diff --git a/hosts b/hosts
index 8773eb2..62256e4 100644
--- a/hosts
+++ b/hosts
@@ -178,6 +178,8 @@ nvr2.pyrocufflink.blue [postgresql] db0.pyrocufflink.blue +[prowlarr] + [public-web] web0.pyrocufflink.blue
@@ -241,6 +243,7 @@ dc-grumbly.pyrocufflink.blue chromie.pyrocufflink.blue [servarr:children] +prowlarr radarr [smtp-relay]
diff --git a/prowlarr.yml b/prowlarr.yml
new file mode 100644
index 0000000..e590559
--- /dev/null
+++ b/prowlarr.yml
@@ -0,0 +1,5 @@
+- hosts: prowlarr
+ roles:
+ - role: prowlarr
+ tags:
+ - prowlarr
diff --git a/roles/prowlarr/defaults/main.yml b/roles/prowlarr/defaults/main.yml
new file mode 100644
index 0000000..856ec85
--- /dev/null
+++ b/roles/prowlarr/defaults/main.yml
@@ -0,0 +1,2 @@
+prowlarr_container_image: git.pyrocufflink.net/packages/prowlarr
+prowlarr_version: 2.3.0.5236
diff --git a/roles/prowlarr/handlers/main.yml b/roles/prowlarr/handlers/main.yml
new file mode 100644
index 0000000..4201dc1
--- /dev/null
+++ b/roles/prowlarr/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: relocate prowlarr logs
+ shell: |
+ if [ ! -h /var/lib/prowlarr/logs ]; then
+ mv /var/lib/prowlarr/logs/*.txt /var/log/prowlarr/
+ rmdir /var/lib/prowlarr/logs
+ fi
+
+- name: restart prowlarr
+ service:
+ name: prowlarr
+ state: restarted
diff --git a/roles/prowlarr/meta/main.yml b/roles/prowlarr/meta/main.yml
new file mode 100644
index 0000000..25967ae
--- /dev/null
+++ b/roles/prowlarr/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base
diff --git a/roles/prowlarr/tasks/main.yml b/roles/prowlarr/tasks/main.yml
new file mode 100644
index 0000000..6db5f54
--- /dev/null
+++ b/roles/prowlarr/tasks/main.yml
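Review bot: In roles/prowlarr/handlers/main.yml, the `relocate prowlarr logs` handler fails on a fresh host: when /var/lib/prowlarr/logs does not exist, `[ ! -h … ]` is still true, so `mv` and `rmdir` both error and the non-zero status of `rmdir` fails the handler, which roles/prowlarr/tasks/main.yml flushes right after creating /var/log/prowlarr. It also fails when the directory holds files that do not match `*.txt`, since `rmdir` then refuses a non-empty directory. Guard on a real directory first, `if [ -d /var/lib/prowlarr/logs ] && [ ! -h /var/lib/prowlarr/logs ]; then`, and consider `set -e` at the top of the script so a failed `mv` is reported rather than masked by `rmdir`.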
@@ -0,0 +1,112 @@
+- name: ensure prowlarr group exists
+ group:
+ name: prowlarr
+ gid: 9696
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+- name: ensure prowlarr user exists
+ user:
+ name: prowlarr
+ uid: 9696
+ group: prowlarr
+ system: true
+ home: /var/lib/prowlarr
+ createhome: false
+ state: present
+ tags:
+ - user
+
+- name: ensure prowlarr data directory exists
+ file:
+ path: /var/lib/prowlarr
+ owner: prowlarr
+ group: prowlarr
+ mode: u=rwx,og=rx
+ setype: container_file_t
+ state: directory
+ tags:
+ - datadir
+
+- name: ensure prowlarr log directory exists
+ file:
+ path: /var/log/prowlarr
+ owner: prowlarr
+ group: prowlarr
+ mode: u=rwx,og=rx
+ setype: container_file_t
+ state: directory
+ notify:
+ - relocate prowlarr logs
+ tags:
+ - logdir
+- meta: flush_handlers
+- name: ensure prowlarr logs directory symlink exists
+ file:
+ path: /var/lib/prowlarr/logs
+ src: /var/log/prowlarr
+ state: link
+ tags:
+ - logdir
+
+- name: ensure podman is installed
+ package:
+ name:
+ - container-selinux
+ - podman
+ state: present
+ tags:
+ - install
+
+- name: ensure prowlarr container image is present
+ podman_image:
+ name: '{{ prowlarr_container_image }}:{{ prowlarr_version }}'
+ username: '{{ prowlarr_image_pull_username | d(omit) }}'
+ password: '{{ prowlarr_image_pull_password | d(omit) }}'
+ state: present
+ tags:
+ - container-image
+
+- name: ensure prowlarr.container systemd unit exists
+ template:
+ src: prowlarr.container.j2
+ dest: /etc/containers/systemd/prowlarr.container
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ - restart prowlarr
+ tags:
+ - systemd
+ - container
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure prowlarr starts at boot
+ systemd:
+ name: prowlarr
+ enabled: true
+ tags:
+ - service
+- name: ensure prowlarr is running
+ systemd:
+ name: prowlarr
+ state: started
+ tags:
+ - service
+
+- name: ensure apache is configured to proxy for prowlarr
+ template:
+ src:
prowlarr.httpd.conf.j2
+ dest: /etc/httpd/conf.d/prowlarr.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload httpd
+ tags:
+ - apache-config
diff --git a/roles/prowlarr/templates/prowlarr.container.j2 b/roles/prowlarr/templates/prowlarr.container.j2
new file mode 100644
index 0000000..ca65a7a
--- /dev/null
+++ b/roles/prowlarr/templates/prowlarr.container.j2
@@ -0,0 +1,33 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Prowlarr Indexer Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ prowlarr_container_image }}:{{ prowlarr_version }}
+Volume=/var/log/prowlarr:/var/log/prowlarr:rw
+Volume=/var/lib/prowlarr:/var/lib/prowlarr:rw
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/prowlarr/templates/prowlarr.httpd.conf.j2 b/roles/prowlarr/templates/prowlarr.httpd.conf.j2
new file mode 100644
index 0000000..52572f0
--- /dev/null
+++ b/roles/prowlarr/templates/prowlarr.httpd.conf.j2
@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+
+ ServerName prowlarr.pyrocufflink.blue
+
+ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+ SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+
+ RewriteEngine On
+ RewriteCond %{HTTP:Upgrade} =websocket [NC]
+ RewriteRule /(.*) ws://localhost:9696/$1 [P,L]
+ RewriteRule /(.*) http://localhost:9696/$1 [P,L]
+ ProxyPassReverse / http://localhost:9696/
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
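Review bot: In roles/prowlarr/tasks/main.yml, `ensure prowlarr data directory exists` creates /var/lib/prowlarr with `mode: u=rwx,og=rx`, so every local account can list and traverse the application's state directory. That directory presumably holds Prowlarr's configuration and database (worth confirming), and the `UMask=0077` in the unit's [Service] section may not carry over to the process inside the container, so files written there could end up world-readable. Unless something other than the prowlarr user has to read it, `mode: u=rwx,go=` is the safer default; the same question applies to /var/log/prowlarr.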
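Review bot: `Network=host` in the [Container] section of prowlarr.container.j2 puts the service in the host's network namespace, so whatever address Prowlarr binds on port 9696 is reachable without passing through the Apache TLS virtual host added in this commit. The proxy only needs loopback; if the image listens on all interfaces (not visible here), replace the line with `PublishPort=127.0.0.1:9696:9696` or confirm that the host firewall blocks 9696. `DropCapability=all` would also fit the hardening already present (`ReadOnly=true`, `NoNewPrivileges=yes`), provided the image does not rely on any capability.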
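Review bot: The TLS directives in prowlarr.httpd.conf.j2 point at the distribution's default `localhost.crt`/`localhost.key` pair; if nothing else in the playbooks replaces those files with a certificate issued for prowlarr.pyrocufflink.blue, clients get an untrusted certificate and browsers disregard the `Strict-Transport-Security` header sent over that connection. `SSLCertificateChainFile` naming the same file as `SSLCertificateFile` adds nothing, and the directive is deprecated in Apache 2.4.8 and later, so that line can be dropped. The enclosing virtual-host lines are not visible on this page, so the listen address and port could not be checked.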
diff --git a/servarr.yml b/servarr.yml
index afda8c5..f19d646 100644
--- a/servarr.yml
+++ b/servarr.yml
@@ -1 +1,2 @@
+- import_playbook: prowlarr.yml
 - import_playbook: radarr.yml