From 8104cee874bae4c5a3e98bab110585b74ac9c80b Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 11 Feb 2026 12:24:03 -0800
Subject: [PATCH] anubis-el: rework config to hopefully work with el podman and add key

Right now, podman on el9 isn't reading the policy correctly. This is because the env for the unit isn't getting picked up by podman, so instead pass --env-file to read it from a file.

Also, we want to setup a private key for the download servers so they all have the same challenge creation (so if you hit 01 you want your challenge to be good on 02, etc).

Signed-off-by: Kevin Fenzi
---
 roles/anubis-el/files/anubis.service | 10 ++--------
 roles/anubis-el/tasks/main.yml       | 10 ++++++++++
 roles/anubis-el/templates/env.j2     | 10 ++++++++++
 3 files changed, 22 insertions(+), 8 deletions(-)
 create mode 100644 roles/anubis-el/templates/env.j2

diff --git a/roles/anubis-el/files/anubis.service b/roles/anubis-el/files/anubis.service
index 72f28d141a..2b323ac693 100644
--- a/roles/anubis-el/files/anubis.service
+++ b/roles/anubis-el/files/anubis.service
@@ -3,19 +3,13 @@ Description=Anubis Container
 
 [Service]
 User=anubis
-Environment=DIFFICULTY=4
-Environment=METRICS_BIND=":9090"
-Environment=SERVE_ROBOTS_TXT="true"
-Environment=TARGET=http://localhost:3001
-Environment=POLICY_FNAME="/data/cfg/botPolicy.yaml"
-Environment=OG_PASSTHROUGH="true"
-Environment=OG_EXPIRY_TIME="24h"
 ExecStartPre=-/usr/bin/podman stop -t 1 %n
 ExecStartPre=-/usr/bin/podman rm %n --force
 ExecStart=/usr/bin/podman run \
     --net=host --userns=keep-id \
     --rm=true --name %n \
-    -v /srv/anubis:/data/ \
+    -v /srv/anubis:/srv/anubis \
+    --env-file=/srv/anubis/cfg/env \
     --publish 8923:8923 \
     ghcr.io/techarohq/anubis:latest
 ExecStop=/usr/bin/podman stop -t 1 %n
diff --git a/roles/anubis-el/tasks/main.yml b/roles/anubis-el/tasks/main.yml
index 3c4f9e3688..70401c1911 100644
--- a/roles/anubis-el/tasks/main.yml
+++ b/roles/anubis-el/tasks/main.yml
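Review bot: The new bind mount `-v /srv/anubis:/srv/anubis` exposes the whole tree inside the container, including `cfg/env`, which on download hosts carries the Ed25519 private key that podman already injects through the new `--env-file` line; the only in-container path the configuration references is the policy file. Unless Anubis writes somewhere under /srv/anubis (not visible in this hunk), appending `:ro` — `-v /srv/anubis:/srv/anubis:ro \` — keeps a misbehaving container from rewriting its own policy file. A comment above `ExecStart=` would also spare the next reader a trip through git log: `# Runtime settings live in /srv/anubis/cfg/env (Ansible-managed); Environment= lines were not reaching podman on el9, hence --env-file.`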
@@ -100,6 +100,16 @@
   notify:
   - Reload systemd
 
+- name: Add the anubis env file
+  ansible.builtin.template:
+    src: env.j2
+    dest: /srv/anubis/cfg/env
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    Restart anubis-el
+
 - name: Enable and make sure pod is started
   ansible.builtin.systemd:
     name: anubis
diff --git a/roles/anubis-el/templates/env.j2 b/roles/anubis-el/templates/env.j2
new file mode 100644
index 0000000000..54a989d449
--- /dev/null
+++ b/roles/anubis-el/templates/env.j2
@@ -0,0 +1,10 @@
+DIFFICULTY=4
+METRICS_BIND=:9090
+SERVE_ROBOTS_TXT=true
+TARGET=http://localhost:3923
+POLICY_FNAME=/srv/anubis/cfg/botPolicy.yaml
+OG_PASSTHROUGH=true
+OG_EXPIRY_TIME=24h
+{% if inventory_hostname in groups['download'] %}
+ED25519_PRIVATE_KEY_HEX={{ anubis_dl_ed25519_key }}
+{% endif %}
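Review bot: `mode: '0644'` on the new env file makes it world-readable, and on download hosts that file carries `ED25519_PRIVATE_KEY_HEX` (see the env.j2 hunk), so any local account on those servers can read the key that makes challenges valid across the whole download pool. Podman reads the file as the unit's `User=anubis`, so `group: anubis` together with `mode: '0640'` keeps the service working while closing the other-readable bit, assuming an anubis group exists next to that user (not visible here); otherwise `owner: anubis` with `mode: '0600'` does the same. Because the rendered template contains the secret, `no_log: true` on this task also keeps it out of the run output when the playbook is invoked with `--diff` or `-v`.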
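Review bot: `TARGET=http://localhost:3923` changes the backend port from the 3001 that the removed `Environment=` line used, and neither the commit message nor the template says why; if 3923 is intentional it deserves a sentence in the message or a comment here, and if it is a typo Anubis will proxy every request to a closed port after the restart. A header comment would also help whoever finds this file on a host, e.g. `# Managed by Ansible (roles/anubis-el/templates/env.j2). Read by podman --env-file, which takes values literally, so no quotes.` — podman's env-file format accepts `#` comment lines, as far as I know. Hosts outside the `download` group get no key and so, presumably, a fresh per-start key, meaning their outstanding challenges do not survive a restart; that is likely fine for single hosts but is worth stating in the same comment.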