diff --git a/roles/fdroid/README.md b/roles/fdroid/README.md
new file mode 100644
index 0000000..a729a19
--- /dev/null
+++ b/roles/fdroid/README.md
@@ -0,0 +1,71 @@
+# fdroid - F-Droid Custom APK Repository
+
+Deploys an [F-Droid](https://f-droid.org/) repository server using [austozi/fdroidserver](https://github.com/austozi/docker-fdroidserver) to host custom APKs for family devices.
+
+## Configuration
+
+### Required Variables
+
+Set in inventory or vault:
+
+```yaml
+fdroid_keystore_password: "your-secure-password-here" # Min 12 chars
+```
+
+### Optional Variables
+
+See [defaults/main.yml](defaults/main.yml) for all configuration options.
+
+Key settings:
+
+```yaml
+fdroid_version: "26.2.1"
+fdroid_port: 8070
+fdroid_repo_url: "https://apk.jokester.fr/repo"
+fdroid_repo_name: "F-Droid Repository"
+fdroid_repo_description: "Custom APK repository"
+fdroid_update_interval: "12h"
+
+# Nginx reverse proxy
+fdroid_nginx_enabled: false
+fdroid_nginx_hostname: apk.nas.local
+```
+
+## Usage
+
+### Adding APKs
+
+```bash
+scp my-app.apk jokester@andromeda:/opt/podman/fdroid/data/repo/
+```
+
+The container automatically re-runs `fdroid update` every `fdroid_update_interval` (default: 12h) to regenerate the signed index.
+
+To trigger an immediate update:
+
+```bash
+ssh jokester@andromeda "podman exec fdroid-server fdroid update -c"
+```
+
+### F-Droid Client Setup
+
+On family phones, open F-Droid and add a new repository:
+
+- **Repository URL:** `https://apk.jokester.fr/repo`
+- Accept the fingerprint on first connection
+
+### Keystore Backup
+
+The signing keystore at `{{ podman_projects_dir }}/fdroid/data/keystore.p12` is critical. If lost, all clients must re-add the repository. Back it up.
+
+## Architecture
+
+- **Container**: `austozi/fdroidserver` (Apache + fdroidserver + Android build-tools)
+- **Storage**: Persistent data directory for keystore, config, metadata, and APKs
+- **Networking**: Localhost binding, nginx reverse proxy for HTTPS
+- **Index updates**: Automatic on configurable interval
+
+## Dependencies
+
+- podman
+- nginx (if `fdroid_nginx_enabled: true`)
diff --git a/roles/fdroid/defaults/main.yml b/roles/fdroid/defaults/main.yml
new file mode 100644
index 0000000..b9c3a01
--- /dev/null
+++ b/roles/fdroid/defaults/main.yml
@@ -0,0 +1,29 @@
+---
+# F-Droid repository version (austozi/fdroidserver image tag)
+fdroid_version: "26.2.1"
+
+# Container image
+fdroid_image: austozi/fdroidserver
+
+# Host port mapping
+fdroid_port: 8070
+
+# Data directory (keystore, config, metadata, repo APKs)
+fdroid_data_dir: "{{ podman_projects_dir }}/fdroid/data"
+
+# Repository metadata
+fdroid_repo_url: "https://apk.mysite.fr/repo"
+fdroid_repo_name: "F-Droid Repository"
+fdroid_repo_description: "Custom APK repository"
+fdroid_repo_icon: "fdroid.svg"
+fdroid_repo_icon_url: "https://f-droid.org/assets/fdroid-logo-text_S0MUfk_FsnAYL7n2MQye-34IoSNm6QM6xYjDnMqkufo=.svg"
+
+# How often the container re-runs 'fdroid update' to re-sign the index
+fdroid_update_interval: "24h"
+
+# Keystore password for signing the repository index
+# fdroid_keystore_password: "" # Intentionally undefined - role will fail if not set
+
+# Nginx reverse proxy configuration
+fdroid_nginx_enabled: false
+fdroid_nginx_hostname: apk.nas.local
diff --git a/roles/fdroid/handlers/main.yml b/roles/fdroid/handlers/main.yml
new file mode 100644
index 0000000..963f3e8
--- /dev/null
+++ b/roles/fdroid/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Reload systemd user
+  ansible.builtin.systemd:
+    daemon_reload: true
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Restart fdroid
+  ansible.builtin.systemd:
+    name: fdroid.service
+    state: restarted
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Reload nginx
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded
diff --git a/roles/fdroid/meta/main.yml b/roles/fdroid/meta/main.yml
new file mode 100644
index 0000000..d80fa53
--- /dev/null
+++ b/roles/fdroid/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: podman
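Review bot: `fdroid_update_interval: "24h"` disagrees with the README added in this same commit, which documents the default as 12h, and `fdroid_repo_url: "https://apk.mysite.fr/repo"` differs from the README's `https://apk.jokester.fr/repo`; one side should be corrected so operators reading the README get the value the role actually applies. `fdroid_version: "26.2.1"` pins a registry tag rather than a digest, and the tasks file builds the image reference with `:`, so the comment above it should say the tag is mutable, e.g. `# Image tag, not a digest - the registry can re-point it; pin a digest if reproducible deploys matter`. `fdroid_nginx_hostname` is also consumed by config.yml.j2 as the keystore DN regardless of `fdroid_nginx_enabled`, which the `# Nginx reverse proxy configuration` heading does not suggest.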
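Review bot: `become: false` combined with `become_user: "{{ ansible_user }}"` on `Reload systemd user` and `Restart fdroid` is contradictory — `become_user` has no effect when `become` is false, so these handlers run as whatever user the play connects as, which may or may not be `ansible_user`. If the intent is that the play connects as `ansible_user` and only escalates elsewhere, drop `become_user` and state the assumption in a comment such as `# Runs as the SSH user (expected to be ansible_user); user-scope systemd needs that user's session`. `Reload nginx` carries neither key and so inherits the play's escalation; presumably it relies on the play running with `become: true`, which is worth a comment for the same reason.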
diff --git a/roles/fdroid/tasks/main.yml b/roles/fdroid/tasks/main.yml
new file mode 100644
index 0000000..c170218
--- /dev/null
+++ b/roles/fdroid/tasks/main.yml
@@ -0,0 +1,179 @@
+---
+- name: Validate required passwords are set
+  ansible.builtin.assert:
+    that:
+      - fdroid_keystore_password is defined
+      - fdroid_keystore_password | length >= 12
+    fail_msg: |
+      fdroid_keystore_password is required (min 12 chars).
+      See roles/fdroid/defaults/main.yml for configuration instructions.
+    success_msg: "Password validation passed"
+
+- name: Create fdroid project directory
+  ansible.builtin.file:
+    path: "{{ podman_projects_dir | default('/opt/podman') }}/fdroid"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Create fdroid data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+  loop:
+    - "{{ fdroid_data_dir }}"
+    - "{{ fdroid_data_dir }}/repo"
+    - "{{ fdroid_data_dir }}/metadata"
+
+- name: Create fdroid repo icons directory
+  ansible.builtin.file:
+    path: "{{ fdroid_data_dir }}/repo/icons"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Download fdroid repository icon
+  ansible.builtin.get_url:
+    url: "{{ fdroid_repo_icon_url }}"
+    dest: "{{ fdroid_data_dir }}/repo/icons/{{ fdroid_repo_icon }}"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+
+- name: Deploy fdroid repository configuration
+  ansible.builtin.template:
+    src: config.yml.j2
+    dest: "{{ fdroid_data_dir }}/config.yml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0600"
+  notify: Restart fdroid
+
+- name: Pull fdroid container image
+  ansible.builtin.command: "podman pull {{ fdroid_image }}:{{ fdroid_version }}"
+  changed_when: pull_result.stdout is search('Writing manifest')
+  register: pull_result
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Deploy Kubernetes YAML for fdroid
+  ansible.builtin.template:
+    src: fdroid.yaml.j2
+    dest: "{{ podman_projects_dir | default('/opt/podman') }}/fdroid/fdroid.yaml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+  notify: Restart fdroid
+
+- name: Get home directory for {{ ansible_user }}
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ ansible_user }}"
+
+- name: Set user home directory fact
+  ansible.builtin.set_fact:
+    user_home_dir: "{{ ansible_facts['getent_passwd'][ansible_user][4] }}"
+
+- name: Create systemd user directory for fdroid
+  ansible.builtin.file:
+    path: "{{ user_home_dir }}/.config/systemd/user"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Create systemd service for fdroid (user scope)
+  ansible.builtin.template:
+    src: fdroid.service.j2
+    dest: "{{ user_home_dir }}/.config/systemd/user/fdroid.service"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+  notify: Reload systemd user
+
+- name: Check if lingering is enabled for {{ ansible_user }}
+  ansible.builtin.stat:
+    path: "/var/lib/systemd/linger/{{ ansible_user }}"
+  register: linger_file
+
+- name: Enable lingering for user {{ ansible_user }}
+  ansible.builtin.command: "loginctl enable-linger {{ ansible_user }}"
+  changed_when: true
+  when:
+    - ansible_user != 'root'
+    - not linger_file.stat.exists
+
+- name: Check if keystore already exists
+  ansible.builtin.stat:
+    path: "{{ fdroid_data_dir }}/keystore.p12"
+  register: fdroid_keystore
+
+- name: Initialize fdroid repository (generate keystore and first index)
+  ansible.builtin.command:
+    argv:
+      - podman
+      - run
+      - --rm
+      - -v
+      - "{{ fdroid_data_dir }}:/fdroid"
+      - -e
+      - "FDROID_REPO_URL={{ fdroid_repo_url }}"
+      - -e
+      - "FDROID_REPO_NAME={{ fdroid_repo_name }}"
+      - -e
+      - "FDROID_REPO_DESCRIPTION={{ fdroid_repo_description }}"
+      - -e
+      - "FDROID_REPO_ICON={{ fdroid_repo_icon }}"
+      - "{{ fdroid_image }}:{{ fdroid_version }}"
+      - "fdroid update -c --create-key"
+  when: not fdroid_keystore.stat.exists
+  register: fdroid_init
+  changed_when: fdroid_init.rc == 0
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Flush handlers before starting fdroid
+  ansible.builtin.meta: flush_handlers
+
+- name: Enable and start fdroid service (user scope)
+  ansible.builtin.systemd:
+    name: fdroid.service
+    enabled: true
+    state: started
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Wait for fdroid to be ready
+  ansible.builtin.wait_for:
+    port: "{{ fdroid_port }}"
+    host: 127.0.0.1
+    timeout: 60
+
+- name: Provision TLS certificate for fdroid
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ fdroid_nginx_hostname }}"
+  when: fdroid_nginx_enabled
+
+- name: Deploy nginx vhost configuration for fdroid
+  ansible.builtin.template:
+    src: nginx-vhost.conf.j2
+    dest: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/fdroid.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  when: fdroid_nginx_enabled
+  notify: Reload nginx
+
+- name: Remove nginx vhost configuration for fdroid
+  ansible.builtin.file:
+    path: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/fdroid.conf"
+    state: absent
+  when: not fdroid_nginx_enabled
+  notify: Reload nginx
diff --git a/roles/fdroid/templates/config.yml.j2 b/roles/fdroid/templates/config.yml.j2
new file mode 100644
index 0000000..8388fec
--- /dev/null
+++ b/roles/fdroid/templates/config.yml.j2
@@ -0,0 +1,14 @@
+# F-Droid repository configuration
+# Managed by Ansible - DO NOT EDIT MANUALLY
+
+repo_url: "{{ fdroid_repo_url }}"
+repo_name: "{{ fdroid_repo_name }}"
+repo_description: "{{ fdroid_repo_description }}"
+repo_icon: "{{ fdroid_repo_icon }}"
+
+# Keystore configuration (auto-generated on first 'fdroid update -c --create-key')
+repo_keyalias: fdroid-repo-key
+keystore: keystore.p12
+keystorepass: "{{ fdroid_keystore_password }}"
+keypass: "{{ fdroid_keystore_password }}"
+keydname: "CN={{ fdroid_nginx_hostname }}"
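Review bot: `Deploy fdroid repository configuration` renders `fdroid_keystore_password` into config.yml but carries no `no_log: true`, so a run with `--diff`, or a failure of that task, prints the keystore password to the console and to any collected play log; add `no_log: true` next to `notify: Restart fdroid`. `Download fdroid repository icon` fetches a file that is then served to every client out of the repo with no `checksum:` on `get_url`, and `Pull fdroid container image` pulls a tag that the registry can re-point; both are worth pinning if the repository is meant to be reproducible. `Initialize fdroid repository` only runs when the keystore is absent and the command already fails on non-zero rc, so `changed_when: fdroid_init.rc == 0` reduces to `changed_when: true`. The same task hands `"fdroid update -c --create-key"` to the container as a single argv element, which only works if the image entrypoint splits it; confirm against the image or pass the words as separate list items.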
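Review bot: `keydname: "CN={{ fdroid_nginx_hostname }}"` bakes the nginx hostname into the signing key's DN even when `fdroid_nginx_enabled` is false (default `apk.nas.local`), and because the keystore is generated once and every client pins its fingerprint, the value is presumably only read at `--create-key` time and cannot be changed afterwards without clients re-adding the repo; derive it from `fdroid_repo_url` or give it its own variable, and extend the comment above with `# keydname is read only when the key is created; later edits do not affect the existing keystore`. The double-quoted Jinja values (`repo_name`, `repo_description`, `keystorepass`, `keypass`) produce invalid YAML if a variable contains a double quote or backslash — a quoting problem for a password more than for anything else; `keystorepass: {{ fdroid_keystore_password | to_json }}` emits a correctly escaped scalar.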
diff --git a/roles/fdroid/templates/nginx-vhost.conf.j2 b/roles/fdroid/templates/nginx-vhost.conf.j2
new file mode 100644
index 0000000..d0080b6
--- /dev/null
+++ b/roles/fdroid/templates/nginx-vhost.conf.j2
@@ -0,0 +1,56 @@
+# F-Droid repository vhost with Let's Encrypt (Certbot)
+# Managed by Ansible - DO NOT EDIT MANUALLY
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ fdroid_nginx_hostname }};
+
+    # Certbot webroot for ACME challenges
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Redirect to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name {{ fdroid_nginx_hostname }};
+
+    # Let's Encrypt certificates (managed by Certbot)
+    ssl_certificate /etc/letsencrypt/live/{{ fdroid_nginx_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ fdroid_nginx_hostname }}/privkey.pem;
+
+    # SSL configuration
+    ssl_protocols {{ nginx_ssl_protocols | default('TLSv1.3') }};
+    ssl_prefer_server_ciphers on;
+
+{% if nginx_log_backend | default('journald') == 'journald' %}
+    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_fdroid;
+    error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_fdroid;
+{% else %}
+    access_log /var/log/nginx/{{ fdroid_nginx_hostname }}_access.log main;
+    error_log /var/log/nginx/{{ fdroid_nginx_hostname }}_error.log;
+{% endif %}
+
+    # Allow large APK uploads if ever needed
+    client_max_body_size 200M;
+
+    # Redirect root to /repo for F-Droid client compatibility
+    location = / {
+        return 302 /repo;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:{{ fdroid_port }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
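Review bot: `client_max_body_size 200M` under `# Allow large APK uploads if ever needed` raises the request-body limit on a vhost whose only backend is the read-only repository served by the container; the README in this commit adds APKs by `scp`, not over HTTP, so the directive widens exposure for no current consumer and should be dropped or the comment should name the upload path that needs it. `ssl_prefer_server_ciphers on` has no effect under the default `TLSv1.3`-only `ssl_protocols`, and the 443 block sets no HSTS header, so a phone's first visit is protected only by the plain-HTTP 301; `add_header Strict-Transport-Security "max-age=63072000" always;` next to the `ssl_protocols` line closes that. The `ssl_certificate` paths assume the certbot include in tasks/main.yml has already produced `/etc/letsencrypt/live/{{ fdroid_nginx_hostname }}/`; a comment stating that ordering dependency would help whoever reorders the tasks.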