Deploy Radarr, Sonarr, Prowlarr on file0.p.b

I had originally intended to deploy Radarr, Sonarr, and Prowlarr on
Kubernetes.  Unfortunately, this turned out to be problematic, as I
would need a way to share the download directory between Radarr/Sonar
and Aria2, and the media directory between Radarr/Sonarr and Jellyfin.
The only way I could fathom to do this would be to expose both
directories via NFS and mount that share into the pods.  I decided this
would be too much of a hassle for no real gain, at least not in the
short term.  Instead, it makes more sense to deploy the *arr suite on
the same server as Aria2 and Jellyfin, which is essentially what the
community expects.

The recommended images for deploying the applications in containers are
pretty crappy. I didn't really want to mess with trying to get the
them to work natively on Fedora, nor deal with installing them from
tarballs with Ansible, so I created my own Debian-based container images
for them and deployed those via Podman+Quadlet.  These images are
published to the _Packages_ organization in Gitea, which is not public
and requires authentication.  We can use the Kubernetes Secret to obtain
the authentication token to use to pull the image.

group_vars/private-oci-registry.yml

@@ -0,0 +1,16 @@
+oci_registry_auth_secret: >-
+  {{ lookup(
+    "cache",
+    "kubernetes.core.k8s",
+    kind="Secret",
+    namespace="default",
+    resource_name="imagepull-gitea"
+  ) }}
+
+oci_registry_auth: >-
+  {{ (oci_registry_auth_secret
+       .data[".dockerconfigjson"]
+       | b64decode
+       | from_json
+     ).auths["git.pyrocufflink.net"]
+  }}

group_vars/prowlarr.yml

@@ -0,0 +1,4 @@
+prowlarr_image_pull_username: >-
+  {{ oci_registry_auth.username }}
+prowlarr_image_pull_password: >-
+  {{ oci_registry_auth.password }}

group_vars/radarr.yml

@@ -0,0 +1,8 @@
+radarr_path_mounts:
+- type=bind,src=/srv/cifs/Downloads/00aria2,dst=/media/downloads
+- type=bind,src=/srv/cifs/Movies,dst=/media/Movies
+
+radarr_image_pull_username: >-
+  {{ oci_registry_auth.username }}
+radarr_image_pull_password: >-
+  {{ oci_registry_auth.password }}

group_vars/servarr.yml

@@ -0,0 +1,9 @@
+fluent_bit_output_servarr:
+  name: http
+  alias: vlogs.servarr
+  match: servarr
+  uri: /insert/jsonline?_stream_fields=hostname,filename&_msg_field=log&_time_field=date
+
+fluent_bit_servarr_outputs:
+- >-
+  {{ fluent_bit_output_servarr | combine(fluent_bit_output_template_victorialogs) }}

group_vars/sonarr.yml

@@ -0,0 +1,8 @@
+sonarr_path_mounts:
+- type=bind,src=/srv/cifs/Downloads/00aria2,dst=/media/downloads
+- type=bind,src='/srv/cifs/TV Shows',dst='/media/TV Shows'
+
+sonarr_image_pull_username: >-
+  {{ oci_registry_auth.username }}
+sonarr_image_pull_password: >-
+  {{ oci_registry_auth.password }}

hosts

@@ -178,6 +178,14 @@ nvr2.pyrocufflink.blue
 [postgresql]
 db0.pyrocufflink.blue
 
+[private-oci-registry:children]
+prowlarr
+radarr
+sonarr
+
+[prowlarr]
+file0.pyrocufflink.blue
+
 [public-web]
 web0.pyrocufflink.blue
 
@@ -203,6 +211,9 @@ pyrocufflink
 
 [pyrocufflink-dhcp]
 
+[radarr]
+file0.pyrocufflink.blue
+
 [radius:children]
 samba-dc
 
@@ -238,12 +249,20 @@ dc-grumbly.pyrocufflink.blue
 [serterm]
 chromie.pyrocufflink.blue
 
+[servarr:children]
+prowlarr
+radarr
+sonarr
+
 [smtp-relay]
 smtp1.pyrocufflink.blue
 
