sonarr: Deploy Sonarr in a Podman container

The `sonarr.yml` playbook and corresponding role deploy Sonarr, the
indexer manager for the *arr suite, in a Podman container.

Note that we're relocating the log files from the Sonarr AppData
directory to `/var/log/sonarr` so they can be picked up by Fluent Bit.

hosts

@@ -245,6 +245,7 @@ chromie.pyrocufflink.blue
 [servarr:children]
 prowlarr
 radarr
+sonarr
 
 [smtp-relay]
 smtp1.pyrocufflink.blue
@@ -252,6 +253,8 @@ smtp1.pyrocufflink.blue
 [smtp-relay:children]
 nextcloud
 
+[sonarr]
+
 [squid]
 
 [sudo]

roles/sonarr/defaults/main.yml

@@ -0,0 +1,4 @@
+sonarr_container_image: git.pyrocufflink.net/packages/sonarr
+sonarr_version: 4.0.16.2944
+
+sonarr_path_mounts: []

roles/sonarr/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: relocate sonarr logs
+  shell: |
+    if [ ! -h /var/lib/sonarr/logs ]; then
+        mv /var/lib/sonarr/logs/*.txt /var/log/sonarr/
+        rmdir /var/lib/sonarr/logs
+    fi
+
+- name: restart sonarr
+  service:
+    name: sonarr
+    state: restarted

roles/sonarr/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base

roles/sonarr/tasks/main.yml

@@ -0,0 +1,125 @@
+- name: ensure media group exists
+  group:
+    name: media
+    gid: 9000
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure sonarr group exists
+  group:
+    name: sonarr
+    gid: 8989
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure sonarr user exists
+  user:
+    name: sonarr
+    uid: 8989
+    group: sonarr
+    groups:
+    - media
+    system: true
+    home: /var/lib/sonarr
+    createhome: false
+    state: present
+  tags:
+  - user
+
+- name: ensure sonarr data directory exists
+  file:
+    path: /var/lib/sonarr
+    owner: sonarr
+    group: sonarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  tags:
+  - datadir
+- name: ensure sonarr log directory exists
+  file:
+    path: /var/log/sonarr
+    owner: sonarr
+    group: sonarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  notify:
+  - relocate sonarr logs
+  tags:
+  - logdir
+- meta: flush_handlers
+- name: ensure sonarr logs directory symlink exists
+  file:
+    path: /var/lib/sonarr/logs
+    src: /var/log/sonarr
+    state: link
+  tags:
+  - logdir
+
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+  tags:
+  - install
+
+- name: ensure sonarr container image is present
+  podman_image:
+    name: '{{ sonarr_container_image }}:{{ sonarr_version }}'
+    username: '{{ sonarr_image_pull_username | d(omit) }}'
+    password: '{{ sonarr_image_pull_password | d(omit) }}'
+    force: '{{ sonarr_force_pull_image | d(false) }}'
+    state: present
+  notify:
+  - restart sonarr
+  tags:
+  - container-image
+
+- name: ensure sonarr.container systemd unit exists
+  template:
+    src: sonarr.container.j2
+    dest: /etc/containers/systemd/sonarr.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart sonarr
+  tags:
+  - systemd
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure sonarr starts at boot
+  systemd:
+    name: sonarr
+    enabled: true
+  tags:
+  - service
+- name: ensure sonarr is running
+  systemd:
+    name: sonarr
+    state: started
+  tags:
+  - service
+
+- name: ensure apache is configured to proxy for sonarr
+  template:
+    src: sonarr.httpd.conf.j2
+    dest: /etc/httpd/conf.d/sonarr.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload httpd
+  tags:
+  - apache-config

roles/sonarr/templates/sonarr.container.j2

@@ -0,0 +1,37 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Sonarr TV Library Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ sonarr_container_image }}:{{ sonarr_version }}
+Volume=/var/log/sonarr:/var/log/sonarr:rw
+Volume=/var/lib/sonarr:/var/lib/sonarr:rw
+{% for mount in sonarr_path_mounts %}
+Mount={{ mount }}
+{% endfor %}
+GroupAdd=media
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0022
+
+[Install]
+WantedBy=multi-user.target

roles/sonarr/templates/sonarr.httpd.conf.j2

@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+<VirtualHost _default_:443>
+    ServerName sonarr.pyrocufflink.blue
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:8989/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:8989/$1 [P,L]
+    ProxyPassReverse / http://localhost:8989/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>

servarr.yml

@@ -1,2 +1,3 @@
 - import_playbook: prowlarr.yml
 - import_playbook: radarr.yml
+- import_playbook: sonarr.yml

sonarr.yml

@@ -0,0 +1,5 @@
+- hosts: sonarr
+  roles:
+  - role: sonarr
+    tags:
+    - sonarr