mustard/proxmox-vms
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: fix gvisor for radicale, add isolated networks for jellyfin / radicale

Browse source
This commit is contained in:
mustard 2025-11-09 19:50:58 +01:00
parent b7a31a899c
commit bed7bcf4fd
7 changed files with 31 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

4
roles/jellyfin/files/jellyfin.container
View file

@ -3,8 +3,8 @@ Description=jellyfin container
[Container] [Container]
ContainerName=jellyfin ContainerName=jellyfin
Image=ghcr.io/jellyfin/jellyfin Image=ghcr.io/jellyfin/jellyfin:latest
Network=frontend.network Network=jellyfin.network
Volume=/srv/jellyfin/config:/config:Z Volume=/srv/jellyfin/config:/config:Z
Volume=/srv/jellyfin/cache:/cache:Z Volume=/srv/jellyfin/cache:/cache:Z
Volume=/srv/jellyfin/media:/media:z,ro Volume=/srv/jellyfin/media:/media:z,ro

3
roles/jellyfin/files/jellyfin.network Normal file
View file

@ -0,0 +1,3 @@
[Network]
Internal=true
Options=isolate=true

8
roles/jellyfin/tasks/main.yaml
View file

@ -36,6 +36,14 @@
group: root group: root
mode: '0644' mode: '0644'
- name: Copy over jellyfin.network file
ansible.builtin.copy:
src: ./files/jellyfin.network
dest: /etc/containers/systemd/jellyfin.network
owner: root
group: root
mode: '0644'
- name: Copy over jellyfin nginx config - name: Copy over jellyfin nginx config
ansible.builtin.copy: ansible.builtin.copy:
src: ./files/jellyfin.conf src: ./files/jellyfin.conf

1
roles/nginx/templates/nginx.container.j2
View file

@ -9,6 +9,7 @@ Image=ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim
PublishPort=80:8080 PublishPort=80:8080
PublishPort=443:8443 PublishPort=443:8443
Network=frontend.network Network=frontend.network
Network={{ nginx_dependent_service }}.network
Volume=/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro Volume=/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
Volume=/srv/nginx/conf.d:/etc/nginx/conf.d:ro Volume=/srv/nginx/conf.d:/etc/nginx/conf.d:ro
Volume=/srv/certs:/etc/nginx/ssl:Z Volume=/srv/certs:/etc/nginx/ssl:Z

12
roles/radicale/files/radicale.container
View file

@ -6,19 +6,19 @@ ContainerName=radicale
RunInit=true RunInit=true
DropCapability=ALL DropCapability=ALL
AddCapability=SETUID SETGID CHOWN KILL AddCapability=SETUID SETGID CHOWN KILL
Image=docker.io/tomsquest/docker-radicale Image=docker.io/tomsquest/docker-radicale:latest
Network=frontend.network Network=radicale.network
Volume=/srv/radicale/config:/config:Z,ro Volume=/srv/radicale/config:/config:Z,ro
Volume=/srv/radicale/data:/data:Z Volume=/srv/radicale/data:/data:Z
#PodmanArgs=--runtime runsc --security-opt label:disable PodmanArgs=--runtime runsc --security-opt label:disable
#Label=disable Label=disable
AutoUpdate=registry AutoUpdate=registry
[Install] [Install]
WantedBy=multi-user.target default.target WantedBy=multi-user.target default.target
[Service] [Service]
TasksMax=50 TasksMax=100
MemoryHigh=256M MemoryHigh=512M
Restart=always Restart=always

3
roles/radicale/files/radicale.network Normal file
View file

@ -0,0 +1,3 @@
[Network]
Internal=true
Options=isolate=true

8
roles/radicale/tasks/main.yaml
View file

@ -24,6 +24,14 @@
group: root group: root
mode: '0644' mode: '0644'
- name: Copy over radicale.network file
ansible.builtin.copy:
src: ./files/radicale.network
dest: /etc/containers/systemd/radicale.network
owner: root
group: root
mode: '0644'
- name: Copy over radicale config - name: Copy over radicale config
ansible.builtin.copy: ansible.builtin.copy:
src: ./files/config src: ./files/config