prowlarr: Deploy Prowlarr in a Podman container

The `prowlarr.yml` playbook and corresponding role deploy Prowlarr, the
indexer manager for the *arr suite, in a Podman container.

Note that we're relocating the log files from the Prowlarr AppData
directory to `/var/log/prowlarr` so they can be picked up by Fluent Bit.

roles/prowlarr/templates/prowlarr.container.j2

@@ -0,0 +1,33 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Prowlarr Indexer Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ prowlarr_container_image }}:{{ prowlarr_version }}
+Volume=/var/log/prowlarr:/var/log/prowlarr:rw
+Volume=/var/lib/prowlarr:/var/lib/prowlarr:rw
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

roles/prowlarr/templates/prowlarr.httpd.conf.j2

@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+<VirtualHost _default_:443>
+    ServerName prowlarr.pyrocufflink.blue
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:9696/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:9696/$1 [P,L]
+    ProxyPassReverse / http://localhost:9696/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>