Add FreshRSS packer/terraform

prod/freshrss/packer/.envrc

@@ -0,0 +1,8 @@
+source_up
+
+if [ -f ".env.local" ]; then
+    echo "sourcing .env.local"
+    set -a
+    source ".env.local"
+    set +a
+fi

prod/freshrss/packer/.gitignore

@@ -0,0 +1,2 @@
+tmp/
+certbot/

prod/freshrss/packer/Makefile

@@ -0,0 +1,35 @@
+.PHONY: reissue-certs
+
+packer-manifest.json: freshrss.json \
+                      scripts/dependencies.sh \
+                      files/freshrss.timer \
+                      files/freshrss.service \
+                      scripts/freshrss.sh \
+                      files/freshrss-nginx.conf \
+                      scripts/nginx.sh \
+                      certbot/live/rss.jeremydormitzer.com/fullchain.pem \
+		      certbot/live/rss.jeremydormitzer.com/privkey.pem
+	packer build freshrss.json
+
+certbot/live/rss.jeremydormitzer.com/fullchain.pem certbot/live/rss.jeremydormitzer.com/privkey.pem &: tmp/do.ini
+	certbot certonly -n \
+                         --agree-tos \
+                         --email ${CERTBOT_EMAIL} \
+                         --dns-digitalocean \
+                         --dns-digitalocean-credentials tmp/do.ini \
+                         --config-dir ./certbot \
+                         --work-dir ./certbot \
+                         --logs-dir ./certbot \
+                         -d rss.jeremydormitzer.com
+
+
+tmp/do.ini: templates/do.ini.template tmp
+	sigil -p -f templates/do.ini.template > tmp/do.ini
+	chmod 600 tmp/do.ini
+
+tmp:
+	mkdir tmp
+
+reissue-certs:
+	rm -rf certbot
+	make

prod/freshrss/packer/files/freshrss-nginx.conf

@@ -0,0 +1,49 @@
+server {
+	listen [::]:443 ssl ipv6only=on;
+        listen 443 ssl;
+
+        ssl_certificate /var/www/freshrss/fullchain.pem;
+        ssl_certificate_key /var/www/freshrss/privkey.pem;
+
+        ssl_session_cache shared:le_nginx_SSL:1m;
+        ssl_session_timeout 1440m;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_prefer_server_ciphers on;
+
+        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+
+	root /var/www/html/p/;
+
+	index index.php index.html index.htm;
+
+	# nginx log files
+	access_log /var/log/nginx/rss.access.log;
+	error_log /var/log/nginx/rss.error.log;
+
+	# php files handling
+	# this regex is mandatory because of the API
+	location ~ ^.+?\.php(/.*)?$ {
+		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+		fastcgi_split_path_info ^(.+\.php)(/.*)$;
+		# By default, the variable PATH_INFO is not set under PHP-FPM
+		# But FreshRSS API greader.php need it. If you have a “Bad Request” error, double check this var!
+		# NOTE: the separate $path_info variable is required. For more details, see:
+		# https://trac.nginx.org/nginx/ticket/321
+		set $path_info $fastcgi_path_info;
+		fastcgi_param PATH_INFO $path_info;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+	}
+
+	location / {
+		try_files $uri $uri/ index.php;
+	}
+}
+
+server {
+       listen 80;
+       listen [::]:80;
+       return 301 https://$host$request_uri;
+}

prod/freshrss/packer/files/freshrss.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Refresh FreshRSS feeds
+Wants=freshrss.timer
+
+[Service]
+User=www-data
+Type=simple
+ExecStart=/usr/bin/php /usr/share/FreshRSS/app/actualize_script.php

prod/freshrss/packer/files/freshrss.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Refresh FreshRSS feeds
+
+[Timer]
+OnBootSec=30s
+OnCalendar=*:0/20
+
+[Install]
+WantedBy=timers.target

