Capture london-b media stack and systemd services

Add the full media automation stack (sonarr, radarr, prowlarr, lidarr,
readarr, whisparr), media servers (jellyfin, plex), and supporting
services (transmission, samba, ollama, promtail, cloudflared, vsftpd)
to the repo as a media_stack Ansible role.

Includes:
- Custom systemd unit files for non-package-managed services
- Config files for promtail, samba, transmission, vsftpd
- Cron jobs for movie-rename-fix, sonarr/radarr midnight restarts
- Updated deploy.yml to wire the role into london-b's stage
- Updated london-b docs with full service inventory

Backup script (backup.sh) already covered by the existing backup role.
Node/systemd exporters already covered by existing monitoring roles.

Closes PESO-92

ansible/deploy.yml

@@ -54,12 +54,13 @@
     - role: caddy
     - role: status_page
 
-# london-b: Docker services (storage, apps) + backups
-- name: "Stage 4b: Docker services (london-b)"
+# london-b: Docker services (storage, apps) + media stack + backups
+- name: "Stage 4b: Services (london-b)"
   hosts: london-b
   tags: [services, london-b]
   roles:
     - role: docker_services
+    - role: media_stack
     - role: backup
 
 # nuremberg-a: Mail (poste.io via Docker)

ansible/roles/media_stack/handlers/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart promtail
+  ansible.builtin.systemd:
+    name: promtail
+    state: restarted
+
+- name: Restart smbd
+  ansible.builtin.systemd:
+    name: smbd
+    state: restarted
+
+- name: Restart transmission
+  ansible.builtin.systemd:
+    name: transmission-daemon
+    state: restarted
+
+- name: Restart vsftpd
+  ansible.builtin.systemd:
+    name: vsftpd
+    state: restarted

ansible/roles/media_stack/tasks/main.yml

@@ -0,0 +1,128 @@
+---
+# media_stack role — deploys the full media stack on london-b
+# Manages: *arr suite, jellyfin, plex, transmission, samba,
+#           ollama, promtail, cloudflared, vsftpd, and cron jobs.
+
+# ── Systemd service units (custom, not package-managed) ──
+
+- name: Deploy custom systemd unit files
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/services/{{ item }}/{{ item }}.service"
+    dest: "/etc/systemd/system/{{ item }}.service"
+    mode: '0644'
+  loop:
+    - radarr
+    - prowlarr
+    - lidarr
+    - readarr
+    - whisparr
+    - ollama
+    - promtail
+  notify: Reload systemd daemon
+
+- name: Enable and start custom systemd services
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop:
+    - radarr
+    - prowlarr
+    - lidarr
+    - readarr
+    - ollama
+    - promtail
+
+# Whisparr is installed but disabled (kept as-is)
+- name: Ensure whisparr unit is present but disabled
+  ansible.builtin.systemd:
+    name: whisparr
+    enabled: false
+
+# ── Package-managed services (ensure enabled) ──
+
+- name: Ensure package-managed services are enabled
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop:
+    - sonarr
+    - jellyfin
+    - plexmediaserver
+    - transmission-daemon
+    - smbd
+    - vsftpd
+    - cloudflared
+
+# ── Configuration files ──
+
+- name: Deploy promtail config
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/services/promtail/config/london-b.yml"
+    dest: /etc/promtail/config.yml
+    mode: '0644'
+  notify: Restart promtail
+
+- name: Deploy samba config
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/services/samba/config/london-b.conf"
+    dest: /etc/samba/smb.conf
+    mode: '0644'
+    backup: true
+  notify: Restart smbd
+
+- name: Deploy transmission settings
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/services/transmission/config/settings.json"
+    dest: /etc/transmission-daemon/settings.json
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0600'
+  notify: Restart transmission
+
+- name: Deploy vsftpd config
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/services/vsftpd/config/london-b.conf"
+    dest: /etc/vsftpd.conf
+    mode: '0644'
+  notify: Restart vsftpd
+
+# ── Scripts ──
+
+- name: Ensure scripts directory exists
+  ansible.builtin.file:
+    path: /root/scripts
+    state: directory
+    mode: '0755'
+
+- name: Deploy movie-rename-fix script
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/scripts/movie-rename-fix.fish"
+    dest: /root/scripts/movie-rename-fix.fish
+    mode: '0755'
+
+# ── Cron jobs ──
+
+- name: Movie rename fix (hourly)
+  ansible.builtin.cron:
+    name: "Movie rename fix"
+    minute: "0"
+    job: "/root/scripts/movie-rename-fix.fish"
+    user: root
+
+- name: Restart radarr at midnight
+  ansible.builtin.cron:
+    name: "Restart radarr"
+    minute: "0"
+    hour: "0"
+    job: "systemctl restart radarr"
+    user: root
+
+- name: Restart sonarr at midnight
+  ansible.builtin.cron:
+    name: "Restart sonarr"
+    minute: "0"
+    hour: "0"
+    job: "systemctl restart sonarr"
+    user: root

