From 3847c12b42d50920afd33cabcc030a05c863643b Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Wed, 14 Jan 2026 13:03:46 -0800
Subject: [PATCH] Fix transmission config to prevent perpetual ansible diffs

- Expand settings.json template to include all transmission defaults
- Use static pre-hashed rpc-password so transmission doesn't regenerate
- Change file mode from 0644 to 0600 to match transmission's default
- Add Jinja comment explaining the RPC password workaround

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 ansible/roles/transmission/tasks/main.yml     |  4 +-
 .../transmission/templates/settings.json.j2   | 82 +++++++++++++++++--
 2 files changed, 77 insertions(+), 9 deletions(-)

diff --git a/ansible/roles/transmission/tasks/main.yml b/ansible/roles/transmission/tasks/main.yml
index 463ecd8..9b941ca 100644
--- a/ansible/roles/transmission/tasks/main.yml
+++ b/ansible/roles/transmission/tasks/main.yml
@@ -27,7 +27,7 @@
   ansible.builtin.template:
     src: settings.json.j2
     dest: "{{ transmission_config_dir }}/settings.json"
-    mode: '0644'
+    mode: '0600'
   check_mode: true
   register: settings_check
 
@@ -42,7 +42,7 @@
   ansible.builtin.template:
     src: settings.json.j2
     dest: "{{ transmission_config_dir }}/settings.json"
-    mode: '0644'
+    mode: '0600'
   notify: restart transmission
 
 - name: Ensure transmission service is started
diff --git a/ansible/roles/transmission/templates/settings.json.j2 b/ansible/roles/transmission/templates/settings.json.j2
index 6875415..36b0513 100644
--- a/ansible/roles/transmission/templates/settings.json.j2
+++ b/ansible/roles/transmission/templates/settings.json.j2
@@ -1,21 +1,89 @@
+{#
+  RPC is required for transmission-remote CLI to manage torrents.
+  Config is secure: bound to localhost only, no auth needed.
+
+  rpc-password uses a static hash starting with '{' so transmission
+  recognizes it as pre-hashed and won't regenerate it on restart.
+  Without this, transmission writes a new hash each startup causing
+  perpetual ansible diffs.
+#}
 {
     "_comment": "{{ ansible_managed }}",
+    "alt-speed-down": 50,
+    "alt-speed-enabled": false,
+    "alt-speed-time-begin": 540,
+    "alt-speed-time-day": 127,
+    "alt-speed-time-enabled": false,
+    "alt-speed-time-end": 1020,
+    "alt-speed-up": 50,
+    "announce-ip": "",
+    "announce-ip-enabled": false,
+    "anti-brute-force-enabled": false,
+    "anti-brute-force-threshold": 100,
+    "bind-address-ipv4": "0.0.0.0",
+    "bind-address-ipv6": "::",
+    "blocklist-enabled": false,
+    "blocklist-url": "http://www.example.com/blocklist",
+    "cache-size-mb": 4,
+    "default-trackers": "",
+    "dht-enabled": {{ transmission_dht_enabled | lower }},
     "download-dir": "{{ transmission_download_dir }}",
+    "download-queue-enabled": true,
+    "download-queue-size": 5,
+    "encryption": {{ transmission_encryption }},
+    "idle-seeding-limit": 30,
+    "idle-seeding-limit-enabled": false,
     "incomplete-dir": "{{ transmission_incomplete_dir }}",
     "incomplete-dir-enabled": true,
-    "dht-enabled": {{ transmission_dht_enabled | lower }},
+    "lpd-enabled": true,
+    "message-level": 4,
+    "peer-congestion-algorithm": "",
+    "peer-limit-global": 200,
+    "peer-limit-per-torrent": 50,
+    "peer-port": 51413,
+    "peer-port-random-high": 65535,
+    "peer-port-random-low": 49152,
+    "peer-port-random-on-start": false,
+    "peer-socket-tos": "le",
     "pex-enabled": {{ transmission_pex_enabled | lower }},
-    "encryption": {{ transmission_encryption }},
-    "rpc-enabled": {{ transmission_rpc_enabled | lower }},
-    "rpc-port": {{ transmission_rpc_port }},
-    "rpc-bind-address": "{{ transmission_rpc_bind_address }}",
+    "port-forwarding-enabled": true,
+    "preallocation": 1,
+    "prefetch-enabled": true,
+    "queue-stalled-enabled": true,
+    "queue-stalled-minutes": 30,
+    "ratio-limit": 2,
+    "ratio-limit-enabled": false,
+    "rename-partial-files": false,
     "rpc-authentication-required": {{ transmission_rpc_authentication_required | lower }},
-    "rpc-whitelist-enabled": {{ transmission_rpc_whitelist_enabled | lower }},
+    "rpc-bind-address": "{{ transmission_rpc_bind_address }}",
+    "rpc-enabled": {{ transmission_rpc_enabled | lower }},
+    "rpc-host-whitelist": "",
+    "rpc-host-whitelist-enabled": true,
+    "rpc-password": "{00000000000000000000000000000000000000000000000e",
+    "rpc-port": {{ transmission_rpc_port }},
+    "rpc-socket-mode": "0750",
+    "rpc-url": "/transmission/",
+    "rpc-username": "",
     "rpc-whitelist": "{{ transmission_rpc_whitelist }}",
+    "rpc-whitelist-enabled": {{ transmission_rpc_whitelist_enabled | lower }},
+    "scrape-paused-torrents-enabled": true,
+    "script-torrent-added-enabled": false,
+    "script-torrent-added-filename": "",
+    "script-torrent-done-enabled": false,
+    "script-torrent-done-filename": "",
+    "script-torrent-done-seeding-enabled": false,
+    "script-torrent-done-seeding-filename": "",
+    "seed-queue-enabled": false,
+    "seed-queue-size": 10,
     "speed-limit-down": {{ transmission_speed_limit_down }},
     "speed-limit-down-enabled": {{ (transmission_speed_limit_down > 0) | lower }},
     "speed-limit-up": {{ transmission_speed_limit_up }},
     "speed-limit-up-enabled": {{ (transmission_speed_limit_up > 0) | lower }},
     "start-added-torrents": true,
-    "trash-original-torrent-files": false
+    "tcp-enabled": true,
+    "torrent-added-verify-mode": "fast",
+    "trash-original-torrent-files": false,
+    "umask": "022",
+    "upload-slots-per-torrent": 8,
+    "utp-enabled": true
 }