README: add Radarr

Create a single external network called "external".
Create container-specific networks.
Only a few containers need access to these.
So far: openldap, postgres.

README.adoc

@@ -12,8 +12,14 @@ homelab.
 
 === Containers
 
-* NGINX
+* Authelia
 * Jellyfin
+* Keycloak
+* NGINX
+* OpenLDAP
+* Portainer
+* PostgreSQL
+* Radarr
 
 === Testing
 To run locally, specify the inventory file with `-i hosts`.

group_vars/all

@@ -13,4 +13,9 @@ pgid: "1000"
 tz: "Europe/Prague"
 media:
   tv: "{{ data_folder }}/media/tv"
-  movies: "{{ data_folder }}/media/movies"
+  movies: "{{ data_folder }}/media/movies"
+downloads:
+  nzb: "{{ data_folder }}/downloads/nzb"
+  torrent: "{{ data_folder }}/downloads/torrent"
+  torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
+  music: "{{ data_folder }}/downloads/music"

playbook.yml

@@ -3,6 +3,13 @@
   roles:
     - docker
     - nginx
+    - openldap
+    - portainer
     - jellyfin
+    - postgres
+    - authelia
+    - keycloak
+    - radarr
   vars_files:
     - vault/certs/{{ base_domain }}.yml
+    - vault/passwords.yml

provision.sh

@@ -0,0 +1,2 @@
+#!/bin/env fish
+ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision

roles/authelia/tasks/main.yml

@@ -0,0 +1,39 @@
+- name: ensure directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "{{ data_folder }}/authelia"
+- name: copy configuration.yml
+  template:
+    src: "configuration.yml.j2"
+    dest: "{{ data_folder }}/authelia/configuration.yml"
+    mode: "755"
+- name: run container
+  docker_container:
+    name: "authelia"
+    image: "authelia/authelia"
+    ports:
+      - "9091:9091"
+    networks:
+      - name: external
+      - name: openldap
+    volumes:
+      - "{{ data_folder }}/authelia:/config"
+- name: copy nginx endpoint conf
+  template:
+    src: "authelia-endpoint.conf.j2"
+    dest: "{{ data_folder }}/nginx/snippets/authelia-endpoint.conf"
+    mode: "755"
+- name: copy nginx auth conf
+  template:
+    src: "authelia-auth.conf.j2"
+    dest: "{{ data_folder }}/nginx/snippets/authelia-auth.conf"
+    mode: "755"
+- name: copy nginx conf
+  template:
+    src: "authelia.conf.j2"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx

roles/authelia/templates/authelia-auth.conf.j2

@@ -0,0 +1,11 @@
+auth_request /authelia/api/verify;
+auth_request_set $target_url $scheme://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+error_page 401 =302 https://$http_host/authelia/?rd=$target_url;

roles/authelia/templates/authelia-endpoint.conf.j2

@@ -0,0 +1,47 @@
+location ^~ /authelia {
+    include /etc/nginx/snippets/proxy.conf;
+    set $upstream_authelia authelia;
+    proxy_pass http://$upstream_authelia:9091;
+}
+
+location = /authelia/api/verify {
+    internal;
+    if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
+        return 401;
+    }
+    set $upstream_authelia authelia;
+    proxy_pass_request_body off;
+    proxy_pass http://$upstream_authelia:9091;
+    proxy_set_header Content-Length "";
+
+    # Timeout if the real server is dead
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+    # Provide either X-Original-URL and X-Forwarded-Proto or
+    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+    # Those headers will be used by Authelia to deduce the target url of the user.
+    # Basic Proxy Config
+    client_body_buffer_size 128k;
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_redirect  http://  $scheme://;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+
+    # Advanced Proxy Config
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}

roles/authelia/templates/authelia.conf.j2

@@ -0,0 +1,16 @@
+server {
+    server_name auth.{{ base_domain }};
+    listen 80;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    server_name auth.{{ base_domain }};
+    listen 443 ssl http2;
+
+    location / {
+        include /etc/nginx/snippets/proxy.conf;
+        set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
+        proxy_pass $upstream_authelia;
+    }
+}

