created ansible-role-wallabag

defaults/main.yml

@@ -0,0 +1,197 @@
+---
+
+wallabag_enabled: true
+wallabag_identifier: wallabag
+
+wallabag_hostname: ''
+
+
+
+wallabag_uid: ''
+wallabag_gid: ''
+
+wallabag_base_path: "/{{ wallabag_identifier }}"
+wallabag_config_path: "{{ wallabag_base_path }}/config"
+wallabag_data_path: "{{ wallabag_base_path }}/data"
+wallabag_images_path: "{{ wallabag_base_path }}/images"
+wallabag_env_path: "{{ wallabag_config_path }}/env"
+
+wallabag_systemd_required_services_list: "{{ wallabag_systemd_required_services_list_default + wallabag_systemd_required_services_list_auto + wallabag_systemd_required_services_list_custom }}"
+wallabag_systemd_required_services_list_default: ['docker.service']
+wallabag_systemd_required_services_list_auto: []
+wallabag_systemd_required_services_list_custom: []
+
+wallabag_systemd_wanted_services_list: "{{ wallabag_systemd_wanted_services_list_default + wallabag_systemd_wanted_services_list_auto + wallabag_systemd_wanted_services_list_custom }}"
+wallabag_systemd_wanted_services_list_default: []
+wallabag_systemd_wanted_services_list_auto: []
+wallabag_systemd_wanted_services_list_custom: []
+
+wallabag_version: 2.6.8
+
+wallabag_container_image: "{{ wallabag_container_image_registry_prefix }}wallabag/wallabag:{{ wallabag_container_image_tag }}"
+wallabag_container_image_registry_prefix: docker.io/
+wallabag_container_image_tag: "{{ wallabag_version }}"
+wallabag_container_image_force_pull: "{{ wallabag_container_image.endswith(':latest') }}"
+
+wallabag_container_network: '{{ wallabag_identifier }}'
+
+
+# Controls whether the wallabag container exposes its HTTP port (as defined by `wallabag_container_http_port`).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8731"), or empty string to not expose.
+wallabag_container_http_host_bind_port: ""
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to a reverse proxy, which runs in a different container network.
+wallabag_container_additional_networks: "{{ wallabag_container_additional_networks_auto + wallabag_container_additional_networks_custom }}"
+wallabag_container_additional_networks_auto: []
+wallabag_container_additional_networks_custom: []
+
+wallabag_database_driver: 'pdo_sqlite'
+wallabag_database_hostname: ''
+wallabag_database_port: 5432
+wallabag_database_name: wallabag
+wallabag_database_username: wallabag
+wallabag_database_password: ''
+wallabag_database_charset: 'utf8'
+wallabag_database_table_prefix: 'wallabag_'
+
+wallabag_locale: 'en'
+
+# Put something random in here
+wallabag_secret: ''
+
+# See configuration in official documentation
+# https://doc.wallabag.org/en/admin/mailer
+wallabag_mailer_dsn: ''
+wallabag_from_email: '[email protected]'
+
+# defaults to "[email protected]", the address wallabag uses for two-factor emails
+wallabag_twofactor_sender: '[email protected]'
+
+# enable or disable public user registration
+wallabag_registration: 'false'
+
+# enable or disable registration confirmation
+wallabag_confirmation: 'true'
+
+# Redis settings
+# protocol to use to communicate with the target server (tcp, unix, or http)
+wallabag_redis_scheme: 'tcp'
+wallabag_redis_host: 'redis'
+wallabag_redis_port: '6379'
+# path of the unix socket file
+wallabag_redis_path: ''
+wallabag_redis_password: ''
+
+wallabag_sentry_dsn: ''
+
+# Will set GTS_TRUSTED_PROXIES
+# By default this is set to all private IPs (https://datatracker.ietf.org/doc/html/rfc1918#section-3)
+wallabag_trusted_proxies: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+
+# Additional environment variables to pass to the wallabag container.
+# You can use this to further influence the default configuration.
+#
+# Example:
+# wallabag_environment_variables_extension: |
+#   wallabag_STORAGE_BACKEND=s3
+#   wallabag_STORAGE_S3_ENDPOINT=minio:9000
+#   wallabag_STORAGE_S3_BUCKET=something
+#   wallabag_STORAGE_S3_SECRET_KEY=verysecret
+wallabag_environment_variables_extension: ''
+
+# wallabag_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `roles/custom/wallabag_wallabag/templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `wallabag_container_labels_additional_labels`.
+wallabag_container_labels_traefik_enabled: false
+wallabag_container_labels_traefik_docker_network: ""
+wallabag_container_labels_traefik_entrypoints: web-secure
+wallabag_container_labels_traefik_priority: 0
+wallabag_container_labels_traefik_tls: "{{ wallabag_container_labels_traefik_entrypoints != 'web' }}"
+wallabag_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP requests.
+# To add your own custom request headers, use `wallabag_container_labels_traefik_additional_response_headers_custom`
+wallabag_container_labels_traefik_additional_request_headers: "{{ wallabag_container_labels_traefik_additional_request_headers_auto | combine(wallabag_container_labels_traefik_additional_request_headers_custom) }}"
+wallabag_container_labels_traefik_additional_request_headers_auto: {}
+wallabag_container_labels_traefik_additional_request_headers_custom: {}
+
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own custom response headers, use `wallabag_container_labels_traefik_additional_response_headers_custom`
+wallabag_container_labels_traefik_additional_response_headers: "{{ wallabag_container_labels_traefik_additional_response_headers_auto | combine(wallabag_container_labels_traefik_additional_response_headers_custom) }}"
+wallabag_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': wallabag_http_header_xss_protection} if wallabag_http_header_xss_protection else {})
+    | combine ({'X-Frame-Options': wallabag_http_header_frame_options} if wallabag_http_header_frame_options else {})
+    | combine ({'X-Content-Type-Options': wallabag_http_header_content_type_options} if wallabag_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': wallabag_http_header_content_security_policy} if wallabag_http_header_content_security_policy else {})
+    | combine ({'Permission-Policy': wallabag_http_header_content_permission_policy} if wallabag_http_header_content_permission_policy else {})
+    | combine ({'Strict-Transport-Security': wallabag_http_header_strict_transport_security} if wallabag_http_header_strict_transport_security and wallabag_container_labels_traefik_tls else {})
+  }}
+wallabag_container_labels_traefik_additional_response_headers_custom: {}
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+wallabag_http_header_xss_protection: "1; mode=block"
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+wallabag_http_header_frame_options: SAMEORIGIN
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+wallabag_http_header_content_type_options: nosniff
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+wallabag_http_header_content_security_policy: frame-ancestors 'self'
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+wallabag_http_header_content_permission_policy: "{{ 'interest-cohort=()' if wallabag_floc_optout_enabled else '' }}"
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+wallabag_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if wallabag_hsts_preload_enabled else '' }}"
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `wallabag_content_permission_policy`
+wallabag_floc_optout_enabled: true
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `wallabag_http_header_strict_transport_security`
+wallabag_hsts_preload_enabled: false
+
+
+# wallabag_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `roles/custom/collabora_online/templates/labels.j2` for details.
+#
+# Example:
+# wallabag_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+wallabag_container_labels_additional_labels: ''

