prowlarr: Deploy Prowlarr in a Podman container

The `prowlarr.yml` playbook and corresponding role deploy Prowlarr, the
indexer manager for the *arr suite, in a Podman container.

Note that we're relocating the log files from the Prowlarr AppData
directory to `/var/log/prowlarr` so they can be picked up by Fluent Bit.

hosts

@@ -178,6 +178,8 @@ nvr2.pyrocufflink.blue
 [postgresql]
 db0.pyrocufflink.blue
 
+[prowlarr]
+
 [public-web]
 web0.pyrocufflink.blue
 
@@ -241,6 +243,7 @@ dc-grumbly.pyrocufflink.blue
 chromie.pyrocufflink.blue
 
 [servarr:children]
+prowlarr
 radarr
 
 [smtp-relay]

prowlarr.yml

@@ -0,0 +1,5 @@
+- hosts: prowlarr
+  roles:
+  - role: prowlarr
+    tags:
+    - prowlarr

roles/prowlarr/defaults/main.yml

@@ -0,0 +1,2 @@
+prowlarr_container_image: git.pyrocufflink.net/packages/prowlarr
+prowlarr_version: 2.3.0.5236

roles/prowlarr/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: relocate prowlarr logs
+  shell: |
+    if [ ! -h /var/lib/prowlarr/logs ]; then
+        mv /var/lib/prowlarr/logs/*.txt /var/log/prowlarr/
+        rmdir /var/lib/prowlarr/logs
+    fi
+
+- name: restart prowlarr
+  service:
+    name: prowlarr
+    state: restarted

roles/prowlarr/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base

roles/prowlarr/tasks/main.yml

@@ -0,0 +1,112 @@
+- name: ensure prowlarr group exists
+  group:
+    name: prowlarr
+    gid: 9696
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure prowlarr user exists
+  user:
+    name: prowlarr
+    uid: 9696
+    group: prowlarr
+    system: true
+    home: /var/lib/prowlarr
+    createhome: false
+    state: present
+  tags:
+   - user
+
+- name: ensure prowlarr data directory exists
+  file:
+    path: /var/lib/prowlarr
+    owner: prowlarr
+    group: prowlarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure prowlarr log directory exists
+  file:
+    path: /var/log/prowlarr
+    owner: prowlarr
+    group: prowlarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  notify:
+  - relocate prowlarr logs
+  tags:
+  - logdir
+- meta: flush_handlers
+- name: ensure prowlarr logs directory symlink exists
+  file:
+    path: /var/lib/prowlarr/logs
+    src: /var/log/prowlarr
+    state: link
+  tags:
+  - logdir
+
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+  tags:
+  - install
+
+- name: ensure prowlarr container image is present
+  podman_image:
+    name: '{{ prowlarr_container_image }}:{{ prowlarr_version }}'
+    username: '{{ prowlarr_image_pull_username | d(omit) }}'
+    password: '{{ prowlarr_image_pull_password | d(omit) }}'
+    state: present
+  tags:
+  - container-image
+
+- name: ensure prowlarr.container systemd unit exists
+  template:
+    src: prowlarr.container.j2
+    dest: /etc/containers/systemd/prowlarr.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart prowlarr
+  tags:
+  - systemd
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure prowlarr starts at boot
+  systemd:
+    name: prowlarr
+    enabled: true
+  tags:
+  - service
+- name: ensure prowlarr is running
+  systemd:
+    name: prowlarr
+    state: started
+  tags:
+  - service
+
+- name: ensure apache is configured to proxy for prowlarr
+  template:
+    src: prowlarr.httpd.conf.j2
+    dest: /etc/httpd/conf.d/prowlarr.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload httpd
+  tags:
+  - apache-config

roles/prowlarr/templates/prowlarr.container.j2

@@ -0,0 +1,33 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Prowlarr Indexer Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ prowlarr_container_image }}:{{ prowlarr_version }}
+Volume=/var/log/prowlarr:/var/log/prowlarr:rw
+Volume=/var/lib/prowlarr:/var/lib/prowlarr:rw
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

roles/prowlarr/templates/prowlarr.httpd.conf.j2

@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+<VirtualHost _default_:443>
+    ServerName prowlarr.pyrocufflink.blue
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:9696/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:9696/$1 [P,L]
+    ProxyPassReverse / http://localhost:9696/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>

servarr.yml

@@ -1 +1,2 @@
+- import_playbook: prowlarr.yml
 - import_playbook: radarr.yml