From 4af806bebd505cea3f3799614cad4ff4429bf262 Mon Sep 17 00:00:00 2001
From: Asara <amarpreet@minhas.io>
Date: Fri, 8 Jan 2021 15:05:13 -0500
Subject: [PATCH] Add freshrss to docker+nomad

---
 docker/freshrss/Dockerfile                    | 10 +++
 docker/freshrss/files/MaskedName_Root_CA.crt  | 43 +++++++++
 nomad/freshrss/files/config.php.tpl           | 49 +++++++++++
 nomad/freshrss/freshrss.nomad                 | 87 +++++++++++++++++++
 nomad/{ => jenkins}/jenkins.nomad             |  0
 ...mad-server-policy.hcl => nomad-server.hcl} |  0
 6 files changed, 189 insertions(+)
 create mode 100644 docker/freshrss/Dockerfile
 create mode 100755 docker/freshrss/files/MaskedName_Root_CA.crt
 create mode 100644 nomad/freshrss/files/config.php.tpl
 create mode 100644 nomad/freshrss/freshrss.nomad
 rename nomad/{ => jenkins}/jenkins.nomad (100%)
 rename vault/policies/{nomad-server-policy.hcl => nomad-server.hcl} (100%)

diff --git a/docker/freshrss/Dockerfile b/docker/freshrss/Dockerfile
new file mode 100644
index 0000000..3686783
--- /dev/null
+++ b/docker/freshrss/Dockerfile
@@ -0,0 +1,10 @@
+FROM freshrss/freshrss:alpine
+
+# add ca-certificates package
+RUN apk add --no-cache ca-certificates
+
+# Copy masked.name root cert
+COPY files/MaskedName_Root_CA.crt /usr/local/share/ca-certificates/MaskedName_Root_CA.crt
+
+# update ca certs
+RUN update-ca-certificates 2>/dev/null
diff --git a/docker/freshrss/files/MaskedName_Root_CA.crt b/docker/freshrss/files/MaskedName_Root_CA.crt
new file mode 100755
index 0000000..31f76a9
--- /dev/null
+++ b/docker/freshrss/files/MaskedName_Root_CA.crt
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyMzEyWhcNMzAw
+ODI3MTkyMzQyWjAWMRQwEgYDVQQDEwttYXNrZWQubmFtZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMI7oR+KHvvznfnaAXDMO5qpSTCAYCyfjFEohYJf
+lOcnLONXb3f6sP5d1eltL+UTq0RVU5UP0aNW7hqDTa41MRw0JCDtB68yKdYq2hZf
+97gA+lj3MEJU6RTAKLrg75GRh/AbNEIgwvPuHKW6hMbtwOyM9DFU//W3xpusalXy
+RMFzAHfSDj9ci+UygUt9HINWd/SmMGG/8PghaRhfE44wRFMqYezeliIt2JIs43BV
+7HqG0Oev9WPeXmiaZUYKQetHiQqR14Mxiv1IGzCmwwN+9b4tZtZTa58oM5dPXfbb
+lrELQE5OsPaNtMtER3MgxovDN3VSCGH/O/GyaEWVanY5UF8CAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBY8jW3fDVUp
+URt1prhmDMjkVikgMB8GA1UdIwQYMBaAFBY8jW3fDVUpURt1prhmDMjkVikgMBYG
+A1UdEQQPMA2CC21hc2tlZC5uYW1lMA0GCSqGSIb3DQEBCwUAA4IBAQAWQz4d3QzE
+W8NGA16ZPamlVubOLB5DtZz2qrSrn3DeObLIDShInV3qtRlDx9HYJLTCA75Ket0J
+NTsyMcTy2txd4I8hgdF30XJeEciN9wZ0mKEeP/YKDwe8V2XwWq4XYkDechlWHpZo
+PfWcoLprKwVUI4HzaqkNmwcmMUI4xAsC+SLe1mrebseKm49oOwdQs/oPVLK+0nEp
+RvD0aOvohILIa/2ZtKczvhB/L3fo5pg9Ex/0JDBdDHIedMabD3qn8Idse+P5Dfwa
+Ju2Ctyb+n1TTPxRDMxs2cFbA5irr+2ARJd8jtGS+1fyxogjOWS1RR523F+qIS3su
+KibGel+gFPpq
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID0zCCArugAwIBAgIUM52uhXSeTCim1pmzucm/cnIgNp8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyNzAwWhcNMjUw
