Add tor and bitcoin-daemon steps

Add step to enable ufw rules
Add UFW task
2025-09-05 17:03:39 -04:00 · 2025-09-05 16:11:25 -04:00 · 2025-09-05 15:54:07 -04:00
12 changed files with 105 additions and 50 deletions
--- a/README.md
+++ b/README.md
@@ -23,13 +23,12 @@ Having Plex and Jellyfin separate from the rest of my docker infrastructure allo
 **Storage:**
 * `/`: 1 TB NVME SSD
 * `/vm_storage`: 2x 240 GB SSD in ZFS mirror for config and data files
-* `/mnt/storage`: mergerfs + SnapRAID pool totaling 150 TiB usable storage with single disk parity (YOLO). Drives run btrfs allowing me to utilize [snapraid-btrfs](https://wiki.selfhosted.show/tools/snapraid-btrfs/) for instant snapshotting
+* `/mnt/storage`: mergerfs + SnapRAID pool totaling ~90 TiB usable storage. Currently single parity disk but hoping to add a second one soon. Drives run btrfs allowing me to utilize [snapraid-btrfs](https://wiki.selfhosted.show/tools/snapraid-btrfs/) for instant snapshotting

 ## Roadmap

 * Flesh out backup strategy with btrfs snapshots and restic (separately)
-* Potentially migrate media pool to ZFS. I've been lucky so far with no drive failures but realistically if I did have one fail, it would take ages to rebuild with single disk parity and I'd be wishing I had a more robust setup.
-* Move everything to Arch LXCs on Proxmox
+* Move everything to Arch VMs on Proxmox
 * Possibly set up second Proxmox node for backups
 * Immich for photo management
 * Look into [Wazuh](https://github.com/wazuh/wazuh) for threat prevention/detection
--- a/ansible/roles/beets/files/config.yaml
+++ b/ansible/roles/beets/files/config.yaml
@@ -1,7 +1,7 @@
 directory: /music
 per_disc_numbering: yes

-plugins: fetchart embedart web inline lyrics musicbrainz scrub lastgenre replaygain
+plugins: fetchart web inline lyrics

 paths:
    default: $albumartist/$album%aunique{}/%if{$multidisc,$disc}$track - $title
@@ -12,7 +12,7 @@ item_fields:
        
 import:
    write: yes
-    move: yes
+    hardlink: yes
    resume: ask
    incremental: yes
    quiet_fallback: skip
@@ -28,32 +28,13 @@ embedart:
 fetchart:
    auto: yes
    high_resolution: yes
-    source:
-      - filesystem
-      - itunes
-      - coverart
-      - amazon
-
-match:
-    strong_rec_thresh: 0.10
-    ignored_media: ['12" Vinyl']

 lyrics:
-    sources: [lrclib, genius, tekstowo]
+    sources: [lrclib, genius]
    
 scrub:
    auto: yes

-replaygain:
-    auto: yes
-    backend: ffmpeg
-
-# Consider directory empty even if files matching the below patterns are present
-clutter:
-  - "*.jpg"
-  - "*.png"
-  - "*.nfo"
-
 replace:
    '^\.': _
    '[\x00-\x1f]': _
--- a/ansible/roles/btc/tasks/bitcoin.yml
+++ b/ansible/roles/btc/tasks/bitcoin.yml
@@ -0,0 +1,11 @@
+- name: Install bitcoin daemon
+  ansible.builtin.package:
+    name: bitcoin-daemon
+    state: present
+  become: true
+
+- name: Enable bitcoind
+  ansible.builtin.service:
+    name: bitcoind
+    state: started
+    enabled: yes
--- a/ansible/roles/btc/tasks/tor.yml
+++ b/ansible/roles/btc/tasks/tor.yml
@@ -0,0 +1,6 @@
+- name: Install tor
+  ansible.builtin.package:
+    name: tor
+    state: present
+
+
--- a/ansible/roles/btc/tasks/ufw.yml
+++ b/ansible/roles/btc/tasks/ufw.yml
@@ -0,0 +1,32 @@
+- name: Install Uncomplicated Firewall
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
+# UFW logging can full up the kernel (dmesg) and message logs
+- name: Disable logging
+  community.general.ufw:
+    logging: 'off'
+
+- name: Allow OpenSSH inbound
+  community.general.ufw:
+    rule: allow
+    name: OpenSSH # Uses standard profile located in /etc/ufw/applications.d
+
+- name: Apply rate limiting to ssh inbound
+  community.general.ufw:
+    rule: limit
+    port: ssh
+    proto: tcp
+  
+- name: Enable ufw system service
+  ansible.builtin.service:
+    name: ufw
+    state: started
+    enabled: yes
+
+# This is necessary in addition to enabling the system service
+- name: Enable ufw rules
+  community.general.ufw:
+    state: enabled
+    policy: deny
--- a/ansible/roles/qbittorrent/tasks/main.yml
+++ b/ansible/roles/qbittorrent/tasks/main.yml
@@ -30,6 +30,7 @@
    dest: "{{ data_dir }}/qbitmanage/config.yml"
    owner: "{{ service_user.uid }}"
    mode: "{{ docker_compose_file_mask }}"
+  notify: restart qbittorrent
  become: true

