authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/teddit
initial commit
Diffstat (limited to 'roles/teddit')
-rw-r--r--roles/teddit/defaults/main.yml24
-rw-r--r--roles/teddit/handlers/main.yml4
-rw-r--r--roles/teddit/meta/main.yml10
-rw-r--r--roles/teddit/tasks/main.yml104
-rw-r--r--roles/teddit/templates/etc/systemd/system/teddit.service.j236
-rw-r--r--roles/teddit/templates/opt/teddit/teddit-update.sh.j236
-rw-r--r--roles/teddit/templates/opt/teddit/teddit/config.js.j271
-rw-r--r--roles/teddit/vars/main.yml13
8 files changed, 298 insertions, 0 deletions
diff --git a/roles/teddit/defaults/main.yml b/roles/teddit/defaults/main.yml
new file mode 100644
index 0000000..35557ef
--- /dev/null
+++ b/roles/teddit/defaults/main.yml
@@ -0,0 +1,24 @@
+teddit_version: main
+teddit_user: teddit
+teddit_port: 8080
+teddit_server_name: '{{ ansible_fqdn }}'
+
+teddit_update_on_calendar: weekly
+
+teddit_use_reddit_oauth: no
+teddit_theme: auto
+teddit_clean_homepage: yes
+teddit_flairs_enabled: no
+teddit_highlight_controversial: yes
+teddit_videos_muted: yes
+teddit_comments_sort: confidence
+teddit_show_upvotes: yes
+teddit_show_upvote_percentage: yes
+teddit_suggested_subreddits:
+ - All
+ - Saved
+
+teddit_redis_host: 127.0.0.1
+teddit_redis_password: ''
+teddit_redis_port: 6379
+teddit_cache_control_interval: 24
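Review bot: `teddit_version: main` tracks a moving branch, and together with `teddit_update_on_calendar: weekly` and the `package-lock=false` line written by the tasks file, whatever upstream and its npm dependency tree publish is fetched and run without review. Consider defaulting `teddit_version` to a reviewed tag or commit hash and making the update timer opt-in. The booleans in this file are written `yes`/`no`; `true`/`false` is the form that parses the same under every YAML loader.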
diff --git a/roles/teddit/handlers/main.yml b/roles/teddit/handlers/main.yml
new file mode 100644
index 0000000..3b0ce8a
--- /dev/null
+++ b/roles/teddit/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart teddit
+ systemd:
+ name: teddit
+ state: restarted
diff --git a/roles/teddit/meta/main.yml b/roles/teddit/meta/main.yml
new file mode 100644
index 0000000..7422a2b
--- /dev/null
+++ b/roles/teddit/meta/main.yml
@@ -0,0 +1,10 @@
+dependencies:
+ - role: yum
+ yum_repositories:
+ - epel
+ - rpmfusion-free
+ tags: yum
+
+ - role: redis
+ redis_port: '{{ teddit_redis_port }}'
+ tags: redis
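Review bot: The redis dependency is given only `redis_port`, so `teddit_redis_password` is written into config.js but, as far as this file shows, never reaches the Redis instance. If an operator sets a password, teddit would presumably authenticate against a server that does not require it, and the cache stays unauthenticated for every other local process. Pass the password through whichever variable the redis role exposes for it (that role is not visible here), or add a comment stating that the cache is intentionally unauthenticated on loopback.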
diff --git a/roles/teddit/tasks/main.yml b/roles/teddit/tasks/main.yml
new file mode 100644
index 0000000..a26370f
--- /dev/null
+++ b/roles/teddit/tasks/main.yml
@@ -0,0 +1,104 @@
+- name: install packages
+ dnf:
+ name: '{{ teddit_packages }}'
+ state: present
+
+- name: create local user
+ user:
+ name: '{{ teddit_user }}'
+ system: yes
+ home: '{{ teddit_home }}'
+ shell: /sbin/nologin
+ create_home: no
+
+- name: create home directory
+ file:
+ path: '{{ teddit_home }}'
+ owner: '{{ teddit_user }}'
+ group: '{{ teddit_user }}'
+ mode: 0755
+ state: directory
+
+- name: disable npm package lock
+ lineinfile:
+ regexp: ^package-lock=
+ line: package-lock=false
+ path: '{{ teddit_home }}/.npmrc'
+ create: yes
+ owner: '{{ teddit_user }}'
+ group: '{{ teddit_user }}'
+ mode: 0600
+ state: present
+
+- name: clone git repository
+ git:
+ repo: '{{ teddit_git_repo }}'
+ dest: '{{ teddit_install_dir }}'
+ version: '{{ teddit_version }}'
+ force: yes
+ update: yes
+ become: yes
+ become_user: '{{ teddit_user }}'
+ register: teddit_git
+ notify: restart teddit
+
+- name: install npm dependencies
+ npm:
+ path: '{{ teddit_install_dir }}'
+ production: yes
+ no_optional: yes
+ become: yes
+ become_user: '{{ teddit_user }}'
+ when: teddit_git.changed
+ notify: restart teddit
+
+- name: create teddit systemd unit
+ template:
+ src: etc/systemd/system/teddit.service.j2
+ dest: /etc/systemd/system/teddit.service
+ register: teddit_unit
+ notify: restart teddit
+
+- name: reload systemd daemons
+ systemd:
+ daemon_reload: yes
+ when: teddit_unit.changed
+
+- name: generate config file
+ template:
+ src: '{{ teddit_install_dir[1:] }}/config.js.j2'
+ dest: '{{ teddit_install_dir }}/config.js'
+ owner: '{{ teddit_user }}'
+ group: '{{ teddit_user }}'
+ mode: 0600
+ notify: restart teddit
+
+- name: start teddit
+ systemd:
+ name: teddit
+ enabled: yes
+ state: started
+
+- name: set http_port_t selinux contect on teddit port
+ seport:
+ ports: '{{ teddit_port }}'
+ proto: tcp
+ setype: http_port_t
+ state: present
+ tags: selinux
+
+- name: generate update script
+ template:
+ src: '{{ teddit_home[1:] }}/teddit-update.sh.j2'
+ dest: '{{ teddit_home }}/teddit-update.sh'
+ mode: 0555
+
+- name: set up teddit-update timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: teddit-update
+ timer_description: Update teddit
+ timer_after: network.target
+ timer_on_calendar: '{{ teddit_update_on_calendar }}'
+ timer_exec: '{{ teddit_home }}/teddit-update.sh'
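Review bot: The `generate update script` task installs `teddit-update.sh` into `{{ teddit_home }}`, a directory that `create home directory` gives to `{{ teddit_user }}`, while the script refuses to run unless it is root and is wired into the timer through `timer_exec`. Ownership of the directory lets the service account replace the file regardless of the file's own 0555 mode, so a process running as teddit can change what the timer later executes as root. Install the script in a root-owned location instead, for example `dest: /usr/local/sbin/teddit-update.sh` with `owner: root` and `group: root`, and point `timer_exec` at that path. The unquoted `mode: 0755` / `0600` / `0555` values are better written as strings (`mode: '0755'`), and the task name `selinux contect` should read `context`.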
diff --git a/roles/teddit/templates/etc/systemd/system/teddit.service.j2 b/roles/teddit/templates/etc/systemd/system/teddit.service.j2
new file mode 100644
index 0000000..35e3d9d
--- /dev/null
+++ b/roles/teddit/templates/etc/systemd/system/teddit.service.j2
@@ -0,0 +1,36 @@
+[Unit]
+Description=teddit reddit proxy
+After=network.target redis@{{ teddit_redis_port }}.service
+Requires=redis@{{ teddit_redis_port }}.service
+AssertPathExists={{ teddit_install_dir }}
+
+[Service]
+Type=simple
+Environment="LISTEN_ADDRESS=127.0.0.1"
+Environment="NODE_ENV=production"
+EnvironmentFile=-/etc/sysconfig/teddit
+ExecStart=/usr/bin/node app.js
+WorkingDirectory={{ teddit_install_dir }}
+User={{ teddit_user }}
+Group={{ teddit_user }}
+Restart=on-failure
+
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# for details
+DevicePolicy=closed
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
+
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
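Review bot: `ProtectSystem=full` leaves `/opt` writable, and the tasks file clones `{{ teddit_install_dir }}` as `{{ teddit_user }}`, so the service process can modify the `app.js` and `node_modules` it executes. Consider `ProtectSystem=strict` with a `ReadWritePaths=` line naming only the directories teddit has to write (which ones is not visible from this commit), so that a flaw in the proxy cannot persist by rewriting its own code. `ProtectKernelLogs=yes` and `LockPersonality=yes` would also fit the existing hardening list.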
diff --git a/roles/teddit/templates/opt/teddit/teddit-update.sh.j2 b/roles/teddit/templates/opt/teddit/teddit-update.sh.j2
new file mode 100644
index 0000000..07de718
--- /dev/null
+++ b/roles/teddit/templates/opt/teddit/teddit-update.sh.j2
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -eu
+
+SRCDIR={{ teddit_install_dir | quote }}
+TEDDIT_USER={{ teddit_user | quote }}
+
+as-teddit() {
+ runuser -u "$TEDDIT_USER" -- "$@"
+}
+
+if (( $EUID != 0 )); then
+ echo 'must be superuser' 1>&2
+ exit 1
+fi
+
+cd "$SRCDIR"
+
+as-teddit git fetch
+
+local_rev=$(git rev-parse HEAD)
+upstream_rev=$(git rev-parse '@{u}')
+
+echo "local: $local_rev"
+echo "upstream: $upstream_rev"
+
+if [ "$local_rev" != "$upstream_rev" ]; then
+ as-teddit git reset --hard HEAD
+
+ echo "installing dependencies..."
+ as-teddit npm install --production --no-optional
+
+ systemctl restart teddit
+else
+ echo "teddit is already up to date"
+fi
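Review bot: `as-teddit git reset --hard HEAD` resets to the commit that is already checked out, so when `local_rev` and `upstream_rev` differ the tree never advances and the npm install and restart repeat on every run; it should be `as-teddit git reset --hard '@{u}'`. The two `git rev-parse` calls run as root inside a repository owned by `$TEDDIT_USER`; recent git releases are expected to reject that with a dubious-ownership error unless `safe.directory` is configured, and root-run git reading a service-owned `.git/config` is best avoided. Route them through the helper, e.g. `local_rev=$(as-teddit git rev-parse HEAD)`. `set -eu` could also become `set -euo pipefail`.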
diff --git a/roles/teddit/templates/opt/teddit/teddit/config.js.j2 b/roles/teddit/templates/opt/teddit/teddit/config.js.j2
new file mode 100644
index 0000000..1f56f92
--- /dev/null
+++ b/roles/teddit/templates/opt/teddit/teddit/config.js.j2
@@ -0,0 +1,71 @@
+const config = {
+ domain: {{ teddit_server_name | to_json }},
+ use_reddit_oauth: {{ teddit_use_reddit_oauth | bool | to_json }},
+ cert_dir: '',
+ theme: {{ teddit_theme | to_json }},
+ clean_homepage: {{ teddit_clean_homepage | bool | to_json }},
+ flairs_enabled: {{ teddit_flairs_enabled | bool | to_json }},
+ highlight_controversial: {{ teddit_highlight_controversial | bool | to_json }},
+ api_enabled: true,
+ api_force_https: false,
+ video_enabled: true,
+ redis_enabled: true,
+ redis_db: 0,
+ redis_host: {{ teddit_redis_host | to_json }},
+ redis_password: {{ teddit_redis_password | to_json }},
+ redis_port: {{ teddit_redis_port | to_json }},
+ ssl_port: 0,
+ nonssl_port: {{ teddit_port }},
+ listen_address: '127.0.0.1',
+ https_enabled: false,
+ redirect_http_to_https: false,
+ redirect_www: false,
+ use_compression: true,
+ use_view_cache: false,
+ use_helmet: false,
+ use_helmet_hsts: false,
+ trust_proxy: true,
+ trust_proxy_address: '127.0.0.1',
+ http_proxy: '',
+ nsfw_enabled: true,
+ videos_muted: {{ teddit_videos_muted | bool | to_json }},
+ post_comments_sort: {{ teddit_comments_sort | to_json }},
+ reddit_app_id: {{ teddit_reddit_app_id | to_json }},
+ domain_replacements: [],
+ cache_control: true,
+ cache_control_interval: {{ teddit_cache_control_interval | int | to_json }},
+ show_upvoted_percentage: {{ teddit_show_upvote_percentage | bool | to_json }},
+ show_upvotes: {{ teddit_show_upvotes | bool | to_json }},
+ post_media_max_heights: {
+ 'extra-small': 300,
+ 'small': 415,
+ 'medium': 600,
+ 'large': 850,
+ 'extra-large': 1200
+ },
+ setexs: {
+ frontpage: 600,
+ subreddit: 600,
+ posts: 600,
+ user: 600,
+ searches: 600,
+ sidebar: 60 * 60 * 24 * 7,
+ shorts: 60 * 60 * 24 * 31,
+ wikis: 60 * 60 * 24 * 7,
+ subreddits_explore: {
+ front: 60 * 60 * 24 * 1,
+ new_page: 60
+ },
+ },
+ rate_limiting: {
+ enabled: false,
+ initial_limit: 100,
+ limit_after_limited: 30
+ },
+ valid_media_domains: ['preview.redd.it', 'external-preview.redd.it', 'i.redd.it', 'v.redd.it', 'a.thumbs.redditmedia.com', 'b.thumbs.redditmedia.com', 'emoji.redditmedia.com', 'styles.redditmedia.com', 'www.redditstatic.com', 'thumbs.gfycat.com', 'i.ytimg.com', 'i.imgur.com'],
+ valid_embed_video_domains: ['gfycat.com', 'youtube.com'],
+ reddit_api_error_text: `Seems like your instance is either blocked (e.g. due to API rate limiting), reddit is currently down, or your API key is expired and not renewd properly. This can also happen for other reasons.`,
+ suggested_subreddits: {{ teddit_suggested_subreddits | to_json }}
+};
+
+module.exports = config;
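Review bot: `reddit_app_id: {{ teddit_reddit_app_id | to_json }}` references a variable that neither defaults/main.yml nor vars/main.yml of this role defines, so unless it is set in inventory the template fails on an undefined variable even with `teddit_use_reddit_oauth: no`. Add `teddit_reddit_app_id: ''` to the defaults, or write `{{ teddit_reddit_app_id | default('') | to_json }}` here. `nonssl_port: {{ teddit_port }}` is the only templated value emitted without a filter; `{{ teddit_port | int | to_json }}` would match the other entries and keep a stray string out of the generated JavaScript.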
diff --git a/roles/teddit/vars/main.yml b/roles/teddit/vars/main.yml
new file mode 100644
index 0000000..c294dfa
--- /dev/null
+++ b/roles/teddit/vars/main.yml
@@ -0,0 +1,13 @@
+teddit_packages:
+ - ffmpeg
+ - nodejs
+ - git
+
+teddit_git_repo: https://codeberg.org/teddit/teddit
+teddit_home: /opt/teddit
+teddit_install_dir: '{{ teddit_home }}/teddit'
+
+teddit_apache_config: |
+ {{ apache_proxy_config }}
+ ProxyPass / http://127.0.0.1:{{ teddit_port }}/
+ ProxyPassReverse / http://127.0.0.1:{{ teddit_port }}/