prod/freshrss/packer/freshrss.json

@@ -0,0 +1,75 @@
+{
+  "variables": {
+    "freshrss_user": "{{env `FRESHRSS_USER`}}",
+    "freshrss_password": "{{env `FRESHRSS_PASSWORD`}}",
+    "freshrss_api_password": "{{env `FRESHRSS_API_PASSWORD`}}",
+    "freshrss_email": "{{env `FRESHRSS_EMAIL`}}",
+    "freshrss_token": "{{env `FRESHRSS_TOKEN`}}"
+  },
+  "sensitive-variables": [
+    "freshrss_password",
+    "freshrss_api_password",
+    "freshrss_token"
+  ],
+  "builders": [
+    {
+      "type": "digitalocean",
+      "image": "ubuntu-20-04-x64",
+      "region": "nyc1",
+      "size": "s-1vcpu-1gb",
+      "snapshot_name": "packer-freshrss-{{timestamp}}",
+      "ssh_username": "root"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "shell",
+      "script": "scripts/dependencies.sh"
+    },
+    {
+      "type": "file",
+      "source": "files/freshrss.timer",
+      "destination": "/tmp/freshrss.timer"
+    },
+    {
+      "type": "file",
+      "source": "files/freshrss.service",
+      "destination": "/tmp/freshrss.service"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/freshrss.sh",
+      "environment_vars": [
+        "FRESHRSS_USER={{user `freshrss_user`}}",
+        "FRESHRSS_PASSWORD={{user `freshrss_password`}}",
+        "FRESHRSS_API_PASSWORD={{user `freshrss_api_password`}}",
+        "FRESHRSS_EMAIL={{user `freshrss_email`}}",
+        "FRESHRSS_TOKEN={{user `freshrss_token`}}"
+      ]
+    },
+    {
+      "type": "file",
+      "source": "files/freshrss-nginx.conf",
+      "destination": "/tmp/freshrss.conf"
+    },
+    {
+      "type": "file",
+      "source": "certbot/live/rss.jeremydormitzer.com/fullchain.pem",
+      "destination": "/tmp/fullchain.pem"
+    },
+    {
+      "type": "file",
+      "source": "certbot/live/rss.jeremydormitzer.com/privkey.pem",
+      "destination": "/tmp/privkey.pem"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/nginx.sh"
+    }
+  ],
+  "post-processors": [
+    {
+      "type": "manifest"
+    }
+  ]
+}

prod/freshrss/packer/packer-manifest.json

@@ -0,0 +1,59 @@
+{
+  "builds": [
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1612361314,
+      "files": null,
+      "artifact_id": "nyc1:78078146",
+      "packer_run_uuid": "72a4e9c5-4af6-004f-16c0-78d3c1c3a042",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1612361796,
+      "files": null,
+      "artifact_id": "nyc1:78078261",
+      "packer_run_uuid": "8da75b0f-8ce0-3bc5-367c-747f5b9108c4",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1612362495,
+      "files": null,
+      "artifact_id": "nyc1:78078442",
+      "packer_run_uuid": "bd823de9-374d-5f08-0f0e-e356f06a0a9e",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1612364211,
+      "files": null,
+      "artifact_id": "nyc1:78078891",
+      "packer_run_uuid": "9882ebb5-7261-8f20-1e5e-0cd7ed85b50e",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1612364708,
+      "files": null,
+      "artifact_id": "nyc1:78079287",
+      "packer_run_uuid": "fa3af97a-429b-19f8-e8e6-d2f506a28837",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1612366050,
+      "files": null,
+      "artifact_id": "nyc1:78079747",
+      "packer_run_uuid": "4c4f7792-865e-3caa-3051-eb2d34fb234b",
+      "custom_data": null
+    }
+  ],
+  "last_run_uuid": "4c4f7792-865e-3caa-3051-eb2d34fb234b"
+}

prod/freshrss/packer/scripts/dependencies.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo apt-get update
+
+sudo apt-get install -y \
+     nginx \
+     sqlite3 \
+     php-fpm \
+     php-curl \
+     php-gmp \
+     php-intl \
+     php-mbstring \
+     php-sqlite3 \
+     php-xml \
+     php-zip

prod/freshrss/packer/scripts/freshrss.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+set -ex
+
+VERSION=1.17.0
+
+wget -O /tmp/freshrss.tar.gz "https://github.com/FreshRSS/FreshRSS/archive/$VERSION.tar.gz"
+
+cd /usr/share
+
+sudo tar -xzvf /tmp/freshrss.tar.gz
+sudo mv "FreshRSS-$VERSION" FreshRSS
+sudo chown -R :www-data FreshRSS
+sudo chmod -R g+r FreshRSS
+sudo chmod g+w FreshRSS/data
+
+sudo ln -s /usr/share/FreshRSS/p /var/www/html/
+
+sudo usermod --shell /bin/bash www-data
+sudo -i -u www-data bash << EOF
+set -ex
+cd /usr/share/FreshRSS
+./cli/prepare.php
+./cli/do-install.php --default_user '$FRESHRSS_USER' \
+                     --base_url https://rss.jeremydormitzer.com \
+                     --api_enabled \
+                     --db-type sqlite \
+                     --db-prefix freshrss
+./cli/create-user.php --user '$FRESHRSS_USER' \
+                      --password '$FRESHRSS_PASSWORD' \
+                      --api_password '$FRESHRSS_API_PASSWORD' \
+                      --language en \
+                      --email '$FRESHRSS_EMAIL' \
+                      --token '$FRESHRSS_TOKEN'
+./cli/actualize-user.php --user '$FRESHRSS_USER'
+EOF
+
+sudo mv /tmp/freshrss.timer /etc/systemd/system/
+sudo mv /tmp/freshrss.service /etc/systemd/system/
+sudo systemctl enable freshrss.timer