ansible/scripts/movie-rename-fix.fish

@@ -0,0 +1,7 @@
+#!/usr/bin/env fish
+
+cd /hdd/movies
+
+for i in (find . -name "*www.UIndex.org    -    *")
+    mv $i (echo $i | sed 's/www.UIndex.org    -    //')
+end

ansible/services/lidarr/lidarr.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Lidarr Daemon
+After=syslog.target network.target
+
+[Service]
+User=root
+Group=root
+UMask=0002
+Type=simple
+ExecStart=/opt/Lidarr/Lidarr -nobrowser -data=/var/lib/lidarr/
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

ansible/services/ollama/ollama.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Ollama Service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/ollama serve
+User=ollama
+Group=ollama
+Restart=always
+RestartSec=3
+Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
+
+[Install]
+WantedBy=default.target

ansible/services/promtail/config/london-b.yml

@@ -0,0 +1,31 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://192.168.1.254:3100/loki/api/v1/push
+
+scrape_configs:
+- job_name: london-b
+  static_configs:
+  - targets:
+      - localhost
+    labels:
+      job: varlogs
+      instance: london-b
+      __path__: /var/log/*log
+  - targets:
+      - localhost
+    labels:
+      job: plex
+      instance: london-b
+      __path__: /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Logs/*log
+  - targets:
+      - localhost
+    labels:
+      job: jellyfin
+      instance: london-b
+      __path__: /var/log/jellyfin/*log

ansible/services/promtail/promtail.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Promtail service
+After=network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/promtail -config.file /etc/promtail/config.yml
+TimeoutSec=60
+Restart=on-failure
+RestartSec=2
+
+[Install]
+WantedBy=multi-user.target

ansible/services/prowlarr/prowlarr.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Prowlarr Daemon
+After=syslog.target network.target
+
+[Service]
+User=root
+Group=root
+UMask=0002
+Type=simple
+ExecStart=/opt/Prowlarr/Prowlarr -nobrowser -data=/var/lib/prowlarr/
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

ansible/services/radarr/radarr.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Radarr Daemon
+After=syslog.target network.target
+
+[Service]
+User=root
+Group=root
+UMask=0002
+Type=simple
+ExecStart=/opt/Radarr/Radarr -nobrowser -data=/var/lib/radarr/
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

ansible/services/readarr/readarr.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Readarr Daemon
+After=syslog.target network.target
+
+[Service]
+User=root
+Group=root
+UMask=0002
+Type=simple
+ExecStart=/opt/Readarr/Readarr -nobrowser -data=/var/lib/readarr/
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

