authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/nitter
initial commit
Diffstat (limited to 'roles/nitter')
-rw-r--r--roles/nitter/defaults/main.yml21
-rw-r--r--roles/nitter/handlers/main.yml4
-rw-r--r--roles/nitter/meta/main.yml7
-rw-r--r--roles/nitter/tasks/main.yml97
-rw-r--r--roles/nitter/templates/etc/systemd/system/nitter.service.j234
-rw-r--r--roles/nitter/templates/opt/nitter/nitter-update.sh.j240
-rw-r--r--roles/nitter/templates/opt/nitter/nitter/nitter.conf.j238
-rw-r--r--roles/nitter/vars/main.yml14
8 files changed, 255 insertions, 0 deletions
diff --git a/roles/nitter/defaults/main.yml b/roles/nitter/defaults/main.yml
new file mode 100644
index 0000000..bac10c0
--- /dev/null
+++ b/roles/nitter/defaults/main.yml
@@ -0,0 +1,21 @@
+nitter_version: master
+
+nitter_server_name: '{{ ansible_fqdn }}'
+
+nitter_port: 8080
+nitter_user: nitter
+
+nitter_update_on_calendar: weekly
+
+nitter_hmac_key: secretKey
+
+nitter_max_connections: 100
+nitter_token_count: 10
+
+nitter_cache_list_minutes: 240
+nitter_cache_rss_minutes: 10
+nitter_redis_host: localhost
+nitter_redis_port: 6379
+nitter_redis_password: ''
+nitter_redis_connections: 20
+nitter_redis_max_connections: 30
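Review bot: `nitter_hmac_key: secretKey` ships a fixed, publicly readable value as the default for the key that the config template writes into `hmacKey`, so any host that does not override it runs with a key anyone can read from this repository. Consider dropping the default and failing early when the variable is unset, or at least marking it with a comment such as `# REQUIRED: set a random per-host value from the vault; never deploy the placeholder`. Separately, `nitter_version: master` makes every run build whatever the branch head is at that moment; pinning a commit would make deployments reproducible and reviewable.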
diff --git a/roles/nitter/handlers/main.yml b/roles/nitter/handlers/main.yml
new file mode 100644
index 0000000..67fb6a4
--- /dev/null
+++ b/roles/nitter/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart nitter
+ systemd:
+ name: nitter
+ state: restarted
diff --git a/roles/nitter/meta/main.yml b/roles/nitter/meta/main.yml
new file mode 100644
index 0000000..c60a259
--- /dev/null
+++ b/roles/nitter/meta/main.yml
@@ -0,0 +1,7 @@
+dependencies:
+ - role: nim
+ tags: nim
+
+ - role: redis
+ redis_port: '{{ nitter_redis_port }}'
+ tags: redis
diff --git a/roles/nitter/tasks/main.yml b/roles/nitter/tasks/main.yml
new file mode 100644
index 0000000..68c8190
--- /dev/null
+++ b/roles/nitter/tasks/main.yml
@@ -0,0 +1,97 @@
+- name: install dependencies
+ dnf:
+ name: '{{ nitter_packages }}'
+ state: present
+
+- name: create local user
+ user:
+ name: '{{ nitter_user }}'
+ system: yes
+ home: '{{ nitter_home }}'
+ shell: /sbin/nologin
+ create_home: no
+
+- name: create home directory
+ file:
+ path: '{{ nitter_home }}'
+ owner: '{{ nitter_user }}'
+ group: '{{ nitter_user }}'
+ mode: 0755
+ state: directory
+
+- name: clone repository
+ git:
+ repo: '{{ nitter_git_repo }}'
+ dest: '{{ nitter_install_dir }}'
+ version: '{{ nitter_version }}'
+ force: yes
+ update: yes
+ register: nitter_git
+ become: yes
+ become_user: '{{ nitter_user }}'
+
+- name: build nitter
+ command:
+ chdir: '{{ nitter_install_dir }}'
+ cmd: 'nimble --accept {{ item }}'
+ environment:
+ PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:{{ nim_install_dir }}/bin
+ loop:
+ - build -d:release
+ - scss
+ - md
+ become: yes
+ become_user: '{{ nitter_user }}'
+ when: nitter_git.changed
+ notify: restart nitter
+
+- name: generate config file
+ template:
+ src: '{{ nitter_install_dir[1:] }}/nitter.conf.j2'
+ dest: '{{ nitter_install_dir }}/nitter.conf'
+ owner: '{{ nitter_user }}'
+ group: '{{ nitter_user }}'
+ mode: 0600
+ notify: restart nitter
+
+- name: create systemd unit
+ template:
+ src: etc/systemd/system/nitter.service.j2
+ dest: /etc/systemd/system/nitter.service
+ register: nitter_unit
+ notify: restart nitter
+
+- name: reload systemd daemons
+ systemd:
+ daemon_reload: yes
+ when: nitter_unit.changed
+
+- name: start nitter
+ systemd:
+ name: nitter
+ enabled: yes
+ state: started
+
+- name: set http_port_t context for nitter port
+ seport:
+ ports: '{{ nitter_port }}'
+ proto: tcp
+ setype: http_port_t
+ state: present
+ tags: selinux
+
+- name: generate update script
+ template:
+ src: '{{ nitter_home[1:] }}/nitter-update.sh.j2'
+ dest: '{{ nitter_home }}/nitter-update.sh'
+ mode: 0555
+
+- name: create nitter-update systemd timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: nitter-update
+ timer_description: Update nitter
+ timer_after: network.target
+ timer_on_calendar: '{{ nitter_update_on_calendar }}'
+ timer_exec: '{{ nitter_home }}/nitter-update.sh'
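Review bot: The update script is installed into `{{ nitter_home }}`, which the "create home directory" task hands to `{{ nitter_user }}` with mode 0755, so the service account can replace `nitter-update.sh` in that directory even though the file itself is 0555. The script refuses to run unless it is superuser, so the timer presumably runs it as root, which would let a compromised nitter process run code as root at the next timer run. Install the script in a root-owned directory instead, e.g. `dest: /usr/local/sbin/nitter-update.sh` with `owner: root` and `group: root`, and point `timer_exec` at the same path. The "create systemd unit" task also sets no `owner` or `mode`, and the octal modes are safer quoted (`mode: '0755'`).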
diff --git a/roles/nitter/templates/etc/systemd/system/nitter.service.j2 b/roles/nitter/templates/etc/systemd/system/nitter.service.j2
new file mode 100644
index 0000000..59b0ba6
--- /dev/null
+++ b/roles/nitter/templates/etc/systemd/system/nitter.service.j2
@@ -0,0 +1,34 @@
+[Unit]
+Description=nitter twitter proxy
+After=network.target redis@{{ nitter_redis_port }}.service
+Requires=redis@{{ nitter_redis_port }}.service
+AssertPathExists={{ nitter_install_dir }}
+
+[Service]
+Type=simple
+ExecStart={{ nitter_install_dir }}/nitter
+WorkingDirectory={{ nitter_install_dir }}
+User={{ nitter_user }}
+Group={{ nitter_user }}
+Restart=always
+RestartSec=15
+
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# for details
+DevicePolicy=closed
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
+
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
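Review bot: `SystemCallFilter=` is set without `SystemCallArchitectures=native`. The systemd documentation recommends combining the two, because on a multi-ABI system a process may otherwise reach the filtered calls through a secondary ABI. Adding `SystemCallArchitectures=native` after the filter line closes that gap. `CapabilityBoundingSet=` (empty) and `ProtectKernelLogs=yes` would fit the existing hardening block as well, assuming the targeted systemd version supports them.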
diff --git a/roles/nitter/templates/opt/nitter/nitter-update.sh.j2 b/roles/nitter/templates/opt/nitter/nitter-update.sh.j2
new file mode 100644
index 0000000..8d5782e
--- /dev/null
+++ b/roles/nitter/templates/opt/nitter/nitter-update.sh.j2
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+set -eu
+
+SRCDIR={{ nitter_install_dir | quote }}
+NITTER_USER={{ nitter_user | quote }}
+
+export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:{{ nim_install_dir }}/bin'
+
+as-nitter() {
+ runuser -u "$NITTER_USER" -- "$@"
+}
+
+if (( $EUID != 0 )); then
+ echo 'must be superuser' 1>&2
+ exit 1
+fi
+
+cd "$SRCDIR"
+
+as-nitter git fetch
+
+local_rev=$(git rev-parse HEAD)
+upstream_rev=$(git rev-parse '@{u}')
+
+echo "local: $local_rev"
+echo "upstream: $upstream_rev"
+
+if [ "$local_rev" != "$upstream_rev" ]; then
+ as-nitter git pull --ff-only
+
+ echo "building nitter..."
+ as-nitter nimble --accept build -d:release
+ as-nitter nimble --accept scss
+ as-nitter nimble --accept md
+
+ systemctl restart nitter
+else
+ echo "nitter is already up to date"
+fi
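Review bot: The two `git rev-parse` calls run as root inside a work tree owned by `$NITTER_USER`, while every other git and nimble command goes through `as-nitter`. Root should not run git in a repository that an unprivileged account controls. Git releases that carry the repository-ownership check (`safe.directory`) are also likely to abort here with a dubious-ownership error, which `set -e` turns into a failed update. Use `local_rev=$(as-nitter git rev-parse HEAD)` and `upstream_rev=$(as-nitter git rev-parse '@{u}')`. The `PATH` export also interpolates `{{ nim_install_dir }}` inside single quotes without the `quote` filter that `SRCDIR` and `NITTER_USER` use.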
diff --git a/roles/nitter/templates/opt/nitter/nitter/nitter.conf.j2 b/roles/nitter/templates/opt/nitter/nitter/nitter.conf.j2
new file mode 100644
index 0000000..83deef3
--- /dev/null
+++ b/roles/nitter/templates/opt/nitter/nitter/nitter.conf.j2
@@ -0,0 +1,38 @@
+[Server]
+address = "127.0.0.1"
+port = {{ nitter_port }}
+https = true
+httpMaxConnections = {{ nitter_max_connections }}
+staticDir = "./public"
+title = "nitter"
+hostname = "{{ nitter_server_name }}"
+
+[Cache]
+listMinutes = 240
+rssMinutes = 10
+redisHost = "127.0.0.1"
+redisPort = {{ nitter_redis_port }}
+redisPassword = ""
+redisConnections = 20
+redisMaxConnections = 30
+
+[Config]
+hmacKey = "{{ nitter_hmac_key }}"
+base64Media = false
+enableRSS = true
+enableDebug = false
+
+proxy = ""
+proxyAuth = ""
+
+tokenCount = {{ nitter_token_count }}
+
+[Preferences]
+theme = "Nitter"
+replaceTwitter = ""
+replaceYouTube = ""
+replaceReddit = ""
+replaceInstagram = ""
+proxyVideos = true
+hlsPlayback = true
+infiniteScroll = true
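Review bot: The `[Cache]` section hard-codes `listMinutes`, `rssMinutes`, `redisHost`, `redisPassword`, `redisConnections` and `redisMaxConnections`, although defaults/main.yml defines a variable for each of them (`nitter_cache_list_minutes`, `nitter_redis_password`, and so on). Overriding those variables therefore has no effect. In particular, setting `nitter_redis_password` still renders an empty `redisPassword`, so nitter would not authenticate to a password-protected Redis. The section should render the variables, as the other templated settings in this file already do.

```ini
[Cache]
listMinutes = {{ nitter_cache_list_minutes }}
rssMinutes = {{ nitter_cache_rss_minutes }}
redisHost = "{{ nitter_redis_host }}"
redisPort = {{ nitter_redis_port }}
redisPassword = "{{ nitter_redis_password }}"
redisConnections = {{ nitter_redis_connections }}
redisMaxConnections = {{ nitter_redis_max_connections }}
```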
diff --git a/roles/nitter/vars/main.yml b/roles/nitter/vars/main.yml
new file mode 100644
index 0000000..a7b0f3f
--- /dev/null
+++ b/roles/nitter/vars/main.yml
@@ -0,0 +1,14 @@
+nitter_git_repo: https://github.com/zedeus/nitter
+nitter_home: /opt/nitter
+nitter_install_dir: '{{ nitter_home }}/nitter'
+
+nitter_packages:
+ - libsass
+ - libsass-devel
+ - pcre
+
+nitter_apache_config: |
+ AllowEncodedSlashes On
+ ProxyPass / http://127.0.0.1:{{ nitter_port }}/ nocanon
+ ProxyPassReverse / http://127.0.0.1:{{ nitter_port }}/
+ {{ apache_proxy_config }}
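Review bot: `AllowEncodedSlashes On` makes Apache decode `%2F` in request paths; the Apache documentation recommends `NoDecode` when encoded slashes must be accepted, since decoding them can yield unexpected paths. Because `ProxyPass` already uses `nocanon`, `AllowEncodedSlashes NoDecode` should preserve the encoded form that nitter expects, though this needs checking against the URLs actually proxied. `{{ apache_proxy_config }}` is not defined anywhere in this role, so a comment naming the role that provides it would help the next reader.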