Update to 2021-03-08 15:00

roles/miniflux/defaults/main.yml

@@ -0,0 +1,43 @@
+---
+
+# Version to install
+miniflux_version: 2.0.28
+# URL of the binary to install
+miniflux_bin_url: https://github.com/miniflux/v2/releases/download/{{ miniflux_version }}/miniflux-linux-amd64
+# Expected sha1 of the binary
+miniflux_bin_sha1: 9e3ad863c1529d43828748b427f8bfb89b37fc08
+# Should ansible handle upgrades ? If false, only initial install will be done
+miniflux_manage_upgrade: True
+
+# Top dir where miniflux will be installed
+miniflux_root_dir: /opt/miniflux
+# User account under which miniflux will run
+miniflux_user: miniflux
+
+miniflux_db_server: "{{ pg_server | default('localhost') }}"
+miniflux_db_port: 5432
+miniflux_db_name: miniflux
+miniflux_db_user: miniflux
+# A random one will be created and stored in the meta sub dir
+# if not defined
+# miniflux_db_pass: S3cR3t.
+
+# Port on which miniflux will bind
+miniflux_port: 8085
+# List of IP / CIDR for which miniflux_port will be accessible (if ansible manage iptables)
+miniflux_src_ip: []
+
+# Public URL. Must be adapted if you use a reverse proxy
+miniflux_public_url: http://{{ inventory_hostname }}:{{ miniflux_port }}/
+
+# Ansible will create a default admin account, you can set the password
+# If not defined, a random one will be created and store in meta/ansible_admin_pass
+# miniflux_admin_pass: p@ssw0rd
+
+# OpenID Connect auth
+miniflux_oidc: False
+# miniflux_oidc_id: miniflux
+# miniflux_oidc_secret: S3cr3T.
+# miniflux_oidc_callback_url: https://flux.example.org/oidc/oidc/callback
+# miniflux_oidc_disco_url: https://sso.example.org/.well-known/openid-configuration
+

roles/miniflux/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: restart miniflux
+  service: name=miniflux state=restarted
+  when: not miniflux_started.changed

roles/miniflux/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: postgresql_server
+    when: miniflux_db_server in ['localhost', '127.0.0.1']

roles/miniflux/tasks/archive_post.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}.tar.zst --use-compress-program=zstd ./
+  args:
+    chdir: "{{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}"
+    warn: False
+  environment:
+    ZSTD_CLEVEL: 10
+  tags: miniflux

roles/miniflux/tasks/archive_pre.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Create the archive dir
+  file: path={{ miniflux_root_dir }}/archives/{{ miniflux_current_version }} state=directory
+  tags: miniflux
+
+- name: Backup previous version
+  copy: src={{ miniflux_root_dir }}/bin/miniflux dest={{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}/ remote_src=True
+  tags: miniflux
+
+- name: Backup the database
+  command: >
+    /usr/pgsql-13/bin/pg_dump
+    --clean
+    --host={{ miniflux_db_server }}
+    --port={{ miniflux_db_port }}
+    --username={{ miniflux_db_user }}
+    {{ miniflux_db_name }}
+    --file={{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}/{{ miniflux_db_name }}.sql
+  environment:
+    - PGPASSWORD: "{{ miniflux_db_pass }}"
+  tags: miniflux

roles/miniflux/tasks/cleanup.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Remove tmp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ miniflux_root_dir }}/archives/{{ miniflux_current_version }}"
+  tags: miniflux

roles/miniflux/tasks/conf.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Deploy configuration
+  template: src=miniflux.conf.j2 dest={{ miniflux_root_dir }}/etc/miniflux.conf group={{ miniflux_user }} mode=640
+  tags: miniflux

roles/miniflux/tasks/directories.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Create needed directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ miniflux_root_dir }}/bin"
+    - dir: "{{ miniflux_root_dir }}/etc"
+      group: "{{ miniflux_user }}"
+      mode: 750
+    - dir: "{{ miniflux_root_dir }}/tmp"
+    - dir: "{{ miniflux_root_dir }}/meta"
+      mode: 700
+    - dir: "{{ miniflux_root_dir }}/archives"
+      mode: 700
+    - dir: "{{ miniflux_root_dir }}/backup"
+      mode: 700
+  tags: miniflux

roles/miniflux/tasks/facts.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Detect installed version
+  block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ miniflux_root_dir }}"
+        - version: "{{ miniflux_version }}"
+    - set_fact: miniflux_install_mode={{ (install_mode == 'upgrade' and not miniflux_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: miniflux_current_version={{ current_version | default('') }}
+  tags: miniflux
+
+- when: miniflux_db_pass is not defined
+  name: Generate a random pass for the database
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ miniflux_root_dir }}/meta/ansible_dbpass"
+    - set_fact: miniflux_db_pass={{ rand_pass }}
+  tags: miniflux
+
+- when: miniflux_admin_pass is not defined
+  name: Generate a random pass for the admin account
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ miniflux_root_dir }}/meta/ansible_admin_pass"
+    - set_fact: miniflux_admin_pass={{ rand_pass }}
+  tags: miniflux