 - name: Create cross-seed config directory
@@ -46,6 +47,7 @@
    dest: "{{ data_dir }}/cross-seed/config.js"
    owner: "{{ service_user.uid }}"
    mode: "{{ docker_compose_file_mask }}"
+  notify: restart qbittorrent
  become: true

 - name: Start docker containers
--- a/ansible/roles/qbittorrent/templates/cross-seed/config.js
+++ b/ansible/roles/qbittorrent/templates/cross-seed/config.js
@@ -4,10 +4,10 @@ module.exports = {
    delay: 30,

    torznab: [
+	    "http://prowlarr.local.{{ personal_domain }}/3/api?apikey={{ prowlarr_api_key }}", // ImmortalSeed
 	    "http://prowlarr.local.{{ personal_domain }}/6/api?apikey={{ prowlarr_api_key }}", // Aither
 	    "http://prowlarr.local.{{ personal_domain }}/7/api?apikey={{ prowlarr_api_key }}", // Reelflix
 	    "http://prowlarr.local.{{ personal_domain }}/9/api?apikey={{ prowlarr_api_key }}", // LST
-	    "http://prowlarr.local.{{ personal_domain }}/10/api?apikey={{ prowlarr_api_key }}", // MyAnonaMouse
 	    "http://prowlarr.local.{{ personal_domain }}/12/api?apikey={{ prowlarr_api_key }}", // Blutopia
 	    "http://prowlarr.local.{{ personal_domain }}/13/api?apikey={{ prowlarr_api_key }}", // hawke-uno
 	    "http://prowlarr.local.{{ personal_domain }}/16/api?apikey={{ prowlarr_api_key }}", // AlphaRatio
@@ -15,9 +15,6 @@ module.exports = {
 	    "http://prowlarr.local.{{ personal_domain }}/19/api?apikey={{ prowlarr_api_key }}", // Cathode-Ray.Tube
 	    "http://prowlarr.local.{{ personal_domain }}/25/api?apikey={{ prowlarr_api_key }}", // seedpool
 	    "http://prowlarr.local.{{ personal_domain }}/27/api?apikey={{ prowlarr_api_key }}", // Upload.cx
-	    "http://prowlarr.local.{{ personal_domain }}/30/api?apikey={{ prowlarr_api_key }}", // DocsPedia
-	    "http://prowlarr.local.{{ personal_domain }}/31/api?apikey={{ prowlarr_api_key }}", // OnlyEncodes+
-	    "http://prowlarr.local.{{ personal_domain }}/32/api?apikey={{ prowlarr_api_key }}", // Anthelion
    ],

    outputDir: null,
@@ -27,7 +24,8 @@ module.exports = {
    excludeOlder: "12w",
    excludeRecentSearch: "3w",
    action: "inject",
-    torrentClients: ["qbittorrent:https://admin:password@qbittorrent.local.{{ personal_domain }}"],
+    rtorrentRpcUrl: undefined,
+    qbittorrentUrl: "https://qbittorrent.local.{{ personal_domain }}",
    sonarr: ["https://sonarr.local.{{ personal_domain }}/?apikey={{ sonarr_api_key }}"],
    radarr: ["https://radarr.local.{{ personal_domain }}/?apikey={{ radarr_api_key }}"],
    seasonsFromEpisodes: 0.8,
@@ -38,7 +36,4 @@ module.exports = {
    port: 2468,
    rssCadence: "16min",
    searchCadence: "1w",
-    blockList: [
-	    "category:upload",
-    ],
 };
--- a/ansible/roles/qbittorrent/templates/docker-compose.yml
+++ b/ansible/roles/qbittorrent/templates/docker-compose.yml
@@ -5,7 +5,7 @@ networks:
 services:
  qbittorrent:
    container_name: qbittorrent
-    image: lscr.io/linuxserver/qbittorrent:5.1.4
+    image: lscr.io/linuxserver/qbittorrent:5.1.2
    restart: unless-stopped
    network_mode: "container:gluetun"
    environment:
@@ -52,3 +52,26 @@ services:
      - "{{ media_storage_mnt }}/data/torrents:/data/torrents" # Necessary for partial matching
    command: daemon
    restart: unless-stopped
+
+  unpackerr:
+    container_name: unpackerr
+    image: ghcr.io/hotio/unpackerr
+    networks:
+      - starr
+    environment:
+      - "PUID={{ service_user.uid }}"
+      - "PGID={{ media_gid }}"
+      - UMASK=002
+      - TZ={{ timezone }}
+      - UN_INTERVAL=5m
+      - UN_FILE_MODE=0664
+      - UN_DIR_MODE=0775
+      - UN_SONARR_0_URL=http://sonarr:8989
+      - "UN_SONARR_0_API_KEY={{ sonarr_api_key }}"
+      - UN_SONARR_0_PATHS_0=/data/torrents/tv
+      - UN_RADARR_0_URL=http://radarr:7878
+      - "UN_RADARR_0_API_KEY={{ radarr_api_key }}"
+      - UN_RADARR_0_PATHS_0=/data/torrents/movies
+    volumes:
+      - "{{ data_dir }}/unpackerr:/config"
+      - "{{ media_storage_mnt }}/data/torrents:/data/torrents"
--- a/ansible/roles/qbittorrent/templates/qbitmanage/config.yml
+++ b/ansible/roles/qbittorrent/templates/qbitmanage/config.yml
@@ -5,7 +5,7 @@ commands:
  recheck: True
  tag_update: True
  rem_unregistered: True
-  rem_orphaned: True
+  remove_orphaned: True
  tag_nohardlinks: True

