authorRomain Porte <microjoe@microjoe.org>2017-07-14 17:53:51 +0200
committerRomain Porte <microjoe@microjoe.org>2017-07-14 17:53:51 +0200
commitace3fdadab5a3a1bfb3c88f957fefb99e815020c (patch)
tree3be8af97817a44dc53c2eb3b91aed73aad63b0b4
Initial commit
-rw-r--r--README.md38
-rw-r--r--defaults/main.yml20
-rw-r--r--handlers/main.yml2
-rw-r--r--meta/main.yml20
-rw-r--r--tasks/main.yml98
-rw-r--r--templates/config.php.j2197
-rw-r--r--templates/nginx.j267
-rw-r--r--templates/ttrss-update.service.j210
-rw-r--r--tests/inventory2
-rw-r--r--tests/test.yml5
-rw-r--r--vars/main.yml2
11 files changed, 461 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9b696e1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+TT-RSS
+======
+
+TinyTinyRSS role for nginx with letsencrypt support.
+
+Requirements
+------------
+
+- LetsEncrypt
+- Postgresql
+- Nginx
+- Debian Stretch
+
+Role Variables
+--------------
+
+TBD
+
+Example Playbook
+----------------
+
+ - hosts: servers
+ roles:
+ - role: MicroJoe.ttrss
+ nginx_server_name: tt-rss.example.com
+ letsencrypt_activate: true
+ letsencrypt_https: true
+ tags: [ttrss]
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+Romain Porte
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..9badfde
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+# defaults file for MicroJoe.ttrss
+ttrss_repository: https://git.tt-rss.org/git/tt-rss.git
+
+ttrss_base: /var/www/ttrss
+
+ttrss_user: ttrss
+ttrss_group: www-data
+
+ttrss_db_user: ttrss
+ttrss_db_password: ttrss
+ttrss_db_name: ttrss
+
+nginx_server_name: ttrss.localhost
+nginx_filename: ttrss-{{ nginx_server_name }}
+
+letsencrypt_wellknown: /var/www/letsencrypt
+letsencrypt_activate: false
+letsencrypt_https: false
+letsencrypt_domain: "{{ nginx_server_name }}"
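Review bot: `ttrss_db_password: ttrss` ships a fixed database password that equals the user name, so every host that applies the role without overriding it ends up with the same known credential. tasks/main.yml passes this value to `postgresql_user` and config.php.j2 writes it into `DB_PASS`. I would drop the default so an unset variable fails the play, and leave a comment in its place such as `# ttrss_db_password: no default, set by the caller (e.g. from Ansible Vault)`. README.md still lists Role Variables as `TBD`, so nothing currently tells a user that this value needs overriding.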
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..14a8e5a
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for MicroJoe.ttrss
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..186139f
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+ author: Romain Porte
+ description: TinyTinyRSS role for nginx with letsencrypt support
+
+ license: MIT
+
+ min_ansible_version: 2.0
+
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+
+ galaxy_tags:
+ - tt-rss
+ - ttrss
+ - nginx
+ - letsencrypt
+
+dependencies: []
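Review bot: `min_ansible_version: 2.0` understates what the role needs, because tasks/main.yml uses the `systemd` module, which was added in Ansible 2.2. Unquoted, the value is also read as a float rather than a version string. I would write `min_ansible_version: "2.2"`. README.md lists LetsEncrypt and Nginx as requirements, yet `dependencies: []` declares none, so a comment saying those are expected to be provided by other roles in the play would help.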
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..66c7848
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+# tasks file for MicroJoe.ttrss
+
+
+- name: Ensure user exists
+ user:
+ name: "{{ ttrss_user }}"
+
+- name: Install dependencies
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - python-psycopg2
+ - postgresql
+ - php-pgsql
+ - php-curl
+
+- name: Create ttrss base directory
+ file:
+ path: "{{ ttrss_base }}"
+ state: directory
+ owner: "{{ ttrss_user }}"
+ group: "{{ ttrss_group }}"
+
+- name: Clone upstream git repository
+ become: yes
+ become_user: "{{ ttrss_user }}"
+ git:
+ repo: "{{ ttrss_repository }}"
+ dest: "{{ ttrss_base }}"
+ register: git_updated
+
+# PostgreSQL commands
+
+- name: Create postgresql user
+ become: yes
+ become_user: postgres
+ postgresql_user:
+ name: "{{ ttrss_db_user }}"
+ password: "{{ ttrss_db_password }}"
+
+- name: Create postgresql database
+ become: yes
+ become_user: postgres
+ postgresql_db:
+ name: "{{ ttrss_db_name }}"
+ owner: "{{ ttrss_db_user }}"
+ encoding: UTF-8
+ template: template0
+
+# TODO: We currently have to remove the config.php file and enter the config
+# by hand in order to initialize the SQL database
+
+- name: Install ttrss configuration file
+ template:
+ src: templates/config.php.j2
+ dest: "{{ ttrss_base }}/config.php"
+ owner: ttrss
+ group: www-data
+
+- name: Set access for writeable directories
+ file:
+ path: "{{ ttrss_base }}/{{ item }}"
+ state: directory
+ mode: 0775
+ owner: "{{ ttrss_user }}"
+ group: "{{ ttrss_group }}"
+ with_items:
+ - cache/images
+ - cache/upload
+ - cache/export
+ - cache/js
+ - feed-icons
+ - lock
+
+- name: Install nginx configuration file {{ nginx_filename }}
+ template:
+ src: templates/nginx.j2
+ dest: /etc/nginx/sites-available/{{ nginx_filename }}
+ owner: root
+ group: root
+ notify: restart nginx
+
+# Install update feed systemd service
+
+- name: Install systemd update service
+ template:
+ src: templates/ttrss-update.service.j2
+ dest: /etc/systemd/system/ttrss-update.service
+ mode: 0664
+
+- name: Enable systemd update service
+ systemd:
+ name: ttrss-update
+ state: started
+ enabled: yes
+ daemon_reload: yes
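Review bot: The `Install ttrss configuration file` task writes config.php, which contains `DB_PASS`, without a `mode`, so its permissions depend on the remote umask and the file may end up world-readable. It also hard-codes `owner: ttrss` and `group: www-data` where the other tasks use the role variables; I would set `owner: "{{ ttrss_user }}"`, `group: "{{ ttrss_group }}"` and `mode: "0640"`. Separately, `notify: restart nginx` has no matching handler in this commit (handlers/main.yml holds only a comment and meta/main.yml declares no dependencies), so the play presumably relies on a handler defined elsewhere. The `git` task has no `version:`, so each run deploys whatever the upstream default branch holds at that moment; pinning a reviewed commit or tag would make the served code reproducible.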
diff --git a/templates/config.php.j2 b/templates/config.php.j2
new file mode 100644
index 0000000..e73f8bf
--- /dev/null
+++ b/templates/config.php.j2
@@ -0,0 +1,197 @@
+<?php
+ // *******************************************
+ // *** Database configuration (important!) ***
+ // *******************************************
+
+ define('DB_TYPE', "pgsql"); // or mysql
+ define('DB_HOST', "localhost");
+ define('DB_USER', "{{ ttrss_db_user }}");
+ define('DB_NAME', "{{ ttrss_db_name }}");
+ define('DB_PASS', "{{ ttrss_db_password }}");
+ define('DB_PORT', ''); // usually 5432 for PostgreSQL, 3306 for MySQL
+
+ define('MYSQL_CHARSET', 'UTF8');
+ // Connection charset for MySQL. If you have a legacy database and/or experience
+ // garbage unicode characters with this option, try setting it to a blank string.
+
+ // ***********************************
+ // *** Basic settings (important!) ***
+ // ***********************************
+
+ define('SELF_URL_PATH', 'http{% if letsencrypt_https %}s{% endif %}://{{ nginx_server_name }}');
+ // Full URL of your tt-rss installation. This should be set to the
+ // location of tt-rss directory, e.g. http://example.org/tt-rss/
+ // You need to set this option correctly otherwise several features
+ // including PUSH, bookmarklets and browser integration will not work properly.
+
+ define('FEED_CRYPT_KEY', '');
+ // WARNING: mcrypt is deprecated in php 7.1. This directive exists for backwards
+ // compatibility with existing installs, new passwords are NOT going to be encrypted.
+ // Use update.php --decrypt-feeds to decrypt existing passwords in the database while
+ // mcrypt is still available.
+
+ // Key used for encryption of passwords for password-protected feeds
+ // in the database. A string of 24 random characters. If left blank, encryption
+ // is not used. Requires mcrypt functions.
+ // Warning: changing this key will make your stored feed passwords impossible
+ // to decrypt.
+
+ define('SINGLE_USER_MODE', false);
+ // Operate in single user mode, disables all functionality related to
+ // multiple users and authentication. Enabling this assumes you have
+ // your tt-rss directory protected by other means (e.g. http auth).
+
+ define('SIMPLE_UPDATE_MODE', false);
+ // Enables fallback update mode where tt-rss tries to update feeds in
+ // background while tt-rss is open in your browser.
+ // If you don't have a lot of feeds and don't want to or can't run
+ // background processes while not running tt-rss, this method is generally
+ // viable to keep your feeds up to date.
+ // Still, there are more robust (and recommended) updating methods
+ // available, you can read about them here: http://tt-rss.org/wiki/UpdatingFeeds
+
+ // *****************************
+ // *** Files and directories ***
+ // *****************************
+
+ define('PHP_EXECUTABLE', '/usr/bin/php');
+ // Path to PHP *COMMAND LINE* executable, used for various command-line tt-rss
+ // programs and update daemon. Do not try to use CGI binary here, it won't work.
+ // If you see HTTP headers being displayed while running tt-rss scripts,
+ // then most probably you are using the CGI binary. If you are unsure what to
+ // put in here, ask your hosting provider.
+
+ define('LOCK_DIRECTORY', 'lock');
+ // Directory for lockfiles, must be writable to the user you run
+ // daemon process or cronjobs under.
+
+ define('CACHE_DIR', 'cache');
+ // Local cache directory for RSS feed content.
+
+ define('ICONS_DIR', "feed-icons");
+ define('ICONS_URL', "feed-icons");
+ // Local and URL path to the directory, where feed favicons are stored.
+ // Unless you really know what you're doing, please keep those relative
+ // to tt-rss main directory.
+
+ // **********************
+ // *** Authentication ***
+ // **********************
+
+ // Please see PLUGINS below to configure various authentication modules.
+
+ define('AUTH_AUTO_CREATE', true);
+ // Allow authentication modules to auto-create users in tt-rss internal
+ // database when authenticated successfully.
+
+ define('AUTH_AUTO_LOGIN', true);
+ // Automatically login user on remote or other kind of externally supplied
+ // authentication, otherwise redirect to login form as normal.
+ // If set to true, users won't be able to set application language
+ // and settings profile.
+
+ // *********************
+ // *** Feed settings ***
+ // *********************
+
+ define('FORCE_ARTICLE_PURGE', 0);
+ // When this option is not 0, users ability to control feed purging
+ // intervals is disabled and all articles (which are not starred)
+ // older than this amount of days are purged.
+
+ // ****************************
+ // *** Sphinx search plugin ***
+ // ****************************
+
+ define('SPHINX_SERVER', 'localhost:9312');
+ // Hostname:port combination for the Sphinx server.
+
+ define('SPHINX_INDEX', 'ttrss, delta');
+ // Index name in Sphinx configuration. You can specify multiple indexes
+ // as a comma-separated string.
+ // Example configuration files are available on tt-rss wiki.
+
+ // ***********************************
+ // *** Self-registrations by users ***
+ // ***********************************
+
+ define('ENABLE_REGISTRATION', false);
+ // Allow users to register themselves. Please be aware that allowing
+ // random people to access your tt-rss installation is a security risk
+ // and potentially might lead to data loss or server exploit. Disabled
+ // by default.
+
+ define('REG_NOTIFY_ADDRESS', 'user@your.domain.dom');
+ // Email address to send new user notifications to.
+
+ define('REG_MAX_USERS', 10);
+ // Maximum amount of users which will be allowed to register on this
+ // system. 0 - no limit.
+
+ // **********************************
+ // *** Cookies and login sessions ***
+ // **********************************
+
+ define('SESSION_COOKIE_LIFETIME', 86400);
+ // Default lifetime of a session (e.g. login) cookie. In seconds,
+ // 0 means cookie will be deleted when browser closes.
+
+ // *********************************
+ // *** Email and digest settings ***
+ // *********************************
+
+ define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
+ define('SMTP_FROM_ADDRESS', 'noreply@your.domain.dom');
+ // Name, address and subject for sending outgoing mail. This applies
+ // to password reset notifications, digest emails and any other mail.
+
+ define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
+ // Subject line for email digests
+
+ define('SMTP_SERVER', '');
+ // Hostname:port combination to send outgoing mail (i.e. localhost:25).
+ // Blank - use system MTA.
+
+ define('SMTP_LOGIN', '');
+ define('SMTP_PASSWORD', '');
+ // These two options enable SMTP authentication when sending
+ // outgoing mail. Only used with SMTP_SERVER.
+
+ define('SMTP_SECURE', '');
+ // Used to select a secure SMTP connection. Allowed values: ssl, tls,
+ // or empty.
+
+ // ***************************************
+ // *** Other settings (less important) ***
+ // ***************************************
+
+ define('CHECK_FOR_UPDATES', true);
+ // Check for updates automatically if running Git version
+
+ define('ENABLE_GZIP_OUTPUT', false);
+ // Selectively gzip output to improve wire performance. This requires
+ // PHP Zlib extension on the server.
+ // Enabling this can break tt-rss in several httpd/php configurations,
+ // if you experience weird errors and tt-rss failing to start, blank pages
+ // after login, or content encoding errors, disable it.
+
+ define('PLUGINS', 'auth_internal, note');
+ // Comma-separated list of plugins to load automatically for all users.
+ // System plugins have to be specified here. Please enable at least one
+ // authentication plugin here (auth_*).
+ // Users may enable other user plugins from Preferences/Plugins but may not
+ // disable plugins specified in this list.
+ // Disabling auth_internal in this list would automatically disable
+ // reset password link on the login form.
+
+ define('LOG_DESTINATION', 'sql');
+ // Log destination to use. Possible values: sql (uses internal logging
+ // you can read in Preferences -> System), syslog - logs to system log.
+ // Setting this to blank uses PHP logging (usually to http server
+ // error.log).
+
+ define('CONFIG_VERSION', 26);
+ // Expected config version. Please update this option in config.php
+ // if necessary (after migrating all new options from this file).
+
+ // vim:ft=php
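Review bot: `DB_USER`, `DB_NAME` and `DB_PASS` are templated straight into PHP double-quoted strings, so a password containing `"`, `\` or `$` either breaks config.php or is altered by PHP's variable interpolation. A single-quoted literal with the two special characters escaped avoids this, for example `define('DB_PASS', '{{ ttrss_db_password | replace("\\", "\\\\") | replace("'", "\\'") }}');`, and the same applies to the other two values. `REG_NOTIFY_ADDRESS` and `SMTP_FROM_ADDRESS` keep the upstream placeholder `your.domain.dom`; role variables for them, or a comment saying they are intentionally left at the sample value, would make that explicit.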
diff --git a/templates/nginx.j2 b/templates/nginx.j2
new file mode 100644
index 0000000..2046c35
--- /dev/null
+++ b/templates/nginx.j2
@@ -0,0 +1,67 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ nginx_server_name }};
+ access_log /var/log/nginx/{{ nginx_server_name }}.access.log;
+ error_log /var/log/nginx/{{ nginx_server_name }}.error.log;
+
+ {% if letsencrypt_activate %}
+ location .well-known {
+ root {{ letsencrypt_wellknown }};
+ }
+
+ {% if letsencrypt_https %}
+ location / {
+ rewrite ^(.*)$ https://{{ nginx_server_name }}$1 permanent;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ nginx_server_name }};
+ access_log /var/log/nginx/{{ nginx_server_name }}.access.log;
+ error_log /var/log/nginx/{{ nginx_server_name }}.error.log;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem;
+
+ include /etc/nginx/snippets/ssl.conf;
+
+ {% endif %}
+ {% endif %}
+
+ root {{ ttrss_base }};
+
+ location / {
+ index index.php;
+ }
+
+ location /cache {
+ deny all;
+ }
+
+ location = config.php {
+ deny all;
+ }
+
+ location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+ # cache static assets
+ expires max;
+ add_header Pragma public;
+ add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+ }
+
+ location ~ \.php$ {
+ try_files $uri = 404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # filter and proxy PHP requests to PHP-FPM
+ fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ }
+}
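Review bot: Three of the `location` blocks do not match what they appear to protect. `location .well-known` and `location = config.php` have no leading `/`, and since request URIs always begin with `/` these blocks never match; `location /cache` is a plain prefix, and nginx lets a matching regex location take precedence over it, so a request under /cache ending in `.js` or `.php` is handled by the regex blocks below instead of being denied. I would write `location ^~ /.well-known/`, `location ^~ /cache/` and `location = /config.php`. `try_files $uri = 404;` as shown here has a space between `=` and `404`, which nginx reads as separate arguments rather than the `=404` status fallback; this may be an artifact of how the page was rendered. `ssl on;` is redundant next to `listen 443 ssl` and can be dropped.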
diff --git a/templates/ttrss-update.service.j2 b/templates/ttrss-update.service.j2
new file mode 100644
index 0000000..5ac8e37
--- /dev/null
+++ b/templates/ttrss-update.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=ttrss_backend
+After=network.target postgresql.service
+
+[Service]
+User={{ ttrss_user }}
+ExecStart={{ ttrss_base }}/update_daemon2.php
+
+[Install]
+WantedBy=multi-user.target
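Review bot: The `[Service]` section runs a long-lived daemon that fetches and parses remote feeds, yet it sets no restart policy and no sandboxing. I would add `Restart=on-failure`, `NoNewPrivileges=true` and `PrivateTmp=true`, and consider `ProtectSystem=full` once the writable paths under the tt-rss base directory are confirmed. `ExecStart={{ ttrss_base }}/update_daemon2.php` executes the script directly, which depends on its shebang and executable bit surviving the checkout; invoking it through `/usr/bin/php` (the path config.php.j2 sets as `PHP_EXECUTABLE`) would remove that assumption. The unit also sets `User=` without a `Group=`, so the process gets the user's primary group, not `{{ ttrss_group }}`, which is the group the cache and lock directories are created with.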
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..05e6c1c
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - MicroJoe.ttrss
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..fcd6522
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for MicroJoe.ttrss
\ No newline at end of file