roles/authelia/templates/configuration.yml.j2

@@ -0,0 +1,71 @@
+host: 0.0.0.0
+port: 9091
+server:
+  read_buffer_size: 4096
+  write_buffer_size: 4096
+  path: "authelia"
+log_level: debug
+jwt_secret: somethingsomethingrandomrecret
+default_redirection_url: https://{{ base_domain }}
+authentication_backend:
+  disable_reset_password: false
+  ldap:
+    implementation: custom
+    url: ldap://openldap
+    start_tls: false
+    tls:
+      server_name: openldap
+      skip_verify: false
+      minimum_version: TLS1.2
+    base_dn: dc=kucharczyk,dc=xyz
+    username_attribute: uid
+    users_filter: ({username_attribute}={input})
+    groups_filter: (member={dn})
+    mail_attribute: mail
+    user: cn=admin,dc=kucharczyk,dc=xyz
+    password: {{ vault_openldap_admin_password }}
+access_control:
+  default_policy: deny
+  networks:
+    - name: local
+      networks:
+        - 192.168.0.0/24
+  rules:
+    - domain: "*.{{ base_domain }}"
+      networks:
+        - local
+      policy: bypass
+    - domain: portainer.{{ base_domain }}
+      policy: one_factor
+    - domain: keycloak.{{ base_domain }}
+      policy: one_factor
+    - domain: radarr.{{ base_domain }}
+      policy: two_factor
+session:
+  name: authelia_session
+  secret: somerandomsecret
+  expiration: 1h
+  inactivity: 5m
+  remember_me_duration: 1M
+  domain: {{ base_domain }}
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 99y
+storage:
+  local:
+    path: /config/db.sqlite3
+notifier:
+  disable_startup_check: false
+  smtp:
+    username: kucharczyk.lukas@gmail.com
+    password: {{ vault_email_gmail_password }}
+    host: smtp.gmail.com
+    port: 587
+    sender: kucharczyk.lukas@gmail.com
+    subject: "[Authelia] {title}"
+    startup_check_address: test@authelia.com
+    disable_require_tls: false
+    tls:
+      skip_verify: false
+      minimum_version: TLS1.2

roles/docker/tasks/main.yml

@@ -3,6 +3,9 @@
     name:
       - docker
       - python-pip
+      - neovim
+      - fish
+      - curlie
     state: present
     update_cache: true
 - name: start
@@ -12,8 +15,9 @@
 - name: add user to group
   user:
     name: lukas
-    groups: docker
+    groups: docker,wheel
     append: true
+    shell: /usr/bin/fish
 - name: install python docker
   pip:
     name:

roles/jellyfin/tasks/main.yml

@@ -12,7 +12,7 @@
     name: 'jellyfin'
     image: linuxserver/jellyfin
     networks:
-      - name: nginx-internal
+      - name: external
     volumes:
       - "{{ data_folder }}/jellyfin:/config"
       - "{{ media.tv }}:/data/tv"
@@ -29,7 +29,6 @@
     devices:
       - /dev/dri:/dev/dri
     state: started
-    restart: yes
 - name: copy jellyfin nginx config
   template:
     src: jellyfin.conf.j2

roles/jellyfin/templates/jellyfin.conf.j2

@@ -1,6 +1,7 @@
 server {
+    server_name "jellyfin.{{ base_domain }}";
     listen 80;
-    return 301 https://$host$request_uri;
+    return 301 https://$server_name$request_uri;
 }
 
 server {

roles/keycloak/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: run container
+  docker_container:
+    name: "keycloak"
+    image: "quay.io/keycloak/keycloak"
+    ports:
+      - "8080:8080"
+    networks:
+      - name: external
+      - name: postgres
+      - name: openldap
+    env:
+      "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
+      "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
+      "DB_VENDOR": POSTGRES
+      "DB_ADDR": postgres
+      "DB_DATABASE": keycloak
+      "DB_USER": keycloak
+      "DB_SCHEMA": public
+      "DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
+      "PROXY_ADDRESS_FORWARDING": "true"
+- name: copy nginx conf
+  template:
+    src: "keycloak.conf.j2"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx

roles/keycloak/templates/keycloak.conf.j2

@@ -0,0 +1,30 @@
+server {
+    server_name "keycloak.{{ base_domain }}";
+    listen 80;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  server_name "keycloak.{{ base_domain }}";
+  set $keycloak keycloak;
+
+  # Security/XSS Mitigation Headers
+  add_header X-Frame-Options "SAMEORIGIN";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Content-Type-Options "nosniff";
+
+  include /etc/nginx/snippets/authelia-endpoint.conf;
+
+  location / {
+    proxy_pass http://$keycloak:8080;
+    include /etc/nginx/snippets/authelia-auth.conf;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Protocol $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_buffering off;
+  }
+}

