README: add Radarr

Create a single external network called "external".
Create container-specific networks.
Only a few containers need access to these.
So far: openldap, postgres.

README.adoc

@@ -12,12 +12,14 @@ homelab.
 
 === Containers
 
-* NGINX
-* Jellyfin
-* OpenLDAP
-* PostgreSQL
-* Keycloak
 * Authelia
+* Jellyfin
+* Keycloak
+* NGINX
+* OpenLDAP
+* Portainer
+* PostgreSQL
+* Radarr
 
 === Testing
 To run locally, specify the inventory file with `-i hosts`.

group_vars/all

@@ -13,4 +13,9 @@ pgid: "1000"
 tz: "Europe/Prague"
 media:
   tv: "{{ data_folder }}/media/tv"
-  movies: "{{ data_folder }}/media/movies"
+  movies: "{{ data_folder }}/media/movies"
+downloads:
+  nzb: "{{ data_folder }}/downloads/nzb"
+  torrent: "{{ data_folder }}/downloads/torrent"
+  torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
+  music: "{{ data_folder }}/downloads/music"

playbook.yml

@@ -3,11 +3,13 @@
   roles:
     - docker
     - nginx
-    - jellyfin
     - openldap
+    - portainer
+    - jellyfin
     - postgres
     - authelia
     - keycloak
+    - radarr
   vars_files:
     - vault/certs/{{ base_domain }}.yml
     - vault/passwords.yml

roles/authelia/tasks/main.yml

@@ -17,8 +17,8 @@
     ports:
       - "9091:9091"
     networks:
-      - name: bridge
-      - name: nginx-internal
+      - name: external
+      - name: openldap
     volumes:
       - "{{ data_folder }}/authelia:/config"
 - name: copy nginx endpoint conf

roles/authelia/templates/authelia.conf.j2

@@ -1,7 +1,7 @@
 server {
-    listen 80;
     server_name auth.{{ base_domain }};
-    return 301 https://$host$request_uri;
+    listen 80;
+    return 301 https://$server_name$request_uri;
 }
 
 server {

roles/authelia/templates/configuration.yml.j2

@@ -26,9 +26,22 @@ authentication_backend:
     password: {{ vault_openldap_admin_password }}
 access_control:
   default_policy: deny
+  networks:
+    - name: local
+      networks:
+        - 192.168.0.0/24
   rules:
     - domain: "*.{{ base_domain }}"
+      networks:
+        - local
       policy: bypass
+    - domain: portainer.{{ base_domain }}
+      policy: one_factor
+    - domain: keycloak.{{ base_domain }}
+      policy: one_factor
+    - domain: radarr.{{ base_domain }}
+      policy: two_factor
+session:
   name: authelia_session
   secret: somerandomsecret
   expiration: 1h

roles/docker/tasks/main.yml

@@ -3,6 +3,9 @@
     name:
       - docker
       - python-pip
+      - neovim
+      - fish
+      - curlie
     state: present
     update_cache: true
 - name: start
@@ -12,8 +15,9 @@
 - name: add user to group
   user:
     name: lukas
-    groups: docker
+    groups: docker,wheel
     append: true
+    shell: /usr/bin/fish
 - name: install python docker
   pip:
     name:

roles/jellyfin/tasks/main.yml

@@ -12,7 +12,7 @@
     name: 'jellyfin'
     image: linuxserver/jellyfin
     networks:
-      - name: nginx-internal
+      - name: external
     volumes:
       - "{{ data_folder }}/jellyfin:/config"
       - "{{ media.tv }}:/data/tv"
@@ -29,7 +29,6 @@
     devices:
       - /dev/dri:/dev/dri
     state: started
-    restart: yes
 - name: copy jellyfin nginx config
   template:
     src: jellyfin.conf.j2

roles/jellyfin/templates/jellyfin.conf.j2

@@ -1,6 +1,7 @@
 server {
+    server_name "jellyfin.{{ base_domain }}";
     listen 80;
-    return 301 https://$host$request_uri;
+    return 301 https://$server_name$request_uri;
 }
 
 server {

roles/keycloak/tasks/main.yml

@@ -5,8 +5,9 @@
     ports:
       - "8080:8080"
     networks:
+      - name: external
       - name: postgres
-      - name: nginx-internal
+      - name: openldap
     env:
       "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
       "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
@@ -20,6 +21,6 @@
 - name: copy nginx conf
   template:
     src: "keycloak.conf.j2"
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
     mode: "755"
   notify: reload nginx

