Use generic configuration where possible

dist/arch/PKGBUILD

@@ -7,11 +7,13 @@ arch=("any")
 url="https://thearsse.com/"
 license=("MIT")
 depends=()
-makedepends=("git" "php" "php-intl" "composer")
+makedepends=()
 checkdepends=()
-optdepends=("php-pgsql: PostgreSQL database support"
-            "nginx: HTTP server"
-            "apache: HTTP server")
+optdepends=("nginx: HTTP server"
+            "apache: HTTP server"
+            "percona-server: Alternate database"
+            "postgresql: Alternate database"
+            "php-pgsql: PostgreSQL database support")
 backup=("etc/webapps/arsse/config.php" "etc/php/php-fpm.d/arsse.conf")
 install=
 changelog=
@@ -19,23 +21,32 @@ source=("arsse-0.9.1.tar.gz")
 md5sums=("SKIP")
 
 package() {
+    # define runtime dependencies
     depends=("php" "php-intl" "php-sqlite" "php-fpm")
+    # create most directories necessary forn the final package
     cd "$pkgdir"
     mkdir -p "usr/share/webapps/arsse" "usr/share/doc/arsse" "usr/share/licenses/arsse" "usr/lib/systemd/system" "usr/lib/sysusers.d" "usr/lib/tmpfiles.d" "etc/php/php-fpm.d/" "etc/webapps/arsse" "etc/webapps/arsse/nginx"
+    #copy requisite files
     cd "$srcdir/arsse"
     cp -r lib locale sql vendor www CHANGELOG UPGRADING README.md arsse.php "$pkgdir/usr/share/webapps/arsse"
     cp -r manual/* "$pkgdir/usr/share/doc/arsse"
     cp LICENSE AUTHORS "$pkgdir/usr/share/licenses/arsse"
-    cp dist/arch/*.service "$pkgdir/usr/lib/systemd/system"
-    cp dist/arch/sysuser.conf "$pkgdir/usr/lib/sysusers.d/arsse.conf"
-    cp dist/arch/tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/arsse.conf"
-    cp dist/arch/php-fpm.conf "$pkgdir/etc/php/php-fpm.d/arsse.conf"
-    cp -r dist/arch/nginx config.defaults.php "$pkgdir/etc/webapps/arsse"
+    cp dist/systemd/* "$pkgdir/usr/lib/systemd/system"
+    cp dist/sysuser.conf "$pkgdir/usr/lib/sysusers.d/arsse.conf"
+    cp dist/tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/arsse.conf"
+    cp dist/php-fpm.conf "$pkgdir/etc/php/php-fpm.d/arsse.conf"
+    cp -r dist/nginx config.defaults.php "$pkgdir/etc/webapps/arsse"
     cd "$pkgdir"
+    # adjust permissions, just in case
     chmod -R u=rwX,g=rX,o=rX *
-    chmod u=r etc/webapps/arsse/
+    # create a symbolic link for the configuration file
     ln -sT "/etc/webapps/arsse/config.php" "usr/share/webapps/arsse/config.php"
+    # copy files requiring special permissions
     cd "$srcdir/arsse"
-    install -DTm755 dist/arch/arsse.sh "$pkgdir/usr/bin/arsse"
+    install -Dm755 dist/arsse "$pkgdir/usr/bin"
     install -Dm640 dist/arch/config.php "$pkgdir/etc/webapps/arsse"
+    # patch generic configuration files to use Arch-specific paths and identifiers
+    sed -ise 's/\/\(etc\|usr\/share\)\/arsse\//\/\1\/webapps\/arsse\//' "$pkgdir/etc/webapps/arsse/nginx/"* "$pkgdir/usr/lib/tmpfiles.d/arsse.conf" "$pkgdir/usr/lib/systemd/system/"* "$pkgdir/usr/bin/"*
+    sed -ise 's/\/var\/run\/php\//\/run\/php-fpm\//' "$pkgdir/etc/webapps/arsse/nginx/"* "$pkgdir/etc/php/php-fpm.d/arsse.conf"
+    sed -ise 's/www-data/http/' "$pkgdir/etc/php/php-fpm.d/arsse.conf"
 }

