diff --git a/hosts b/hosts
index 62256e4..0997c32 100644
--- a/hosts
+++ b/hosts
@@ -245,6 +245,7 @@ chromie.pyrocufflink.blue
 [servarr:children]
 prowlarr
 radarr
+sonarr
 [smtp-relay]
 smtp1.pyrocufflink.blue
@@ -252,6 +253,8 @@ smtp1.pyrocufflink.blue
 [smtp-relay:children]
 nextcloud
+[sonarr]
+
 [squid]
 [sudo]
diff --git a/roles/sonarr/defaults/main.yml b/roles/sonarr/defaults/main.yml
new file mode 100644
index 0000000..d5d1657
--- /dev/null
+++ b/roles/sonarr/defaults/main.yml
@@ -0,0 +1,4 @@
+sonarr_container_image: git.pyrocufflink.net/packages/sonarr
+sonarr_version: 4.0.16.2944
+
+sonarr_path_mounts: []
diff --git a/roles/sonarr/handlers/main.yml b/roles/sonarr/handlers/main.yml
new file mode 100644
index 0000000..5e4af87
--- /dev/null
+++ b/roles/sonarr/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: relocate sonarr logs
+ shell: |
+ if [ ! -h /var/lib/sonarr/logs ]; then
+ mv /var/lib/sonarr/logs/*.txt /var/log/sonarr/
+ rmdir /var/lib/sonarr/logs
+ fi
+
+- name: restart sonarr
+ service:
+ name: sonarr
+ state: restarted
diff --git a/roles/sonarr/meta/main.yml b/roles/sonarr/meta/main.yml
new file mode 100644
index 0000000..25967ae
--- /dev/null
+++ b/roles/sonarr/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base
diff --git a/roles/sonarr/tasks/main.yml b/roles/sonarr/tasks/main.yml
new file mode 100644
index 0000000..222072b
--- /dev/null
+++ b/roles/sonarr/tasks/main.yml
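Review bot: The `relocate sonarr logs` handler fails on a fresh host: it is notified the first time `/var/log/sonarr` is created, but at that point `/var/lib/sonarr/logs` does not exist, so `mv /var/lib/sonarr/logs/*.txt` runs on an unmatched glob and `rmdir` returns non-zero, which is the exit status of the `if` block and aborts the play. Guard on the directory actually being present, `if [ -d /var/lib/sonarr/logs ] && [ ! -h /var/lib/sonarr/logs ]; then`, and move the files with `find /var/lib/sonarr/logs -maxdepth 1 -name '*.txt' -exec mv -t /var/log/sonarr/ {} +` so an existing but empty directory is handled as well. If `rmdir` still fails because non-`.txt` files remain, the symlink task that follows in tasks/main.yml will presumably also fail on the leftover directory, so that case is worth reporting explicitly rather than being left to the exit status of the last command.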
@@ -0,0 +1,125 @@
+- name: ensure media group exists
+ group:
+ name: media
+ gid: 9000
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+- name: ensure sonarr group exists
+ group:
+ name: sonarr
+ gid: 8989
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+- name: ensure sonarr user exists
+ user:
+ name: sonarr
+ uid: 8989
+ group: sonarr
+ groups:
+ - media
+ system: true
+ home: /var/lib/sonarr
+ createhome: false
+ state: present
+ tags:
+ - user
+
+- name: ensure sonarr data directory exists
+ file:
+ path: /var/lib/sonarr
+ owner: sonarr
+ group: sonarr
+ mode: u=rwx,og=rx
+ setype: container_file_t
+ state: directory
+ tags:
+ - datadir
+- name: ensure sonarr log directory exists
+ file:
+ path: /var/log/sonarr
+ owner: sonarr
+ group: sonarr
+ mode: u=rwx,og=rx
+ setype: container_file_t
+ state: directory
+ notify:
+ - relocate sonarr logs
+ tags:
+ - logdir
+- meta: flush_handlers
+- name: ensure sonarr logs directory symlink exists
+ file:
+ path: /var/lib/sonarr/logs
+ src: /var/log/sonarr
+ state: link
+ tags:
+ - logdir
+
+- name: ensure podman is installed
+ package:
+ name:
+ - container-selinux
+ - podman
+ state: present
+ tags:
+ - install
+
+- name: ensure sonarr container image is present
+ podman_image:
+ name: '{{ sonarr_container_image }}:{{ sonarr_version }}'
+ username: '{{ sonarr_image_pull_username | d(omit) }}'
+ password: '{{ sonarr_image_pull_password | d(omit) }}'
+ force: '{{ sonarr_force_pull_image | d(false) }}'
+ state: present
+ notify:
+ - restart sonarr
+ tags:
+ - container-image
+
+- name: ensure sonarr.container systemd unit exists
+ template:
+ src: sonarr.container.j2
+ dest: /etc/containers/systemd/sonarr.container
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ - restart sonarr
+ tags:
+ - systemd
+ - container
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure sonarr starts at boot
+ systemd:
+ name: sonarr
+ enabled: true
+ tags:
+ - service
+- name: ensure sonarr is running
+ systemd:
+ name: sonarr
+ state: started
+ tags:
+ - service
+
+- name: ensure apache is configured to proxy for sonarr
+ template:
+ src: sonarr.httpd.conf.j2
+ dest: /etc/httpd/conf.d/sonarr.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload httpd
+ tags:
+ - apache-config
diff --git a/roles/sonarr/templates/sonarr.container.j2 b/roles/sonarr/templates/sonarr.container.j2
new file mode 100644
index 0000000..dc06b75
--- /dev/null
+++ b/roles/sonarr/templates/sonarr.container.j2
@@ -0,0 +1,37 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Sonarr TV Library Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ sonarr_container_image }}:{{ sonarr_version }}
+Volume=/var/log/sonarr:/var/log/sonarr:rw
+Volume=/var/lib/sonarr:/var/lib/sonarr:rw
+{% for mount in sonarr_path_mounts %}
+Mount={{ mount }}
+{% endfor %}
+GroupAdd=media
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0022
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/sonarr/templates/sonarr.httpd.conf.j2 b/roles/sonarr/templates/sonarr.httpd.conf.j2
new file mode 100644
index 0000000..10091e5
--- /dev/null
+++ b/roles/sonarr/templates/sonarr.httpd.conf.j2
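Review bot: The `ensure sonarr container image is present` task passes `sonarr_image_pull_password` to `podman_image` without `no_log: true`; unless the module itself marks that parameter as no_log, a failed pull or a verbose run prints the registry credential in the task result and in any log aggregation, so add `no_log: true` on that task. Separately, `/var/lib/sonarr` is created `u=rwx,og=rx` and the unit's `UMask=0022` makes the files Sonarr writes there world-readable; for Sonarr that directory normally holds `config.xml` with the API key and the SQLite database, so `mode: u=rwx,g=rx,o=` on the data directory (and arguably `/var/log/sonarr`) keeps other local accounts out. The `home: /var/lib/sonarr` with `createhome: false` relies on the following `file` task to create the directory, which is fine as long as the two tasks are not run with disjoint tags.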
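Review bot: `Network=host` in `[Container]` exposes Sonarr's listener on TCP 8989 on every host interface, so the Apache vhost that adds TLS and HSTS can be bypassed by connecting to port 8989 directly, and the proxy target `localhost:8989` gains nothing from host networking. If host networking is not needed for download-client or indexer reachability, drop `Network=host` and add `PublishPort=127.0.0.1:8989:8989` so only the local reverse proxy can reach the service; if it is needed, bind Sonarr to loopback or block 8989 in the host firewall. The unit also sets no `User=`/`UserNS=` and no `DropCapability=all`, so the process runs with whatever user and capability set the image defaults to; if the image already runs as uid 8989 that is fine, but `DropCapability=all` is a cheap companion to `NoNewPrivileges=yes`.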
@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+
+ ServerName sonarr.pyrocufflink.blue
+
+ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+ SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+
+ RewriteEngine On
+ RewriteCond %{HTTP:Upgrade} =websocket [NC]
+ RewriteRule /(.*) ws://localhost:8989/$1 [P,L]
+ RewriteRule /(.*) http://localhost:8989/$1 [P,L]
+ ProxyPassReverse / http://localhost:8989/
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
diff --git a/servarr.yml b/servarr.yml
index f19d646..d731add 100644
--- a/servarr.yml
+++ b/servarr.yml
@@ -1,2 +1,3 @@
 - import_playbook: prowlarr.yml
 - import_playbook: radarr.yml
+- import_playbook: sonarr.yml
diff --git a/sonarr.yml b/sonarr.yml
new file mode 100644
index 0000000..1400c44
--- /dev/null
+++ b/sonarr.yml
@@ -0,0 +1,5 @@
+- hosts: sonarr
+ roles:
+ - role: sonarr
+ tags:
+ - sonarr
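Review bot: The vhost for `sonarr.pyrocufflink.blue` is served with `/etc/pki/tls/certs/localhost.crt`, and `SSLCertificateChainFile` points at that same leaf certificate, so unless another role replaces those files the name will never match the certificate presented. Sending `Strict-Transport-Security "max-age=63072000; includeSubDomains"` on every response is risky in that state: once a browser has recorded the header from a trusted connection, any later certificate error becomes un-bypassable for two years, so either template the real certificate paths (and drop `SSLCertificateChainFile`, deprecated since httpd 2.4.8 and pointless when it names the leaf) or hold the HSTS header until a trusted certificate is in place. With `ProxyPreserveHost On` the backend sees the public Host header and will build redirects from it, so `ProxyPassReverse / http://localhost:8989/` may never match; adding `RequestHeader set X-Forwarded-Proto "https"` lets Sonarr emit the right scheme, assuming it honours forwarded headers.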