feat: add Fresh RSS service

2024-12-11 12:03:50 -03:00 · 2024-12-11 12:03:50 -03:00 · 6afeea39f2
commit 6afeea39f2
parent 7ebbac3870
5 changed files with 115 additions and 60 deletions
--- a/.justfile
+++ b/.justfile
@ -1,5 +1,10 @@
 export ANSIBLE_VAULT_PASSWORD_FILE := ".decrypt-pass.txt"

+# Debug output, disabled in CI
+export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
+export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
+
+
 play +ARGS:
  ansible-playbook {{ ARGS }}

--- a/files/docker/rss/docker-stack.yaml
+++ b/files/docker/rss/docker-stack.yaml
@ -0,0 +1,50 @@
+networks:
+  reverse-proxy:
+    external: true
+
+volumes:
+  fresh_rss_data:
+  fresh_rss_extensions:
+
+services:
+  freshrss:
+    image: freshrss/freshrss:latest
+    container_name: freshrss
+    hostname: freshrss
+    restart: unless-stopped
+    networks:
+        - reverse-proxy
+    logging:
+      options:
+        max-size: 10m
+    volumes:
+      - fresh_rss_data:/var/www/FreshRSS/data
+      - fresh_rss_extensions:/var/www/FreshRSS/extensions
+    environment:
+      TZ: America/Santiago
+      CRON_MIN: '3,33'
+      TRUSTED_PROXY: 10.0.10.0/24
+
+      OIDC_ENABLED: 1
+      OIDC_PROVIDER_METADATA_URL: https://auth.alecodes.page/.well-known/openid-configuration
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
+      OIDC_CLIENT_CRYPTO_KEY: ${OIDC_CLIENT_CRYPTO_KEY}
+      OIDC_REMOTE_USER_CLAIM: preferred_username
+      OIDC_SCOPES: openid groups email profile
+      OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
+
+    deploy:
+      rollback_config:
+        failure_action: continue
+      update_config:
+        delay: 2s
+        failure_action: rollback
+        order: start-first
+      placement:
+        constraints:
+          - node.labels.services_kind==${SERVICE_KIND:-common}
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.freshrss.rule=Host(`rss.alecodes.page`)
+        - traefik.http.services.freshrss.loadbalancer.server.port=80
--- a/files/docker/stack-rss.yaml
+++ b/files/docker/stack-rss.yaml
@ -1,54 +0,0 @@
-networks:
-  reverse-proxy:
-    external: true
-
-volumes:
-  fresh-rss-data:
-  fresh-rss-extensions:
-  fresh-rss-db:
-
-services:
-  freshrss:
-    image: freshrss/freshrss:latest
-    container_name: freshrss
-    hostname: freshrss
-    restart: unless-stopped
-    logging:
-      options:
-        max-size: 10m
-    volumes:
-      - data:/var/www/FreshRSS/data
-      - extensions:/var/www/FreshRSS/extensions
-    environment:
-      TZ: America/Santiago
-      CRON_MIN: '3,33'
-      TRUSTED_PROXY: 10.0.10.0
-    deploy:
-      rollback_config:
-        failure_action: continue
-      update_config:
-        delay: 2s
-        failure_action: rollback
-        order: start-first
-      placement:
-        constraints:
-          - node.labels.services_kind==common
-      labels:
-        - traefik.enable=true
-        - traefik.http.routers.personal-page.rule=Host(`rss.alecodes.page`)
-        - traefik.http.services.personal-page.loadbalancer.server.port=80
-
-  freshrss-db:
-    image: postgres:17
-    container_name: freshrss-db
-    hostname: freshrss-db
-    restart: unless-stopped
-    logging:
-      options:
-        max-size: 10m
-    volumes:
-      - fresh-rss-db:/var/lib/postgresql/data
-    environment:
-      POSTGRES_DB: ${DB_BASE:-freshrss}
-      POSTGRES_USER: ${DB_USER:-freshrss}
-      POSTGRES_PASSWORD: ${DB_PASSWORD:-freshrss}
--- a/playbooks/docker/services.yaml
+++ b/playbooks/docker/services.yaml
@ -3,9 +3,62 @@
 - name: Deploy homelab services
  hosts: 10.0.10.50
  tasks:
-    - name: Deploy RSS Feed
-      community.docker.docker_stack:
-        state: present
-        name: rss
-        compose:
-          - files/docker/stack-rss.yml
+    - name: Deploy RSS Services
+      vars:
+        project_name: rss
+      block:
+      # - name: Generate random hash
+      #   no_log: true
+      #   community.crypto.openssl_random:
+      #     length: 32
+      #     hex: false
+      #   register: random_hash
+      #
+      # - name: Create Docker secret for PostgreSQL password
+      #   no_log: true
+      #   community.docker.docker_secret:
+      #     state: present
+      #     name: "{{ project_name + '_db_password'}}"
+      #     secret: "{{ random_hash.stdout }}"
+
+      - name: Deploy RSS Feed
+        environment:
+          SERVICE_KIND: common
+          OIDC_CLIENT_ID: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            64373465396361306338353037613339383136643235633433396436313265343565343335386439
+            6364653962636630393031326266626631353163656364620a366663306633623163306631323836
+            31666165343039613838656236333232336631373139626230633266306134613665366135363763
+            6239303930306435390a326263653938343931323962343935323136386633376437666231333163
+            62623366393664643136393638323665313263383934646565366331663163653862386635333562
+            63396636646663326637333563303734313336653038323334646164306336393562313030353063
+            61643537393062336438623762633331666562303335393434666437336636613935626435363631
+            33386337336365353733
+          OIDC_CLIENT_SECRET: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            31666165626661336330303635343437313563343234383966383862653735643734633130626631
+            3335656237326535333132666432646563386131303636350a626534653338343236313636623234
+            34323364333834376334383431323434643634363336363333306634383232393132316662333134
+            6266653032646635380a313633363439613637303636316436383030636132356233306661323734
+            35663535373663373364616130333334613366616432616162323961666136383236353466373831
+            61386464313533643464323762333639316631393364393062666566666233623364376334376139
+            31366363376564353135646134396666373166386461376162656231323335396539323533643734
+            39306533333436363361
+          OIDC_CLIENT_CRYPTO_KEY: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            65353837666236363262613131653664633166646236363133356335636263363361373934626166
+            3935346135393061346566326130643134383363323433370a316131376666626139373430393135
+            65653464646336316135323965363734306131313430646164363533343465633231363865333062
+            3061383330383435650a363338666164336663383462333130623963376332333964306565326262
+            30616562333734363938373739636262363461313636386634373565373236383835383336376435
+            31633938643738303464633133363365316365376237313237376436393835623366346665303964
+            38323132643665613361643565636130303166386339363264306234616366313462616461316632
+            34633339613264353632303232633962303361343630653633383234663536323361646639383933
+            37333837383538613866663564616334636330636431663936373238613862316239663566333737
+            65333264666234643765623636393832363763343339386266316365623331333132303361336566
+            613766343761383861323138623536366431
+        community.docker.docker_stack:
+          state: present
+          name: "{{ project_name }}"
+          compose:
+            - "{{ lookup('file', '../../files/docker/rss/docker-stack.yaml') | from_yaml }}"
--- a/roles/docker/tasks/docker_alpine.yaml
+++ b/roles/docker/tasks/docker_alpine.yaml
@ -9,6 +9,7 @@
      - py3-yaml
      - py3-pip
      - py3-docker-py
+      - py3-jsondiff

 - name: Copy openrc.sh to /etc/init.d/docker
  copy: