From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001 From: Stonewall Jackson Date: Sat, 4 Feb 2023 01:23:43 -0500 Subject: initial commit --- roles/ttrss/defaults/main.yml | 16 ++++ roles/ttrss/handlers/main.yml | 4 + roles/ttrss/tasks/database.yml | 26 ++++++ roles/ttrss/tasks/freeipa.yml | 46 +++++++++++ roles/ttrss/tasks/main.yml | 96 ++++++++++++++++++++++ .../templates/etc/systemd/system/ttrss.service.j2 | 18 ++++ .../templates/usr/local/sbin/ttrss-update.sh.j2 | 27 ++++++ roles/ttrss/templates/var/www/ttrss/config.php.j2 | 23 ++++++ roles/ttrss/vars/main.yml | 47 +++++++++++ 9 files changed, 303 insertions(+) create mode 100644 roles/ttrss/defaults/main.yml create mode 100644 roles/ttrss/handlers/main.yml create mode 100644 roles/ttrss/tasks/database.yml create mode 100644 roles/ttrss/tasks/freeipa.yml create mode 100644 roles/ttrss/tasks/main.yml create mode 100644 roles/ttrss/templates/etc/systemd/system/ttrss.service.j2 create mode 100644 roles/ttrss/templates/usr/local/sbin/ttrss-update.sh.j2 create mode 100644 roles/ttrss/templates/var/www/ttrss/config.php.j2 create mode 100644 roles/ttrss/vars/main.yml (limited to 'roles/ttrss') diff --git a/roles/ttrss/defaults/main.yml b/roles/ttrss/defaults/main.yml new file mode 100644 index 0000000..02c9b2e --- /dev/null +++ b/roles/ttrss/defaults/main.yml @@ -0,0 +1,16 @@ +ttrss_freeipa_plugin_version: HEAD + +ttrss_update_on_calendar: weekly + +ttrss_server_name: '{{ ansible_fqdn }}' +ttrss_url: https://{{ ttrss_server_name }} + +ttrss_user: s-ttrss +ttrss_db_host: '{{ postgresql_host }}' +ttrss_db_name: ttrss +ttrss_session_lifetime_sec: 604800 +ttrss_email_from_name: Tiny Tiny RSS +ttrss_email_from_address: ttrss-noreply@{{ email_domain }} + +ttrss_access_group: role-ttrss-access +ttrss_admin_group: role-ttrss-admin diff --git a/roles/ttrss/handlers/main.yml b/roles/ttrss/handlers/main.yml new file mode 100644 index 0000000..f644426 --- /dev/null +++ b/roles/ttrss/handlers/main.yml 
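Review bot: `ttrss_freeipa_plugin_version: HEAD` makes the authentication plugin a floating reference, and the `download auth_freeipa plugin` task in roles/ttrss/tasks/main.yml fetches it with `get_url` and no `checksum:`, so whatever the remote serves is written to `plugins.local/auth_freeipa/init.php` and executed by the web server on the next run. Because this plugin decides who is logged in, pin the default to a tag or commit and add `checksum: 'sha256:<PLACEHOLDER>'` to the download task. `ttrss_freeipa_plugin_url` lives in vars/main.yml, which is not part of this excerpt, so I cannot tell whether the version is interpolated into the URL at all. The file also has no leading `---` document marker, which the other Ansible files in the role would normally share.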
@@ -0,0 +1,4 @@
+- name: restart php-fpm
+ systemd:
+ name: php-fpm
+ state: restarted
diff --git a/roles/ttrss/tasks/database.yml b/roles/ttrss/tasks/database.yml
new file mode 100644
index 0000000..ca20eeb
--- /dev/null
+++ b/roles/ttrss/tasks/database.yml
@@ -0,0 +1,26 @@
+- name: create database
+ postgresql_db:
+ name: '{{ ttrss_db_name }}'
+ state: present
+ delegate_to: "{{ postgresql_inventory_host }}"
+ become: yes
+ become_user: postgres
+
+- name: create database user
+ postgresql_user:
+ name: '{{ ttrss_user }}'
+ db: '{{ ttrss_db_name }}'
+ priv: ALL
+ state: present
+ delegate_to: "{{ postgresql_inventory_host }}"
+ become: yes
+ become_user: postgres
+
+- name: update database schema
+ command: php {{ ttrss_home }}/update.php --update-schema=force-yes
+ become: yes
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ register: ttrss_update_schema
+ changed_when: ttrss_update_schema.stdout is not search('Database schema is already at latest version')
diff --git a/roles/ttrss/tasks/freeipa.yml b/roles/ttrss/tasks/freeipa.yml
new file mode 100644
index 0000000..a8d4ddf
--- /dev/null
+++ b/roles/ttrss/tasks/freeipa.yml
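Review bot: The `restart php-fpm` handler is not notified by any task this commit adds, so as committed it never fires. If the intended trigger is the `gssproxy_client` include in roles/ttrss/tasks/freeipa.yml (its `gssproxy_section: service/php-fpm` suggests php-fpm must pick up the new proxy configuration), the task that changes that configuration needs `notify: restart php-fpm`; if nothing needs it, the handler is dead code. A one-line comment above the handler naming what is expected to notify it would make that contract visible.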
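Review bot: `priv: ALL` in the `create database user` task uses the `priv` option of `postgresql_user`, which newer community.postgresql releases mark as deprecated in favour of `postgresql_privs`; making the service account the database owner instead keeps the grant in one place: `owner: '{{ ttrss_user }}'` on `postgresql_db`, with the user task moved ahead of it. The `update database schema` task runs `update.php --update-schema=force-yes` on every run and relies on `changed_when` for idempotence, which is fine but deserves a comment such as `# update.php prints "already at latest version" when nothing is to do; treated as unchanged`. `become: yes` is the YAML 1.1 truthy form; `true` is what ansible-lint expects, here and in the other task files of this commit.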
@@ -0,0 +1,46 @@
+- name: create user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ ttrss_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ ttrss_home }}'
+ givenname: TinyTinyRSS
+ sn: Service Account
+ state: present
+ run_once: yes
+
+- name: retrieve user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ ttrss_user }}'
+ keytab_path: '{{ ttrss_keytab }}'
+
+- name: configure gssproxy for kerberized postgres
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: ttrss
+ gssproxy_section: service/php-fpm
+ gssproxy_client_keytab: '{{ ttrss_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: apache
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ ttrss_access_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
+
+- name: create admin group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ ttrss_admin_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
diff --git a/roles/ttrss/tasks/main.yml b/roles/ttrss/tasks/main.yml
new file mode 100644
index 0000000..13cd9b0
--- /dev/null
+++ b/roles/ttrss/tasks/main.yml
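Review bot: `gssproxy_euid: apache` in the `configure gssproxy for kerberized postgres` task makes the ttrss service credential available to every process running as `apache`, not only to this application, and that scope should be recorded next to the task: `# credential is usable by anything running as apache (all php-fpm pools and httpd itself)`. The `create user` task sets `homedir` to the webroot `ttrss_home`; if that is only to satisfy `ipauser`, a comment saying so would help, since a service account whose home directory is the document root otherwise reads as a mistake. `ipaadmin_password: '{{ ipa_pass }}'` appears on three tasks; I believe the ansible-freeipa modules mark that argument no_log themselves, but a task-level `no_log: true` also keeps the full result out of verbose and failure output.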
@@ -0,0 +1,96 @@
+- name: install packages
+ dnf:
+ name: '{{ ttrss_packages }}'
+ state: present
+
+- name: create webroot
+ file:
+ path: '{{ ttrss_home }}'
+ state: directory
+
+- name: clone git repository
+ git:
+ repo: '{{ ttrss_git_repo }}'
+ dest: '{{ ttrss_home }}'
+ version: '{{ ttrss_version }}'
+ update: yes
+
+- name: set httpd_sys_rw_content_t selinux context for writable directories
+ sefcontext:
+ target: '{{ ttrss_home }}/{{ item }}(/.*)?'
+ setype: httpd_sys_rw_content_t
+ state: present
+ loop: '{{ ttrss_writable_dirs }}'
+ register: ttrss_writeable_sefcontext
+
+- name: apply selinux context to writeable directories
+ command: 'restorecon -R {{ ttrss_home }}/{{ item }}'
+ when: ttrss_writeable_sefcontext.results[index].changed
+ loop: '{{ ttrss_writable_dirs }}'
+ loop_control:
+ index_var: index
+
+- name: set permissions on writable directories
+ file:
+ path: '{{ ttrss_home }}/{{ item }}'
+ mode: 0775
+ owner: root
+ group: apache
+ setype: httpd_sys_rw_content_t
+ loop: '{{ ttrss_writable_dirs }}'
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: create auth_freeipa plugin directory
+ file:
+ path: '{{ ttrss_home }}/plugins.local/auth_freeipa'
+ state: directory
+
+- name: download auth_freeipa plugin
+ get_url:
+ url: '{{ ttrss_freeipa_plugin_url }}'
+ dest: '{{ ttrss_home }}/plugins.local/auth_freeipa/init.php'
+
+- name: generate config file
+ template:
+ src: '{{ ttrss_home[1:] }}/config.php.j2'
+ dest: '{{ ttrss_home }}/config.php'
+
+- import_tasks: database.yml
+ tags: database
+
+- name: generate systemd unit for updating feeds
+ template:
+ src: etc/systemd/system/ttrss.service.j2
+ dest: /etc/systemd/system/ttrss.service
+ register: ttrss_unit
+
+- name: reload systemd units
+ systemd:
+ name: ttrss
+ state: restarted
+ daemon_reload: yes
+ when: ttrss_unit.changed
+
+- name: start background feed updates
+ systemd:
+ name: ttrss
+ enabled: yes
+ state: started
+
+- name: generate update script
+ template:
+ src:
'usr/local/sbin/ttrss-update.sh.j2'
+ dest: '/usr/local/sbin/ttrss-update.sh'
+ mode: 0555
+
+- name: create ttrss-update timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: ttrss-update
+ timer_description: Update ttrss
+ timer_after: network.target
+ timer_on_calendar: '{{ ttrss_update_on_calendar }}'
+ timer_exec: /usr/local/sbin/ttrss-update.sh
diff --git a/roles/ttrss/templates/etc/systemd/system/ttrss.service.j2 b/roles/ttrss/templates/etc/systemd/system/ttrss.service.j2
new file mode 100644
index 0000000..53fef07
--- /dev/null
+++ b/roles/ttrss/templates/etc/systemd/system/ttrss.service.j2
@@ -0,0 +1,18 @@
+[Unit]
+Description=Tiny Tiny RSS background feed updates
+Wants=gssproxy.service
+After=network-online.target nss-lookup.target gssproxy.service
+StartLimitIntervalSec=200
+StartLimitBurst=5
+
+[Service]
+Type=simple
+User=apache
+Group=apache
+Environment=GSS_USE_PROXY=yes
+ExecStart=php {{ ttrss_home }}/update_daemon2.php
+Restart=on-failure
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ttrss/templates/usr/local/sbin/ttrss-update.sh.j2 b/roles/ttrss/templates/usr/local/sbin/ttrss-update.sh.j2
new file mode 100644
index 0000000..663558c
--- /dev/null
+++ b/roles/ttrss/templates/usr/local/sbin/ttrss-update.sh.j2
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -eu
+
+SRCDIR={{ ttrss_home | quote }}
+
+if (( $EUID != 0 )); then
+ echo 'must be superuser' 1>&2
+ exit 1
+fi
+
+cd "$SRCDIR"
+
+git fetch
+
+local_rev=$(git rev-parse HEAD)
+upstream_rev=$(git rev-parse '@{u}')
+
+echo "local: $local_rev"
+echo "upstream: $upstream_rev"
+
+if [ "$local_rev" != "$upstream_rev" ]; then
+ git reset --hard HEAD
+ systemctl restart ttrss
+else
+ echo "ttrss is already up to date"
+fi
diff --git a/roles/ttrss/templates/var/www/ttrss/config.php.j2 b/roles/ttrss/templates/var/www/ttrss/config.php.j2
new file mode 100644
index 0000000..9b5e108
--- /dev/null
+++ b/roles/ttrss/templates/var/www/ttrss/config.php.j2
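Review bot: The `generate config file` task renders `config.php` with no `owner`, `group` or `mode`, so it is created root-owned at the umask default (usually 0644) and every local account can read it; a ttrss config.php normally carries the database and session settings, so `owner: root`, `group: apache`, `mode: '0640'` keeps it to the web server. The octal modes `mode: 0775` and `mode: 0555` are unquoted, which YAML 1.1 parses as the integers 509 and 365; the `file` and `template` modules happen to accept those, but ansible-lint flags the pattern, so write them as `'0775'` and `'0555'`. `version: '{{ ttrss_version }}'` with `update: yes` tracks whatever `ttrss_version` names, and vars/main.yml is not in this excerpt, so if it is a branch rather than a tag or commit the deployment is unpinned. The `src: '{{ ttrss_home[1:] }}/config.php.j2'` expression also deserves `# template tree mirrors the install path minus its leading slash` so nobody "fixes" it.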
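Review bot: `After=network-online.target` in the [Unit] section only orders the unit; nothing pulls `network-online.target` in, so the daemon can still start before the network is up — the fix is the one line `Wants=network-online.target gssproxy.service`. `ExecStart=php {{ ttrss_home }}/update_daemon2.php` uses a bare command name, which systemd resolves through $PATH only from version 239 on; `/usr/bin/php` removes that dependency. The service runs as `apache` with no sandboxing directives; `NoNewPrivileges=yes` and `PrivateTmp=yes` should be safe additions, though confirm the gssproxy socket is still reachable before adding stricter ones such as `ProtectSystem=`.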
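Review bot: `git reset --hard HEAD` in the update branch resets the working tree to the commit that is already checked out, not to the fetched upstream, so once `git fetch` brings in changes the comparison fires every week, the code never moves, and ttrss is restarted for nothing; it should be `git reset --hard '@{u}'` (or `git merge --ff-only '@{u}'`). After a real update the database schema may also need `php update.php --update-schema`, which roles/ttrss/tasks/database.yml runs at deploy time but this script does not — I am inferring that from the Ansible task, so confirm whether update_daemon2.php handles it on its own. With `set -eu` a failed `git fetch` aborts before the comparison, which is the behaviour you want; a comment saying so would stop someone adding `|| true`.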
@@ -0,0 +1,23 @@ + + + AuthType GSSAPI + AuthName "FreeIPA Single Sign-On" + GssapiLocalName On + {{ apache_gssapi_session_config }} + {{ apache_ldap_config }} + Require ldap-attribute memberof=cn={{ ttrss_access_group }},{{ freeipa_group_basedn }} + Require ldap-attribute memberof=cn={{ ttrss_admin_group }},{{ freeipa_group_basedn }} + ErrorDocument 401 /index.php?noext=1 + + -- cgit
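Review bot: The rendered hunk shows httpd directives (`AuthType GSSAPI`, `Require ldap-attribute …`) in a file named config.php.j2, and only part of its 23 lines is visible, so lines beginning with `<` (a `<Location>` opener, or a `<?php` tag) were probably dropped in rendering; please check the committed template, because if it really contains httpd directives the `generate config file` task writes them to `config.php` and PHP serves them as plain text. Of what is visible, the two `Require ldap-attribute memberof=…` lines sit at the same level, which under Apache's default RequireAny semantics means membership in either `ttrss_access_group` or `ttrss_admin_group` grants access; if admins are meant to be a subset of the access group, say so with `# admin group members are granted access here as well`. `{{ apache_gssapi_session_config }}` and `{{ apache_ldap_config }}` are inserted unquoted, which is right for multi-line directive blocks, but neither variable is defined anywhere in this commit.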