FreshRSS

1. Set up FreshRSS on Debian

1.1. Clone the latest branch of the repository

sudo git clone --depth=1 --branch latest https://github.com/FreshRSS/FreshRSS.git /opt/freshrss

1.2. Clone the extensions repository

sudo git clone --depth=1 https://github.com/FreshRSS/Extensions /opt/freshrss-extensions

1.3. Enable YouTube extension

sudo mv /opt/freshrss-extensions/xExtension-YouTube /opt/freshrss/extensions/xExtension-YouTube

1.4. Set repository permissions

cd /opt/freshrss && sudo cli/access-permissions.sh

1.5. Symlink the public directory

sudo ln -s /opt/freshrss/p /srv/freshrss

1.6. Install php-fpm first to avoid Apache dependencies

sudo apt install php-fpm

1.7. Install the main PHP packages

sudo apt install php php-curl php-gmp php-intl php-mbstring php-xml php-zip

1.8. Install php-sqlite3 to use the built-in database

sudo apt install php-sqlite3

1.9. Install nginx package

sudo apt install nginx

1.10. Create the FreshRSS site configuration (replace <DOMAIN>)

# /etc/nginx/sites-available/freshrss

server {
    server_name <DOMAIN>;

    root /srv/freshrss;

    index index.php index.html index.htm;

    location ~ ^.+?\.php(/.*)?$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # include /etc/nginx/conf.d/00-<HOST>.conf;
    }

    location / {
        try_files $uri $uri/ index.php;
        # include /etc/nginx/conf.d/00-<HOST>.conf;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<DOMAIN>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<DOMAIN>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = <DOMAIN>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name <DOMAIN>;
    return 404; # managed by Certbot
}

1.11. Enable FreshRSS site configuration

sudo ln -s /etc/nginx/sites-available/freshrss /etc/nginx/sites-enabled/freshrss

1.12. Disable nginx default site

sudo rm -i /etc/nginx/sites-enabled/default

1.13. Restart nginx service

sudo systemctl restart nginx

2. Set up FreshRSS on Debian with Ansible

3. Set up FreshRSS with HTTPS on LAN

This section uses the “copy /etc/letsencrypt from server A running certbot (using HTTP-01 challenge) to server B” method.

3.1. Setup for server A (remote VPS: “deneb”)

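Create a sudoers file that allows the user connecting from server B to download /etc/letsencrypt and nothing else from server A. The * in the rule stands for the option string the rsync client sends. sudoers matches command-line arguments as a single concatenated string, so this wildcard can span several arguments; replacing it with the exact option string your rsync client sends makes the rule tighter.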

# /etc/sudoers.d/rsync

# Allow user to download one restricted directory on localhost over ssh
alan ALL = NOPASSWD: /usr/bin/rsync --server --sender * . /etc/letsencrypt

3.2. Setup for server B (server on LAN: “framboise”)

Create and start systemd service and timer units that run the script on a schedule

3.2.1. Timer unit

# /etc/systemd/system/framboise-update-letsencrypt.timer
[Unit]
Description=Run framboise-update-letsencrypt every 4 days

[Timer]
OnStartupSec=10minutes
OnUnitActiveSec=4days
RandomizedDelaySec=5minutes

[Install]
WantedBy=timers.target

3.2.2. Service unit

# /etc/systemd/system/framboise-update-letsencrypt.service
[Unit]
Description=Update framboise certificates
After=network.target

[Service]
ExecStart=/usr/local/bin/framboise-update-letsencrypt

3.2.3. Shell script

#!/bin/sh
# /usr/local/bin/framboise-update-letsencrypt

if [ "$(id -u)" -eq 0 ]
then
    if grep -qs '^Host deneb$' /root/.ssh/config
    then
        echo "Update certificates .."
        rsync -avh --safe-links --rsync-path='/usr/bin/sudo /usr/bin/rsync' deneb:/etc/letsencrypt /opt/ || exit 10

        if systemctl is-active --quiet nginx.service
        then
            echo "Reload nginx configuration .."
            systemctl reload nginx || exit 20
        fi
    else
        echo "Missing SSH configuration for deneb"
        exit 5
    fi
else
    echo "Requires elevated privileges"
    exit 1
fi
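
A check that could run between the rsync and the nginx reload in the script above, as an added example that is not part of the original page. It assumes the copy lands in /opt/letsencrypt (the rsync destination above); the function names and return codes are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check the synced
# Let's Encrypt tree before nginx is reloaded.
# Assumption: the tree is /opt/letsencrypt, where the rsync above writes it.
# Function names and return codes are hypothetical.

# Print private keys that have any group/other permission bit set.
loose_keys() {
    find "$1" -type f -name 'privkey*.pem' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print symlinks that dangle or resolve outside the tree.
stray_links() {
    root=$(cd "$1" && pwd -P) || return 1
    find "$root" -type l | while IFS= read -r link
    do
        if [ ! -e "$link" ]
        then
            echo "$link"
            continue
        fi
        case $(readlink -f "$link") in
            "$root"/*) ;;
            *) echo "$link" ;;
        esac
    done
}

# Return 0 if the tree looks sane, otherwise 2, 3 or 4 (see messages).
check_cert_tree() {
    tree=${1:-/opt/letsencrypt}
    [ -d "$tree/live" ] || { echo "missing $tree/live" >&2; return 2; }
    bad=$(loose_keys "$tree")
    [ -z "$bad" ] || { echo "key open to group/other: $bad" >&2; return 3; }
    bad=$(stray_links "$tree")
    [ -z "$bad" ] || { echo "symlink dangles or leaves tree: $bad" >&2; return 4; }
    return 0
}
```

Running nginx -t after this check and before systemctl reload nginx also catches a configuration that no longer parses with the new files.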

4. References