dist/arch/nginx/arsse.conf

@@ -1,17 +0,0 @@
-root /usr/share/webapps/arsse/www;
-
-location @arsse {
-    # HTTP authentication may be enabled for this location, though this may impact some features
-    fastcgi_pass unix:/run/php-fpm/arsse.sock;
-    fastcgi_param SCRIPT_FILENAME /usr/share/webapps/arsse/arsse.php;
-    include /etc/webapps/arsse/nginx/arsse-fcgi.conf;
-}
-
-location @arsse_public {
-    # HTTP authentication should not be enabled for this location
-    fastcgi_pass unix:/run/php-fpm/arsse.sock;
-    fastcgi_param SCRIPT_FILENAME /usr/share/webapps/arsse/arsse.php;
-    include /etc/webapps/arsse/nginx/arsse-fcgi.conf;
-}
-
-include /etc/webapps/arsse/nginx/arsse-loc.conf;

dist/arch/sysuser.conf

@@ -1 +0,0 @@
-u arsse - "The Arsse" /usr/lib/arsse -

dist/arch/tmpfiles.conf

@@ -1 +0,0 @@
-z /etc/webapps/arsse/config.php - root arsse - -

dist/arch/arsse.sh → dist/arsse

@@ -7,4 +7,4 @@ if (posix_geteuid() == 0) {
         posix_setuid($info['uid']);
     }
 }
-require "/usr/share/webapps/arsse/arsse.php";
+require "/usr/share/arsse/arsse.php";

dist/arsse.service

@@ -1,15 +0,0 @@
-[Unit]
-Description=The Arsse feed fetching service
-After=network.target mysql.service postgresql.service
-
-[Service]
-User=www-data
-Group=www-data
-WorkingDirectory=/usr/share/arsse
-Type=simple
-StandardOutput=null
-StandardError=syslog
-ExecStart=/usr/bin/env php /usr/share/arsse/arsse.php daemon
-
-[Install]
-WantedBy=multi-user.target

dist/nginx.conf

@@ -1,75 +0,0 @@
-server {
-    server_name example.com;
-    listen 80; # adding HTTPS configuration is highly recommended
-    root /usr/share/arsse/www; # adjust according to your installation path
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
-
-    location @arsse {
-        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; # adjust according to your system configuration
-        fastcgi_pass_header Authorization; # required if the Arsse is to perform its own HTTP authentication
-        fastcgi_pass_request_body on;
-        fastcgi_pass_request_headers on;
-        fastcgi_intercept_errors off;
-        fastcgi_buffering off;
-        fastcgi_param SCRIPT_FILENAME /usr/share/arsse/arsse.php; # adjust according to your installation path
-        fastcgi_param REQUEST_METHOD  $request_method;
-        fastcgi_param CONTENT_TYPE    $content_type;
-        fastcgi_param CONTENT_LENGTH  $content_length;
-        fastcgi_param REQUEST_URI     $uri;
-        fastcgi_param QUERY_STRING    $query_string;
-        fastcgi_param HTTPS           $https if_not_empty;
-        fastcgi_param REMOTE_USER     $remote_user;
-    }
-
-    # Nextcloud News protocol
-    location /index.php/apps/news/api {
-        try_files $uri @arsse;
-
-        location ~ ^/index\.php/apps/news/api/?$ {
-            # this path should not be behind HTTP authentication
-            try_files $uri @arsse;
-        }
-    }
-
-    # Tiny Tiny RSS protocol
-    location /tt-rss/api {
-        try_files $uri @arsse;
-    }
-
-    # Tiny Tiny RSS feed icons
-    location /tt-rss/feed-icons/ {
-        try_files $uri @arsse;
-    }
-
-    # Tiny Tiny RSS special-feed icons; these are static files
-    location /tt-rss/images/ {
-        # this path should not be behind HTTP authentication
-        try_files $uri =404;
-    }
-
-    # Fever protocol
-    location /fever/ {
-        # this path should not be behind HTTP authentication
-        try_files $uri @arsse;
-    }
-
-    # Miniflux protocol
-    location /v1/ {
-        try_files $uri @arsse;
-    }
-
-    # Miniflux version number
-    location /version {
-        # this path should not be behind HTTP authentication
-        try_files $uri @arsse;
-    }
-
-    # Miniflux "health check"
-    location /healthcheck {
-        # this path should not be behind HTTP authentication
-        try_files $uri @arsse;
-    }
-}

