ domain_name }} {{ hostname }} {{ vpn_listen_address }} {{ vpn_domain }} {{ vpn_media_listen_address }} {{ vpn_media_domain }} -{{ transmission_nginx_ip }} {{ transmission_domain }} # The following lines are desirable for IPv6 capable hosts #::1 localhost ip6-localhost ip6-loopback 
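Review bot: The two directory entries in "create transmission directories" pass `mode: 755` as a bare YAML integer, which Ansible's file module takes as decimal 755 (octal 01363) rather than rwxr-xr-x; the value must be quoted or given a leading zero, i.e. `mode: '0755'` for both entries. In "copy transmission templates" the systemd drop-in `override.conf` gets `mode: '755'`, an executable bit a unit drop-in never needs; `mode: '0644'` is the conventional value there, while the `'0600'` on settings.json is right since the file holds RPC settings. One thing worth confirming: the directories are created under `ansible_env.HOME` with `become: true`, so the rendered path depends on which user's environment the facts were gathered as, not necessarily sonny's home.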
diff --git a/templates/network/link1.network.j2 b/templates/network/link1.network.j2 index 972b252..efbfdff 100644 --- a/templates/network/link1.network.j2 +++ b/templates/network/link1.network.j2 @@ -4,7 +4,7 @@ Name={{ network_interface }} [Network] -Address={{ lan_ip }}/{{ lan_prefix }} +Address={{ lan_ip }}/24 Gateway={{ lan_gateway }} DNS={{ lan_dns }} IgnoreCarrierLoss=true diff --git a/templates/network/wireguard/default/mobile.wireguard.j2 b/templates/network/wireguard/default/mobile.wireguard.j2 index 1241b66..65ab6c1 100644 --- a/templates/network/wireguard/default/mobile.wireguard.j2 +++ b/templates/network/wireguard/default/mobile.wireguard.j2 @@ -1,14 +1,12 @@ # {{ ansible_managed }} [Interface] -Address={{ vpn_peers.mobile.ip }}/{{ vpn_prefix }} +Address={{ vpn_peers.mobile.ip }}/24 DNS={{ vpn_listen_address }} PrivateKey={{ lookup("file", vpn_peers.mobile.private_key_source_path) }} [Peer] PublicKey={{ lookup("file", vpn_server_public_key_source_path) }} PresharedKey={{ lookup("file", vpn_peers.mobile.preshared_key_source_path) }} -{% for ip in vpn_peers.mobile.allowed_ips %} -AllowedIPs={{ ip }} -{% endfor %} +AllowedIPs={{ vpn_listen_address }}/32 Endpoint={{ domain_name }}:{{ vpn_port }} diff --git a/templates/network/wireguard/default/wg0.netdev.j2 b/templates/network/wireguard/default/wg0.netdev.j2 index 7947c14..39b0ec4 100644 --- a/templates/network/wireguard/default/wg0.netdev.j2 +++ b/templates/network/wireguard/default/wg0.netdev.j2 @@ -13,7 +13,7 @@ PrivateKeyFile={{ vpn_server_key_path }} [WireGuardPeer] PublicKey={{ properties.public_key }} PresharedKeyFile={{ properties.preshared_key_path }} -AllowedIPs={{ properties.ip }} +AllowedIPs={{ properties.ip }}/32 {% if not loop.last %} {% endif %} diff --git a/templates/network/wireguard/default/wg0.network.j2 b/templates/network/wireguard/default/wg0.network.j2 index 8d4665c..0532830 100644 --- a/templates/network/wireguard/default/wg0.network.j2 
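Review bot: `Address={{ lan_ip }}/24` in link1.network.j2 replaces the `lan_prefix` variable with a literal, and the same literal `/24` is written into mobile.wireguard.j2 and the media peer templates, while wg0.network.j2 on the server side still renders its prefix from a variable; the two halves of each tunnel can now silently disagree if one value is ever changed. Keeping a single variable per network (`Address={{ lan_ip }}/{{ lan_prefix }}`, and the VPN prefix variable in the peer templates) avoids that. The `AllowedIPs={{ vpn_listen_address }}/32` tightening in the mobile peer config is a good least-routing change and needs no further work.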
+++ b/templates/network/wireguard/default/wg0.network.j2 @@ -4,4 +4,4 @@ Name={{ vpn_interface }} [Network] -Address={{ vpn_listen_address }}/{{ vpn_prefix }} +Address={{ vpn_listen_address }}/{{ vpn_subnet }} diff --git a/templates/network/wireguard/media/mobile_1.wireguard.j2 b/templates/network/wireguard/media/mobile_1.wireguard.j2 index ceeddc0..fc6459d 100644 --- a/templates/network/wireguard/media/mobile_1.wireguard.j2 +++ b/templates/network/wireguard/media/mobile_1.wireguard.j2 @@ -1,14 +1,12 @@ # {{ ansible_managed }} [Interface] -Address={{ vpn_media_peers.mobile_peer_1.ip }}/{{ vpn_media_prefix }} +Address={{ vpn_media_peers.mobile_peer_1.ip }}/24 DNS={{ vpn_media_listen_address }} PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_1.private_key_source_path) }} [Peer] PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }} PresharedKey={{ lookup('file', vpn_media_peers.mobile_peer_1.preshared_key_source_path) }} -{% for ip in vpn_media_peers.mobile_peer_1.allowed_ips %} -AllowedIPs={{ ip }} -{% endfor %} +AllowedIPs={{ vpn_media_listen_address }}/32 Endpoint={{ domain_name }}:{{ vpn_media_port }} diff --git a/templates/network/wireguard/media/mobile_2.wireguard.j2 b/templates/network/wireguard/media/mobile_2.wireguard.j2 index 9d65fac..1c88376 100644 --- a/templates/network/wireguard/media/mobile_2.wireguard.j2 +++ b/templates/network/wireguard/media/mobile_2.wireguard.j2 
@@ -1,14 +1,12 @@ # {{ ansible_managed }} [Interface] -Address={{ vpn_media_peers.mobile_peer_2.ip }}/{{ vpn_media_prefix }} +Address={{ vpn_media_peers.mobile_peer_2.ip }}/24 DNS={{ vpn_media_listen_address }} PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_2.private_key_source_path) }} [Peer] PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }} PresharedKey={{ lookup('file', vpn_media_peers.mobile_peer_2.preshared_key_source_path) }} -{% for ip in vpn_media_peers.mobile_peer_2.allowed_ips %} -AllowedIPs={{ ip }} -{% endfor %} +AllowedIPs={{ vpn_media_listen_address }}/32 Endpoint={{ domain_name }}:{{ vpn_media_port }} diff --git a/templates/network/wireguard/media/tv.wireguard.j2 b/templates/network/wireguard/media/tv.wireguard.j2 index 987fac0..104bd16 100644 --- a/templates/network/wireguard/media/tv.wireguard.j2 +++ b/templates/network/wireguard/media/tv.wireguard.j2 @@ -1,14 +1,12 @@ # {{ ansible_managed }} [Interface] -Address={{ vpn_media_peers.tv.ip }}/{{ vpn_media_prefix }} +Address={{ vpn_media_peers.tv.ip }}/24 DNS={{ vpn_media_listen_address }} PrivateKey={{ lookup('file', vpn_media_peers.tv.private_key_source_path) }} [Peer] PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }} PresharedKey={{ lookup('file', vpn_media_peers.tv.preshared_key_source_path) }} -{% for ip in vpn_media_peers.tv.allowed_ips %} -AllowedIPs={{ ip }} -{% endfor %} +AllowedIPs={{ vpn_media_listen_address }}/32 Endpoint={{ domain_name }}:{{ vpn_media_port }} diff --git a/templates/network/wireguard/media/wg1.netdev.j2 b/templates/network/wireguard/media/wg1.netdev.j2 index 91c7fe1..8e5a55f 100644 --- a/templates/network/wireguard/media/wg1.netdev.j2 +++ b/templates/network/wireguard/media/wg1.netdev.j2 
@@ -13,7 +13,7 @@ PrivateKeyFile={{ vpn_media_server_key_path }} [WireGuardPeer] PublicKey={{ properties.public_key }} PresharedKeyFile={{ properties.preshared_key_path }} -AllowedIPs={{ properties.ip }} +AllowedIPs={{ properties.ip }}/32 {% if not loop.last %} {% endif %} diff --git a/templates/network/wireguard/media/wg1.network.j2 b/templates/network/wireguard/media/wg1.network.j2 index 0334683..8038f9d 100644 --- a/templates/network/wireguard/media/wg1.network.j2 +++ b/templates/network/wireguard/media/wg1.network.j2 @@ -4,4 +4,4 @@ Name={{ vpn_media_interface }} [Network] -Address={{ vpn_media_listen_address }}/{{ vpn_media_prefix }} +Address={{ vpn_media_listen_address }}/{{ vpn_media_subnet }} diff --git a/templates/nftables.j2 b/templates/nftables.j2 index b660a5c..4014dad 100644 --- a/templates/nftables.j2 +++ b/templates/nftables.j2 @@ -4,7 +4,6 @@ flush ruleset table ip filter { - chain input { type filter hook input priority 0; policy drop; 
@@ -20,53 +19,34 @@ table ip filter { # allow icmp ip protocol icmp accept - iifname vmap { - {{ network_interface }} : goto wlan-chain, - {{ vpn_interface }} : goto vpn-chain, - {{ vpn_media_interface }} : goto media-vpn-chain - } + iifname "{{ network_interface }}" tcp dport {{ ssh_port }} accept comment "SSH" + iifname "{{ network_interface }}" tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH" + iifname "{{ network_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS" + iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission" + + iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard" + iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media" + + # TODO: create combined rule + iifname "{{ vpn_interface }}" tcp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS TCP" + iifname "{{ vpn_interface }}" udp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS UDP" + + iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS" + iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web" + iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing" + + iifname "{{ vpn_interface }}" tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD" + iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream" + 
iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP mobile stream" + + # TODO: create combined rule + iifname "{{ vpn_media_interface }}" tcp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS TCP" + iifname "{{ vpn_media_interface }}" udp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS UDP" + + iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP" + iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_service_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin service discovery" + iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_client_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin client discovery" log } - - chain wlan-chain { - tcp dport {{ ssh_port }} accept comment "SSH" - tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH" - tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS" - - udp dport {{ vpn_port }} accept comment "Wireguard" - udp dport {{ vpn_media_port }} accept comment "Wireguard media" - } - - set vpn_set { - typeof ip saddr . ip daddr - flags interval - elements = { {{ vpn_subnet }} . {{ vpn_listen_address }}/{{ vpn_prefix }} } - } - - chain vpn-chain { - meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS" - - tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . 
ip daddr @vpn_set accept comment "HTTP/HTTPS" - - tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web" - - tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr . ip daddr @vpn_set accept comment "Syncthing" - - tcp dport {{ mpd_port }} ip saddr . ip daddr @vpn_set accept comment "MPD" - tcp dport {{ mpd_http_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP stream" - tcp dport {{ mpd_http_mobile_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP mobile stream" - } - - set vpn_media_set { - typeof ip saddr . ip daddr - flags interval - elements = { {{ vpn_media_subnet }} . {{ vpn_media_listen_address }}/{{ vpn_media_prefix }} } - } - - chain media-vpn-chain { - meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS" - - tcp dport {{ jellyfin_http_port }} ip saddr . ip daddr @vpn_media_set accept comment "Jellyfin HTTP" - } } diff --git a/templates/transmission.j2 b/templates/transmission.j2 new file mode 100644 index 0000000..3d9ac95 --- /dev/null +++ b/templates/transmission.j2 
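Review bot: The two Jellyfin discovery rules at the end of the new input chain match `tcp dport {{ jellyfin_service_port }}` and `tcp dport {{ jellyfin_client_port }}`, but the ports those variables hold (1900 and 7359 in vars/jellyfin.yml) are Jellyfin's UDP discovery ports, so as written the rules never match and discovery stays dropped by the chain policy; the fix is `iifname "{{ vpn_media_interface }}" udp dport { {{ jellyfin_service_port }}, {{ jellyfin_client_port }} } ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin discovery"`, and since SSDP on 1900 is sent to a multicast address the `ip daddr` restriction probably has to be dropped for that one if discovery over the tunnel is actually wanted. The two `# TODO: create combined rule` DNS pairs can reuse the form the removed chains already had, `meta l4proto { tcp, udp } th dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS"`. The LAN rule for the Transmission peer port allows only `tcp dport {{ transmission_port }}`, while the new settings template enables uTP and DHT, both of which use UDP on the same port; add a matching `udp dport` rule if inbound uTP/DHT is expected.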
@@ -0,0 +1,73 @@ +{ + "alt-speed-down": 50, + "alt-speed-enabled": false, + "alt-speed-time-begin": 540, + "alt-speed-time-day": 127, + "alt-speed-time-enabled": false, + "alt-speed-time-end": 1020, + "alt-speed-up": 50, + "bind-address-ipv4": "", + "bind-address-ipv6": "", + "blocklist-enabled": false, + "blocklist-url": "http://www.example.com/blocklist", + "cache-size-mb": 4, + "dht-enabled": true, + "download-dir": "{{ transmission_download_folder }}", + "download-limit": 100, + "download-limit-enabled": 0, + "download-queue-enabled": true, + "download-queue-size": 5, + "encryption": 1, + "idle-seeding-limit": 30, + "idle-seeding-limit-enabled": false, + "incomplete-dir": "{{ transmission_incomplete_folder }}", + "incomplete-dir-enabled": true, + "lpd-enabled": true, + "max-peers-global": 200, + "message-level": 1, + "peer-congestion-algorithm": "", + "peer-id-ttl-hours": 6, + "peer-limit-global": 200, + "peer-limit-per-torrent": 50, + "peer-port": {{ transmission_port }}, + "peer-port-random-high": 65535, + "peer-port-random-low": 49152, + "peer-port-random-on-start": false, + "peer-socket-tos": "default", + "pex-enabled": true, + "port-forwarding-enabled": true, + "preallocation": 1, + "prefetch-enabled": true, + "queue-stalled-enabled": true, + "queue-stalled-minutes": 30, + "ratio-limit": {{ transmission_ratelimit_ratio }}, + "ratio-limit-enabled": false, + "rename-partial-files": true, + "rpc-authentication-required": false, + "rpc-bind-address": "{{ vpn_listen_address }}", + "rpc-enabled": true, + "rpc-host-whitelist": "", + "rpc-host-whitelist-enabled": false, + "rpc-password": "{6d8c6eafffb8ae980db6f2d7e2c36dbf8d111479Z/5l3mfq", + "rpc-port": {{ transmission_web_port }}, + "rpc-url": "/transmission/", + "rpc-username": "transmission", + "rpc-whitelist": "127.0.0.1, {{ vpn_listen_address[:-1] }}*", + "rpc-whitelist-enabled": true, + "scrape-paused-torrents-enabled": true, + "script-torrent-done-enabled": false, + "script-torrent-done-filename": "", + 
"seed-queue-enabled": false, + "seed-queue-size": 10, + "speed-limit-down": 100, + "speed-limit-down-enabled": false, + "speed-limit-up": 5, + "speed-limit-up-enabled": true, + "start-added-torrents": true, + "trash-original-torrent-files": false, + "umask": 18, + "upload-limit": 1, + "upload-limit-enabled": 1, + "upload-slots-per-torrent": 14, + "utp-enabled": true +} diff --git a/templates/transmission/config.j2 b/templates/transmission/config.j2 deleted file mode 100644 index 57a58f4..0000000 --- a/templates/transmission/config.j2 +++ /dev/null @@ -1,13 +0,0 @@ -{ - "download-dir": "/app/downloads", - "incomplete-dir": "/app/incomplete_downloads", - "incomplete-dir-enabled": true, - "peer-port": {{ transmission_peer_port }}, - "rpc-port": {{ transmission_web_port }}, - "rpc-host-whitelist-enabled": false, - "rpc-whitelist-enabled": false, - "ratio-limit": {{ transmission_ratelimit_ratio }}, - "ratio-limit-enabled": true, - "speed-limit-up": 5, - "speed-limit-up-enabled": true -} diff --git a/templates/transmission/docker-compose.j2 b/templates/transmission/docker-compose.j2 deleted file mode 100644 index 33d437c..0000000 --- a/templates/transmission/docker-compose.j2 +++ /dev/null @@ -1,32 +0,0 @@ -# {{ ansible_managed }} - -networks: - transmission-net: - ipam: - config: - - subnet: '{{ transmission_subnet }}' - -services: - transmission: - image: alpine:latest - build: - context: . - dockerfile: Dockerfile - restart: always - networks: - transmission-net: - volumes: - - {{ transmission_download_dir }}:/app/downloads - - {{ transmission_incomplete_dir }}:/app/incomplete_downloads - - {{ transmission_app_dir }}/config:/app/config - - nginx: - image: nginx:mainline-alpine - depends_on: - - transmission - restart: always - networks: - transmission-net: - ipv4_address: '{{ transmission_nginx_ip }}' - volumes: - - '{{ transmission_app_dir }}/nginx.conf.d:/etc/nginx/conf.d' 
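Review bot: The new settings.json template turns RPC on with `"rpc-authentication-required": false` and `"rpc-host-whitelist-enabled": false`, so the only control on the web interface bound to the VPN address is the source-IP whitelist; the host whitelist is Transmission's DNS-rebinding guard, and with it off any site visited from a whitelisted VPN client can reach the unauthenticated RPC endpoint through the client's browser. Since hosts.j2 already maps `vpn_domain` to `vpn_listen_address`, the two lines `"rpc-host-whitelist": "{{ vpn_domain }}",` and `"rpc-host-whitelist-enabled": true,` close that gap without affecting normal use. The `"rpc-password"` value beginning with `{` looks like Transmission's salted-hash form of a real password and is committed to the repository; with authentication off it is inert, so it should be removed or replaced by a vaulted variable rather than kept. `"rpc-whitelist": "127.0.0.1, {{ vpn_listen_address[:-1] }}*"` only yields `10.0.0.*` because the listen address ends in a single-digit octet; a dedicated variable for the whitelist pattern (or deriving it from `vpn_source_range`) would be less fragile.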
diff --git a/templates/transmission/nginx.j2 b/templates/transmission/nginx.j2 deleted file mode 100644 index db6996c..0000000 --- a/templates/transmission/nginx.j2 +++ /dev/null @@ -1,20 +0,0 @@ -# {{ ansible_managed }} - -upstream transmission-upstream { - server transmission:9091; -} - -server { - listen 80; - server_name {{ transmission_domain }}; - - location / { - proxy_read_timeout 300; - proxy_pass_header X-Transmission-Session-Id; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_pass http://transmission-upstream; - } -} diff --git a/vars/jellyfin.yml b/vars/jellyfin.yml new file mode 100644 index 0000000..4445d1d --- /dev/null +++ b/vars/jellyfin.yml @@ -0,0 +1,3 @@ +jellyfin_http_port: 8096 +jellyfin_service_port: 1900 +jellyfin_client_port: 7359 diff --git a/vars/network.yml b/vars/network.yml index 1185b32..74081f0 100644 --- a/vars/network.yml +++ b/vars/network.yml 
@@ -4,61 +4,31 @@ network_mac: '00:1b:21:3b:50:e2' lan_ip: '192.168.2.1' lan_gateway: '192.168.2.254' lan_dns: '192.168.2.254' -lan_prefix: 24 domain_name: 'fudiggity.nl' http_port: 80 https_port: 443 ssh_port: 39901 -vpn_listen_address: '10.0.0.1' -vpn_prefix: 24 -vpn_subnet: '10.0.0.0/{{ vpn_prefix }}' -vpn_port: 51902 -vpn_interface: 'wg0' -vpn_domain: 'vpn.{{ domain_name }}' - -vpn_media_listen_address: '10.0.1.1' -vpn_media_prefix: 24 -vpn_media_subnet: '10.0.1.0/{{ vpn_media_prefix }}' -vpn_media_port: 51903 -vpn_media_interface: 'wg1' -vpn_media_domain: 'media-vpn.{{ domain_name }}' - mpd_port: 21000 mpd_http_stream_port: 8000 mpd_http_mobile_stream_port: 8001 forgejo_ip: '127.0.0.1' -forgejo_port: 3000 -forgejo_ssh_port: 22 -forgejo_domain: 'forgejo.fudiggity.nl' +forgejo_port: '3000' +forgejo_ssh_port: '22' woodpecker_ip: '127.0.0.1' -woodpecker_port: 7000 -woodpecker_domain: 'woodpecker.fudiggity.nl' +woodpecker_port: '7000' newsreader_ip: '127.0.0.1' -newsreader_port: 5000 -newsreader_domain: 'rss.fudiggity.nl' +newsreader_port: '5000' glitchtip_ip: '127.0.0.1' -glitchtip_port: 7200 -glitchtip_domain: 'glitchtip.fudiggity.nl' +glitchtip_port: '7200' syncthing_gui_port: 8384 syncthing_protocol_port: 22000 radicale_listen_addres: '127.0.0.1' radicale_port: 5232 - -transmission_domain: 'transmission.{{ domain_name }}' -transmission_prefix: 24 -transmission_subnet: '172.16.238.0/{{ transmission_prefix }}' -transmission_web_port: 9091 -transmission_peer_port: 51413 -transmission_nginx_ip: '172.16.238.10' - -jellyfin_http_port: 8096 -jellyfin_service_port: 1900 -jellyfin_client_port: 7359 diff --git a/vars/nginx.yml b/vars/nginx.yml new file mode 100644 index 0000000..6b1ed93 --- /dev/null +++ b/vars/nginx.yml @@ -0,0 +1,4 @@ +forgejo_domain: 'forgejo.fudiggity.nl' +woodpecker_domain: 'woodpecker.fudiggity.nl' +glitchtip_domain: 'glitchtip.fudiggity.nl' +newsreader_domain: 'rss.fudiggity.nl' 
diff --git a/vars/transmission.yml b/vars/transmission.yml index d308c7d..4f71637 100644 --- a/vars/transmission.yml +++ b/vars/transmission.yml @@ -1,5 +1,5 @@ -transmission_app_dir: '/srv/docker/tranmission' -transmission_download_dir: '/home/sonny/downloads' -transmission_incomplete_dir: '/home/sonny/downloads/incomplete_downloads' - +transmission_port: 50409 +transmission_web_port: 9091 +transmission_download_folder: '/home/sonny/downloads' +transmission_incomplete_folder: '/home/sonny/downloads/Incompleet' transmission_ratelimit_ratio: 2 diff --git a/vars/vpn.yml b/vars/vpn.yml index e6c3f08..c170ddf 100644 --- a/vars/vpn.yml +++ b/vars/vpn.yml @@ -1,3 +1,12 @@ +vpn_listen_address: '10.0.0.1' +vpn_domain: 'vpn.{{ domain_name }}' +vpn_subnet: '24' +vpn_port: '51902' +vpn_interface: 'wg0' + +vpn_source_range: '10.0.0.0/24' +vpn_destination_range: '10.0.0.1/32' + vpn_server_public_key_path: '{{ vpn_config_dir }}/keys/public/server.pub' vpn_server_public_key_source_path: 'files/wireguard/default/server.pub' vpn_server_key_path: '{{ vpn_config_dir }}/keys/private/server.key' @@ -10,19 +19,13 @@ vpn_peers: public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-laptop.psk' preshared_key_source_path: 'files/wireguard/default/preshared-laptop.psk' - desktop: ip: '10.0.0.3' public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-desktop.psk' preshared_key_source_path: 'files/wireguard/default/preshared-desktop.psk' - - # has extra key to generate mobile configuration file mobile: ip: '10.0.0.4' - allowed_ips: - - '{{ vpn_subnet }}' - - '{{ transmission_subnet }}' public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-mobile.psk' preshared_key_source_path: 'files/wireguard/default/preshared-mobile.psk' 
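Review bot: In the first vars/vpn.yml hunk `vpn_subnet: '24'` holds a prefix length, but before this change `vpn_subnet` was the CIDR block and the prefix length was `vpn_prefix`, so the name now says the opposite of what the value is and the templates that render `/{{ vpn_subnet }}` read as if they were appending a whole network; the same renaming happens in the vars/vpn_media.yml hunk with `vpn_media_subnet: '24'`. Reinstating `vpn_prefix` / `vpn_media_prefix` for the length, and keeping `vpn_subnet` for a CIDR if it is still needed, keeps the variables self-describing. `vpn_destination_range: '10.0.0.1/32'` and `vpn_source_range: '10.0.0.0/24'` duplicate `vpn_listen_address` and the prefix by hand; deriving at least the destination as `'{{ vpn_listen_address }}/32'` removes one place where the address can drift.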
diff --git a/vars/vpn_media.yml b/vars/vpn_media.yml index 82f7634..03ce582 100644 --- a/vars/vpn_media.yml +++ b/vars/vpn_media.yml @@ -1,3 +1,12 @@ +vpn_media_listen_address: '10.0.1.1' +vpn_media_domain: 'media-vpn.{{ domain_name }}' +vpn_media_subnet: '24' +vpn_media_port: '51903' +vpn_media_interface: 'wg1' + +vpn_media_source_range: '10.0.1.0/24' +vpn_media_destination_range: '10.0.1.1/32' + vpn_media_server_public_key_path: '{{ vpn_config_dir }}/keys/public/media_server.pub' vpn_media_server_public_key_source_path: 'files/wireguard/media/server.pub' vpn_media_server_key_path: '{{ vpn_config_dir }}/keys/private/media_server.key' 
@@ -10,35 +19,25 @@ vpn_media_peers: public_key: 'hI4rqlv2afs4RJkt5xR+dYxQODSd6lR0OqWJRlnQdjM=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-laptop.psk' preshared_key_source_path: 'files/wireguard/media/preshared-laptop.psk' - desktop: ip: '10.0.1.3' public_key: 'YDH5lZcxUHM4AU2ZxQrFqjDIV2Z7PSUQKMcYXLExV0E=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-desktop.psk' preshared_key_source_path: 'files/wireguard/media/preshared-desktop.psk' - mobile_peer_1: ip: '10.0.1.4' - allowed_ips: - - '{{ vpn_media_subnet }}' public_key: '6fj8FXvzT0IUlZLJjQ/+FhwwRDsJeQsUFHqKQcyXdwQ=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-mobile-1.psk' preshared_key_source_path: 'files/wireguard/media/preshared-mobile-1.psk' private_key_source_path: 'files/wireguard/media/mobile-1.key' - mobile_peer_2: ip: '10.0.1.5' - allowed_ips: - - '{{ vpn_media_subnet }}' public_key: 'w/pswNrAYFdEUoaLk3zSqOu4gg2s41BBCN02E//ai1c=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-mobile-2.psk' preshared_key_source_path: 'files/wireguard/media/preshared-mobile-2.psk' private_key_source_path: 'files/wireguard/media/mobile-2.key' - tv: ip: '10.0.1.6' - allowed_ips: - - '{{ vpn_media_subnet }}' public_key: '5+yz9C9PhaLhsvAZ1e3mDsTQpMZVrPZnSQa6ERJIKU0=' preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-media-tv.psk' preshared_key_source_path: 'files/wireguard/media/preshared-tv.psk'