tasks/install.yml

@@ -0,0 +1,57 @@
+---
+
+- name: Ensure wallabag network is created in Docker
+  community.docker.docker_network:
+    name: "{{ wallabag_container_network }}"
+    driver: bridge
+
+
+- name: Ensure wallabag path exists
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0700
+    owner: "{{ wallabag_uid }}"
+    group: "{{ wallabag_gid }}"
+  with_items:
+    - {path: "{{ wallabag_base_path }}", when: true}
+    - {path: "{{ wallabag_config_path }}", when: true}
+
+- name: Ensure wallabag data and images path exists
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0755
+    owner: "{{ wallabag_uid }}"
+    group: "{{ wallabag_gid }}"
+  with_items:
+    - {path: "{{ wallabag_data_path }}", when: true}
+    - {path: "{{wallabag_images_path }}", when: true}
+
+
+- name: Ensure wallabag traefik labels are installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ wallabag_config_path }}/labels"
+    owner: "{{ wallabag_uid }}"
+    group: "{{ wallabag_gid }}"
+    mode: 0640
+
+- name: Ensure wallabag configuration is deployed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/env.j2"
+    dest: "{{ wallabag_config_path }}/env"
+    owner: "{{ wallabag_uid }}"
+    group: "{{ wallabag_gid }}"
+    mode: 0640
+
+- name: Ensure wallabag container image is pulled
+  community.docker.docker_image:
+    name: "{{ wallabag_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+
+- name: Ensure wallabag.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/wallabag.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ wallabag_identifier }}.service"
+    mode: 0644

tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- block:
+    - when: wallabag_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: wallabag_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+  tags:
+    - setup-all
+    - setup-wallabag
+    - install-all
+    - install-wallabag
+
+- block:
+    - when: not wallabag_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
+  tags:
+    - setup-all
+    - setup-wallabag

tasks/uninstall.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Check existence of wallabag systemd service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/{{ wallabag_identifier }}.service"
+  register: wallabag_service_stat
+
+- when: wallabag_service_stat.stat.exists | bool
+  block:
+    - name: Ensure wallabag service is stopped
+      ansible.builtin.service:
+        name: "{{ wallabag_identifier }}"
+        state: stopped
+        daemon_reload: true
+    - name: Ensure wallabag service doesn't exist
+      ansible.builtin.file:
+        dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ wallabag_identifier }}.service"
+        state: absent
+
+    - name: Ensure wallabag base path is files deleted (make sure to delete node data)
+      ansible.builtin.file:
+        path: "{{ wallabag_base_path }}"
+        state: absent

tasks/validate_config.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Fail if required wallabag settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) for using this role.
+  when: "vars[item] == ''"
+  with_items:
+    - wallabag_hostname
+    - wallabag_database_hostname
+    - wallabag_database_password
+    - wallabag_secret
+    - wallabag_uid
+    - wallabag_gid
+
+- name: Fail when SMTP settings are missing (and SMTP is enabled by setting host)
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) to correctly set up email via SMTP.
+  when: "wallabag_mailer_dsn !='' and vars[item] == ''"
+  with_items:
+    - wallabag_smtp_from

templates/env.j2

@@ -0,0 +1,41 @@
+SYMFONY__ENV__DATABASE_DRIVER={{ wallabag_database_driver}}
+
+{% if wallabag_database_driver != 'pdo_sqlite' %}
+SYMFONY__ENV__DATABASE_HOST={{ wallabag_database_hostname }}
+SYMFONY__ENV__DATABASE_PORT={{ wallabag_database_port }}
+SYMFONY__ENV__DATABASE_NAME={{ wallabag_database_name }}
+SYMFONY__ENV__DATABASE_USER={{ wallabag_database_username }}
+SYMFONY__ENV__DATABASE_PASSWORD={{ wallabag_database_password }}
+SYMFONY__ENV__DATABASE_CHARSET={{ wallabag_database_charset }}
+SYMFONY__ENV__DATABASE_TABLE_PREFIX={{ wallabag_database_table_prefix }}
+{% endif %}
+
+SYMFONY__ENV__SECRET={{ wallabag_secret }}
+SYMFONY__ENV__LOCALE={{ wallabag_locale }}
+
+{% if wallabag_mailser_dsn is defined %}
+SYMFONY__ENV__MAILER_DSN={{ wallabag_mailer_dsn }}
+SYMFONY__ENV__FROM_EMAIL={{ wallabag_from_email }}
+{% endif %}
+SYMFONY__ENV__TWOFACTOR_SENDER={{ wallabag_twofactor_sender }}
+SYMFONY__ENV__TWOFACTOR_SENDER={{ wallabag_twofactor_sender }}
+SYMFONY__ENV__FOSUSER_REGISTRATION={{ wallabag_registration }}
+SYMFONY__ENV__FOSUSER_CONFIRMATION={{ wallabag_confirmation }}
+
+SYMFONY__ENV__DOMAIN_NAME={{ wallabag_hostname }}
+
+SYMFONY__ENV__REDIS_SCHEME={{ wallabag_redis_scheme }}
+SYMFONY__ENV__REDIS_HOST={{ wallabag_redis_host }}
+SYMFONY__ENV__REDIS_PORT={{ wallabag_redis_port }}
+SYMFONY__ENV__REDIS_PASSWORD={{ wallabag_redis_password }}
+{% if wallabag_redis_scheme == 'unix' %}
+SYMFONY__ENV__REDIS_PATH={{ wallabag_redis_path }}
+{% endif %}
+
+{% if wallabag_sentry_dsn is defined %}
+SYMFONY__ENV__SENTRY_DSN={{ wallabag_sentry_dsn }}
+{% endif %}
+POPULATE_DATABASE={{ wallabag_populate_database }}
+SYMFONY__ENV__SERVER_NAME={{ wallabag_server_name }}
+
+{{ wallabag_environment_variables_extension }}