roles/nginx/files/snippets/block-exploits.conf

@@ -134,3 +134,28 @@ if ($http_user_agent ~ "GrabNet") {
 if ($block_user_agents = 1) {
 	return 403;
 }
+
+# # read more here http://tautt.com/best-nginx-configuration-for-security/
+
+# # don't send the nginx version number in error pages and Server header
+# server_tokens off;
+
+# # config to don't allow the browser to render the page inside an frame or iframe
+# # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+# # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+# add_header X-Frame-Options SAMEORIGIN;
+
+# # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# # to disable content-type sniffing on some browsers.
+# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+# add_header X-Content-Type-Options nosniff;
+
+# # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+# # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+# # this particular website if it was disabled by the user.
+# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# add_header X-XSS-Protection "1; mode=block";

roles/nginx/files/snippets/cache-assets.conf

@@ -28,4 +28,10 @@ location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
 	access_log  off;
 
 	include conf.d/include/proxy.conf;
-}
+}
+
+# location ~* \.(?:ico|css|js|gif|jpe?g|png|svg|eot|ttf|woff|woff2)$ {
+#   expires 30d;
+#   add_header Pragma public;
+#   add_header Cache-Control "public";
+# }

roles/nginx/files/snippets/gzip.conf

@@ -0,0 +1,10 @@
+gzip on;
+gzip_disable "msie6";
+
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 256;
+gzip_types application/javascript text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

roles/nginx/files/snippets/ssl-ciphers.conf

@@ -6,4 +6,22 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-
 ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
 S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
-ssl_prefer_server_ciphers on;
+ssl_prefer_server_ciphers on;
+
+# # from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+# ssl_session_timeout 1d;
+# ssl_session_tickets off;
+
+# # modern configuration. tweak to your needs.
+# ssl_protocols TLSv1.2;
+# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# ssl_prefer_server_ciphers on;
+
+# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+# add_header Strict-Transport-Security max-age=15768000;
+
+# # OCSP Stapling ---
+# # fetch OCSP records from URL in ssl_certificate and cache them
+# ssl_stapling on;
+# ssl_stapling_verify on;

roles/nginx/tasks/main.yml

@@ -14,11 +14,11 @@
 - name: generate self-signed certs
   import_tasks: self-signed.yml
   when: self_signed
-- name: create nginx bridge network
+- name: create external bridge network
   docker_network:
-    name: nginx-internal
+    name: external
     attachable: true
-    internal: true
+    internal: false
     state: present
 - name: copy nginx.conf
   template:
@@ -37,8 +37,7 @@
     name: 'nginx'
     image: nginx
     networks:
-      - name: bridge
-      - name: nginx-internal
+      - name: external
     volumes:
       - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
       - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@@ -53,5 +52,4 @@
     env:
       NGINX_HOST: "{{ base_domain }}"
       NGINX_PORT: '80'
-    state: started
-    restart: yes
+    state: started

roles/nginx/templates/nginx.conf.j2

@@ -13,6 +13,8 @@ events {
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
+    
+    log_subrequest on;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '

roles/nginx/templates/snippets/proxy.conf.j2

@@ -0,0 +1,36 @@
+client_body_buffer_size 128k;
+
+#Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Advanced Proxy Config
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+# Basic Proxy Config
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+# If behind reverse proxy, forwards the correct IP
+set_real_ip_from 10.0.0.0/8;
+set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 172.17.0.0/16;
+set_real_ip_from 172.18.0.0/16;
+set_real_ip_from 172.19.0.0/16;
+set_real_ip_from 192.168.0.0/16;
+set_real_ip_from fc00::/7;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;

roles/openldap/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: ensure directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "{{ data_folder }}/openldap"
+    - "{{ data_folder }}/openldap/data"
+- name: create network
+  docker_network:
+    name: openldap
+    attachable: true
+    internal: true
+    state: present
+- name: run container
+  docker_container:
+    name: "openldap"
+    image: osixia/openldap
+    hostname: openldap
+    networks:
+      - name: openldap
+    ports:
+      - "389:389"
+      - "636:636"
+    volumes:
+      - "{{ data_folder }}/openldap/data:/var/lib/ldap"
+    env:
+      LDAP_ORGANISATION: "Homelab"
+      LDAP_DOMAIN: "kucharczyk.xyz"
+      LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
+    state: started

roles/portainer/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: run container
+  docker_container:
+    name: 'portainer'
+    image: portainer/portainer-ce
+    networks:
+      - name: external
+      - name: openldap
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    ports:
+      - "8000:8000"
+      - "9000:9000"
+    state: started
+- name: copy nginx conf
+  template:
+    src: portainer.conf.j2
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx

roles/portainer/templates/portainer.conf.j2

@@ -0,0 +1,20 @@
+server {
+    server_name portainer.{{ base_domain }};
+    listen 80;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    server_name portainer.{{ base_domain }};
+    listen 443 ssl http2;
+
+    include /etc/nginx/snippets/authelia-endpoint.conf;
+
+    location / {
+        include /etc/nginx/snippets/proxy.conf;
+        include /etc/nginx/snippets/authelia-auth.conf;
+
+        set $upstream http://portainer:9000; # This example assumes a Docker deployment
+        proxy_pass $upstream;
+    }
+}