 [smtp-relay:children]
 nextcloud
 
+[sonarr]
+file0.pyrocufflink.blue
+
 [squid]
 
 [sudo]

prowlarr.yml

@@ -0,0 +1,5 @@
+- hosts: prowlarr
+  roles:
+  - role: prowlarr
+    tags:
+    - prowlarr

radarr.yml

@@ -0,0 +1,5 @@
+- hosts: radarr
+  roles:
+  - role: radarr
+    tags:
+    - radarr

roles/apache-base/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: restart httpd
+  service:
+    name: httpd
+    state: restarted
+
+- name: reload httpd
+  service:
+    name: httpd
+    state: reloaded

roles/apache/handlers/main.yml

@@ -1,11 +1,3 @@
-- name: restart httpd
-  service:
-    name=httpd
-    state=restarted
-- name: reload httpd
-  service:
-    name=httpd
-    state=reloaded
 - name: save firewalld configuration
   command:
     firewall-cmd --runtime-to-permanent

roles/apache/meta/main.yml

@@ -2,3 +2,4 @@ dependencies:
 - role: logrotate
   tags:
   - logrotate
+- role: apache-base

roles/fluent-bit-servarr/defaults/main.yml

@@ -0,0 +1 @@
+fluent_bit_servarr_outputs: []

roles/fluent-bit-servarr/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart fluent-bit
+  service:
+    name: fluent-bit
+    state: restarted

roles/fluent-bit-servarr/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- role: systemd-base

roles/fluent-bit-servarr/tasks/main.yml

@@ -0,0 +1,12 @@
+- name: ensure fluent-bit configuration for servarr is in place
+  copy:
+    content: |+
+      {{ fluent_bit_servarr_config | to_nice_yaml(indent=2) }}
+    dest: /etc/fluent-bit/include/servarr.yml
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - restart fluent-bit
+  tags:
+  - config

roles/fluent-bit-servarr/vars/main.yml

@@ -0,0 +1,45 @@
+servarr_logs:
+- /var/log/prowlarr/*.txt
+- /var/log/radarr/*.txt
+- /var/log/sonarr/*.txt
+
+fluent_bit_servarr_config:
+  multiline_parsers:
+  - name: multiline_servarr
+    type: regex
+    flush_timeout: 500
+    rules:
+    - state: start_state
+      regex: ^\d{4}-\d{2}-\d{2} [ 0-2]?\d:\d{2}:\d{2}\.\d+\|
+      next_state: cont
+    - state: cont
+      regex: ^(?!\d{4}-\d{2}-\d{2} [ 0-2]?\d:\d{2}:\d{2}\.\d+\|).*
+      next_state: cont
+
+  parsers:
+  - name: servarr
+    format: regex
+    regex: /^(?<timestamp>\d{4}-\d{2}-\d{2} [ 0-2]?\d:\d{2}:\d{2}\.\d+)\|(?<level>[^|]+)\|(?<logger>[^|]+)\|(?<log>.*)/m
+    time_key: timestamp
+    time_format: '%Y-%m-%d %H:%M:%S.%L'
+
+  pipeline:
+    inputs:
+    - name: tail
+      alias: servarr
+      tag: servarr
+      path: '{{ servarr_logs | join(",") }}'
+      path_key: filename
+      multiline.parser: multiline_servarr
+      db: /var/lib/fluent-bit/servarr.db
+      read_from_head: true
+
+    filters:
+    - name: parser
+      alias: servarr
+      match: servarr
+      key_name: log
+      parser: servarr
+      reserve_data: true
+
+    outputs: '{{ fluent_bit_servarr_outputs }}'

roles/fluent-bit/defaults/main.yml

@@ -1,4 +1,6 @@
 fluent_bit_config:
+  includes:
+  - /etc/fluent-bit/include/*.yml
   service: '{{ fluent_bit_config_service }}'
   parsers: '{{ fluent_bit_parsers }}'
   multiline_parsers: '{{ fluent_bit_multiline_parsers }}'