+ODI4MTkyNzMwWjAtMSswKQYDVQQDEyJtYXNrZWQubmFtZSBJbnRlcm1lZGlhdGUg
+QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8LuGo+As
+ICYWdJjBCY0snF/X+jF1tdcrQzNiRKESEb5dsDiy979bugCblPQDQ+g5WGqXX4pj
+UyZZE3ZwhOufISlGK0ow1aMjqS+pFlQ85KRD/jUtLPRUJuQF+m2YwId/Mg6/B7Qk
+d166uJkNxS+MGZCi2OYXeoivnOY7Q0Kj/0vIbc5Vt3kCRVg2ljLSQhoBd+85AHMR
+jeRjZMeYEYF2HTVwrg4DrC/r00MVtDcNqs6+M7YZ/rzny73GvfJWfWoB1C4piZlg
+fvUcSDL5HAhjiu5cSeIR7DTuVx7t4PoK6AqUkPygDtq1ZaLybXT7X6d072dR5AXO
+nWFLPaaGJ979iwIDAQABo4IBADCB/TAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUIkhVYBaK9CcvXG8FM2jKVZ16oZAwHwYDVR0jBBgw
+FoAUFjyNbd8NVSlRG3WmuGYMyORWKSAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUF
+BzAChjVodHRwOi8vdmF1bHQuY29sdW1iaWEubWFza2VkLm5hbWU6ODIwMC92MS9w
+a2lfcm9vdC9jYTBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vdmF1bHQuY29sdW1i
+aWEubWFza2VkLm5hbWU6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJKoZIhvcNAQEL
+BQADggEBAK6HMgR+hpwjZCmf5NszDSHr7dYKZXP4LrcHPWs94nLM33UZ572ubGHs
+dKjRw8YD0cncrsypsYmEgR57U+DHkys394wkb7UOwy1Zvd5IIRXdP0cDylz0QzqM
+APnQYN+ismkoljhk9ey0Qbo3CmPjM+UQcAxuZQtA4M+riC1+jkude1uYL0szC6Y9
+4KetfvbNkedSaV5yJaRKCBhRcC4/GjpBG/odQ/5AfBPAFjZqhcIJWBrVYbTQVC79
+hMA1iwWJPmT9LsjMSUfxFTPzxRnNXQiKFz5kT2OiS1nqh8aOcyU9YC928pkifNJV
+KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
+-----END CERTIFICATE-----
diff --git a/nomad/freshrss/files/config.php.tpl b/nomad/freshrss/files/config.php.tpl
new file mode 100644
index 0000000..302d168
--- /dev/null
+++ b/nomad/freshrss/files/config.php.tpl
@@ -0,0 +1,49 @@
+<?php
+return array (
+  'environment' => 'production',
+  'salt' => '{{ freshrss_salt }}',
+  'base_url' => 'http://192.168.122.71/FreshRSS',
+  'auto_update_url' => 'https://update.freshrss.org',
+  'language' => 'en',
+  'title' => 'RSS - Minhas.io',
+  'meta_description' => '',
+  'default_user' => 'asara',
+  'allow_anonymous' => false,
+  'allow_anonymous_refresh' => false,
+  'auth_type' => 'form',
+  'api_enabled' => true,
+  'unsafe_autologin_enabled' => false,
+  'simplepie_syslog_enabled' => true,
+  'pubsubhubbub_enabled' => true,
+  'allow_robots' => false,
+  'allow_referrer' => false,
+  'limits' => 
+  array (
+    'cookie_duration' => 2592000,
+    'cache_duration' => 800,
+    'timeout' => 15,
+    'max_inactivity' => 9223372036854775807,
+    'max_feeds' => 16384,
+    'max_categories' => 16384,
+    'max_registrations' => 1,
+  ),
+  'curl_options' => 
+  array (
+  ),
+  'db' => 
+  array (
+    'type' => 'pgsql',
+    'host' => '192.168.122.101',
+    'user' => 'freshrss',
+    'password' => '{{ freshrss_db_pw }}',
+    'base' => 'freshrss',
+    'prefix' => 'freshrss_',
+    'pdo_options' => 
+    array (
+    ),
+  ),
+  'extensions_enabled' => 
+  array (
+  ),