ansible/services/samba/config/london-b.conf

@@ -0,0 +1,53 @@
+[global]
+   workgroup = WORKGROUP
+   server string = %h server (Samba, Ubuntu)
+   log file = /var/log/samba/log.%m
+   max log size = 1000
+   logging = file
+   panic action = /usr/share/samba/panic-action %d
+   server role = standalone server
+   obey pam restrictions = yes
+   unix password sync = yes
+   passwd program = /usr/bin/passwd %u
+   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+   pam password change = yes
+   map to guest = bad user
+
+   # COCKPIT ZFS MANAGER
+   # WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION
+   include = /etc/cockpit/zfs/shares.conf
+
+[HDD]
+   comment = HDD
+   path = /hdd
+   valid users = pez root
+   public = no
+   writable = yes
+
+[Movies]
+   comment = Movies
+   path = /hdd/movies
+   public = yes
+   writable = no
+
+[TV Shows]
+   comment = TV Shows
+   path = /hdd/tv
+   public = yes
+   writable = no
+
+[printers]
+   comment = All Printers
+   browseable = no
+   path = /var/tmp
+   printable = yes
+   guest ok = no
+   read only = yes
+   create mask = 0700
+
+[print$]
+   comment = Printer Drivers
+   path = /var/lib/samba/printers
+   browseable = yes
+   read only = yes
+   guest ok = no

ansible/services/systemd/london-b/cloudflared.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=cloudflared
+After=network.target
+
+[Service]
+TimeoutStartSec=0
+Type=notify
+ExecStart=/usr/bin/cloudflared --no-autoupdate tunnel run
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

ansible/services/transmission/config/settings.json

@@ -0,0 +1,84 @@
+{
+    "alt-speed-down": 0,
+    "alt-speed-enabled": false,
+    "alt-speed-time-begin": 540,
+    "alt-speed-time-day": 127,
+    "alt-speed-time-enabled": false,
+    "alt-speed-time-end": 1020,
+    "alt-speed-up": 0,
+    "announce-ip": "",
+    "announce-ip-enabled": false,
+    "anti-brute-force-enabled": false,
+    "anti-brute-force-threshold": 100,
+    "bind-address-ipv4": "0.0.0.0",
+    "bind-address-ipv6": "::",
+    "blocklist-enabled": false,
+    "blocklist-url": "http://www.example.com/blocklist",
+    "cache-size-mb": 4,
+    "default-trackers": "",
+    "dht-enabled": true,
+    "download-dir": "/hdd/downloads",
+    "download-limit": 100,
+    "download-limit-enabled": 0,
+    "download-queue-enabled": true,
+    "download-queue-size": 100,
+    "encryption": 1,
+    "idle-seeding-limit": 30,
+    "idle-seeding-limit-enabled": false,
+    "incomplete-dir": "/var/lib/transmission-daemon/Downloads",
+    "incomplete-dir-enabled": false,
+    "lpd-enabled": false,
+    "max-peers-global": 200,
+    "message-level": 4,
+    "peer-congestion-algorithm": "",
+    "peer-id-ttl-hours": 6,
+    "peer-limit-global": 200,
+    "peer-limit-per-torrent": 50,
+    "peer-port": 6881,
+    "peer-port-random-high": 65535,
+    "peer-port-random-low": 49152,
+    "peer-port-random-on-start": false,
+    "peer-socket-tos": "le",
+    "pex-enabled": true,
+    "port-forwarding-enabled": false,
+    "preallocation": 1,
+    "prefetch-enabled": true,
+    "queue-stalled-enabled": true,
+    "queue-stalled-minutes": 30,
+    "ratio-limit": 0,
+    "ratio-limit-enabled": true,
+    "rename-partial-files": true,
+    "rpc-authentication-required": false,
+    "rpc-bind-address": "0.0.0.0",
+    "rpc-enabled": true,
+    "rpc-host-whitelist": "127.0.0.1,localhost,london-b,download.pez.sh,download.pez.solutions",
+    "rpc-host-whitelist-enabled": false,
+    "rpc-port": 9091,
+    "rpc-socket-mode": "0750",
+    "rpc-url": "/transmission/",
+    "rpc-username": "transmission",
+    "rpc-whitelist": "127.0.0.1,localhost,london-b,download.pez.sh,download.pez.solutions",
+    "rpc-whitelist-enabled": false,
+    "scrape-paused-torrents-enabled": true,
+    "script-torrent-added-enabled": false,
+    "script-torrent-added-filename": "",
+    "script-torrent-done-enabled": false,
+    "script-torrent-done-filename": "",
+    "script-torrent-done-seeding-enabled": false,
+    "script-torrent-done-seeding-filename": "",
+    "seed-queue-enabled": false,
+    "seed-queue-size": 10,
+    "speed-limit-down": 50,
+    "speed-limit-down-enabled": false,
+    "speed-limit-up": 1000,
+    "speed-limit-up-enabled": true,
+    "start-added-torrents": true,
+    "tcp-enabled": true,
+    "torrent-added-verify-mode": "fast",
+    "trash-original-torrent-files": false,
+    "umask": "022",
+    "upload-limit": 100,
+    "upload-limit-enabled": 0,
+    "upload-slots-per-torrent": 14,
+    "utp-enabled": true
+}