roles/fluent-bit/tasks/main.yml

@@ -5,6 +5,29 @@
   tags:
   - install
 
+- name: ensure fluent-bit config include directory exists
+  file:
+    path: /etc/fluent-bit/include
+    owner: root
+    group: root
+    mode: u=rwx,go=
+    state: directory
+  tags:
+  - config
+# fluent-bit will fail to start if a glob pattern listed in `includes` does not
+# match any files.  To allow roles to drop additiona configuration files in the
+# include directory without modifying the main configuration file, we need to
+# have an empty file in the include directory all the time.
+- name: ensure fluent-bit empty include file exists
+  copy:
+    dest: /etc/fluent-bit/include/_.yml
+    content: ''
+    owner: root
+    group: root
+    mode: u=rwx,go=
+  tags:
+  - config
+
 - name: ensure fluent-bit is configured
   copy:
     dest: /etc/fluent-bit/fluent-bit.yml

roles/prowlarr/defaults/main.yml

@@ -0,0 +1,2 @@
+prowlarr_container_image: git.pyrocufflink.net/packages/prowlarr
+prowlarr_version: 2.3.0.5236

roles/prowlarr/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: relocate prowlarr logs
+  shell: |
+    if [ ! -h /var/lib/prowlarr/logs ]; then
+        mv /var/lib/prowlarr/logs/*.txt /var/log/prowlarr/
+        rmdir /var/lib/prowlarr/logs
+    fi
+
+- name: restart prowlarr
+  service:
+    name: prowlarr
+    state: restarted

roles/prowlarr/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base

roles/prowlarr/tasks/main.yml

@@ -0,0 +1,112 @@
+- name: ensure prowlarr group exists
+  group:
+    name: prowlarr
+    gid: 9696
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure prowlarr user exists
+  user:
+    name: prowlarr
+    uid: 9696
+    group: prowlarr
+    system: true
+    home: /var/lib/prowlarr
+    createhome: false
+    state: present
+  tags:
+   - user
+
+- name: ensure prowlarr data directory exists
+  file:
+    path: /var/lib/prowlarr
+    owner: prowlarr
+    group: prowlarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure prowlarr log directory exists
+  file:
+    path: /var/log/prowlarr
+    owner: prowlarr
+    group: prowlarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  notify:
+  - relocate prowlarr logs
+  tags:
+  - logdir
+- meta: flush_handlers
+- name: ensure prowlarr logs directory symlink exists
+  file:
+    path: /var/lib/prowlarr/logs
+    src: /var/log/prowlarr
+    state: link
+  tags:
+  - logdir
+
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+  tags:
+  - install
+
+- name: ensure prowlarr container image is present
+  podman_image:
+    name: '{{ prowlarr_container_image }}:{{ prowlarr_version }}'
+    username: '{{ prowlarr_image_pull_username | d(omit) }}'
+    password: '{{ prowlarr_image_pull_password | d(omit) }}'
+    state: present
+  tags:
+  - container-image
+
+- name: ensure prowlarr.container systemd unit exists
+  template:
+    src: prowlarr.container.j2
+    dest: /etc/containers/systemd/prowlarr.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart prowlarr
+  tags:
+  - systemd
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure prowlarr starts at boot
+  systemd:
+    name: prowlarr
+    enabled: true
+  tags:
+  - service
+- name: ensure prowlarr is running
+  systemd:
+    name: prowlarr
+    state: started
+  tags:
+  - service
+
+- name: ensure apache is configured to proxy for prowlarr
+  template:
+    src: prowlarr.httpd.conf.j2
+    dest: /etc/httpd/conf.d/prowlarr.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload httpd
+  tags:
+  - apache-config

roles/prowlarr/templates/prowlarr.container.j2

@@ -0,0 +1,33 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Prowlarr Indexer Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ prowlarr_container_image }}:{{ prowlarr_version }}
+Volume=/var/log/prowlarr:/var/log/prowlarr:rw
+Volume=/var/lib/prowlarr:/var/lib/prowlarr:rw
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

roles/prowlarr/templates/prowlarr.httpd.conf.j2

@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+<VirtualHost _default_:443>
+    ServerName prowlarr.pyrocufflink.blue
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:9696/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:9696/$1 [P,L]
+    ProxyPassReverse / http://localhost:9696/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>