roles/keycloak/templates/keycloak.conf.j2

@@ -1,6 +1,7 @@
 server {
-  listen 80;
-  return 301 https://$host$request_uri;
+    server_name "keycloak.{{ base_domain }}";
+    listen 80;
+    return 301 https://$server_name$request_uri;
 }
 
 server {

roles/nginx/tasks/main.yml

@@ -14,11 +14,11 @@
 - name: generate self-signed certs
   import_tasks: self-signed.yml
   when: self_signed
-- name: create nginx bridge network
+- name: create external bridge network
   docker_network:
-    name: nginx-internal
+    name: external
     attachable: true
-    internal: true
+    internal: false
     state: present
 - name: copy nginx.conf
   template:
@@ -37,8 +37,7 @@
     name: 'nginx'
     image: nginx
     networks:
-      - name: bridge
-      - name: nginx-internal
+      - name: external
     volumes:
       - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
       - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@@ -53,5 +52,4 @@
     env:
       NGINX_HOST: "{{ base_domain }}"
       NGINX_PORT: '80'
-    state: started
-    restart: yes
+    state: started

roles/nginx/templates/nginx.conf.j2

@@ -13,6 +13,8 @@ events {
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
+    
+    log_subrequest on;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '

roles/openldap/tasks/main.yml

@@ -6,13 +6,19 @@
   loop:
     - "{{ data_folder }}/openldap"
     - "{{ data_folder }}/openldap/data"
+- name: create network
+  docker_network:
+    name: openldap
+    attachable: true
+    internal: true
+    state: present
 - name: run container
   docker_container:
     name: "openldap"
     image: osixia/openldap
     hostname: openldap
     networks:
-      - name: nginx-internal
+      - name: openldap
     ports:
       - "389:389"
       - "636:636"
@@ -23,5 +29,4 @@
       LDAP_DOMAIN: "kucharczyk.xyz"
       LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
       LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
-    state: started
-    restart: yes
+    state: started

roles/openldap/templates/base.ldif.j2

@@ -1,6 +0,0 @@
-dn: dc=kucharczyk,dc=xyz
-objectclass: top
-objectclass: dcObject
-objectclass: organization
-dc: kucharczyk
-o: Homelab

roles/portainer/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: run container
+  docker_container:
+    name: 'portainer'
+    image: portainer/portainer-ce
+    networks:
+      - name: external
+      - name: openldap
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    ports:
+      - "8000:8000"
+      - "9000:9000"
+    state: started
+- name: copy nginx conf
+  template:
+    src: portainer.conf.j2
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx

roles/portainer/templates/portainer.conf.j2

@@ -0,0 +1,20 @@
+server {
+    server_name portainer.{{ base_domain }};
+    listen 80;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    server_name portainer.{{ base_domain }};
+    listen 443 ssl http2;
+
+    include /etc/nginx/snippets/authelia-endpoint.conf;
+
+    location / {
+        include /etc/nginx/snippets/proxy.conf;
+        include /etc/nginx/snippets/authelia-auth.conf;
+
+        set $upstream http://portainer:9000; # This example assumes a Docker deployment
+        proxy_pass $upstream;
+    }
+}

roles/radarr/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: ensure directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "{{ data_folder }}/radarr"
+    - "{{ media.tv }}"
+    - "{{ media.movies }}"
+    - "{{ downloads.nzb }}"
+- name: run container
+  docker_container:
+    name: "{{ role_name }}"
+    image: "linuxserver/radarr"
+    networks:
+      - name: external
+    env:
+      "TZ": "{{ tz }}"
+      "PUID": "{{ puid }}"
+      "PGID": "{{  pgid }}"
+      "UMASK": "022"
+    volumes:
+      - "{{ data_folder }}/radarr:/config"
+      - "{{ downloads.nzb }}:/downloads"
+      - "{{ media.movies }}:/movies"
+    ports:
+      - "7878:7878"
+    state: started
+- name: copy nginx conf
+  template:
+    src: "{{ role_name }}.conf.j2"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx

roles/radarr/templates/radarr.conf.j2

@@ -0,0 +1,20 @@
+server {
+    server_name {{ role_name }}.{{ base_domain }};
+    listen 80;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    server_name {{ role_name }}.{{ base_domain }};
+    listen 443 ssl http2;
+
+    include /etc/nginx/snippets/authelia-endpoint.conf;
+
+    location / {
+        include /etc/nginx/snippets/proxy.conf;
+        include /etc/nginx/snippets/authelia-auth.conf;
+
+        set $upstream http://{{ role_name }}:7878;
+        proxy_pass $upstream;
+    }
+}