feat(deluge): added role to install deluge and deluge web

ansible_collections/nullified/infrastructure/roles/deluge/templates/core.conf.j2

@@ -0,0 +1,95 @@
+{
+"file": 1,
+"format": 1
+}{
+"add_paused": false,
+"allow_remote": false,
+"auto_manage_prefer_seeds": false,
+"auto_managed": true,
+"cache_expiry": 60,
+"cache_size": 512,
+"copy_torrent_file": false,
+"daemon_port": {{ deluge_daemon_control_port }},
+"del_copy_torrent_file": false,
+"dht": false,
+"dont_count_slow_torrents": false,
+"download_location": "{{ deluge_download_dir }}",
+"download_location_paths_list": [],
+"enabled_plugins": [],
+"enc_in_policy": 1,
+"enc_level": 2,
+"enc_out_policy": 1,
+"geoip_db_location": "/usr/share/GeoIP/GeoIP.dat",
+"ignore_limits_on_local_network": true,
+"info_sent": 0.0,
+"listen_interface": "",
+"listen_ports": [
+{{ deluge_daemon_incoming_port }},
+{{ deluge_daemon_incoming_port }}
+],
+"listen_random_port": null,
+"listen_reuse_port": true,
+"listen_use_sys_port": false,
+"lsd": false,
+"max_active_downloading": 20,
+"max_active_limit": 50,
+"max_active_seeding": 50,
+"max_connections_global": 200,
+"max_connections_per_second": 20,
+"max_connections_per_torrent": -1,
+"max_download_speed": -1.0,
+"max_download_speed_per_torrent": -1,
+"max_half_open_connections": 50,
+"max_upload_slots_global": 20,
+"max_upload_slots_per_torrent": -1,
+"max_upload_speed": -1.0,
+"max_upload_speed_per_torrent": -1,
+"move_completed": true,
+"move_completed_path": "{{ deluge_completed_dir }}",
+"move_completed_paths_list": [],
+"natpmp": true,
+"new_release_check": true,
+"outgoing_interface": "",
+"outgoing_ports": [
+{{ deluge_daemon_outgoing_port_lo }},
+{{ deluge_daemon_outgoing_port_hi }}
+],
+"path_chooser_accelerator_string": "Tab",
+"path_chooser_auto_complete_enabled": true,
+"path_chooser_max_popup_rows": 20,
+"path_chooser_show_chooser_button_on_localhost": true,
+"path_chooser_show_hidden_files": false,
+"peer_tos": "0x00",
+"plugins_location": "{{ deluge_plugins_dir }}",
+"pre_allocate_storage": true,
+"prioritize_first_last_pieces": false,
+"proxy": {
+"anonymous_mode": false,
+"force_proxy": false,
+"hostname": "",
+"password": "",
+"port": 8080,
+"proxy_hostnames": true,
+"proxy_peer_connections": true,
+"proxy_tracker_connections": true,
+"type": 0,
+"username": ""
+},
+"queue_new_to_top": false,
+"random_outgoing_ports": false,
+"random_port": false,
+"rate_limit_ip_overhead": true,
+"remove_seed_at_ratio": false,
+"seed_time_limit": -1,
+"seed_time_ratio_limit": -1.0,
+"send_info": false,
+"sequential_download": false,
+"share_ratio_limit": -1.0,
+"shared": false,
+"stop_seed_at_ratio": false,
+"stop_seed_ratio": 2.0,
+"super_seeding": false,
+"torrentfiles_location": "{{ deluge_torrentfiles_dir }}",
+"upnp": true,
+"utpex": false
+}

ansible_collections/nullified/infrastructure/roles/deluge/templates/nftables.d/deluge.nft.j2

@@ -0,0 +1,24 @@
+table inet filter {
+    chain input {
+{% if deluge_web_expose_client %}
+        meta nfproto { ipv4, ipv6 } tcp dport {{ deluge_web_port }} accept
+{% else %}
+        meta nfproto { ipv4, ipv6 } iifname "lo" tcp dport {{ deluge_web_port }} accept
+{% endif %}
+        iifname "lo" tcp dport {{ deluge_daemon_control_port }} accept
+        meta l4proto { tcp, udp } th dport {{ deluge_daemon_incoming_port }} accept
+        meta l4proto { tcp, udp } th dport { {{ deluge_daemon_outgoing_port_lo }}-{{ deluge_daemon_outgoing_port_hi }} } accept
+    }
+
+    chain output {
+{% if deluge_web_expose_client %}
+        meta nfproto { ipv4, ipv6 } tcp sport {{ deluge_web_port }} accept
+{% else %}
+        meta nfproto { ipv4, ipv6 } oifname "lo" tcp sport {{ deluge_web_port }} accept
+{% endif %}
+        meta l4proto { tcp, udp } th sport { {{ deluge_daemon_outgoing_port_lo }}-{{ deluge_daemon_outgoing_port_hi }} } accept
+        oifname "lo" tcp sport {{ deluge_daemon_control_port }} accept
+        udp dport { 1900, 5351 } accept
+        tcp dport 6969 accept
+    }
+}

ansible_collections/nullified/infrastructure/roles/deluge/templates/systemd/deluge-web.service.j2

