From cc400eb5efa737404acc758f28af071f31b5a951 Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud Date: Mon, 8 Mar 2021 15:00:08 +0100 Subject: [PATCH] Update to 2021-03-08 15:00 --- roles/lemonldap_ng/files/logos/miniflux.png | Bin 0 -> 5946 bytes roles/miniflux/defaults/main.yml | 43 +++++++++++++++++ roles/miniflux/handlers/main.yml | 5 ++ roles/miniflux/meta/main.yml | 5 ++ roles/miniflux/tasks/archive_post.yml | 10 ++++ roles/miniflux/tasks/archive_pre.yml | 22 +++++++++ roles/miniflux/tasks/cleanup.yml | 7 +++ roles/miniflux/tasks/conf.yml | 5 ++ roles/miniflux/tasks/directories.yml | 17 +++++++ roles/miniflux/tasks/facts.yml | 29 +++++++++++ roles/miniflux/tasks/install.yml | 69 +++++++++++++++++++++++++++ roles/miniflux/tasks/iptables.yml | 8 ++++ roles/miniflux/tasks/main.yml | 16 +++++++ roles/miniflux/tasks/services.yml | 6 +++ roles/miniflux/tasks/user.yml | 5 ++ roles/miniflux/tasks/write_version.yml | 5 ++ roles/miniflux/templates/miniflux.conf.j2 | 17 +++++++ roles/miniflux/templates/miniflux.service.j2 | 23 +++++++++ roles/miniflux/templates/post-backup.j2 | 3 ++ roles/miniflux/templates/pre-backup.j2 | 9 ++++ 20 files changed, 304 insertions(+) create mode 100644 roles/lemonldap_ng/files/logos/miniflux.png create mode 100644 roles/miniflux/defaults/main.yml create mode 100644 roles/miniflux/handlers/main.yml create mode 100644 roles/miniflux/meta/main.yml create mode 100644 roles/miniflux/tasks/archive_post.yml create mode 100644 roles/miniflux/tasks/archive_pre.yml create mode 100644 roles/miniflux/tasks/cleanup.yml create mode 100644 roles/miniflux/tasks/conf.yml create mode 100644 roles/miniflux/tasks/directories.yml create mode 100644 roles/miniflux/tasks/facts.yml create mode 100644 roles/miniflux/tasks/install.yml create mode 100644 roles/miniflux/tasks/iptables.yml create mode 100644 roles/miniflux/tasks/main.yml create mode 100644 roles/miniflux/tasks/services.yml create mode 100644 roles/miniflux/tasks/user.yml create mode 100644 roles/miniflux/tasks/write_version.yml create mode 100644 
roles/miniflux/templates/miniflux.conf.j2 create mode 100644 roles/miniflux/templates/miniflux.service.j2 create mode 100644 roles/miniflux/templates/post-backup.j2 create mode 100644 roles/miniflux/templates/pre-backup.j2 
diff --git a/roles/lemonldap_ng/files/logos/miniflux.png b/roles/lemonldap_ng/files/logos/miniflux.png new file mode 100644 index 0000000000000000000000000000000000000000..bdfc87a94a217332e323fb08fe458c95e0eb19de GIT binary patch literal 5946 zcmeHLXH-+!7QP@&6a_^=5C~CcVLfCLC7bP?s|<_01m2`LboWw3#wC}Ke@ z2r7zke6$Jq#HO=k!Pqh3A|;wQpy~;g;G>CGfeZ4W>!b^qar--IM5tVGGPG+zNQp z|D@lbA%+%U=N3{*Sv5! zp{drf>wKd@1$0WeJ3i;`8nvG(QKn_?dme50J=LM3 z^YC}~pV?oezFxjC^8J4c5DU*IXTGg|OX}L`ax7RAztMw=&yck1^%^S!*ud7WyubeWS0hOBjS+-_9 zx{y2JxA_Nl5|(cciy6wg5m^8<=brpUd((AKRr0Yr0mfP{oS6GO*H2i`hAcuVv&XF4Z};E}pYm18O#IrTKPW zx*O&8PG*?xMh`o_!G2)cTrbhn2}q_ox& zJOgqO^Asa5wr1_jh{v84*SZpVe;77Se%c$A)q3#7qCfM=o#CXMqh&27$6ecoyHv97 z(bS@&u7oMyTLG?GW1CJgy0ExVO^SZTZ!XiP%}dYsN+*CZhO>Gl!dE6@z1!O>-fy%! zMLMD;txb0z7pFx1VIiIXTU$c|l!_ z=tMe{syV1DwY;4`;cSC-fs|`z}H}ZED zb>sH#T{c4`fJxl57LgAm@dix0SYtEe{YYbHtHUx*TVZFW+GZsefdFRiZ~E6#C;dy4 zN*@f)Eb#*=N2Te}#(kF24X=6+ap2IdUuyz#lDrt}dpEdtsSlmJdi|_#T)^=)t%6;{ z1(G9$Aqh0Q8)enJ^qcs7l?^?TBiBeN{k3(2+uw)c+G-mHb(qrn!7Clq!&|bC;R$JL zg3>a2wTeoP-aasN;H9`?$e?XKE%e=8jyJ=Zq6BaimL0jjF|6Z#NnfA+P zWcr)7YL-%VEg4c}7;MwkTU1}s-QCP;t8WSqRS$L5egnjd#Z1Z8Y43OHE^d?wZ*56@ zWt`Xt6a+wdZR9C2RdI)NCKC2U%t%?PL(|ZiJja}Lc~?%6ZfbKoRXMeK<8!O`;+2~> zM*dkKb1w4xs73?@fxG*U{tS=S_u2zy z-d4Kw<+Vq|njD$xvaZUj3s7HQ7qhjzJ?*y9xB(YR%7{edq zCJ-SQ8*3YD5a%xACJ?bsnixkBn?qsJJVq(d5fvLFkq9Yxd}3mvbt1`HAd1El92^|* zAQ4X_;!p%moWz$vG8|t#M@})qK|{o_h%1zE1$>O06JiOZ5-Jvpu46{Y(N)-8hE9$; zkdGDgVhI~hM+Y|Oeoz3O2!i%FkccBX;K$pes|?1NHD5fcBC01|1_|*5YY-n7_lbpA z;-2u)-)AkvLFny?XCh*OR0JdL2?$>@XS`D(PbwboQz}N}Q;N8GYz`g`O5u6D%_2I( zf6PWMV>CBTsIZWu$0OPB7)~e^@e~*~j7NA#92$riWhQ)rmvA{B59pKq$XEUn2*j%e6a-L!-$*;CAa3HJP;8gl5ANJ&W1!L;%s1oEsn)z6LBn}tu32u z4}vhkW*mi|h>KPN#2X)#oQjQ7*%M(Bi3M_S92SD$Z0tZbj%CXs;vDSkNCXZUBHKZ1 z1(p09D6al=Dwb#sew^{=K@yHY6i3DSaQRZ%$Autn91ut2+7DCZ@#n2J|CGcOE0%HV; z{Qr&TBXo?#RU}Cih+_RjeyrsPEcr6e=fGo3OtjaDC88wy-)!nXaE>GC>WSJ4L`mcP z2O{w!qmhQh<0_=WU=&S&0>LBli=hN$Bs)+YN0#6ih#!rh-FCFpKFo7Jlg0!#i^$>F 
zI-r$6K+~875peb(3&D}>Y+)E=fh2^$Q5^6XyI8=HBtjy@H5$zU^qkSsQk*l!QjvZ0 zK1Cgp_hn0KXXnVt45!_)mYw(Xux~`jdDFoB_S(gB2x;E3&hRd3%XSTyF#~QhS56|>lVY1Tq?sT_9 zUb*I0grSJKvpQ##DRt9YltU^W>DZrWf1(HJo7YZspShjMh%yROS-Q$l$069OdW&+^ zgzeW8R>gH+72%b9Y3z_KcU1P_oDS)g5vSCdwp^xDc+GWc{SN2ab#zWxxooT2ES|RB zrM=(G;dWO!peY0LhIIZ=N_TddvWoncN)2~xN0gMKI{G6Y0#6NVb~N3Xv9-6Le%{Hz zYc^qvD`zePX3r`+y~2olRf&WEojZ03GP<7hVM?b?a^Vc?Dak4thg8#~-lZ3dHC$pc z=6OF&$@l8td zwpQfj%+1(CpL_7Gy>Sto<>B@{2Gq-Vlr-Vat6-_|@u1#iJ?gnjOSBo8l%?po0Caa> K+7An(zW+DtrqDzH literal 0 HcmV?d00001 diff --git a/roles/miniflux/defaults/main.yml b/roles/miniflux/defaults/main.yml new file mode 100644 index 0000000..3709158 --- /dev/null +++ b/roles/miniflux/defaults/main.yml 
@@ -0,0 +1,43 @@
+---
+
+# Version to install
+miniflux_version: 2.0.28
+# URL of the binary to install
+miniflux_bin_url: https://github.com/miniflux/v2/releases/download/{{ miniflux_version }}/miniflux-linux-amd64
+# Expected sha1 of the binary
+miniflux_bin_sha1: 9e3ad863c1529d43828748b427f8bfb89b37fc08
+# Should ansible handle upgrades ? If false, only initial install will be done
+miniflux_manage_upgrade: True
+
+# Top dir where miniflux will be installed
+miniflux_root_dir: /opt/miniflux
+# User account under which miniflux will run
+miniflux_user: miniflux
+
+miniflux_db_server: "{{ pg_server | default('localhost') }}"
+miniflux_db_port: 5432
+miniflux_db_name: miniflux
+miniflux_db_user: miniflux
+# A random one will be created and stored in the meta sub dir
+# if not defined
+# miniflux_db_pass: S3cR3t.
+
+# Port on which miniflux will bind
+miniflux_port: 8085
+# List of IP / CIDR for which miniflux_port will be accessible (if ansible manage iptables)
+miniflux_src_ip: []
+
+# Public URL. Must be adapted if you use a reverse proxy
+miniflux_public_url: http://{{ inventory_hostname }}:{{ miniflux_port }}/
+
+# Ansible will create a default admin account, you can set the password
+# If not defined, a random one will be created and store in meta/ansible_admin_pass
+# miniflux_admin_pass: p@ssw0rd
+
+# OpenID Connect auth
+miniflux_oidc: False
+# miniflux_oidc_id: miniflux
+# miniflux_oidc_secret: S3cr3T.
+# miniflux_oidc_callback_url: https://flux.example.org/oidc/oidc/callback
+# miniflux_oidc_disco_url: https://sso.example.org/.well-known/openid-configuration
+
diff --git a/roles/miniflux/handlers/main.yml b/roles/miniflux/handlers/main.yml
new file mode 100644
index 0000000..f50450a
--- /dev/null
+++ b/roles/miniflux/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: restart miniflux
+ service: name=miniflux state=restarted
+ when: not miniflux_started.changed
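Review bot: `miniflux_bin_sha1` pins the downloaded binary with SHA-1, which is no longer collision-resistant, and this value is the only integrity check on an executable fetched from `miniflux_bin_url` and later run as a service. `get_url`'s `checksum` option accepts `sha256:<hex>`, so the default could become `miniflux_bin_sha256: <SHA-256 of the verified release binary>` (placeholder, not a real value), consumed as `checksum: sha256:{{ miniflux_bin_sha256 }}` in tasks/install.yml. A short comment next to the variable saying that the hash must be updated together with `miniflux_version` would also help whoever bumps the version.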
diff --git a/roles/miniflux/meta/main.yml b/roles/miniflux/meta/main.yml
new file mode 100644
index 0000000..0cb7a04
--- /dev/null
+++ b/roles/miniflux/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+ - role: postgresql_server
+ when: miniflux_db_server in ['localhost', '127.0.0.1']
diff --git a/roles/miniflux/tasks/archive_post.yml b/roles/miniflux/tasks/archive_post.yml
new file mode 100644
index 0000000..817b087
--- /dev/null
+++ b/roles/miniflux/tasks/archive_post.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+ command: tar cf {{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}.tar.zst --use-compress-program=zstd ./
+ args:
+ chdir: "{{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}"
+ warn: False
+ environment:
+ ZSTD_CLEVEL: 10
+ tags: miniflux
diff --git a/roles/miniflux/tasks/archive_pre.yml b/roles/miniflux/tasks/archive_pre.yml
new file mode 100644
index 0000000..eef7234
--- /dev/null
+++ b/roles/miniflux/tasks/archive_pre.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Create the archive dir
+ file: path={{ miniflux_root_dir }}/archives/{{ miniflux_current_version }} state=directory
+ tags: miniflux
+
+- name: Backup previous version
+ copy: src={{ miniflux_root_dir }}/bin/miniflux dest={{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}/ remote_src=True
+ tags: miniflux
+
+- name: Backup the database
+ command: >
+ /usr/pgsql-13/bin/pg_dump
+ --clean
+ --host={{ miniflux_db_server }}
+ --port={{ miniflux_db_port }}
+ --username={{ miniflux_db_user }}
+ {{ miniflux_db_name }}
+ --file={{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}/{{ miniflux_db_name }}.sql
+ environment:
+ - PGPASSWORD: "{{ miniflux_db_pass }}"
+ tags: miniflux
diff --git a/roles/miniflux/tasks/cleanup.yml b/roles/miniflux/tasks/cleanup.yml
new file mode 100644
index 0000000..fff3eaa
--- /dev/null
+++ b/roles/miniflux/tasks/cleanup.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Remove tmp and obsolete files
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}"
+ tags: miniflux
diff --git a/roles/miniflux/tasks/conf.yml b/roles/miniflux/tasks/conf.yml
new file mode 100644
index 0000000..2c352b5
--- /dev/null
+++ b/roles/miniflux/tasks/conf.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Deploy configuration
+ template: src=miniflux.conf.j2 dest={{ miniflux_root_dir }}/etc/miniflux.conf group={{ miniflux_user }} mode=640
+ tags: miniflux
diff --git a/roles/miniflux/tasks/directories.yml b/roles/miniflux/tasks/directories.yml
new file mode 100644
index 0000000..957da39
--- /dev/null
+++ b/roles/miniflux/tasks/directories.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Create needed directories
+ file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: "{{ miniflux_root_dir }}/bin"
+ - dir: "{{ miniflux_root_dir }}/etc"
+ group: "{{ miniflux_user }}"
+ mode: 750
+ - dir: "{{ miniflux_root_dir }}/tmp"
+ - dir: "{{ miniflux_root_dir }}/meta"
+ mode: 700
+ - dir: "{{ miniflux_root_dir }}/archives"
+ mode: 700
+ - dir: "{{ miniflux_root_dir }}/backup"
+ mode: 700
+ tags: miniflux
diff --git a/roles/miniflux/tasks/facts.yml b/roles/miniflux/tasks/facts.yml
new file mode 100644
index 0000000..cde3197
--- /dev/null
+++ b/roles/miniflux/tasks/facts.yml
@@ -0,0 +1,29 @@
+---
+
+- name: Detect installed version
+ block:
+ - import_tasks: ../includes/webapps_set_install_mode.yml
+ vars:
+ - root_dir: "{{ miniflux_root_dir }}"
+ - version: "{{ miniflux_version }}"
+ - set_fact: miniflux_install_mode={{ (install_mode == 'upgrade' and not miniflux_manage_upgrade) | ternary('none',install_mode) }}
+ - set_fact: miniflux_current_version={{ current_version | default('') }}
+ tags: miniflux
+
+- when: miniflux_db_pass is not defined
+ name: Generate a random pass for the database
+ block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ miniflux_root_dir }}/meta/ansible_dbpass"
+ - set_fact: miniflux_db_pass={{ rand_pass }}
+ tags: miniflux
+
+- when: miniflux_admin_pass is not defined
+ name: Generate a random pass for the admin account
+ block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ miniflux_root_dir }}/meta/ansible_admin_pass"
+ - set_fact: miniflux_admin_pass={{ rand_pass }}
+ tags: miniflux
diff --git a/roles/miniflux/tasks/install.yml b/roles/miniflux/tasks/install.yml
new file mode 100644
index 0000000..0607d1c
--- /dev/null
+++ b/roles/miniflux/tasks/install.yml
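Review bot: The two `set_fact` tasks that copy `rand_pass` into `miniflux_db_pass` and `miniflux_admin_pass` carry no `no_log`, so the generated passwords can end up in task output when the play runs with verbosity or a logging callback. Adding `no_log: True` to both password blocks keeps them out of logs. `../includes/get_rand_pass.yml` is not part of this patch, so whether it already suppresses logging, and with which mode it writes the `meta/ansible_dbpass` and `meta/ansible_admin_pass` files, cannot be confirmed from here.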
@@ -0,0 +1,69 @@
+---
+
+- name: Install needed tools
+ package:
+ name:
+ - tar
+ - zstd
+ - postgresql13
+ tags: miniflux
+
+- name: Download miniflux
+ get_url:
+ url: "{{ miniflux_bin_url }}"
+ dest: "{{ miniflux_root_dir }}/bin/miniflux"
+ checksum: sha1:{{ miniflux_bin_sha1 }}
+ mode: 755
+ when: miniflux_install_mode != 'none'
+ tags: miniflux
+
+- name: Install systemd unit
+ template: src=miniflux.service.j2 dest=/etc/systemd/system/miniflux.service
+ register: miniflux_unit
+ tags: miniflux
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: miniflux_unit.changed
+ tags: miniflux
+
+- name: Create the PostgreSQL role
+ postgresql_user:
+ db: postgres
+ name: "{{ miniflux_db_user }}"
+ password: "{{ miniflux_db_pass }}"
+ login_host: "{{ miniflux_db_server }}"
+ login_user: sqladmin
+ login_password: "{{ pg_admin_pass }}"
+ tags: miniflux
+
+- name: Create the PostgreSQL database
+ postgresql_db:
+ name: "{{ miniflux_db_name }}"
+ encoding: UTF-8
+ lc_collate: C
+ lc_ctype: C
+ template: template0
+ owner: "{{ miniflux_db_user }}"
+ login_host: "{{ miniflux_db_server }}"
+ login_user: sqladmin
+ login_password: "{{ pg_admin_pass }}"
+ tags: miniflux
+
+- name: Enable required PostgreSQL extensions
+ postgresql_ext:
+ name: "{{ item }}"
+ db: "{{ miniflux_db_name }}"
+ login_host: "{{ miniflux_db_server }}"
+ login_user: sqladmin
+ login_password: "{{ pg_admin_pass }}"
+ loop:
+ - hstore
+ tags: miniflux
+
+- name: Install backup hooks
+ template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/miniflux mode=700
+ loop:
+ - pre
+ - post
+ tags: miniflux
diff --git a/roles/miniflux/tasks/iptables.yml b/roles/miniflux/tasks/iptables.yml
new file mode 100644
index 0000000..ceb819b
--- /dev/null
+++ b/roles/miniflux/tasks/iptables.yml
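Review bot: `mode: 755` in the `Download miniflux` task is an unquoted YAML integer, which Ansible takes as decimal 755, i.e. octal 1363, not `rwxr-xr-x`; the installed service binary would then be writable by "other" and carry the sticky bit. Write it as a quoted octal string, `mode: "0755"`. The `mode=700` on the backup hooks is in key=value form and therefore already a string, but the native-YAML `mode: 750` / `mode: 700` loop items in tasks/directories.yml are worth quoting the same way (`"0750"`, `"0700"`) so they do not depend on how the value is templated.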
@@ -0,0 +1,8 @@
+---
+
+- name: Handle miniflux port in the firewall
+ iptables_raw:
+ name: miniflux_port
+ state: "{{ (miniflux_src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -p tcp --dport {{ miniflux_port }} -s {{ miniflux_src_ip | join(',') }} -j ACCEPT"
+ tags: firewall,miniflux
diff --git a/roles/miniflux/tasks/main.yml b/roles/miniflux/tasks/main.yml
new file mode 100644
index 0000000..9b77e6a
--- /dev/null
+++ b/roles/miniflux/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+ when: miniflux_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+ when: iptables_manage | default(True)
+- include: services.yml
+- include: write_version.yml
+- include: archive_post.yml
+ when: miniflux_install_mode == 'upgrade'
+- include: cleanup.yml
diff --git a/roles/miniflux/tasks/services.yml b/roles/miniflux/tasks/services.yml
new file mode 100644
index 0000000..773b1c7
--- /dev/null
+++ b/roles/miniflux/tasks/services.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+ service: name=miniflux state=started enabled=True
+ register: miniflux_started
+ tags: miniflux
diff --git a/roles/miniflux/tasks/user.yml b/roles/miniflux/tasks/user.yml
new file mode 100644
index 0000000..48128e2
--- /dev/null
+++ b/roles/miniflux/tasks/user.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Create user
+ user: name={{ miniflux_user }} system=True shell=/sbin/nologin home={{ miniflux_root_dir }}
+ tags: miniflux
diff --git a/roles/miniflux/tasks/write_version.yml b/roles/miniflux/tasks/write_version.yml
new file mode 100644
index 0000000..959fd26
--- /dev/null
+++ b/roles/miniflux/tasks/write_version.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+ copy: content={{ miniflux_version }} dest={{ miniflux_root_dir }}/meta/ansible_version
+ tags: miniflux
diff --git a/roles/miniflux/templates/miniflux.conf.j2 b/roles/miniflux/templates/miniflux.conf.j2
new file mode 100644
index 0000000..fca4960
--- /dev/null
+++ b/roles/miniflux/templates/miniflux.conf.j2
@@ -0,0 +1,17 @@
+DATABASE_URL="host={{ miniflux_db_server }} port={{ miniflux_db_port }} user={{ miniflux_db_user }} password='{{ miniflux_db_pass }}' dbname={{ miniflux_db_name }} sslmode=disable"
+LISTEN_ADDR=0.0.0.0
+PORT={{ miniflux_port }}
+BASE_URL={{ miniflux_public_url }}
+RUN_MIGRATIONS=1
+CREATE_ADMIN=1
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD={{ miniflux_admin_pass | quote }}
+PROXY_IMAGES=all
+{% if miniflux_oidc %}
+OAUTH2_PROVIDER=oidc
+OAUTH2_CLIENT_ID={{ miniflux_oidc_id | quote }}
+OAUTH2_CLIENT_SECRET={{ minifluxçoidc_secret | quote }}
+OAUTH2_REDIRECT_URL={{ miniflux_oidc_callback_url }}
+OAUTH2_OIDC_DISCOVERY_ENDPOINT={{ miniflux_oidc_disco_url }}
+OAUTH2_USER_CREATION=1
+{% endif %}
diff --git a/roles/miniflux/templates/miniflux.service.j2 b/roles/miniflux/templates/miniflux.service.j2
new file mode 100644
index 0000000..3c08dec
--- /dev/null
+++ b/roles/miniflux/templates/miniflux.service.j2
@@ -0,0 +1,23 @@
+[Unit]
+Description=Miniflux Feed Reader
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+EnvironmentFile={{ miniflux_root_dir }}/etc/miniflux.conf
+User={{ miniflux_user }}
+ExecStart={{ miniflux_root_dir }}/bin/miniflux
+Restart=always
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+ReadWritePaths=/run
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/miniflux/templates/post-backup.j2 b/roles/miniflux/templates/post-backup.j2
new file mode 100644
index 0000000..a5ebcfb
--- /dev/null
+++ b/roles/miniflux/templates/post-backup.j2
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ miniflux_root_dir }}/backup/*
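Review bot: In miniflux.conf.j2, `OAUTH2_CLIENT_SECRET={{ minifluxçoidc_secret | quote }}` references `minifluxçoidc_secret`, not the `miniflux_oidc_secret` variable documented in defaults/main.yml, so the template will hit an undefined name as soon as `miniflux_oidc` is true; it should read `{{ miniflux_oidc_secret | quote }}`. In the same file `DATABASE_URL` hard-codes `sslmode=disable` although `miniflux_db_server` can point at a remote host through `pg_server`, in which case the database password and content cross the network unencrypted; a variable such as `miniflux_db_sslmode` would let remote setups require TLS. `password='{{ miniflux_db_pass }}'` is also inserted without any escaping, unlike the `| quote` applied to the other secrets, so a password containing `'` produces a broken connection string.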
diff --git a/roles/miniflux/templates/pre-backup.j2 b/roles/miniflux/templates/pre-backup.j2
new file mode 100644
index 0000000..71ca1cc
--- /dev/null
+++ b/roles/miniflux/templates/pre-backup.j2
@@ -0,0 +1,9 @@
+#!/bin/bash -e
+
+PGPASSWORD='{{ miniflux_db_pass }}' /usr/pgsql-13/bin/pg_dump \
+ --clean \
+ --username={{ miniflux_db_user | quote }} \
+ --host={{ miniflux_db_server | quote }} \
+ {{ miniflux_db_name | quote }} | \
+ zstd -c > {{ miniflux_root_dir }}/backup/{{ miniflux_db_name | quote }}.sql.zst
+
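Review bot: `PGPASSWORD='{{ miniflux_db_pass }}'` wraps the password in literal single quotes instead of using `| quote` like the other arguments, so a password containing `'` breaks the script or changes what the shell runs; `PGPASSWORD={{ miniflux_db_pass | quote }}` would be consistent with the rest. The script runs under `bash -e` without `set -o pipefail`, so a failing `pg_dump` is masked by `zstd` exiting 0 and the hook reports success with an empty or truncated dump. The command also omits `--port={{ miniflux_db_port }}`, which the `pg_dump` call in tasks/archive_pre.yml does pass, so backups would fail on a non-default port.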