+  'disable_update' => false,
+);
diff --git a/nomad/freshrss/freshrss.nomad b/nomad/freshrss/freshrss.nomad
new file mode 100644
index 0000000..b678ea9
--- /dev/null
+++ b/nomad/freshrss/freshrss.nomad
@@ -0,0 +1,87 @@
+job "freshrss" {
+  datacenters = ["columbia"]
+  region      = "global"
+  type        = "service"
+
+  update {
+    stagger      = "30s"
+    max_parallel = 1
+  }
+
+  group "freshrss" {
+    count = 1
+
+    task "freshrss" {
+      vault {
+        policies    = ["default", "ansible"]
+        change_mode = "restart"
+      }
+      driver = "docker"
+      config {
+        image   = "docker.service.masked.name:8082/freshrss"
+        ports   = ["http"]
+        volumes = [
+            "/mnt/raid/rss:/var/www/FreshRSS/data"
+        ]
+      }
+
+      service {
+        name = "freshrss"
+        port = "http"
+
+        check {
+          name     = "freshrss"
+          type     = "tcp"
+          interval = "10s"
+          timeout  = "2s"
+          address_mode = "driver"
+        }
+      }
+
+      template {
+        data = <<EOH
+            {{- with secret "pki_int/issue/masked-dot-name" "common_name=freshrss.service.masked.name" "alt_names=freshrss.service.columbia.masked.name" -}}
+            {{- .Data.certificate -}}
+            {{- end -}}
+        EOH
+        destination   = "${NOMAD_SECRETS_DIR}/freshrss.crt"
+        change_mode   = "restart"
+      }
+
+      template {
+        data = <<EOH
+            {{- with secret "pki_int/issue/masked-dot-name" "common_name=freshrss.service.masked.name" "alt_names=freshrss.service.columbia.masked.name" -}}
+            {{- .Data.private_key -}}
+            {{- end -}}
+        EOH
+        destination   = "${NOMAD_SECRETS_DIR}/freshrss.key"
+        change_mode   = "restart"
+      }
+
+      template {
+        data = <<EOH
+          POSTGRES_DB       = "freshrss"
+          POSTGRES_USER     = "freshrss"
+          POSTGRES_PASSWORD = "{{ with secret "kv/data/freshrss" }}{{ .Data.data.db_pw }}{{ end }}"
+          POSTGRES_HOST     = "ivyking.node.masked.name"
+          ROOT_URL          = "${NOMAD_ADDR_http}"
+          JAVA_ARGS         = "-Xmx2048m"
+        EOH
+        destination = "secrets/freshrss.env"
+        env         = true
+      }
+
+      resources {
+        cpu    = 2000
+        memory = 2560
+      }
+    }
+
+    network {
+      port "http" {
+        to = 80
+       }
+    }
+
+  }
+}
diff --git a/nomad/jenkins.nomad b/nomad/jenkins/jenkins.nomad
similarity index 100%
rename from nomad/jenkins.nomad
rename to nomad/jenkins/jenkins.nomad
diff --git a/vault/policies/nomad-server-policy.hcl b/vault/policies/nomad-server.hcl
similarity index 100%
rename from vault/policies/nomad-server-policy.hcl
rename to vault/policies/nomad-server.hcl