 qbt:
@@ -83,10 +83,6 @@ tracker:
    tag: ULCX
  archlinux:
    tag: archlinux
-  animebytes:
-    tag: AB
-  anthelion:
-    tag: ANT
  other:
    tag: other

@@ -103,7 +99,7 @@ share_limits:
    priority: 1
    include_all_tags:
      - noHL
-    max_seeding_time: 40320 # 4 weeks
+    max_seeding_time: 28800 # 20 days
    cleanup: true
    add_group_to_tag: false
  isos:
@@ -113,14 +109,28 @@ share_limits:
    max_seeding_time: 129600 # 90 days
    cleanup: true
    add_group_to_tag: false
-  big: # Set speed limit on bandwidth hogs
+  tl_cross-seed:
    priority: 9
-    include_any_tags:
+    include_all_tags:
+      - cross-seed
      - TorrentLeech
-      - FileList
-      - AlphaRatio
    limit_upload_speed: 100 # 100 KiBps
    add_group_to_tag: false
+  public_trackers:
+    priority: 10
+    include_any_tags:
+      - Nyaa
+      - AnimeTosho
+      - rutracker
+    categories:
+      - movies
+      - tv
+    max_ratio: 2
+    max_seeding_time: 21600 # 15 days
+    limit_upload_speed: 5000 # 5 MiBps
+    cleanup: true
+    add_group_to_tag: false
+

 recyclebin:
  enabled: true
--- a/ansible/roles/recyclarr/files/includes/radarr-anime-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/radarr-anime-custom_formats.yml
@@ -48,9 +48,3 @@ custom_formats:
    assign_scores_to:
      - name: Anime
        score: 10 # Prefer dual audio within the same tier but not over higher quality releases 
-
-  - trash_ids:
-      - 923b6abef9b17f937fab56cfcf89e1f1 # DV (w/o HDR fallback)
-    assign_scores_to:
-      - name: Anime
-        score: -10000
--- a/ansible/roles/recyclarr/files/includes/sonarr-old-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-old-custom_formats.yml
@@ -85,6 +85,7 @@ custom_formats:
      - fbcb31d8dabd2a319072b84fc0b7249c # Extras
      - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
      - 32b367365729d530ca1c124a0b180c64 # Bad Dual Groups
+      - 82d40da2bc6923f41e14394075dd4b03 # No-RlsGroup
      - e1a997ddb54e3ecbfe06341ad323c458 # Obfuscated
      - 06d66ab109d4d2eddb2794d21526d140 # Retags
      - b735f09d3c025cbb7d75a5d38325b73b # Upscaled
--- a/ansible/roles/recyclarr/files/includes/sonarr-old_season_pack-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-old_season_pack-custom_formats.yml
@@ -85,6 +85,7 @@ custom_formats:
      - fbcb31d8dabd2a319072b84fc0b7249c # Extras
      - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
      - 32b367365729d530ca1c124a0b180c64 # Bad Dual Groups
+      - 82d40da2bc6923f41e14394075dd4b03 # No-RlsGroup
      - e1a997ddb54e3ecbfe06341ad323c458 # Obfuscated
      - 06d66ab109d4d2eddb2794d21526d140 # Retags
      - b735f09d3c025cbb7d75a5d38325b73b # Upscaled
Author	SHA1	Message	Date
Mike Wilson	9ef90db07b	Add tor and bitcoin-daemon steps	2025-09-05 17:03:39 -04:00
Mike Wilson	458506e798	Add step to enable ufw rules	2025-09-05 16:11:25 -04:00
Mike Wilson	874c759f85	Add UFW task	2025-09-05 15:54:07 -04:00