From a41a3fa3d071479c607fed4a167da36fa69b43ee Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Wed, 3 Dec 2025 22:06:02 -0600 Subject: [PATCH] radarr: Deploy Radarr in a Podman container The `radarr.yml` playbook and corresponding role deploy Radarr, the movie library/download manager, in a Podman container. Note that we're relocating the log files from the Radarr AppData directory to `/var/log/radarr` so they can be picked up by Fluent Bit. --- hosts | 5 + radarr.yml | 5 + roles/radarr/defaults/main.yml | 4 + roles/radarr/handlers/main.yml | 11 ++ roles/radarr/meta/main.yml | 3 + roles/radarr/tasks/main.yml | 126 ++++++++++++++++++++ roles/radarr/templates/radarr.container.j2 | 37 ++++++ roles/radarr/templates/radarr.httpd.conf.j2 | 20 ++++ servarr.yml | 1 + 9 files changed, 212 insertions(+) create mode 100644 radarr.yml create mode 100644 roles/radarr/defaults/main.yml create mode 100644 roles/radarr/handlers/main.yml create mode 100644 roles/radarr/meta/main.yml create mode 100644 roles/radarr/tasks/main.yml create mode 100644 roles/radarr/templates/radarr.container.j2 create mode 100644 roles/radarr/templates/radarr.httpd.conf.j2 create mode 100644 servarr.yml diff --git a/hosts b/hosts index 83bf22d..8773eb2 100644 --- a/hosts +++ b/hosts @@ -203,6 +203,8 @@ pyrocufflink [pyrocufflink-dhcp] +[radarr] + [radius:children] samba-dc @@ -238,6 +240,9 @@ dc-grumbly.pyrocufflink.blue [serterm] chromie.pyrocufflink.blue +[servarr:children] +radarr + [smtp-relay] smtp1.pyrocufflink.blue diff --git a/radarr.yml b/radarr.yml new file mode 100644 index 0000000..003c2b7 --- /dev/null +++ b/radarr.yml @@ -0,0 +1,5 @@ +- hosts: radarr + roles: + - role: radarr + tags: + - radarr diff --git a/roles/radarr/defaults/main.yml b/roles/radarr/defaults/main.yml new file mode 100644 index 0000000..52bad5f --- /dev/null +++ b/roles/radarr/defaults/main.yml 
@@ -0,0 +1,4 @@
+radarr_container_image: git.pyrocufflink.net/packages/radarr
+radarr_version: 6.0.4.10291
+
+radarr_path_mounts: []
diff --git a/roles/radarr/handlers/main.yml b/roles/radarr/handlers/main.yml
new file mode 100644
index 0000000..863f1b2
--- /dev/null
+++ b/roles/radarr/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: relocate radarr logs
+ shell: |
+ if [ ! -h /var/lib/radarr/logs ]; then
+ mv /var/lib/radarr/logs/*.txt /var/log/radarr/
+ rmdir /var/lib/radarr/logs
+ fi
+
+- name: restart radarr
+ service:
+ name: radarr
+ state: restarted
diff --git a/roles/radarr/meta/main.yml b/roles/radarr/meta/main.yml
new file mode 100644
index 0000000..25967ae
--- /dev/null
+++ b/roles/radarr/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base
diff --git a/roles/radarr/tasks/main.yml b/roles/radarr/tasks/main.yml
new file mode 100644
index 0000000..a665377
--- /dev/null
+++ b/roles/radarr/tasks/main.yml
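Review bot: The `relocate radarr logs` handler appears to fail on a host where Radarr has never run, because `[ ! -h /var/lib/radarr/logs ]` is also true when the path does not exist, so `mv` and `rmdir` both error and the shell block exits non-zero. Guarding on a real directory avoids that: `if [ -d /var/lib/radarr/logs ] && [ ! -h /var/lib/radarr/logs ]; then`. Nothing in the handler stops the service before the move, so a log file written in between can be left behind and make `rmdir` fail; a short comment stating that the handler expects Radarr to be stopped (or a stop step before it) would make that assumption explicit.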
@@ -0,0 +1,126 @@
+- name: ensure media group exists
+ group:
+ name: media
+ gid: 9000
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+- name: ensure radarr group exists
+ group:
+ name: radarr
+ gid: 7878
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+- name: ensure radarr user exists
+ user:
+ name: radarr
+ uid: 7878
+ group: radarr
+ groups:
+ - media
+ system: true
+ home: /var/lib/radarr
+ createhome: false
+ state: present
+ tags:
+ - user
+
+- name: ensure radarr data directory exists
+ file:
+ path: /var/lib/radarr
+ owner: radarr
+ group: radarr
+ mode: u=rwx,og=rx
+ setype: container_file_t
+ state: directory
+ tags:
+ - datadir
+
+- name: ensure radarr log directory exists
+ file:
+ path: /var/log/radarr
+ owner: radarr
+ group: radarr
+ mode: u=rwx,og=rx
+ setype: container_file_t
+ state: directory
+ notify:
+ - relocate radarr logs
+ tags:
+ - logdir
+- meta: flush_handlers
+- name: ensure radarr logs directory symlink exists
+ file:
+ path: /var/lib/radarr/logs
+ src: /var/log/radarr
+ state: link
+ tags:
+ - logdir
+
+- name: ensure podman is installed
+ package:
+ name:
+ - container-selinux
+ - podman
+ state: present
+ tags:
+ - install
+
+- name: ensure radarr container image is present
+ podman_image:
+ name: '{{ radarr_container_image }}:{{ radarr_version }}'
+ username: '{{ radarr_image_pull_username | d(omit) }}'
+ password: '{{ radarr_image_pull_password | d(omit) }}'
+ force: '{{ radarr_force_pull_image | d(false) }}'
+ state: present
+ notify:
+ - restart radarr
+ tags:
+ - container-image
+
+- name: ensure radarr.container systemd unit exists
+ template:
+ src: radarr.container.j2
+ dest: /etc/containers/systemd/radarr.container
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ - restart radarr
+ tags:
+ - systemd
+ - container
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure radarr starts at boot
+ systemd:
+ name: radarr
+ enabled: true
+ tags:
+ - service
+- name: ensure radarr is running
+ systemd:
+ name: radarr
+ state: started
+ tags:
+ - service
+
+- name: ensure apache is configured to proxy for radarr
+ template:
+ src: radarr.httpd.conf.j2
+ dest: /etc/httpd/conf.d/radarr.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload httpd
+ tags:
+ - apache-config
diff --git a/roles/radarr/templates/radarr.container.j2 b/roles/radarr/templates/radarr.container.j2
new file mode 100644
index 0000000..1e93c94
--- /dev/null
+++ b/roles/radarr/templates/radarr.container.j2
@@ -0,0 +1,37 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Radarr Movie Library Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ radarr_container_image }}:{{ radarr_version }}
+Volume=/var/log/radarr:/var/log/radarr:rw
+Volume=/var/lib/radarr:/var/lib/radarr:rw
+{% for mount in radarr_path_mounts %}
+Mount={{ mount }}
+{% endfor %}
+GroupAdd=media
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0022
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/radarr/templates/radarr.httpd.conf.j2 b/roles/radarr/templates/radarr.httpd.conf.j2
new file mode 100644
index 0000000..8c1292a
--- /dev/null
+++ b/roles/radarr/templates/radarr.httpd.conf.j2
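Review bot: In `ensure radarr data directory exists`, `mode: u=rwx,og=rx` leaves `/var/lib/radarr` traversable and listable by every local account. The commit message identifies this as Radarr's AppData directory, which normally holds `config.xml` with the API key and the application database, so other users on the host could presumably read them. Unless something outside this role needs access, I would use `mode: u=rwx,go=` for the data directory and keep the wider mode only on `/var/log/radarr`, where Fluent Bit has to read the logs.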
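Review bot: `Network=host` puts Radarr's listener on the host's network stack, so unless its bind address is restricted elsewhere, port 7878 is reachable in cleartext from the network and bypasses the TLS virtual host that proxies to `localhost:7878`. If the container does not need host networking, `PublishPort=127.0.0.1:7878:7878` in place of `Network=host` would keep the backend loopback-only; otherwise a firewall rule or Radarr's own bind-address setting should cover it, and a comment here should say which. The `Mount={{ mount }}` loop writes each `radarr_path_mounts` entry verbatim, so a one-line comment stating that every entry must be a complete Quadlet `Mount=` value would help whoever sets the variable.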
@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+
+ ServerName radarr.pyrocufflink.blue
+
+ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+ SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+
+ RewriteEngine On
+ RewriteCond %{HTTP:Upgrade} =websocket [NC]
+ RewriteRule /(.*) ws://localhost:7878/$1 [P,L]
+ RewriteRule /(.*) http://localhost:7878/$1 [P,L]
+ ProxyPassReverse / http://localhost:7878/
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
diff --git a/servarr.yml b/servarr.yml
new file mode 100644
index 0000000..afda8c5
--- /dev/null
+++ b/servarr.yml
@@ -0,0 +1 @@
+- import_playbook: radarr.yml
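Review bot: Both `RewriteRule` patterns are unanchored (`/(.*)`), and with the `[P]` flag it is worth making the match explicit so that only the full request path is ever substituted into the backend URL: `RewriteRule ^/(.*)$ ws://localhost:7878/$1 [P,L]` and `RewriteRule ^/(.*)$ http://localhost:7878/$1 [P,L]`. `SSLCertificateChainFile` has been deprecated since httpd 2.4.8 in favour of putting the chain in the `SSLCertificateFile` file, and here both directives point at the same `localhost.crt` anyway. The lines that would open and close the enclosing block are empty in this hunk as shown, so I cannot tell which address and port the settings apply to.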