Update to 2021-12-01 19:13

roles/unmaintained/ttrss/defaults/main.yml

@@ -0,0 +1,32 @@
+---
+
+ttrss_id: "1"
+ttrss_root_dir: /opt/ttrss_{{ ttrss_id }}
+ttrss_version: master
+ttrss_git_uri: https://tt-rss.org/git/tt-rss.git
+ttrss_create_db: True
+ttrss_mysql_db: ttrss_{{ ttrss_id }}
+ttrss_mysql_user: ttrss_{{ ttrss_id }}
+ttrss_mysql_server: "{{ mysql_server | default('localhost') }}"
+# ttrss_mysql_pass: S3cr3t.P@ssw0rd
+
+# To create an alias on the main vhost. If unset, you must create a vhost pointing on
+# ttrss_root_dir
+# ttrss_alias: ttrss
+
+# User under which the PHP pool is running
+ttrss_php_user: php-ttrss_{{ ttrss_id }}
+
+# If set, will use the following PHP FPM pool. If unset, will deploy it's own pool
+# ttrss_php_fpm_pool: ttrss7.0
+
+# When using our own pool, which version of PHP should be used
+ttrss_php_version: 74
+
+# If set, access will only be allowed for the following IP
+# ttrss_src_ip:
+#   - 10.32.0.0/16
+#   - 192.168.1.0/24
+
+# Public URL to access Tiny Tiny RSS
+ttrss_public_url: https://{{ inventory_hostname }}/

roles/unmaintained/ttrss/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- include: ../common/handlers/main.yml
+- include: ../httpd_common/handlers/main.yml
+- include: ../httpd_php/handlers/main.yml
+- name: restart ttrss-updater
+  service: name=ttrss-updater_{{ ttrss_id }} state=restarted

