authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/ttrss/tasks
downloadselfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz
selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip
initial commit
Diffstat (limited to 'roles/ttrss/tasks')
-rw-r--r--roles/ttrss/tasks/database.yml26
-rw-r--r--roles/ttrss/tasks/freeipa.yml46
-rw-r--r--roles/ttrss/tasks/main.yml96
3 files changed, 168 insertions, 0 deletions
diff --git a/roles/ttrss/tasks/database.yml b/roles/ttrss/tasks/database.yml
new file mode 100644
index 0000000..ca20eeb
--- /dev/null
+++ b/roles/ttrss/tasks/database.yml
@@ -0,0 +1,26 @@
+- name: create database
+ postgresql_db:
+ name: '{{ ttrss_db_name }}'
+ state: present
+ delegate_to: "{{ postgresql_inventory_host }}"
+ become: yes
+ become_user: postgres
+
+- name: create database user
+ postgresql_user:
+ name: '{{ ttrss_user }}'
+ db: '{{ ttrss_db_name }}'
+ priv: ALL
+ state: present
+ delegate_to: "{{ postgresql_inventory_host }}"
+ become: yes
+ become_user: postgres
+
+- name: update database schema
+ command: php {{ ttrss_home }}/update.php --update-schema=force-yes
+ become: yes
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ register: ttrss_update_schema
+ changed_when: ttrss_update_schema.stdout is not search('Database schema is already at latest version')
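Review bot: The `create database user` task grants `priv: ALL` on the database to the application role, and nothing in the hunk records why a grant that broad is needed. The `update database schema` task runs `update.php` as `apache`, so the application presumably applies its own migrations under that same role; if that is the reason, say so above the grant, e.g. `# app role runs its own schema migrations (update.php), hence the database-wide grant`. Without that note a later reader cannot tell a deliberate choice from a default, and cannot judge whether the runtime role could be narrowed if migrations moved to a separate account.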
diff --git a/roles/ttrss/tasks/freeipa.yml b/roles/ttrss/tasks/freeipa.yml
new file mode 100644
index 0000000..a8d4ddf
--- /dev/null
+++ b/roles/ttrss/tasks/freeipa.yml
@@ -0,0 +1,46 @@
+- name: create user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ ttrss_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ ttrss_home }}'
+ givenname: TinyTinyRSS
+ sn: Service Account
+ state: present
+ run_once: yes
+
+- name: retrieve user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ ttrss_user }}'
+ keytab_path: '{{ ttrss_keytab }}'
+
+- name: configure gssproxy for kerberized postgres
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: ttrss
+ gssproxy_section: service/php-fpm
+ gssproxy_client_keytab: '{{ ttrss_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: apache
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ ttrss_access_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
+
+- name: create admin group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ ttrss_admin_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
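Review bot: The `retrieve user keytab` include passes only `keytab_principal` and `keytab_path`, so the owner and mode of the keytab are whatever the `freeipa_keytab` role defaults to, which is not visible in this hunk. A keytab is a long-lived credential for the service principal, and the gssproxy block that follows sets `gssproxy_euid: apache`, which suggests the web server account is meant to obtain credentials through gssproxy rather than read the file directly. A comment above the include would record that expectation for whoever audits the role later, e.g. `# keytab is consumed via gssproxy only; it should stay root-owned and unreadable by apache`.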
diff --git a/roles/ttrss/tasks/main.yml b/roles/ttrss/tasks/main.yml
new file mode 100644
index 0000000..13cd9b0
--- /dev/null
+++ b/roles/ttrss/tasks/main.yml
@@ -0,0 +1,96 @@
+- name: install packages
+ dnf:
+ name: '{{ ttrss_packages }}'
+ state: present
+
+- name: create webroot
+ file:
+ path: '{{ ttrss_home }}'
+ state: directory
+
+- name: clone git repository
+ git:
+ repo: '{{ ttrss_git_repo }}'
+ dest: '{{ ttrss_home }}'
+ version: '{{ ttrss_version }}'
+ update: yes
+
+- name: set httpd_sys_rw_content_t selinux context for writable directories
+ sefcontext:
+ target: '{{ ttrss_home }}/{{ item }}(/.*)?'
+ setype: httpd_sys_rw_content_t
+ state: present
+ loop: '{{ ttrss_writable_dirs }}'
+ register: ttrss_writeable_sefcontext
+
+- name: apply selinux context to writeable directories
+ command: 'restorecon -R {{ ttrss_home }}/{{ item }}'
+ when: ttrss_writeable_sefcontext.results[index].changed
+ loop: '{{ ttrss_writable_dirs }}'
+ loop_control:
+ index_var: index
+
+- name: set permissions on writable directories
+ file:
+ path: '{{ ttrss_home }}/{{ item }}'
+ mode: 0775
+ owner: root
+ group: apache
+ setype: httpd_sys_rw_content_t
+ loop: '{{ ttrss_writable_dirs }}'
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: create auth_freeipa plugin directory
+ file:
+ path: '{{ ttrss_home }}/plugins.local/auth_freeipa'
+ state: directory
+
+- name: download auth_freeipa plugin
+ get_url:
+ url: '{{ ttrss_freeipa_plugin_url }}'
+ dest: '{{ ttrss_home }}/plugins.local/auth_freeipa/init.php'
+
+- name: generate config file
+ template:
+ src: '{{ ttrss_home[1:] }}/config.php.j2'
+ dest: '{{ ttrss_home }}/config.php'
+
+- import_tasks: database.yml
+ tags: database
+
+- name: generate systemd unit for updating feeds
+ template:
+ src: etc/systemd/system/ttrss.service.j2
+ dest: /etc/systemd/system/ttrss.service
+ register: ttrss_unit
+
+- name: reload systemd units
+ systemd:
+ name: ttrss
+ state: restarted
+ daemon_reload: yes
+ when: ttrss_unit.changed
+
+- name: start background feed updates
+ systemd:
+ name: ttrss
+ enabled: yes
+ state: started
+
+- name: generate update script
+ template:
+ src: 'usr/local/sbin/ttrss-update.sh.j2'
+ dest: '/usr/local/sbin/ttrss-update.sh'
+ mode: 0555
+
+- name: create ttrss-update timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: ttrss-update
+ timer_description: Update ttrss
+ timer_after: network.target
+ timer_on_calendar: '{{ ttrss_update_on_calendar }}'
+ timer_exec: /usr/local/sbin/ttrss-update.sh
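Review bot: The `download auth_freeipa plugin` task fetches `init.php` from `ttrss_freeipa_plugin_url` without a `checksum`, so whatever that URL serves at run time is installed as PHP code under the application's plugin directory. Pinning the expected digest makes a changed or tampered file fail the play instead of being deployed: add `checksum: 'sha256:<pinned-digest-placeholder>'` to the `get_url` arguments. The same concern applies to `clone git repository` if `ttrss_version` names a branch rather than a tag or commit, since `update: yes` would then follow upstream on every run; the variable's value is not visible here. Separately, `mode: 0775` and `mode: 0555` are safer written as quoted strings (`'0775'`, `'0555'`) so the result does not depend on how the YAML parser treats a leading zero.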