ansible/services/vsftpd/config/london-b.conf

@@ -0,0 +1,18 @@
+listen=NO
+listen_ipv6=YES
+anonymous_enable=YES
+local_enable=YES
+write_enable=NO
+anon_upload_enable=NO
+dirmessage_enable=YES
+use_localtime=YES
+xferlog_enable=YES
+connect_from_port_20=YES
+ftpd_banner=Welcome to the Pez Dispenser
+secure_chroot_dir=/var/run/vsftpd/empty
+pam_service_name=vsftpd
+rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+ssl_enable=NO
+anon_root=/hdd/ftp
+allow_writeable_chroot=YES

ansible/services/whisparr/whisparr.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Whisparr Daemon
+After=syslog.target network.target
+
+[Service]
+User=root
+Group=root
+UMask=0002
+Type=simple
+ExecStart=/opt/Whisparr/Whisparr -nobrowser -data=/var/lib/whisparr/
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

docs/hosts/london-b.md

@@ -68,7 +68,49 @@ RAIDZ1 tolerates one drive failure per vdev. With this many drives and this much
 | smartctl_exporter | 9633 | (Prometheus scrape) |
 | prom-plex-exporter | — | (Prometheus scrape) |
 
-All services run in Docker. Media is served directly from the ZFS pool.
+### Systemd Services (non-Docker)
+
+The media automation suite and several supporting services run as native systemd units, not in Docker:
+
+| Service | Unit Name | Notes |
+|---------|-----------|-------|
+| Sonarr | sonarr | Package-managed (mono) |
+| Radarr | radarr | /opt/Radarr, custom unit |
+| Prowlarr | prowlarr | /opt/Prowlarr, custom unit |
+| Lidarr | lidarr | /opt/Lidarr, custom unit |
+| Readarr | readarr | /opt/Readarr, custom unit |
+| Whisparr | whisparr | /opt/Whisparr, custom unit (disabled) |
+| Plex | plexmediaserver | Package-managed |
+| Jellyfin | jellyfin | Package-managed |
+| Transmission | transmission-daemon | Package-managed |
+| Samba | smbd | Package-managed |
+| Ollama | ollama | /usr/local/bin, custom unit |
+| Promtail | promtail | Custom unit, ships logs to Loki |
+| Cloudflared | cloudflared | Tunnel to Cloudflare |
+| vsftpd | vsftpd | FTP server for /hdd/ftp |
+| systemd_exporter | systemd_exporter | Ansible-managed |
+| node_exporter | node_exporter | Ansible-managed |
+
+Docker services: Nextcloud AIO, Jellyseerr, Navidrome, slskd, Miniflux, smartctl-exporter, plex-exporter.
+
+### Cron Jobs
+
+| Schedule | Job |
+|----------|-----|
+| Every hour | `/root/scripts/movie-rename-fix.fish` |
+| Midnight daily | `systemctl restart radarr` |
+| Midnight daily | `systemctl restart sonarr` |
+| 22:00 daily | `/root/scripts/backup.sh` (rclone to B2) |
+
+### Samba Shares
+
+| Share | Path | Access |
+|-------|------|--------|
+| HDD | /hdd | pez, root (rw) |
+| Movies | /hdd/movies | public (ro) |
+| TV Shows | /hdd/tv | public (ro) |
+
+Media is served directly from the ZFS pool.
 
 ## Networking