anubis-el: rework config to hopefully work with el podman and add key

Right now, podman on el9 isn't reading the policy correctly.
This is because the env for the unit isn't getting picked up
by podman, so instead pass --env-file to read it from a file.
Also, we want to setup a private key for the download servers
so they all have the same challenge creation (so if you hit 01
you want your challenge to be good on 02, etc).

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

roles/anubis-el/files/anubis.service

@@ -3,19 +3,13 @@ Description=Anubis Container
 
 [Service]
 User=anubis
-Environment=DIFFICULTY=4
-Environment=METRICS_BIND=":9090"
-Environment=SERVE_ROBOTS_TXT="true"
-Environment=TARGET=http://localhost:3001
-Environment=POLICY_FNAME="/data/cfg/botPolicy.yaml"
-Environment=OG_PASSTHROUGH="true"
-Environment=OG_EXPIRY_TIME="24h"
 ExecStartPre=-/usr/bin/podman stop -t 1 %n
 ExecStartPre=-/usr/bin/podman rm %n --force
 ExecStart=/usr/bin/podman run \
             --net=host --userns=keep-id \
             --rm=true --name %n \
-            -v /srv/anubis:/data/ \
+            -v /srv/anubis:/srv/anubis \
+            --env-file=/srv/anubis/cfg/env \
             --publish 8923:8923 \
             ghcr.io/techarohq/anubis:latest
 ExecStop=/usr/bin/podman stop -t 1 %n

roles/anubis-el/tasks/main.yml

@@ -100,6 +100,16 @@
   notify:
   - Reload systemd
 
+- name: Add the anubis env file
+  ansible.builtin.template:
+    src: env.j2
+    dest: /srv/anubis/cfg/env
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    Restart anubis-el
+
 - name: Enable and make sure pod is started
   ansible.builtin.systemd:
     name: anubis

roles/anubis-el/templates/env.j2

@@ -0,0 +1,10 @@
+DIFFICULTY=4
+METRICS_BIND=:9090
+SERVE_ROBOTS_TXT=true
+TARGET=http://localhost:3923
+POLICY_FNAME=/srv/anubis/cfg/botPolicy.yaml
+OG_PASSTHROUGH=true
+OG_EXPIRY_TIME=24h
+{% if inventory_hostname in groups['download'] %}
+ED25519_PRIVATE_KEY_HEX={{ anubis_dl_ed25519_key }}
+{% endif %}