From 3a3b9231df4aaee6ed28d5eb6b6f7eb48b3addff Mon Sep 17 00:00:00 2001
From: "J. King"
Date: Wed, 19 May 2021 15:06:37 -0400
Subject: [PATCH] Use generic configuration where possible
---
 dist/arch/PKGBUILD | 33 ++++++----
 dist/arch/nginx/arsse.conf | 17 -----
 dist/arch/sysuser.conf | 1 -
 dist/arch/tmpfiles.conf | 1 -
 dist/{arch/arsse.sh => arsse} | 2 +-
 dist/arsse.service | 15 -----
 dist/nginx.conf | 75 ----------------------
 dist/{arch => }/nginx/arsse-fcgi.conf | 0
 dist/{arch => }/nginx/arsse-loc.conf | 0
 dist/nginx/arsse.conf | 17 +++++
 dist/{arch => }/nginx/example.conf | 2 +-
 dist/{arch => }/php-fpm.conf | 4 +-
 dist/{arch => systemd}/arsse-fetch.service | 19 +++---
 dist/{arch => systemd}/arsse.service | 6 +-
 dist/sysuser.conf | 1 +
 dist/tmpfiles.conf | 1 +
 16 files changed, 59 insertions(+), 135 deletions(-)
 delete mode 100644 dist/arch/nginx/arsse.conf
 delete mode 100644 dist/arch/sysuser.conf
 delete mode 100644 dist/arch/tmpfiles.conf
 rename dist/{arch/arsse.sh => arsse} (80%)
 delete mode 100644 dist/arsse.service
 delete mode 100644 dist/nginx.conf
 rename dist/{arch => }/nginx/arsse-fcgi.conf (100%)
 rename dist/{arch => }/nginx/arsse-loc.conf (100%)
 create mode 100644 dist/nginx/arsse.conf
 rename dist/{arch => }/nginx/example.conf (88%)
 rename dist/{arch => }/php-fpm.conf (73%)
 rename dist/{arch => systemd}/arsse-fetch.service (66%)
 rename dist/{arch => systemd}/arsse.service (100%)
 create mode 100644 dist/sysuser.conf
 create mode 100644 dist/tmpfiles.conf
diff --git a/dist/arch/PKGBUILD b/dist/arch/PKGBUILD
index b44991c..8d1f2fb 100644
--- a/dist/arch/PKGBUILD
+++ b/dist/arch/PKGBUILD
@@ -7,11 +7,13 @@ arch=("any")
 url="https://thearsse.com/"
 license=("MIT")
 depends=()
-makedepends=("git" "php" "php-intl" "composer")
+makedepends=()
 checkdepends=()
-optdepends=("php-pgsql: PostgreSQL database support"
-            "nginx: HTTP server"
-            "apache: HTTP server")
+optdepends=("nginx: HTTP server"
+            "apache: HTTP server"
+            "percona-server: Alternate database"
+            "postgresql: Alternate database"
+            "php-pgsql: PostgreSQL database support")
 backup=("etc/webapps/arsse/config.php" "etc/php/php-fpm.d/arsse.conf")
 install=
 changelog=
@@ -19,23 +21,32 @@ source=("arsse-0.9.1.tar.gz")
 md5sums=("SKIP")
 package() {
+    # define runtime dependencies
     depends=("php" "php-intl" "php-sqlite" "php-fpm")
+    # create most directories necessary forn the final package
     cd "$pkgdir"
     mkdir -p "usr/share/webapps/arsse" "usr/share/doc/arsse" "usr/share/licenses/arsse" "usr/lib/systemd/system" "usr/lib/sysusers.d" "usr/lib/tmpfiles.d" "etc/php/php-fpm.d/" "etc/webapps/arsse" "etc/webapps/arsse/nginx"
+    #copy requisite files
     cd "$srcdir/arsse"
     cp -r lib locale sql vendor www CHANGELOG UPGRADING README.md arsse.php "$pkgdir/usr/share/webapps/arsse"
     cp -r manual/* "$pkgdir/usr/share/doc/arsse"
     cp LICENSE AUTHORS "$pkgdir/usr/share/licenses/arsse"
-    cp dist/arch/*.service "$pkgdir/usr/lib/systemd/system"
-    cp dist/arch/sysuser.conf "$pkgdir/usr/lib/sysusers.d/arsse.conf"
-    cp dist/arch/tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/arsse.conf"
-    cp dist/arch/php-fpm.conf "$pkgdir/etc/php/php-fpm.d/arsse.conf"
-    cp -r dist/arch/nginx config.defaults.php "$pkgdir/etc/webapps/arsse"
+    cp dist/systemd/* "$pkgdir/usr/lib/systemd/system"
+    cp dist/sysuser.conf "$pkgdir/usr/lib/sysusers.d/arsse.conf"
+    cp dist/tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/arsse.conf"
+    cp dist/php-fpm.conf "$pkgdir/etc/php/php-fpm.d/arsse.conf"
+    cp -r dist/nginx config.defaults.php "$pkgdir/etc/webapps/arsse"
     cd "$pkgdir"
+    # adjust permissions, just in case
     chmod -R u=rwX,g=rX,o=rX *
-    chmod u=r etc/webapps/arsse/
+    # create a symbolic link for the configuration file
     ln -sT "/etc/webapps/arsse/config.php" "usr/share/webapps/arsse/config.php"
+    # copy files requiring special permissions
     cd "$srcdir/arsse"
-    install -DTm755 dist/arch/arsse.sh "$pkgdir/usr/bin/arsse"
+    install -Dm755 dist/arsse "$pkgdir/usr/bin"
     install -Dm640 dist/arch/config.php "$pkgdir/etc/webapps/arsse"
+    # patch generic configuration files to use Arch-specific paths and identifiers
+    sed -ise 's/\/\(etc\|usr\/share\)\/arsse\//\/\1\/webapps\/arsse\//' "$pkgdir/etc/webapps/arsse/nginx/"* "$pkgdir/usr/lib/tmpfiles.d/arsse.conf" "$pkgdir/usr/lib/systemd/system/"* "$pkgdir/usr/bin/"*
+    sed -ise 's/\/var\/run\/php\//\/run\/php-fpm\//' "$pkgdir/etc/webapps/arsse/nginx/"* "$pkgdir/etc/php/php-fpm.d/arsse.conf"
+    sed -ise 's/www-data/http/' "$pkgdir/etc/php/php-fpm.d/arsse.conf"
 }
diff --git a/dist/arch/nginx/arsse.conf b/dist/arch/nginx/arsse.conf
deleted file mode 100644
index dd45d5a..0000000
--- a/dist/arch/nginx/arsse.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-root /usr/share/webapps/arsse/www;
-
-location @arsse {
-    # HTTP authentication may be enabled for this location, though this may impact some features
-    fastcgi_pass unix:/run/php-fpm/arsse.sock;
-    fastcgi_param SCRIPT_FILENAME /usr/share/webapps/arsse/arsse.php;
-    include /etc/webapps/arsse/nginx/arsse-fcgi.conf;
-}
-
-location @arsse_public {
-    # HTTP authentication should not be enabled for this location
-    fastcgi_pass unix:/run/php-fpm/arsse.sock;
-    fastcgi_param SCRIPT_FILENAME /usr/share/webapps/arsse/arsse.php;
-    include /etc/webapps/arsse/nginx/arsse-fcgi.conf;
-}
-
-include /etc/webapps/arsse/nginx/arsse-loc.conf;
diff --git a/dist/arch/sysuser.conf b/dist/arch/sysuser.conf
deleted file mode 100644
index 9f936e4..0000000
--- a/dist/arch/sysuser.conf
+++ /dev/null
@@ -1 +0,0 @@
-u arsse - "The Arsse" /usr/lib/arsse -
diff --git a/dist/arch/tmpfiles.conf b/dist/arch/tmpfiles.conf
deleted file mode 100644
index 8c1e510..0000000
--- a/dist/arch/tmpfiles.conf
+++ /dev/null
@@ -1 +0,0 @@
-z /etc/webapps/arsse/config.php - root arsse - -
diff --git a/dist/arch/arsse.sh b/dist/arsse
similarity index 80%
rename from dist/arch/arsse.sh
rename to dist/arsse
index e34ffd8..b4c56e4 100644
--- a/dist/arch/arsse.sh
+++ b/dist/arsse
@@ -7,4 +7,4 @@ if (posix_geteuid() == 0) {
         posix_setuid($info['uid']);
     }
 }
-require "/usr/share/webapps/arsse/arsse.php";
+require "/usr/share/arsse/arsse.php";
diff --git a/dist/arsse.service b/dist/arsse.service
deleted file mode 100644
index 0adcdae..0000000
--- a/dist/arsse.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=The Arsse feed fetching service
-After=network.target mysql.service postgresql.service
-
-[Service]
-User=www-data
-Group=www-data
-WorkingDirectory=/usr/share/arsse
-Type=simple
-StandardOutput=null
-StandardError=syslog
-ExecStart=/usr/bin/env php /usr/share/arsse/arsse.php daemon
-
-[Install]
-WantedBy=multi-user.target
diff --git a/dist/nginx.conf b/dist/nginx.conf
deleted file mode 100644
index c12ff21..0000000
--- a/dist/nginx.conf
+++ /dev/null
@@ -1,75 +0,0 @@
-server {
-    server_name example.com;
-    listen 80; # adding HTTPS configuration is highly recommended
-    root /usr/share/arsse/www; # adjust according to your installation path
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
-
-    location @arsse {
-        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; # adjust according to your system configuration
-        fastcgi_pass_header Authorization; # required if the Arsse is to perform its own HTTP authentication
-        fastcgi_pass_request_body on;
-        fastcgi_pass_request_headers on;
-        fastcgi_intercept_errors off;
-        fastcgi_buffering off;
-        fastcgi_param SCRIPT_FILENAME /usr/share/arsse/arsse.php; # adjust according to your installation path
-        fastcgi_param REQUEST_METHOD $request_method;
-        fastcgi_param CONTENT_TYPE $content_type;
-        fastcgi_param CONTENT_LENGTH $content_length;
-        fastcgi_param REQUEST_URI $uri;
-        fastcgi_param QUERY_STRING $query_string;
-        fastcgi_param HTTPS $https if_not_empty;
-        fastcgi_param REMOTE_USER $remote_user;
-    }
-
-    # Nextcloud News protocol
-    location /index.php/apps/news/api {
-        try_files $uri @arsse;
-
-        location ~ ^/index\.php/apps/news/api/?$ {
-            # this path should not be behind HTTP authentication
-            try_files $uri @arsse;
-        }
-    }
-
-    # Tiny Tiny RSS protocol
-    location /tt-rss/api {
-        try_files $uri @arsse;
-    }
-
-    # Tiny Tiny RSS feed icons
-    location /tt-rss/feed-icons/ {
-        try_files $uri @arsse;
-    }
-
-    # Tiny Tiny RSS special-feed icons; these are static files
-    location /tt-rss/images/ {
-        # this path should not be behind HTTP authentication
-        try_files $uri =404;
-    }
-
-    # Fever protocol
-    location /fever/ {
-        # this path should not be behind HTTP authentication
-        try_files $uri @arsse;
-    }
-
-    # Miniflux protocol
-    location /v1/ {
-        try_files $uri @arsse;
-    }
-
-    # Miniflux version number
-    location /version {
-        # this path should not be behind HTTP authentication
-        try_files $uri @arsse;
-    }
-
-    # Miniflux "health check"
-    location /healthcheck {
-        # this path should not be behind HTTP authentication
-        try_files $uri @arsse;
-    }
-}
diff --git a/dist/arch/nginx/arsse-fcgi.conf b/dist/nginx/arsse-fcgi.conf
similarity index 100%
rename from dist/arch/nginx/arsse-fcgi.conf
rename to dist/nginx/arsse-fcgi.conf
diff --git a/dist/arch/nginx/arsse-loc.conf b/dist/nginx/arsse-loc.conf
similarity index 100%
rename from dist/arch/nginx/arsse-loc.conf
rename to dist/nginx/arsse-loc.conf
diff --git a/dist/nginx/arsse.conf b/dist/nginx/arsse.conf
new file mode 100644
index 0000000..fe5721e
--- /dev/null
+++ b/dist/nginx/arsse.conf
@@ -0,0 +1,17 @@
+root /usr/share/arsse/www;
+
+location @arsse {
+    # HTTP authentication may be enabled for this location, though this may impact some features
+    fastcgi_pass unix:/var/run/php/arsse.sock;
+    fastcgi_param SCRIPT_FILENAME /usr/share/arsse/arsse.php;
+    include /etc/arsse/nginx/arsse-fcgi.conf;
+}
+
+location @arsse_public {
+    # HTTP authentication should not be enabled for this location
+    fastcgi_pass unix:/var/run/php/arsse.sock;
+    fastcgi_param SCRIPT_FILENAME /usr/share/arsse/arsse.php;
+    include /etc/arsse/nginx/arsse-fcgi.conf;
+}
+
+include /etc/arsse/nginx/arsse-loc.conf;
diff --git a/dist/arch/nginx/example.conf b/dist/nginx/example.conf
similarity index 88%
rename from dist/arch/nginx/example.conf
rename to dist/nginx/example.conf
index efaecd6..571a638 100644
--- a/dist/arch/nginx/example.conf
+++ b/dist/nginx/example.conf
@@ -9,5 +9,5 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/news.example.com/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/news.example.com/chain.pem;
-    include /etc/webapps/arsse/nginx/arsse.conf;
+    include /etc/arsse/nginx/arsse.conf;
 }
diff --git a/dist/arch/php-fpm.conf b/dist/php-fpm.conf
similarity index 73%
rename from dist/arch/php-fpm.conf
rename to dist/php-fpm.conf
index 4d15ae1..f1edc41 100644
--- a/dist/arch/php-fpm.conf
+++ b/dist/php-fpm.conf
@@ -1,9 +1,9 @@
 [arsse]
 user = arsse
 group = arsse
-listen = /run/php-fpm/arsse.sock
+listen = /var/run/php/arsse.sock
 listen.owner = arsse
-listen.group = http
+listen.group = www-data
 pm = dynamic
 pm.max_children = 5
 pm.start_servers = 2
diff --git a/dist/arch/arsse-fetch.service b/dist/systemd/arsse-fetch.service
similarity index 66%
rename from dist/arch/arsse-fetch.service
rename to dist/systemd/arsse-fetch.service
index 78688f5..76b16e0 100644
--- a/dist/arch/arsse-fetch.service
+++ b/dist/systemd/arsse-fetch.service
@@ -3,11 +3,14 @@ Description=The Arsse newsfeed fetching service
 Documentation=https://thearsse.com/manual/
 PartOf=arsse.service
+[Install]
+WantedBy=multi-user.target
+
 [Service]
 User=arsse
 Group=arsse
 Type=simple
-WorkingDirectory=/usr/share/webapps/arsse
+WorkingDirectory=/usr/share/arsse
 ExecStart=/usr/bin/arsse daemon
 ProtectProc=invisible
@@ -15,11 +18,7 @@ NoNewPrivileges=true
 ProtectSystem=full
 ProtectHome=true
 StateDirectory=arsse
-ConfigurationDirectory=webapps/arsse
-ReadOnlyPaths=/
-ReadWriePaths=/var/lib/arsse
-NoExecPaths=/
-ExecPaths=/usr/bin/php /usr/bin/php7
+ConfigurationDirectory=arsse
 PrivateTmp=true
 PrivateDevices=true
 RestrictSUIDSGID=true
@@ -29,5 +28,9 @@ SyslogIdentifier=arsse
 Restart=on-failure
 RestartPreventStatus=
-[Install]
-WantedBy=multi-user.target
+# These directives can be used for extra security, but are disabled for now for compatibility
+
+#ReadOnlyPaths=/
+#ReadWriePaths=/var/lib/arsse
+#NoExecPaths=/
+#ExecPaths=/usr/bin/php /usr/bin/php7
diff --git a/dist/arch/arsse.service b/dist/systemd/arsse.service
similarity index 100%
rename from dist/arch/arsse.service
rename to dist/systemd/arsse.service
index 62ee435..42e869f 100644
--- a/dist/arch/arsse.service
+++ b/dist/systemd/arsse.service
@@ -5,9 +5,9 @@ Requires=arsse-fetch.service
 BindsTo=php-fpm.service
 After=php-fpm.service
+[Install]
+WantedBy=multi-user.target
+
 [Service]
 Type=oneshot
 RemainAfterExit=true
-
-[Install]
-WantedBy=multi-user.target
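Review bot: The commented hardening block at the end of arsse-fetch.service keeps the misspelt directive name `#ReadWriePaths=/var/lib/arsse`, inherited from the removed `-ReadWriePaths=...` line in the previous hunk; systemd ignores an unknown key with a warning, so the write exception for the state directory was presumably never in effect before, and re-enabling the block as-is would leave `ReadOnlyPaths=/` without it. Correct it to `#ReadWritePaths=/var/lib/arsse` now so a later uncomment does not turn into an outage. It also looks like `ExecPaths=/usr/bin/php /usr/bin/php7` would not allow `ExecStart=/usr/bin/arsse` itself once `NoExecPaths=/` is active (nor `/usr/bin/env` if the script relies on it) — worth confirming before the block is turned on, and worth recording on the explanatory comment line.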
diff --git a/dist/sysuser.conf b/dist/sysuser.conf
new file mode 100644
index 0000000..cd708c3
--- /dev/null
+++ b/dist/sysuser.conf
@@ -0,0 +1 @@
+u arsse - "The Arsse" /var/lib/arsse -
diff --git a/dist/tmpfiles.conf b/dist/tmpfiles.conf
new file mode 100644
index 0000000..fa1af72
--- /dev/null
+++ b/dist/tmpfiles.conf
@@ -0,0 +1 @@
+z /etc/arsse/config.php - root arsse - -