radarr: Deploy Radarr in a Podman container

The `radarr.yml` playbook and corresponding role deploy Radarr, the movie library/download manager, in a Podman container. Note that we're relocating the log files from the Radarr AppData directory to `/var/log/radarr` so they can be picked up by Fluent Bit.
2025-12-03 22:06:02 -06:00
parent 6ad76e4b33
commit a41a3fa3d0
9 changed files with 212 additions and 0 deletions
--- a/5
+++ b/5
@@ -203,6 +203,8 @@ pyrocufflink

 [pyrocufflink-dhcp]

+[radarr]
+
 [radius:children]
 samba-dc

@@ -238,6 +240,9 @@ dc-grumbly.pyrocufflink.blue
 [serterm]
 chromie.pyrocufflink.blue

+[servarr:children]
+radarr
+
 [smtp-relay]
 smtp1.pyrocufflink.blue

--- a/radarr.yml
+++ b/radarr.yml
@@ -0,0 +1,5 @@
+- hosts: radarr
+  roles:
+  - role: radarr
+    tags:
+    - radarr
--- a/roles/radarr/defaults/main.yml
+++ b/roles/radarr/defaults/main.yml
@@ -0,0 +1,4 @@
+radarr_container_image: git.pyrocufflink.net/packages/radarr
+radarr_version: 6.0.4.10291
+
+radarr_path_mounts: []
--- a/roles/radarr/handlers/main.yml
+++ b/roles/radarr/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: relocate radarr logs
+  shell: |
+    if [ ! -h /var/lib/radarr/logs ]; then
+        mv /var/lib/radarr/logs/*.txt /var/log/radarr/
+        rmdir /var/lib/radarr/logs
+    fi
+
+- name: restart radarr
+  service:
+    name: radarr
+    state: restarted
--- a/roles/radarr/meta/main.yml
+++ b/roles/radarr/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base
--- a/roles/radarr/tasks/main.yml
+++ b/roles/radarr/tasks/main.yml
@@ -0,0 +1,126 @@
+- name: ensure media group exists
+  group:
+    name: media
+    gid: 9000
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure radarr group exists
+  group:
+    name: radarr
+    gid: 7878
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure radarr user exists
+  user:
+    name: radarr
+    uid: 7878
+    group: radarr
+    groups:
+    - media
+    system: true
+    home: /var/lib/radarr
+    createhome: false
+    state: present
+  tags:
+   - user
+
+- name: ensure radarr data directory exists
+  file:
+    path: /var/lib/radarr
+    owner: radarr
+    group: radarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure radarr log directory exists
+  file:
+    path: /var/log/radarr
+    owner: radarr
+    group: radarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  notify:
+  - relocate radarr logs
+  tags:
+  - logdir
+- meta: flush_handlers
+- name: ensure radarr logs directory symlink exists
+  file:
+    path: /var/lib/radarr/logs
+    src: /var/log/radarr
+    state: link
+  tags:
+  - logdir
+
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+  tags:
+  - install
+
+- name: ensure radarr container image is present
+  podman_image:
+    name: '{{ radarr_container_image }}:{{ radarr_version }}'
+    username: '{{ radarr_image_pull_username | d(omit) }}'
+    password: '{{ radarr_image_pull_password | d(omit) }}'
+    force: '{{ radarr_force_pull_image | d(false) }}'
+    state: present
+  notify:
+  - restart radarr
+  tags:
+  - container-image
+
+- name: ensure radarr.container systemd unit exists
+  template:
+    src: radarr.container.j2
+    dest: /etc/containers/systemd/radarr.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart radarr
+  tags:
+  - systemd
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure radarr starts at boot
+  systemd:
+    name: radarr
+    enabled: true
+  tags:
+  - service
+- name: ensure radarr is running
+  systemd:
+    name: radarr
+    state: started
+  tags:
+  - service
+
+- name: ensure apache is configured to proxy for radarr
+  template:
+    src: radarr.httpd.conf.j2
+    dest: /etc/httpd/conf.d/radarr.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload httpd
+  tags:
+  - apache-config
--- a/roles/radarr/templates/radarr.container.j2
+++ b/roles/radarr/templates/radarr.container.j2
@@ -0,0 +1,37 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Radarr Movie Library Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ radarr_container_image }}:{{ radarr_version }}
+Volume=/var/log/radarr:/var/log/radarr:rw
+Volume=/var/lib/radarr:/var/lib/radarr:rw
+{% for mount in radarr_path_mounts %}
+Mount={{ mount }}
+{% endfor %}
+GroupAdd=media
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0022
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/radarr/templates/radarr.httpd.conf.j2
+++ b/roles/radarr/templates/radarr.httpd.conf.j2
@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+<VirtualHost _default_:443>
+    ServerName radarr.pyrocufflink.blue
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:7878/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:7878/$1 [P,L]
+    ProxyPassReverse / http://localhost:7878/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>
--- a/servarr.yml
+++ b/servarr.yml
@@ -0,0 +1 @@
+- import_playbook: radarr.yml