@@ -0,0 +1,53 @@
+[Unit]
+Description=Deluge Bittorrent Client Web Interface
+Documentation=man:deluge-web
+After=deluged.service
+Wants=deluged.service
+
+[Service]
+User=deluge
+Group=deluge
+Type=simple
+UMask=027
+ExecStart={{ deluge_git_dir }}/.venv/bin/deluge-web -d
+Restart=on-failure
+RestartSec=3
+
+# Security Hardening
+PrivateTmp=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+{% if systemd_version | int >= 187 %}
+NoNewPrivileges=true
+SystemCallFilter=@system-service
+{% endif %}
+{%+ if systemd_version | int >= 209 %}SystemCallArchitectures=native{%- endif +%}
+{% if systemd_version | int >= 214 %}
+ProtectHome=true
+ProtectSystem=true
+{% endif %}
+{% if systemd_version | int >= 231 %}
+ReadOnlyPaths=/
+ReadWritePaths={{ deluge_git_dir }} {{ deluge_install_dir }}
+RestrictRealtime=true
+{% endif %}
+{% if systemd_version | int >= 232 %}
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RemoveIPC=true
+{% endif %}
+{% if systemd_version | int >= 233 %}
+MountAPIVFS=true
+RestrictNamespaces=ipc net mnt pid
+{% endif %}
+{%+ if systemd_version | int >= 235 %}LockPersonality=true{%- endif +%}
+{% if systemd_version | int >= 242 %}
+ProtectHostname=true
+RestrictSUIDSGID=true
+{% endif %}
+{%+ if systemd_version | int >= 244 %}ProtectKernelLogs=true{%- endif +%}
+{%+ if systemd_version | int >= 245 %}ProtectClock=true{%- endif +%}
+{%+ if systemd_version | int >= 247 %}ProtectProc=invisible{%- endif +%}
+
+[Install]
+WantedBy=multi-user.target

ansible_collections/nullified/infrastructure/roles/deluge/templates/systemd/deluged.service.j2

@@ -0,0 +1,54 @@
+[Unit]
+Description=Deluge Bittorrent Client Daemon
+Documentation=man:deluged
+After=network-online.target
+
+[Service]
+User=deluge
+Group=deluge
+Type=simple
+UMask=007
+ExecStart={{ deluge_git_dir }}/.venv/bin/deluged -d -L warning
+Restart=on-failure
+RestartSec=3
+TimeoutStopSec=300
+WorkingDirectory=~
+
+# Security Hardening
+PrivateTmp=true
+CapabilityBoundingSet=CAP_SYS_RESOURCE
+{% if systemd_version | int >= 187 %}
+NoNewPrivileges=true
+SystemCallFilter=@system-service
+{% endif %}
+{%+ if systemd_version | int >= 209 %}SystemCallArchitectures=native{%- endif +%}
+{% if systemd_version | int >= 214 %}
+ProtectHome=true
+ProtectSystem=true
+{% endif %}
+{% if systemd_version | int >= 231 %}
+ReadOnlyPaths=/
+ReadWritePaths={{ deluge_git_dir }} {{ deluge_install_dir }}
+RestrictRealtime=true
+{% endif %}
+{% if systemd_version | int >= 232 %}
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RemoveIPC=true
+{% endif %}
+{% if systemd_version | int >= 233 %}
+MountAPIVFS=true
+RestrictNamespaces=ipc net mnt pid
+{% endif %}
+{%+ if systemd_version | int >= 235 %}LockPersonality=true{%- endif +%}
+{% if systemd_version | int >= 242 %}
+ProtectHostname=true
+RestrictSUIDSGID=true
+{% endif %}
+{%+ if systemd_version | int >= 244 %}ProtectKernelLogs=true{%- endif +%}
+{%+ if systemd_version | int >= 245 %}ProtectClock=true{%- endif +%}
+{%+ if systemd_version | int >= 247 %}ProtectProc=invisible{%- endif +%}
+
+[Install]
+WantedBy=multi-user.target

ansible_collections/nullified/infrastructure/roles/deluge/templates/web.conf.j2

@@ -0,0 +1,26 @@
+{
+    "file": 2,
+    "format": 1
+}{
+    "base": "/",
+    "cert": "ssl/daemon.cert",
+    "default_daemon": "",
+    "enabled_plugins": [
+    ],
+    "first_login": false,
+    "https": false,
+    "interface": "{{ '0.0.0.0' if deluge_web_expose_client is truthy else '127.0.0.1' }}",
+    "language": "",
+    "pkey": "ssl/daemon.pkey",
+    "port": {{ deluge_web_port }},
+    "pwd_salt": "{{ deluge_web_password_salt }}",
+    "pwd_sha1": "{{ deluge_web_password_hash }}",
+    "session_timeout": 3600,
+    "sessions": {
+    },
+    "show_session_speed": true,
+    "show_sidebar": true,
+    "sidebar_multiple_filters": true,
+    "sidebar_show_zero": false,
+    "theme": "gray"
+}