roles/unmaintained/ttrss/meta/main.yml

@@ -0,0 +1,2 @@
+---
+allow_duplicates: true

roles/unmaintained/ttrss/tasks/main.yml

@@ -0,0 +1,223 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+
+- name: Set default install mode
+  set_fact: ttrss_install_mode='none'
+
+- name: Set php executable
+  set_fact: ttrss_php_bin=/usr/bin/php{{ ttrss_php_version }}
+
+- name: Install packages
+  yum: name={{ ttrss_packages }}
+
+- name: Create user account for PHP
+  user:
+    name: "{{ ttrss_php_user }}"
+    comment: "PHP FPM {{ ttrss_php_user }}"
+    system: True
+    shell: /sbin/nologin
+
+- name: Check if ttrss is already installed
+  stat: path={{ ttrss_root_dir }}/meta/ansible_version
+  register: ttrss_version_file
+
+- name: Check installed version
+  command: cat {{ ttrss_root_dir }}/meta/ansible_version
+  register: ttrss_current_version
+  changed_when: False
+  when: ttrss_version_file.stat.exists
+
+- name: Set install mode to install
+  set_fact: ttrss_install_mode='install'
+  when: not ttrss_version_file.stat.exists
+
+- name: Create directory structure
+  file: name={{ item }} state=directory
+  with_items:
+    - "{{ ttrss_root_dir }}"
+    - "{{ ttrss_root_dir }}/web"
+    - "{{ ttrss_root_dir }}/archives"
+    - "{{ ttrss_root_dir }}/sessions"
+    - "{{ ttrss_root_dir }}/cache"
+    - "{{ ttrss_root_dir }}/data"
+    - "{{ ttrss_root_dir }}/data/icons"
+    - "{{ ttrss_root_dir }}/tmp"
+    - "{{ ttrss_root_dir }}/meta"
+    - "{{ ttrss_root_dir }}/db_dumps"
+
+- name: Check if already checked out
+  stat: path={{ ttrss_root_dir }}/web/.git
+  register: ttrss_git_checked
+
+- name: Clone GIT repo
+  git:
+    repo: "{{ ttrss_git_uri }}"
+    dest: "{{ ttrss_root_dir }}/web"
+    version: "{{ ttrss_version }}"
+    force: True
+  register: ttrss_git
+  notify: restart ttrss-updater
+
+- name: Get new git commit
+  command: git rev-parse HEAD
+  args:
+    chdir: "{{ ttrss_root_dir }}/web"
+  register: ttrss_git_commit
+  changed_when: False
+
+- name: Set install mode to upgrade
+  set_fact: ttrss_install_mode='upgrade'
+  when:
+    - ttrss_install_mode == 'none'
+    - ttrss_git_commit.stdout != ttrss_current_version.stdout
+
+- name: Create the archive dir
+  file: path={{ ttrss_root_dir }}/archives/{{ ttrss_git_commit.stdout }} state=directory
+  when: ttrss_install_mode == 'upgrade'
+
+- name: Save the database
+  mysql_db:
+    state: dump
+    name: "{{ ttrss_mysql_db }}"
+    target: "{{ ttrss_root_dir }}/archives/{{ ttrss_git_commit.stdout }}/{{ ttrss_mysql_db }}.sql.xz"
+    login_host: "{{ ttrss_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    quick: True
+    single_transaction: True
+  when: ttrss_install_mode == 'upgrade'
+
+- name: Populate the cache directory
+  synchronize:
+    src: "{{ ttrss_root_dir }}/web/cache/"
+    dest: "{{ ttrss_root_dir }}/cache/"
+    recursive: True
+  delegate_to: "{{ inventory_hostname }}"
+  changed_when: False
+
+- name: Deploy permission script
+  template: src=perms.sh.j2 dest={{ ttrss_root_dir }}/perms.sh mode=755
+
+- name: Apply permissions
+  shell: "{{ ttrss_root_dir }}/perms.sh"
+  changed_when: False
+
+- name: Deploy httpd configuration
+  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/10-ttrss_{{ ttrss_id }}.conf
+  notify: reload httpd
+
+- name: Deploy PHP configuration
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ ttrss_php_version }}/php-fpm.d/ttrss_{{ ttrss_id }}.conf
+  notify: restart php-fpm
+
+- name: Remove PHP configuration from other versions
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/ttrss_{{ ttrss_id }}.conf state=absent
+  with_items: "{{ httpd_php_versions | difference([ ttrss_php_version ]) }}"
+  notify: restart php-fpm
+
+- name: Remove PHP configuration (using a custom pool)
+  file: path=/etc/opt/remi/php{{ ttrss_php_version }}/php-fpm.d/ttrss_{{ ttrss_id }}.conf state=absent
+  when: ttrss_php_fpm_pool is defined
+  notify: restart php-fpm
+
+- name: Generate a random pass for the database
+  shell: openssl rand -base64 45 > {{ ttrss_root_dir }}/meta/ansible_dbpass
+  args:
+    creates: "{{ ttrss_root_dir }}/meta/ansible_dbpass"
+  when: ttrss_mysql_pass is not defined
+
+- name: Read database password
+  command: cat {{ ttrss_root_dir }}/meta/ansible_dbpass
+  register: ttrss_rand_pass
+  when: ttrss_mysql_pass is not defined
+  changed_when: False
+
+- name: Set database pass
+  set_fact: ttrss_mysql_pass={{ ttrss_rand_pass.stdout }}
+  when: ttrss_mysql_pass is not defined
+
+- name: Create MySQL database
+  mysql_db:
+    name: "{{ ttrss_mysql_db }}"
+    login_host: "{{ ttrss_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    state: present
+  register: ttrss_mysql_created
+
+- name: Create MySQL User
+  mysql_user:
+    name: "{{ ttrss_mysql_user }}"
+    password: "{{ ttrss_mysql_pass }}"
+    priv: "{{ ttrss_mysql_db }}.*:ALL"
+    host: "{{ (ttrss_mysql_server == 'localhost' ) | ternary('localhost', item ) }}"
+    login_host: "{{ ttrss_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    state: present
+  with_items: "{{ ansible_all_ipv4_addresses }}"
+
+- name: Create a safer MySQL schema file
+  shell: grep -vi 'drop table' {{ ttrss_root_dir }}/web/schema/ttrss_schema_mysql.sql > {{ ttrss_root_dir }}/tmp/ttrss.sql
+  when: ttrss_install_mode == 'install'
+
+- name: Inject SQL structure
+  mysql_db:
+    name: "{{ ttrss_mysql_db }}"
+    state: import
+    target: "{{ ttrss_root_dir }}/tmp/ttrss.sql"
+    login_host: "{{ ttrss_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  when:
+    - ttrss_install_mode == 'install'
+    - ttrss_mysql_created.changed
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  with_items:
+    "{{ ttrss_root_dir }}/tmp/ttrss.sql"
+
+- name: Deploy Tiny Tiny RSS configuration
+  template: src=config.php.j2 dest={{ ttrss_root_dir }}/web/config.php group={{ ttrss_php_user }} mode=640
+
+- name: Write current version
+  copy: content={{ ttrss_git_commit.stdout }} dest={{ ttrss_root_dir }}/meta/ansible_version
+  when: ttrss_install_mode != 'none'
+
+- name: Update the database
+  shell: echo 'yes' | {{ ttrss_php_bin }} {{ ttrss_root_dir }}/web/update.php --update-schema
+  become_user: "{{ ttrss_php_user }}"
+  when: ttrss_install_mode == 'upgrade'
+
+- name: Deploy backup scripts
+  template: src={{ item.script }}.j2 dest=/etc/backup/{{ item.type }}.d/ttrss_{{ ttrss_id }}_{{ item.script }} mode=750
+  with_items:
+    - script: dump_db
+      type: pre
+    - script: rm_dump
+      type: post
+
+- name: Set correct SELinux context
+  sefcontext:
+    target: "{{ ttrss_root_dir }}(/.*)?"
+    setype: httpd_sys_content_t
+    state: present
+  when: ansible_selinux.status == 'enabled'
+
+- name: Deploy systemd unit
+  template: src=ttrss-updater.service.j2 dest=/etc/systemd/system/ttrss-updater_{{ ttrss_id }}.service
+  notify:
+    - reload systemd
+    - restart ttrss-updater
+
+- name: Start and enable the service
+  service: name=ttrss-updater_{{ ttrss_id }} state=started enabled=yes
+

