From 95e483c2fb6ecaf679ff16d59225edf0bd4328a3 Mon Sep 17 00:00:00 2001
From: NaeiKinDus
Date: Sun, 13 Apr 2025 00:00:00 +0000
Subject: [PATCH] feat(deluge): add configuration to allow remote connection to deluge daemon
---
 .../roles/deluge/defaults/main.yml | 2 ++
 .../roles/deluge/templates/core.conf.j2 | 2 +-
 .../deluge/templates/nftables.d/deluge.nft.j2 | 31 +++++++++++++++++++
 inventory/host_vars/lithium/vars.yml | 2 ++
 4 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/ansible_collections/nullified/infrastructure/roles/deluge/defaults/main.yml b/ansible_collections/nullified/infrastructure/roles/deluge/defaults/main.yml
index a436aa1..b2c5550 100644
--- a/ansible_collections/nullified/infrastructure/roles/deluge/defaults/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/deluge/defaults/main.yml
@@ -17,3 +17,5 @@ deluge_daemon_incoming_port: 6881
 deluge_daemon_outgoing_port_lo: 6889
 deluge_daemon_outgoing_port_hi: 6899
 deluge_web_expose_client: false
+deluge_allow_remote_control: false
+deluge_allowed_remotes: []
diff --git a/ansible_collections/nullified/infrastructure/roles/deluge/templates/core.conf.j2 b/ansible_collections/nullified/infrastructure/roles/deluge/templates/core.conf.j2
index 8cd4e87..0edc993 100644
--- a/ansible_collections/nullified/infrastructure/roles/deluge/templates/core.conf.j2
+++ b/ansible_collections/nullified/infrastructure/roles/deluge/templates/core.conf.j2
@@ -3,7 +3,7 @@
 "format": 1
 }{
 "add_paused": false,
-"allow_remote": false,
+"allow_remote": {{ 'true' if deluge_allow_remote_control is truthy else 'false' }},
 "auto_manage_prefer_seeds": false,
 "auto_managed": true,
 "cache_expiry": 60,
diff --git a/ansible_collections/nullified/infrastructure/roles/deluge/templates/nftables.d/deluge.nft.j2 b/ansible_collections/nullified/infrastructure/roles/deluge/templates/nftables.d/deluge.nft.j2
index 231ec0d..a2c1cce 100644
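Review bot: Setting `allow_remote` from `deluge_allow_remote_control` alone makes deluged accept RPC connections on non-loopback interfaces as soon as the flag is true, independently of whether `deluge_allowed_remotes` holds any address; with an empty list the nftables template in this same patch emits no accept rule, so exposure then rests entirely on the chain's default policy and on the daemon's own authentication, neither of which is visible here. I would fail early instead of relying on that: add a role task that asserts `deluge_allowed_remotes | length > 0` whenever `deluge_allow_remote_control` is truthy, with a `fail_msg` naming both variables, or at least document the coupling above the `deluge_allow_remote_control` default. The `is truthy` test also treats a non-empty string such as `'false'` as true unless `convert_bool=True` is given, and the host_vars hunk feeds this variable through a quoted `'{{ vault_… }}'` template; if the value can ever arrive as a string, `{{ 'true' if deluge_allow_remote_control | bool else 'false' }}` is the safer spelling.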
--- a/ansible_collections/nullified/infrastructure/roles/deluge/templates/nftables.d/deluge.nft.j2
+++ b/ansible_collections/nullified/infrastructure/roles/deluge/templates/nftables.d/deluge.nft.j2
@@ -1,3 +1,18 @@
+{% set deluge_allowed_remotes_ip4 = deluge_allowed_remotes | default([]) | ansible.utils.ipv4 %}
+{% set deluge_allowed_remotes_ip6 = deluge_allowed_remotes | default([]) | ansible.utils.ipv6 %}
+
+{% if deluge_allow_remote_control and deluge_allowed_remotes_ip4 | length > 0 %}
+define allowed_controllers4 = {
+ {{ deluge_allowed_remotes_ip4 | join(", ") | wordwrap(40, wrapstring="\n ", break_long_words=False) }}
+}
+{% endif %}
+
+{% if deluge_allow_remote_control and deluge_allowed_remotes_ip6 | length > 0 %}
+define allowed_controllers6 = {
+ {{ deluge_allowed_remotes_ip6 | join(", ") | wordwrap(40, wrapstring="\n ", break_long_words=False) }}
+}
+{% endif %}
+
 table inet filter {
 chain input {
 {% if deluge_web_expose_client %}
@@ -6,6 +21,14 @@ table inet filter {
 meta nfproto { ipv4, ipv6 } iifname "lo" tcp dport {{ deluge_web_port }} accept
 {% endif %}
 iifname "lo" tcp dport {{ deluge_daemon_control_port }} accept
+{% if deluge_allow_remote_control %}
+{% if deluge_allowed_remotes_ip4 | length > 0 %}
+ ip saddr $allowed_controllers4 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
+{% if deluge_allowed_remotes_ip6 | length > 0 %}
+ ip6 saddr $allowed_controllers6 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
+{% endif %}
 meta l4proto { tcp, udp } th dport {{ deluge_daemon_incoming_port }} accept
 meta l4proto { tcp, udp } th dport { {{ deluge_daemon_outgoing_port_lo }}-{{ deluge_daemon_outgoing_port_hi }} } accept
 }
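Review bot: The `ansible.utils.ipv4` and `ansible.utils.ipv6` filters in the two `{% set %}` lines silently discard any entry that is not a valid address or prefix, so a typo or a hostname in `deluge_allowed_remotes` yields no `define` and no accept rule, with no error from the play. That fails closed, which is the right direction, but it is indistinguishable from a correct deployment until a controller cannot connect. A pre-task assert such as `(deluge_allowed_remotes | ansible.utils.ipv4 | length) + (deluge_allowed_remotes | ansible.utils.ipv6 | length) == deluge_allowed_remotes | length` would surface the rejected entries at deploy time; a one-line comment above the `{% set %}` lines saying that non-address entries are dropped would help the next reader either way.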
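Review bot: The two accept rules added inside `{% if deluge_allow_remote_control %}` open the control port for `meta l4proto { tcp, udp }`, while the existing loopback rule for the same port directly above them accepts `tcp dport` only, which suggests the daemon RPC is TCP-only; admitting UDP from the controllers widens the exposed surface without any benefit shown here. I would narrow them to `ip saddr $allowed_controllers4 tcp dport {{ deluge_daemon_control_port }} accept` and `ip6 saddr $allowed_controllers6 tcp dport {{ deluge_daemon_control_port }} accept`, consistent with the loopback rule. The `chain input` block these rules live in opens in the previous hunk and closes in this one.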
@@ -15,6 +38,14 @@ table inet filter {
 meta nfproto { ipv4, ipv6 } tcp sport {{ deluge_web_port }} accept
 {% else %}
 meta nfproto { ipv4, ipv6 } oifname "lo" tcp sport {{ deluge_web_port }} accept
+{% endif %}
+{% if deluge_allow_remote_control %}
+{% if deluge_allowed_remotes_ip4 | length > 0 %}
+ ip saddr $allowed_controllers4 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
+{% if deluge_allowed_remotes_ip6 | length > 0 %}
+ ip6 saddr $allowed_controllers6 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
 {% endif %}
 meta l4proto { tcp, udp } th sport { {{ deluge_daemon_outgoing_port_lo }}-{{ deluge_daemon_outgoing_port_hi }} } accept
 oifname "lo" tcp sport {{ deluge_daemon_control_port }} accept
diff --git a/inventory/host_vars/lithium/vars.yml b/inventory/host_vars/lithium/vars.yml
index f1491a3..fc0f50d 100644
--- a/inventory/host_vars/lithium/vars.yml
+++ b/inventory/host_vars/lithium/vars.yml
@@ -6,5 +6,7 @@ nginx_sites: "{{ vault_nginx_sites }}"
 nginx_streams: "{{ vault_nginx_streams }}"
 deluge_web_password: '{{ vault_deluge_web_password }}'
 deluge_web_password_salt: '{{ vault_deluge_web_password_salt }}'
+deluge_allow_remote_control: '{{ vault_deluge_allow_remote_control }}'
+deluge_allowed_remotes: '{{ vault_deluge_allowed_remotes }}'
 global_dns_udp_dns4: "{{ vault_global_dns_udp_dns4 }}"
 global_dns_udp_dns6: "{{ vault_global_dns_udp_dns6 }}"
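Review bot: The two rules added in this hunk appear to be copied verbatim from the input chain and cannot match where they sit: every surrounding rule matches `sport` and `oifname "lo"`, which indicates an output chain, and an outbound reply from the daemon carries the controller as `daddr` and the control port as `sport`, not `saddr`/`dport` as written. The practical effect is that a controller's connection is accepted inbound while the daemon's responses still fall through to whatever the chain's default policy is, unless a stateful rule outside this hunk already covers them. Change them to `ip daddr $allowed_controllers4 tcp sport {{ deluge_daemon_control_port }} accept` and `ip6 daddr $allowed_controllers6 tcp sport {{ deluge_daemon_control_port }} accept`, mirroring the `oifname "lo" tcp sport` rule at the end of the hunk. The enclosing chain's header is outside this hunk, so confirm it is the output chain before applying.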