roles/postgres/tasks/main.yml

@@ -0,0 +1,36 @@
+- name: install psycopg2
+  pip:
+    name: psycopg2-binary
+    state: present
+- name: ensure directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - "{{ data_folder }}/postgres/data"
+    - "{{ data_folder }}/postgres/init"
+- name: copy init sql files
+  template:
+    src: "{{ item }}"
+    dest: "{{ data_folder }}/postgres/init/{{ item | basename | regex_replace('.j2$', '') }}"
+  with_fileglob:
+    - "../templates/*.sql.j2"
+- name: create network
+  docker_network:
+    name: postgres
+    attachable: true
+    internal: true
+    state: present
+- name: run container
+  docker_container:
+    name: "postgres"
+    image: "postgres:13"
+    networks:
+      - name: postgres
+    volumes:
+      - "{{ data_folder }}/postgres/data:/var/lib/postgresql/data"
+      - "{{ data_folder }}/postgres/init:/docker-entrypoint-initdb.d"
+    env:
+      POSTGRES_PASSWORD: "{{ vault_postgres_password }}"
+    state: started

roles/postgres/templates/keycloak.sql.j2

@@ -0,0 +1,3 @@
+CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
+CREATE DATABASE keycloak;
+GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;

roles/radarr/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: ensure directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "{{ data_folder }}/radarr"
+    - "{{ media.tv }}"
+    - "{{ media.movies }}"
+    - "{{ downloads.nzb }}"
+- name: run container
+  docker_container:
+    name: "{{ role_name }}"
+    image: "linuxserver/radarr"
+    networks:
+      - name: external
+    env:
+      "TZ": "{{ tz }}"
+      "PUID": "{{ puid }}"
+      "PGID": "{{  pgid }}"
+      "UMASK": "022"
+    volumes:
+      - "{{ data_folder }}/radarr:/config"
+      - "{{ downloads.nzb }}:/downloads"
+      - "{{ media.movies }}:/movies"
+    ports:
+      - "7878:7878"
+    state: started
+- name: copy nginx conf
+  template:
+    src: "{{ role_name }}.conf.j2"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx

roles/radarr/templates/radarr.conf.j2

@@ -0,0 +1,20 @@
+server {
+    server_name {{ role_name }}.{{ base_domain }};
+    listen 80;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    server_name {{ role_name }}.{{ base_domain }};
+    listen 443 ssl http2;
+
+    include /etc/nginx/snippets/authelia-endpoint.conf;
+
+    location / {
+        include /etc/nginx/snippets/proxy.conf;
+        include /etc/nginx/snippets/authelia-auth.conf;
+
+        set $upstream http://{{ role_name }}:7878;
+        proxy_pass $upstream;
+    }
+}

show-pass.sh

@@ -0,0 +1,2 @@
+#!/bin/env fish
+ansible-vault view --vault-password-file (pass show ansible-homelab | psub) vault/passwords.yml

vault/passwords.yml

@@ -0,0 +1,19 @@
+$ANSIBLE_VAULT;1.1;AES256
+35356537316639386637316365393533643061363734323630393363313237643935666639653963
+3734376266353938653631323266663139306335646635660a373233663964623335663366333434
+34386136656530386639646234316238326132616131616632346537613963636637393839613661
+6366326639643632320a386436316165343166366134633464393461653434323934326238313430
+39323439306637306134326635323138616337646336653238636539643538613664303764303661
+39636661353538393532663937396363656664613334383261336664336237356366663334633430
+36356235383930653835393439373737623036613565313131626462363034303062323662663832
+66613833613336646633383835653161386363386136663764653734313763383231626434393864
+63313061346335383933623630396336336561633938613237643238616531343766613734666132
+32306362616131396266656162653563356137383239616464306662643032623438373764306361
+32363133626662633435626232653061373831626563323861626635383039613136303632613335
+61363265316534653033393763646565393330633063323634353932353936303638356433306362
+65383938306637333765383263653939633964613230613835326630313761323561376162646439
+62323035323634323766393233326363383364653531306432663263303831623936616139306639
+64303863386265343165666435363761653464386366636366323261353731643263356635383536
+66326666616339653731633530663161363933383334376238313637356331663431336433643338
+64313861306161373538363332663363623131303561373237326436373838393965306663333835
+3764356534323963303832653964666431626538316361613137