prod/freshrss/packer/scripts/nginx.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo mv /tmp/freshrss.conf /etc/nginx/sites-available/freshrss.conf
+sudo ln -s \
+     /etc/nginx/sites-available/freshrss.conf \
+     /etc/nginx/sites-enabled/
+sudo unlink /etc/nginx/sites-enabled/default
+
+sudo mkdir -p /var/www/freshrss
+sudo mv /tmp/fullchain.pem /var/www/freshrss/fullchain.pem
+sudo mv /tmp/privkey.pem /var/www/freshrss/privkey.pem
+chown www-data:www-data /var/www/freshrss/{fullchain,privkey}.pem
+
+sudo systemctl enable nginx

prod/freshrss/packer/templates/do.ini.template

@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}

prod/freshrss/terraform/.terraform.lock.hcl

@@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.3.0"
+  constraints = "~> 2.3.0"
+  hashes = [
+    "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=",
+    "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9",
+    "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84",
+    "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca",
+    "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb",
+    "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6",
+    "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021",
+    "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907",
+    "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8",
+    "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6",
+    "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be",
+    "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5",
+    "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7",
+    "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.0.0"
+  hashes = [
+    "h1:pO1ANXtOCRfecKsY9Hn4UsXoPBLv6LFiDIEiS1MZ09E=",
+    "zh:34ce8b79493ace8333d094752b579ccc907fa9392a2c1d6933a6c95d0786d3f1",
+    "zh:5c5a19c4f614a4ffb68bae0b0563f3860115cf7539b8adc21108324cfdc10092",
+    "zh:67ddb1ca2cd3e1a8f948302597ceb967f19d2eeb2d125303493667388fe6330e",
+    "zh:68e6b16f3a8e180fcba1a99754118deb2d82331b51f6cca39f04518339bfdfa6",
+    "zh:8393a12eb11598b2799d51c9b0a922a3d9fadda5a626b94a1b4914086d53120e",
+    "zh:90daea4b2010a86f2aca1e3a9590e0b3ddcab229c2bd3685fae76a832e9e836f",
+    "zh:99308edc734a0ac9149b44f8e316ca879b2670a1cae387a8ae754c180b57cdb4",
+    "zh:c76594db07a9d1a73372a073888b672df64adb455d483c2426cc220eda7e092e",
+    "zh:dc09c1fb36c6a706bdac96cce338952888c8423978426a09f5df93031aa88b84",
+    "zh:deda88134e9780319e8de91b3745520be48ead6ec38cb662694d09185c3dac70",
+  ]
+}

prod/freshrss/terraform/main.tf

@@ -0,0 +1,13 @@
+provider "digitalocean" {
+  token             = var.do_token
+  spaces_access_id  = var.spaces_access_id
+  spaces_secret_key = var.spaces_secret_key
+}
+
+module "packer_droplet" {
+  source            = "../../../terraform-modules/packer_droplet"
+  name              = "freshrss"
+  do_token          = var.do_token
+  spaces_access_id  = var.spaces_access_id
+  spaces_secret_key = var.spaces_secret_key
+}

prod/freshrss/terraform/outputs.tf

@@ -0,0 +1,7 @@
+output "ip_address" {
+  value = module.packer_droplet.droplet_ip_address
+}
+
+output "droplet_urn" {
+  value = module.packer_droplet.droplet_urn
+}

prod/freshrss/terraform/terraform.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.3.0"
+    }
+  }
+
+  backend "s3" {
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    # Need to specify an AWS region to stop Terraform complaining
+    region                      = "us-east-1"
+    endpoint                    = "nyc3.digitaloceanspaces.com"
+    bucket                      = "jdormit-tf-state"
+    key                         = "prod/freshrss.tfstate"
+  }
+}

prod/freshrss/terraform/variables.tf

@@ -0,0 +1,11 @@
+variable "do_token" {
+  type = string
+}
+
+variable "spaces_access_id" {
+  type = string
+}
+
+variable "spaces_secret_key" {
+  type = string
+}