From b6c0c1efc54eba4e918259a5fee661bad97f21c6 Mon Sep 17 00:00:00 2001
From: Chris
Date: Sun, 23 Jul 2023 14:12:06 +0100
Subject: [PATCH] Working on TTRSS
---
 db/init/01-databases.sql | 1 +
 docker-compose.yml | 38 +++++++++++
 nginx/nginx.conf.template | 46 ++++++++++++++
 tt-rss/Dockerfile | 84 ++++++++++++++++++++++++
 tt-rss/index.php | 4 ++
 tt-rss/startup.sh | 130 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 303 insertions(+)
 create mode 100644 tt-rss/Dockerfile
 create mode 100644 tt-rss/index.php
 create mode 100644 tt-rss/startup.sh
diff --git a/db/init/01-databases.sql b/db/init/01-databases.sql
index b4e94f4..a0ef6f6 100644
--- a/db/init/01-databases.sql
+++ b/db/init/01-databases.sql
@@ -1,5 +1,6 @@
 CREATE DATABASE IF NOT EXISTS `monica`;
 CREATE DATABASE IF NOT EXISTS `gitea`;
+CREATE DATABASE IF NOT EXISTS `tt-rss`;
 # Nextcloud will automatically create a database on setup
 #CREATE DATABASE IF NOT EXISTS `nextcloud`;
diff --git a/docker-compose.yml b/docker-compose.yml
index 857766b..ea5b461 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -129,6 +129,28 @@ services:
 depends_on:
 - db
+ tt-rss:
+ <<: *logging
+ image: cthulhoo/ttrss-fpm-pgsql-static:latest
+ restart: unless-stopped
+ environment:
+ - TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
+ - TTRSS_DB_USER=${DB_USER}
+ - TTRSS_DB_NAME=scarif
+ - TTRSS_DB_PASS=${DB_PASSWORD}
+ - TTRSS_DB_HOST=psqldb
+ #- AUTO_CREATE_USER=${TTRSS_USER}
+ #- AUTO_CREATE_USER_PASS=${TTRSS_USER_PASS}
+ #- AUTO_CREATE_USER_ACCESS_LEVEL:
+ volumes:
+ - tt-rss:/var/www/html
+ - ./tt-rss/config.d:/opt/tt-rss/config.d:ro
+ depends_on:
+ - psqldb
+ networks:
+ - db
+ - nginx
+
 pihole:
 <<: *logging
 image: pihole/pihole:latest
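Review bot: The `tt-rss` service is handed `${DB_USER}`/`${DB_PASSWORD}`, the same pair the new `psqldb` service (second docker-compose.yml hunk) passes as `POSTGRES_USER`/`POSTGRES_PASSWORD`, which the official postgres image creates as the cluster superuser, so the web application would connect with full database privileges. A dedicated role that owns only the tt-rss database, with its own password variable, keeps a compromise of the PHP application from reaching everything else on that instance. `image: cthulhoo/ttrss-fpm-pgsql-static:latest` is also unpinned, so each pull can bring in different code; a fixed tag or digest makes the deployment reproducible. The `tt-rss` database added to db/init/01-databases.sql appears unused, since this service points at `TTRSS_DB_NAME=scarif` on `psqldb`.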
@@ -505,6 +527,19 @@ services:
 networks:
 - db
+ psqldb:
+ <<: *logging
+ image: postgres:12-alpine
+ restart: unless-stopped
+ environment:
+ - POSTGRES_USER=${DB_USER}
+ - POSTGRES_PASSWORD=${DB_PASSWORD}
+ - POSTGRES_DB=scarif
+ volumes:
+ - psqldb:/var/lib/postgresql/data
+ networks:
+ - db
+
 redis:
 image: redis:alpine
 restart: always
@@ -521,6 +556,7 @@ services:
 - ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh
 - nextcloud:/var/www/html/nextcloud:ro
 - ./christmas:/var/www/html/christmas:ro
+ - tt-rss:/var/www/html/tt-rss:ro
 environment:
 - DOMAIN=${DOMAIN}
 depends_on:
@@ -545,6 +581,8 @@ services:
 volumes:
 db:
+ psqldb:
+ tt-rss:
 gitea:
 nextcloud:
 foundry:
diff --git a/nginx/nginx.conf.template b/nginx/nginx.conf.template
index 7e1fb84..5c0749f 100644
--- a/nginx/nginx.conf.template
+++ b/nginx/nginx.conf.template
@@ -282,6 +282,52 @@ http {
 }
 }
+ upstream tt-rss-handler {
+ server tt-rss:9000;
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
+ ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
+
+ root /var/www/html/tt-rss;
+
+ server_name intel.${DOMAIN};
+
+ location /cache {
+ aio threads;
+ internal;
+ }
+
+ location /backups {
+ internal;
+ }
+
+ location ~ \.php$ {
+ # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+ # Check that the PHP script exists before passing it
+ try_files $fastcgi_script_name =404;
+
+ # Bypass the fact that try_files resets $fastcgi_path_info
+ # see: http://trac.nginx.org/nginx/ticket/321
+ set $path_info $fastcgi_path_info;
+ fastcgi_param PATH_INFO $path_info;
+
+ fastcgi_index index.php;
+ include fastcgi.conf;
+
+ fastcgi_pass tt-rss-handler;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ }
+
 upstream foundry-handler {
 server foundry:30000;
 }
diff --git a/tt-rss/Dockerfile b/tt-rss/Dockerfile
new file mode 100644
index 0000000..cfc3085
--- /dev/null
+++ b/tt-rss/Dockerfile
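Review bot: The `location /cache` and `location /backups` blocks marked `internal` in the new `server` block match the request URI under `root /var/www/html/tt-rss`, but the compose file mounts the shared volume at that root and startup.sh puts the application in a `tt-rss` subdirectory of the volume, so the real cache directory would be requested as `/tt-rss/cache/...` and fall through to `location /`, which serves any file that exists. If that layout is what is deployed, the `internal` protection does not apply, and the `lock` directory and the `plugins.local/*/.git` trees are reachable as static files too. Either line up `root` (or the nginx volume mount) with the directory that actually holds tt-rss, or change the prefixes to `/tt-rss/cache` and `/tt-rss/backups`, and add `location ~ /\. { deny all; }` for dot-directories. The same offset means `try_files $fastcgi_script_name =404` checks a different file in the nginx container than the `SCRIPT_FILENAME` php-fpm resolves in its own container, which is worth verifying.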
@@ -0,0 +1,84 @@
+FROM registry.fakecake.org/docker.io/alpine:3.18
+EXPOSE 9000/tcp
+
+ENV SCRIPT_ROOT=/opt/tt-rss
+ENV SRC_DIR=/src/tt-rss/
+
+RUN apk add --no-cache dcron php82 php82-fpm php82-phar php82-sockets php82-pecl-apcu \
+ php82-pdo php82-gd php82-mysql php82-pdo_mysql php82-xmlwriter php82-opcache \
+ php82-mbstring php82-intl php82-xml php82-curl php82-simplexml \
+ php82-session php82-tokenizer php82-dom php82-fileinfo php82-ctype \
+ php82-json php82-iconv php82-pcntl php82-posix php82-zip php82-exif \
+ php82-openssl git mysql mysql-client sudo php82-pecl-xdebug rsync tzdata && \
+ sed -i 's/\(memory_limit =\) 128M/\1 256M/' /etc/php82/php.ini && \
+ sed -i -e 's/^listen = 127.0.0.1:9000/listen = 9000/' \
+ -e 's/;\(clear_env\) = .*/\1 = no/i' \
+ -e 's/^\(user\|group\) = .*/\1 = app/i' \
+ -e 's/;\(php_admin_value\[error_log\]\) = .*/\1 = \/tmp\/error.log/' \
+ -e 's/;\(php_admin_flag\[log_errors\]\) = .*/\1 = on/' \
+ /etc/php82/php-fpm.d/www.conf && \
+ mkdir -p /var/www ${SCRIPT_ROOT}/config.d
+
+ARG CI_COMMIT_BRANCH
+ENV CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH}
+
+ARG CI_COMMIT_SHORT_SHA
+ENV CI_COMMIT_SHORT_SHA=${CI_COMMIT_SHORT_SHA}
+
+ARG CI_COMMIT_TIMESTAMP
+ENV CI_COMMIT_TIMESTAMP=${CI_COMMIT_TIMESTAMP}
+
+ARG CI_COMMIT_SHA
+ENV CI_COMMIT_SHA=${CI_COMMIT_SHA}
+
+ADD --chmod=0755 startup.sh ${SCRIPT_ROOT}
+
+ADD index.php ${SCRIPT_ROOT}
+ADD config.docker.php ${SCRIPT_ROOT}
+
+COPY --from=app-src . ${SRC_DIR}
+
+ARG ORIGIN_REPO_XACCEL=https://git.tt-rss.org/fox/ttrss-nginx-xaccel.git
+
+RUN git clone --depth=1 ${ORIGIN_REPO_XACCEL} ${SRC_DIR}/plugins.local/nginx_xaccel
+
+ENV OWNER_UID=1000
+ENV OWNER_GID=1000
+
+ENV PHP_WORKER_MAX_CHILDREN=5
+ENV PHP_WORKER_MEMORY_LIMIT=256M
+
+# these are applied on every startup, if set
+ENV ADMIN_USER_PASS=""
+# see classes/UserHelper.php ACCESS_LEVEL_*
+# setting this to -2 would effectively disable built-in admin user
+# unless single user mode is enabled
+ENV ADMIN_USER_ACCESS_LEVEL=""
+
+# these are applied unless user already exists
+ENV AUTO_CREATE_USER=""
+ENV AUTO_CREATE_USER_PASS=""
+ENV AUTO_CREATE_USER_ACCESS_LEVEL="0"
+
+# TODO: remove prefix from container variables not used by tt-rss itself:
+#
+# - TTRSS_NO_STARTUP_PLUGIN_UPDATES -> NO_STARTUP_PLUGIN_UPDATES
+# - TTRSS_XDEBUG_... -> XDEBUG_...
+
+# don't try to update local plugins on startup
+ENV TTRSS_NO_STARTUP_PLUGIN_UPDATES=""
+
+# TTRSS_XDEBUG_HOST defaults to host IP if unset
+ENV TTRSS_XDEBUG_ENABLED=""
+ENV TTRSS_XDEBUG_HOST=""
+ENV TTRSS_XDEBUG_PORT="9000"
+
+ENV TTRSS_DB_TYPE="mysql"
+ENV TTRSS_DB_PORT="3306"
+
+ENV TTRSS_MYSQL_CHARSET="UTF8"
+ENV TTRSS_PHP_EXECUTABLE="/usr/bin/php82"
+ENV TTRSS_PLUGINS="auth_internal, note, nginx_xaccel"
+
+CMD ${SCRIPT_ROOT}/startup.sh
+
diff --git a/tt-rss/index.php b/tt-rss/index.php
new file mode 100644
index 0000000..0d49c29
--- /dev/null
+++ b/tt-rss/index.php
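Review bot: `RUN git clone --depth=1 ${ORIGIN_REPO_XACCEL} ...` takes whatever the remote default branch holds at build time with no commit or tag pinned, and the base image `registry.fakecake.org/docker.io/alpine:3.18` is pulled through a third-party registry without a digest, so neither input to this image can be verified or reproduced. Pinning both is a small change: declare `ARG XACCEL_COMMIT=<commit-sha>` and run `git -C ${SRC_DIR}/plugins.local/nginx_xaccel checkout ${XACCEL_COMMIT}` after a clone deep enough to contain it, and append `@sha256:<digest>` to the `FROM` line. The `apk add` list also puts `php82-pecl-xdebug` and `sudo` into the runtime image; xdebug is a remote-debugging extension and is better kept to a development build. `ENV ADMIN_USER_PASS` and `ENV AUTO_CREATE_USER_PASS` make passwords part of the container environment, where they show up in `docker inspect`; a mounted secret file read by startup.sh would avoid that.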
@@ -0,0 +1,4 @@
+/dev/null 2>&1; then
+ addgroup -g $OWNER_GID app
+ adduser -D -h /var/www/html -G app -u $OWNER_UID app
+fi
+
+update-ca-certificates || true
+
+DST_DIR=/var/www/html/tt-rss
+
+[ -e $DST_DIR ] && rm -f $DST_DIR/.app_is_ready
+
+[ ! -e /var/www/html/index.php ] && cp ${SCRIPT_ROOT}/index.php /var/www/html
+
+if [ ! -d $DST_DIR ]; then
+ mkdir -p $DST_DIR
+ chown $OWNER_UID:$OWNER_GID $DST_DIR
+
+ sudo -u app rsync -a \
+ $SRC_DIR/ $DST_DIR/
+else
+ chown -R $OWNER_UID:$OWNER_GID $DST_DIR
+
+ sudo -u app rsync -a --delete \
+ --exclude /cache \
+ --exclude /lock \
+ --exclude /feed-icons \
+ --exclude /plugins/af_comics/filters.local \
+ --exclude /plugins.local \
+ --exclude /templates.local \
+ --exclude /themes.local \
+ $SRC_DIR/ $DST_DIR/
+
+ sudo -u app rsync -a --delete \
+ $SRC_DIR/plugins.local/nginx_xaccel \
+ $DST_DIR/plugins.local/nginx_xaccel
+fi
+
+for d in cache lock feed-icons plugins.local themes.local; do
+ sudo -u app mkdir -p $DST_DIR/$d
+done
+
+for d in cache lock feed-icons; do
+ chmod 777 $DST_DIR/$d
+ find $DST_DIR/$d -type f -exec chmod 666 {} \;
+done
+
+sudo -u app cp ${SCRIPT_ROOT}/config.docker.php $DST_DIR/config.php
+chmod 644 $DST_DIR/config.php
+
+chown -R $OWNER_UID:$OWNER_GID $DST_DIR \
+ /var/log/php82
+
+if [ -z "$TTRSS_NO_STARTUP_PLUGIN_UPDATES" ]; then
+ echo updating all local plugins...
+
+ find $DST_DIR/plugins.local -mindepth 1 -maxdepth 1 -type d | while read PLUGIN; do
+ if [ -d $PLUGIN/.git ]; then
+ echo updating $PLUGIN...
+
+ cd $PLUGIN && \
+ sudo -u app git config core.filemode false && \
+ sudo -u app git config pull.rebase false && \
+ sudo -u app git pull origin master || echo warning: attempt to update plugin $PLUGIN failed.
+ fi
+ done
+else
+ echo skipping local plugin updates, disabled.
+fi
+
+MSQL="mysql -q -h $TTRSS_DB_HOST -U $TTRSS_DB_USER -p $TTRSS_DB_PASS -D $TTRSS_DB_NAME"
+
+RESTORE_SCHEMA=${SCRIPT_ROOT}/restore-schema.sql.gz
+
+if [ -r $RESTORE_SCHEMA ]; then
+ $PSQL -c "drop schema public cascade; create schema public;"
+ zcat $RESTORE_SCHEMA | $PSQL
+fi
+
+# this was previously generated
+rm -f $DST_DIR/config.php.bak
+
+sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
+ /etc/php82/php.ini
+
+sed -i.bak "s/^\(pm.max_children\) = \(.*\)/\1 = ${PHP_WORKER_MAX_CHILDREN}/" \
+ /etc/php82/php-fpm.d/www.conf
+
+sudo -Eu app php82 $DST_DIR/update.php --update-schema=force-yes
+
+if [ ! -z "$ADMIN_USER_PASS" ]; then
+ sudo -Eu app php82 $DST_DIR/update.php --user-set-password "admin:$ADMIN_USER_PASS"
+else
+ if sudo -Eu app php82 $DST_DIR/update.php --user-check-password "admin:password"; then
+ RANDOM_PASS=$(tr -dc A-Za-z0-9 > /proc/1/fd/2) &
+
+unset ADMIN_USER_PASS
+unset AUTO_CREATE_USER_PASS
+
+touch $DST_DIR/.app_is_ready
+
+exec /usr/sbin/php-fpm82 --nodaemonize --force-stderr
+
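Review bot: The restore branch calls `$PSQL`, but the only client variable defined in the visible part of the script is `MSQL`, so when `restore-schema.sql.gz` is readable the shell would try to run `-c` as a command and the dump would be piped into nothing; the start of startup.sh is missing from this page, so confirm `PSQL` is not set there. The `MSQL` string also looks like a psql command line with the binary renamed (`drop schema public cascade` is PostgreSQL syntax), and placing `$TTRSS_DB_PASS` on the command line exposes it in the process list, so a client option file readable only by the app user is the safer way to pass it. Earlier in the script, `chmod 777` on `cache`, `lock` and `feed-icons` with `chmod 666` on their files makes those trees writable by every user in the container even though they are owned by `app`; `chmod 755` and `chmod 644` would still let nginx read them. The plugin loop runs `git pull origin master` on every start, which brings unreviewed upstream code into the web root unless `TTRSS_NO_STARTUP_PLUGIN_UPDATES` is set.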