roles/radarr/defaults/main.yml

@@ -0,0 +1,4 @@
+radarr_container_image: git.pyrocufflink.net/packages/radarr
+radarr_version: 6.0.4.10291
+
+radarr_path_mounts: []

roles/radarr/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: relocate radarr logs
+  shell: |
+    if [ ! -h /var/lib/radarr/logs ]; then
+        mv /var/lib/radarr/logs/*.txt /var/log/radarr/
+        rmdir /var/lib/radarr/logs
+    fi
+
+- name: restart radarr
+  service:
+    name: radarr
+    state: restarted

roles/radarr/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base

roles/radarr/tasks/main.yml

@@ -0,0 +1,126 @@
+- name: ensure media group exists
+  group:
+    name: media
+    gid: 9000
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure radarr group exists
+  group:
+    name: radarr
+    gid: 7878
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure radarr user exists
+  user:
+    name: radarr
+    uid: 7878
+    group: radarr
+    groups:
+    - media
+    system: true
+    home: /var/lib/radarr
+    createhome: false
+    state: present
+  tags:
+   - user
+
+- name: ensure radarr data directory exists
+  file:
+    path: /var/lib/radarr
+    owner: radarr
+    group: radarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure radarr log directory exists
+  file:
+    path: /var/log/radarr
+    owner: radarr
+    group: radarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  notify:
+  - relocate radarr logs
+  tags:
+  - logdir
+- meta: flush_handlers
+- name: ensure radarr logs directory symlink exists
+  file:
+    path: /var/lib/radarr/logs
+    src: /var/log/radarr
+    state: link
+  tags:
+  - logdir
+
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+  tags:
+  - install
+
+- name: ensure radarr container image is present
+  podman_image:
+    name: '{{ radarr_container_image }}:{{ radarr_version }}'
+    username: '{{ radarr_image_pull_username | d(omit) }}'
+    password: '{{ radarr_image_pull_password | d(omit) }}'
+    force: '{{ radarr_force_pull_image | d(false) }}'
+    state: present
+  notify:
+  - restart radarr
+  tags:
+  - container-image
+
+- name: ensure radarr.container systemd unit exists
+  template:
+    src: radarr.container.j2
+    dest: /etc/containers/systemd/radarr.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart radarr
+  tags:
+  - systemd
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure radarr starts at boot
+  systemd:
+    name: radarr
+    enabled: true
+  tags:
+  - service
+- name: ensure radarr is running
+  systemd:
+    name: radarr
+    state: started
+  tags:
+  - service
+
+- name: ensure apache is configured to proxy for radarr
+  template:
+    src: radarr.httpd.conf.j2
+    dest: /etc/httpd/conf.d/radarr.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload httpd
+  tags:
+  - apache-config

roles/radarr/templates/radarr.container.j2

@@ -0,0 +1,37 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Radarr Movie Library Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ radarr_container_image }}:{{ radarr_version }}
+Volume=/var/log/radarr:/var/log/radarr:rw
+Volume=/var/lib/radarr:/var/lib/radarr:rw
+{% for mount in radarr_path_mounts %}
+Mount={{ mount }}
+{% endfor %}
+GroupAdd=media
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0022
+
+[Install]
+WantedBy=multi-user.target

roles/radarr/templates/radarr.httpd.conf.j2

@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+<VirtualHost _default_:443>
+    ServerName radarr.pyrocufflink.blue
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:7878/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:7878/$1 [P,L]
+    ProxyPassReverse / http://localhost:7878/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>

roles/sonarr/defaults/main.yml

@@ -0,0 +1,4 @@
+sonarr_container_image: git.pyrocufflink.net/packages/sonarr
+sonarr_version: 4.0.16.2944
+
+sonarr_path_mounts: []

roles/sonarr/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: relocate sonarr logs
+  shell: |
+    if [ ! -h /var/lib/sonarr/logs ]; then
+        mv /var/lib/sonarr/logs/*.txt /var/log/sonarr/
+        rmdir /var/lib/sonarr/logs
+    fi
+
+- name: restart sonarr
+  service:
+    name: sonarr
+    state: restarted