roles/unmaintained/ttrss/templates/config.php.j2

@@ -0,0 +1,43 @@
+<?php
+
+define('DB_TYPE', "mysql");
+define('DB_HOST', "{{ ttrss_mysql_server }}");
+define('DB_USER', "{{ ttrss_mysql_user }}");
+define('DB_NAME', "{{ ttrss_mysql_db }}");
+define('DB_PASS', "{{ ttrss_mysql_pass }}");
+define('DB_PORT', "{{ ttrss_mysql_port | default('') }}");
+define('MYSQL_CHARSET', 'UTF8');
+define('SELF_URL_PATH', '{{ ttrss_public_url }}');
+define('FEED_CRYPT_KEY', '');
+define('SINGLE_USER_MODE', false);
+define('SIMPLE_UPDATE_MODE', false);
+define('PHP_EXECUTABLE', '{{ ttrss_php_bin }}');
+define('LOCK_DIRECTORY', '{{ ttrss_root_dir }}/tmp/');
+define('CACHE_DIR', '{{ ttrss_root_dir }}/cache');
+define('ICONS_DIR', "{{ ttrss_root_dir }}/data/icons");
+define('ICONS_URL', "feed-icons");
+define('AUTH_AUTO_CREATE', true);
+define('AUTH_AUTO_LOGIN', true);
+define('FORCE_ARTICLE_PURGE', 0);
+define('ENABLE_REGISTRATION', false);
+define('SESSION_COOKIE_LIFETIME', 0);
+define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
+define('SMTP_FROM_ADDRESS', 'noreply@{{ ansible_domain }}');
+define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
+define('SMTP_SERVER', 'localhost:25');
+define('PLUGINS', 'auth_remote, auth_internal, note');
+define('LOG_DESTINATION', 'syslog');
+
+define('SPHINX_SERVER', 'localhost:9312');
+define('SPHINX_INDEX', 'ttrss, delta');
+define('REG_NOTIFY_ADDRESS', 'user@your.domain.dom');
+define('REG_MAX_USERS', 1);
+define('SMTP_LOGIN', '');
+define('SMTP_PASSWORD', '');
+define('SMTP_SECURE', '');
+define('CHECK_FOR_UPDATES', false);
+define('ENABLE_GZIP_OUTPUT', false);
+
+define('CONFIG_VERSION', 26);
+
+?>

roles/unmaintained/ttrss/templates/dump_db.j2

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+/usr/bin/mysqldump --user={{ ttrss_mysql_user }} \
+                   --password={{ ttrss_mysql_pass }} \
+                   --host={{ ttrss_mysql_server }} \
+                   --quick --single-transaction \
+                   --add-drop-table {{ ttrss_mysql_db }} | lz4 -c > {{ ttrss_root_dir }}/db_dumps/{{ ttrss_mysql_db }}.sql.lz4