roles/miniflux/tasks/install.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Install needed tools
+  package:
+    name:
+      - tar
+      - zstd
+      - postgresql13
+  tags: miniflux
+
+- name: Download miniflux
+  get_url:
+    url: "{{ miniflux_bin_url }}"
+    dest: "{{ miniflux_root_dir }}/bin/miniflux"
+    checksum: sha1:{{ miniflux_bin_sha1 }}
+    mode: 755
+  when: miniflux_install_mode != 'none'
+  tags: miniflux
+
+- name: Install systemd unit
+  template: src=miniflux.service.j2 dest=/etc/systemd/system/miniflux.service
+  register: miniflux_unit
+  tags: miniflux
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: miniflux_unit.changed
+  tags: miniflux
+
+- name: Create the PostgreSQL role
+  postgresql_user:
+    db: postgres
+    name: "{{ miniflux_db_user }}"
+    password: "{{ miniflux_db_pass }}"
+    login_host: "{{ miniflux_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: miniflux
+
+- name: Create the PostgreSQL database
+  postgresql_db:
+    name: "{{ miniflux_db_name }}"
+    encoding: UTF-8
+    lc_collate: C
+    lc_ctype: C
+    template: template0
+    owner: "{{ miniflux_db_user }}"
+    login_host: "{{ miniflux_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: miniflux
+
+- name: Enable required PostgreSQL extensions
+  postgresql_ext:
+    name: "{{ item }}"
+    db: "{{ miniflux_db_name }}"
+    login_host: "{{ miniflux_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  loop:
+    - hstore
+  tags: miniflux
+
+- name: Install backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/miniflux mode=700
+  loop:
+    - pre
+    - post
+  tags: miniflux

roles/miniflux/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+
+- name:  Handle miniflux port in the firewall
+  iptables_raw:
+    name: miniflux_port
+    state: "{{ (miniflux_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ miniflux_port }} -s {{ miniflux_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,miniflux

roles/miniflux/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: miniflux_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: miniflux_install_mode == 'upgrade'
+- include: cleanup.yml

roles/miniflux/tasks/services.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=miniflux state=started enabled=True
+  register: miniflux_started
+  tags: miniflux

roles/miniflux/tasks/user.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Create user
+  user: name={{ miniflux_user }} system=True shell=/sbin/nologin home={{ miniflux_root_dir }}
+  tags: miniflux

roles/miniflux/tasks/write_version.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+  copy: content={{ miniflux_version }} dest={{ miniflux_root_dir }}/meta/ansible_version
+  tags: miniflux

roles/miniflux/templates/miniflux.conf.j2

@@ -0,0 +1,17 @@
+DATABASE_URL="host={{ miniflux_db_server }} port={{ miniflux_db_port }} user={{ miniflux_db_user }} password='{{ miniflux_db_pass }}' dbname={{ miniflux_db_name }} sslmode=disable"
+LISTEN_ADDR=0.0.0.0
+PORT={{ miniflux_port }}
+BASE_URL={{ miniflux_public_url }}
+RUN_MIGRATIONS=1
+CREATE_ADMIN=1
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD={{ miniflux_admin_pass | quote }}
+PROXY_IMAGES=all
+{% if miniflux_oidc %}
+OAUTH2_PROVIDER=oidc
+OAUTH2_CLIENT_ID={{ miniflux_oidc_id | quote }}
+OAUTH2_CLIENT_SECRET={{ minifluxçoidc_secret | quote }}
+OAUTH2_REDIRECT_URL={{ miniflux_oidc_callback_url }}
+OAUTH2_OIDC_DISCOVERY_ENDPOINT={{ miniflux_oidc_disco_url }}
+OAUTH2_USER_CREATION=1
+{% endif %}

roles/miniflux/templates/miniflux.service.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=Miniflux Feed Reader
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+EnvironmentFile={{ miniflux_root_dir }}/etc/miniflux.conf
+User={{ miniflux_user }}
+ExecStart={{ miniflux_root_dir }}/bin/miniflux
+Restart=always
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+ReadWritePaths=/run
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

roles/miniflux/templates/post-backup.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ miniflux_root_dir }}/backup/*

roles/miniflux/templates/pre-backup.j2

@@ -0,0 +1,9 @@
+#!/bin/bash -e
+
+PGPASSWORD='{{ miniflux_db_pass }}' /usr/pgsql-13/bin/pg_dump \
+  --clean \
+  --username={{ miniflux_db_user | quote }} \
+  --host={{ miniflux_db_server | quote }} \
+  {{ miniflux_db_name | quote }} | \
+  zstd -c > {{ miniflux_root_dir }}/backup/{{ miniflux_db_name | quote }}.sql.zst
+