roles/sonarr/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: systemd-base
+- role: apache-base

roles/sonarr/tasks/main.yml

@@ -0,0 +1,125 @@
+- name: ensure media group exists
+  group:
+    name: media
+    gid: 9000
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure sonarr group exists
+  group:
+    name: sonarr
+    gid: 8989
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure sonarr user exists
+  user:
+    name: sonarr
+    uid: 8989
+    group: sonarr
+    groups:
+    - media
+    system: true
+    home: /var/lib/sonarr
+    createhome: false
+    state: present
+  tags:
+  - user
+
+- name: ensure sonarr data directory exists
+  file:
+    path: /var/lib/sonarr
+    owner: sonarr
+    group: sonarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  tags:
+  - datadir
+- name: ensure sonarr log directory exists
+  file:
+    path: /var/log/sonarr
+    owner: sonarr
+    group: sonarr
+    mode: u=rwx,og=rx
+    setype: container_file_t
+    state: directory
+  notify:
+  - relocate sonarr logs
+  tags:
+  - logdir
+- meta: flush_handlers
+- name: ensure sonarr logs directory symlink exists
+  file:
+    path: /var/lib/sonarr/logs
+    src: /var/log/sonarr
+    state: link
+  tags:
+  - logdir
+
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+  tags:
+  - install
+
+- name: ensure sonarr container image is present
+  podman_image:
+    name: '{{ sonarr_container_image }}:{{ sonarr_version }}'
+    username: '{{ sonarr_image_pull_username | d(omit) }}'
+    password: '{{ sonarr_image_pull_password | d(omit) }}'
+    force: '{{ sonarr_force_pull_image | d(false) }}'
+    state: present
+  notify:
+  - restart sonarr
+  tags:
+  - container-image
+
+- name: ensure sonarr.container systemd unit exists
+  template:
+    src: sonarr.container.j2
+    dest: /etc/containers/systemd/sonarr.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart sonarr
+  tags:
+  - systemd
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure sonarr starts at boot
+  systemd:
+    name: sonarr
+    enabled: true
+  tags:
+  - service
+- name: ensure sonarr is running
+  systemd:
+    name: sonarr
+    state: started
+  tags:
+  - service
+
+- name: ensure apache is configured to proxy for sonarr
+  template:
+    src: sonarr.httpd.conf.j2
+    dest: /etc/httpd/conf.d/sonarr.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload httpd
+  tags:
+  - apache-config

roles/sonarr/templates/sonarr.container.j2

@@ -0,0 +1,37 @@
+{#- vim: set ft=systemd.jinja : #}
+[Unit]
+Description=Sonarr TV Library Manager
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ sonarr_container_image }}:{{ sonarr_version }}
+Volume=/var/log/sonarr:/var/log/sonarr:rw
+Volume=/var/lib/sonarr:/var/lib/sonarr:rw
+{% for mount in sonarr_path_mounts %}
+Mount={{ mount }}
+{% endfor %}
+GroupAdd=media
+ReadOnly=true
+ReadOnlyTmpfs=true
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+Restart=always
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SuccessExitStatus=0 143
+UMask=0022
+
+[Install]
+WantedBy=multi-user.target

roles/sonarr/templates/sonarr.httpd.conf.j2

@@ -0,0 +1,20 @@
+# vim: set ft=apache.jinja :
+<VirtualHost _default_:443>
+    ServerName sonarr.pyrocufflink.blue
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:8989/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:8989/$1 [P,L]
+    ProxyPassReverse / http://localhost:8989/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>

servarr.yml

@@ -0,0 +1,9 @@
+- import_playbook: prowlarr.yml
+- import_playbook: radarr.yml
+- import_playbook: sonarr.yml
+
+- hosts: servarr
+  roles:
+  - role: fluent-bit-servarr
+    tags:
+    - fluent-bit

sonarr.yml

@@ -0,0 +1,5 @@
+- hosts: sonarr
+  roles:
+  - role: sonarr
+    tags:
+    - sonarr