dist/nginx/arsse.conf

@@ -0,0 +1,17 @@
+root /usr/share/arsse/www;
+
+location @arsse {
+    # HTTP authentication may be enabled for this location, though this may impact some features
+    fastcgi_pass unix:/var/run/php/arsse.sock;
+    fastcgi_param SCRIPT_FILENAME /usr/share/arsse/arsse.php;
+    include /etc/arsse/nginx/arsse-fcgi.conf;
+}
+
+location @arsse_public {
+    # HTTP authentication should not be enabled for this location
+    fastcgi_pass unix:/var/run/php/arsse.sock;
+    fastcgi_param SCRIPT_FILENAME /usr/share/arsse/arsse.php;
+    include /etc/arsse/nginx/arsse-fcgi.conf;
+}
+
+include /etc/arsse/nginx/arsse-loc.conf;

dist/arch/nginx/example.conf → dist/nginx/example.conf

@@ -9,5 +9,5 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/news.example.com/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/news.example.com/chain.pem;
 
-    include /etc/webapps/arsse/nginx/arsse.conf;
+    include /etc/arsse/nginx/arsse.conf;
 }

dist/arch/php-fpm.conf → dist/php-fpm.conf

@@ -1,9 +1,9 @@
 [arsse]
 user = arsse
 group = arsse
-listen = /run/php-fpm/arsse.sock
+listen = /var/run/php/arsse.sock
 listen.owner = arsse
-listen.group = http
+listen.group = www-data
 pm = dynamic
 pm.max_children = 5
 pm.start_servers = 2

dist/arch/arsse-fetch.service → dist/systemd/arsse-fetch.service

@@ -3,11 +3,14 @@ Description=The Arsse newsfeed fetching service
 Documentation=https://thearsse.com/manual/
 PartOf=arsse.service
 
+[Install]
+WantedBy=multi-user.target
+
 [Service]
 User=arsse
 Group=arsse
 Type=simple
-WorkingDirectory=/usr/share/webapps/arsse
+WorkingDirectory=/usr/share/arsse
 ExecStart=/usr/bin/arsse daemon
 
 ProtectProc=invisible
@@ -15,11 +18,7 @@ NoNewPrivileges=true
 ProtectSystem=full
 ProtectHome=true
 StateDirectory=arsse
-ConfigurationDirectory=webapps/arsse
-ReadOnlyPaths=/
-ReadWriePaths=/var/lib/arsse
-NoExecPaths=/
-ExecPaths=/usr/bin/php /usr/bin/php7
+ConfigurationDirectory=arsse
 PrivateTmp=true
 PrivateDevices=true
 RestrictSUIDSGID=true
@@ -29,5 +28,9 @@ SyslogIdentifier=arsse
 Restart=on-failure
 RestartPreventStatus=
 
-[Install]
-WantedBy=multi-user.target
+# These directives can be used for extra security, but are disabled for now for compatibility
+
+#ReadOnlyPaths=/
+#ReadWriePaths=/var/lib/arsse
+#NoExecPaths=/
+#ExecPaths=/usr/bin/php /usr/bin/php7

dist/arch/arsse.service → dist/systemd/arsse.service

@@ -5,9 +5,9 @@ Requires=arsse-fetch.service
 BindsTo=php-fpm.service
 After=php-fpm.service
 
+[Install]
+WantedBy=multi-user.target
+
 [Service]
 Type=oneshot
 RemainAfterExit=true
-
-[Install]
-WantedBy=multi-user.target

dist/sysuser.conf

@@ -0,0 +1 @@
+u arsse - "The Arsse" /var/lib/arsse -

dist/tmpfiles.conf

@@ -0,0 +1 @@
+z /etc/arsse/config.php - root arsse - -