feat(deluge): add configuration to allow remote connection to deluge daemon

ansible_collections/nullified/infrastructure/roles/deluge/defaults/main.yml

@@ -17,3 +17,5 @@ deluge_daemon_incoming_port: 6881
 deluge_daemon_outgoing_port_lo: 6889
 deluge_daemon_outgoing_port_hi: 6899
 deluge_web_expose_client: false
+deluge_allow_remote_control: false
+deluge_allowed_remotes: []

ansible_collections/nullified/infrastructure/roles/deluge/templates/core.conf.j2

@@ -3,7 +3,7 @@
 "format": 1
 }{
 "add_paused": false,
-"allow_remote": false,
+"allow_remote": {{ 'true' if deluge_allow_remote_control is truthy else 'false' }},
 "auto_manage_prefer_seeds": false,
 "auto_managed": true,
 "cache_expiry": 60,

ansible_collections/nullified/infrastructure/roles/deluge/templates/nftables.d/deluge.nft.j2

@@ -1,3 +1,18 @@
+{% set deluge_allowed_remotes_ip4 = deluge_allowed_remotes | default([]) | ansible.utils.ipv4 %}
+{% set deluge_allowed_remotes_ip6 = deluge_allowed_remotes | default([]) | ansible.utils.ipv6 %}
+
+{% if deluge_allow_remote_control and deluge_allowed_remotes_ip4 | length > 0 %}
+define allowed_controllers4 = {
+    {{ deluge_allowed_remotes_ip4 | join(", ") | wordwrap(40, wrapstring="\n    ", break_long_words=False) }}
+}
+{% endif %}
+
+{% if deluge_allow_remote_control and deluge_allowed_remotes_ip6 | length > 0 %}
+define allowed_controllers6 = {
+    {{ deluge_allowed_remotes_ip6 | join(", ") | wordwrap(40, wrapstring="\n    ", break_long_words=False) }}
+}
+{% endif %}
+
 table inet filter {
     chain input {
 {% if deluge_web_expose_client %}
@@ -6,6 +21,14 @@ table inet filter {
         meta nfproto { ipv4, ipv6 } iifname "lo" tcp dport {{ deluge_web_port }} accept
 {% endif %}
         iifname "lo" tcp dport {{ deluge_daemon_control_port }} accept
+{% if deluge_allow_remote_control %}
+{% if deluge_allowed_remotes_ip4 | length > 0 %}
+        ip saddr $allowed_controllers4 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
+{% if deluge_allowed_remotes_ip6 | length > 0 %}
+        ip6 saddr $allowed_controllers6 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
+{% endif %}
         meta l4proto { tcp, udp } th dport {{ deluge_daemon_incoming_port }} accept
         meta l4proto { tcp, udp } th dport { {{ deluge_daemon_outgoing_port_lo }}-{{ deluge_daemon_outgoing_port_hi }} } accept
     }
@@ -15,6 +38,14 @@ table inet filter {
         meta nfproto { ipv4, ipv6 } tcp sport {{ deluge_web_port }} accept
 {% else %}
         meta nfproto { ipv4, ipv6 } oifname "lo" tcp sport {{ deluge_web_port }} accept
+{% endif %}
+{% if deluge_allow_remote_control %}
+{% if deluge_allowed_remotes_ip4 | length > 0 %}
+        ip saddr $allowed_controllers4 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
+{% if deluge_allowed_remotes_ip6 | length > 0 %}
+        ip6 saddr $allowed_controllers6 meta l4proto { tcp, udp } th dport {{ deluge_daemon_control_port }} accept
+{% endif %}
 {% endif %}
         meta l4proto { tcp, udp } th sport { {{ deluge_daemon_outgoing_port_lo }}-{{ deluge_daemon_outgoing_port_hi }} } accept
         oifname "lo" tcp sport {{ deluge_daemon_control_port }} accept

inventory/host_vars/lithium/vars.yml

@@ -6,5 +6,7 @@ nginx_sites: "{{ vault_nginx_sites }}"
 nginx_streams: "{{ vault_nginx_streams }}"
 deluge_web_password: '{{ vault_deluge_web_password }}'
 deluge_web_password_salt: '{{ vault_deluge_web_password_salt }}'
+deluge_allow_remote_control: '{{ vault_deluge_allow_remote_control }}'
+deluge_allowed_remotes: '{{ vault_deluge_allowed_remotes }}'
 global_dns_udp_dns4: "{{ vault_global_dns_udp_dns4 }}"
 global_dns_udp_dns6: "{{ vault_global_dns_udp_dns6 }}"