roles/unmaintained/ttrss/templates/httpd.conf.j2

@@ -0,0 +1,45 @@
+{% if ttrss_alias is defined %}
+Alias /{{ ttrss_alias }}/feed-icons {{ ttrss_root_dir }}/data/icons
+Alias /{{ ttrss_alias }} {{ ttrss_root_dir }}/web
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+<Directory {{ ttrss_root_dir }}/web>
+  AllowOverride All
+  Options FollowSymLinks
+{% if ttrss_src_ip is defined %}
+  Require ip {{ ttrss_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ ttrss_php_fpm_pool | default('ttrss_' + ttrss_id) }}.sock|fcgi://localhost"
+  </FilesMatch>
+
+{% if httpd_src_ip is defined and httpd_src_ip | length > 0 and '0.0.0.0/0' not in httpd_src_ip %}
+  RewriteEngine On
+  RewriteCond %{HTTP:Auth-User} ^(\w+)$
+  RewriteRule .* - [E=REMOTE_USER:%1]
+{% endif %}
+
+  <FilesMatch "(\.ansible_version|\.git.*|config\.php)">
+    Require all denied
+  </FilesMatch>
+</Directory>
+<Directory {{ ttrss_root_dir }}/data/icons>
+  AllowOverride None
+  Options None
+  Require all granted
+</Directory>
+
+<Directory {{ ttrss_root_dir }}/web/.git>
+    Require all denied
+</Directory>
+<Directory {{ ttrss_root_dir }}/web/schema>
+    Require all denied
+</Directory>
+<Directory {{ ttrss_root_dir }}/web/cache>
+    Require all denied
+</Directory>
+

roles/unmaintained/ttrss/templates/perms.sh.j2

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+restorecon -R {{ ttrss_root_dir }}
+chown -R root:root {{ ttrss_root_dir }}/meta
+chmod 700 {{ ttrss_root_dir }}/meta
+chown -R {{ ttrss_php_user }}:apache {{ ttrss_root_dir }}/{cache,data}
+chmod 750 {{ ttrss_root_dir }}/{cache,data}
+chmod 700 {{ ttrss_root_dir }}
+chown -R {{ ttrss_php_user }} {{ ttrss_root_dir }}/{sessions,tmp}
+chmod 700 {{ ttrss_root_dir }}/{sessions,tmp}
+setfacl -k -b {{ ttrss_root_dir }}
+setfacl -m u:{{ ttrss_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ ttrss_root_dir }}
+restorecon -R {{ ttrss_root_dir }}

roles/unmaintained/ttrss/templates/php.conf.j2

@@ -0,0 +1,35 @@
+[ttrss_{{ ttrss_id }}]
+
+listen.owner = root
+listen.group = apache
+listen.mode = 0660
+listen = /run/php-fpm/ttrss_{{ ttrss_id }}.sock
+user = {{ ttrss_php_user }}
+group = {{ ttrss_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 5m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 128M
+php_admin_value[session.save_path] = {{ ttrss_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ ttrss_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ ttrss_root_dir }}/tmp
+php_admin_value[post_max_size] = 5M
+php_admin_value[upload_max_filesize] = 5M
+php_admin_value[disable_functions] = system, show_source, symlink, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ ttrss_root_dir }}
+php_admin_value[max_execution_time] = 60
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = on
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on

roles/unmaintained/ttrss/templates/rm_dump.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -f {{ ttrss_root_dir }}/db_dump/*

roles/unmaintained/ttrss/templates/ttrss-updater.service.j2

@@ -0,0 +1,19 @@
+[Unit]
+Description=Update Tiny Tiny RSS feeds
+After=network.target mysql.service
+
+[Service]
+User={{ ttrss_php_user }}
+ExecStart={{ ttrss_php_bin }} {{ ttrss_root_dir }}/web/update_daemon2.php
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=256M
+SyslogIdentifier=ttrss_{{ ttrss_id }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+

roles/unmaintained/ttrss/vars/RedHat-7.yml

@@ -0,0 +1,6 @@
+---
+
+ttrss_packages:
+  - git
+  - MySQL-python
+  - mariadb

roles/unmaintained/ttrss/vars/RedHat-8.yml

@@ -0,0 +1,6 @@
+---
+
+ttrss_packages:
+  - git
+  - python3-mysql
+  - mariadb