Add new fdroid role to host custom apks

roles/fdroid/README.md

@@ -0,0 +1,71 @@
+# fdroid - F-Droid Custom APK Repository
+
+Deploys an [F-Droid](https://f-droid.org/) repository server using [austozi/fdroidserver](https://github.com/austozi/docker-fdroidserver) to host custom APKs for family devices.
+
+## Configuration
+
+### Required Variables
+
+Set in inventory or vault:
+
+```yaml
+fdroid_keystore_password: "your-secure-password-here"  # Min 12 chars
+```
+
+### Optional Variables
+
+See [defaults/main.yml](defaults/main.yml) for all configuration options.
+
+Key settings:
+
+```yaml
+fdroid_version: "26.2.1"
+fdroid_port: 8070
+fdroid_repo_url: "https://apk.jokester.fr/repo"
+fdroid_repo_name: "F-Droid Repository"
+fdroid_repo_description: "Custom APK repository"
+fdroid_update_interval: "12h"
+
+# Nginx reverse proxy
+fdroid_nginx_enabled: false
+fdroid_nginx_hostname: apk.nas.local
+```
+
+## Usage
+
+### Adding APKs
+
+```bash
+scp my-app.apk jokester@andromeda:/opt/podman/fdroid/data/repo/
+```
+
+The container automatically re-runs `fdroid update` every `fdroid_update_interval` (default: 12h) to regenerate the signed index.
+
+To trigger an immediate update:
+
+```bash
+ssh jokester@andromeda "podman exec fdroid-server fdroid update -c"
+```
+
+### F-Droid Client Setup
+
+On family phones, open F-Droid and add a new repository:
+
+- **Repository URL:** `https://apk.jokester.fr/repo`
+- Accept the fingerprint on first connection
+
+### Keystore Backup
+
+The signing keystore at `{{ podman_projects_dir }}/fdroid/data/keystore.p12` is critical. If lost, all clients must re-add the repository. Back it up.
+
+## Architecture
+
+- **Container**: `austozi/fdroidserver` (Apache + fdroidserver + Android build-tools)
+- **Storage**: Persistent data directory for keystore, config, metadata, and APKs
+- **Networking**: Localhost binding, nginx reverse proxy for HTTPS
+- **Index updates**: Automatic on configurable interval
+
+## Dependencies
+
+- podman
+- nginx (if `fdroid_nginx_enabled: true`)

roles/fdroid/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+# F-Droid repository version (austozi/fdroidserver image tag)
+fdroid_version: "26.2.1"
+
+# Container image
+fdroid_image: austozi/fdroidserver
+
+# Host port mapping
+fdroid_port: 8070
+
+# Data directory (keystore, config, metadata, repo APKs)
+fdroid_data_dir: "{{ podman_projects_dir }}/fdroid/data"
+
+# Repository metadata
+fdroid_repo_url: "https://apk.mysite.fr/repo"
+fdroid_repo_name: "F-Droid Repository"
+fdroid_repo_description: "Custom APK repository"
+fdroid_repo_icon: "fdroid.svg"
+fdroid_repo_icon_url: "https://f-droid.org/assets/fdroid-logo-text_S0MUfk_FsnAYL7n2MQye-34IoSNm6QM6xYjDnMqkufo=.svg"
+
+# How often the container re-runs 'fdroid update' to re-sign the index
+fdroid_update_interval: "24h"
+
+# Keystore password for signing the repository index
+# fdroid_keystore_password: ""  # Intentionally undefined - role will fail if not set
+
+# Nginx reverse proxy configuration
+fdroid_nginx_enabled: false
+fdroid_nginx_hostname: apk.nas.local

roles/fdroid/handlers/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Reload systemd user
+  ansible.builtin.systemd:
+    daemon_reload: true
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Restart fdroid
+  ansible.builtin.systemd:
+    name: fdroid.service
+    state: restarted
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Reload nginx
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded

roles/fdroid/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: podman

roles/fdroid/tasks/main.yml

@@ -0,0 +1,179 @@
+---
+- name: Validate required passwords are set
+  ansible.builtin.assert:
+    that:
+      - fdroid_keystore_password is defined
+      - fdroid_keystore_password | length >= 12
+    fail_msg: |
+      fdroid_keystore_password is required (min 12 chars).
+      See roles/fdroid/defaults/main.yml for configuration instructions.
+    success_msg: "Password validation passed"
+
+- name: Create fdroid project directory
+  ansible.builtin.file:
+    path: "{{ podman_projects_dir | default('/opt/podman') }}/fdroid"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Create fdroid data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+  loop:
+    - "{{ fdroid_data_dir }}"
+    - "{{ fdroid_data_dir }}/repo"
+    - "{{ fdroid_data_dir }}/metadata"
+
+- name: Create fdroid repo icons directory
+  ansible.builtin.file:
+    path: "{{ fdroid_data_dir }}/repo/icons"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Download fdroid repository icon
+  ansible.builtin.get_url:
+    url: "{{ fdroid_repo_icon_url }}"
+    dest: "{{ fdroid_data_dir }}/repo/icons/{{ fdroid_repo_icon }}"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+
+- name: Deploy fdroid repository configuration
+  ansible.builtin.template:
+    src: config.yml.j2
+    dest: "{{ fdroid_data_dir }}/config.yml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0600"
+  notify: Restart fdroid
+
+- name: Pull fdroid container image
+  ansible.builtin.command: "podman pull {{ fdroid_image }}:{{ fdroid_version }}"
+  changed_when: pull_result.stdout is search('Writing manifest')
+  register: pull_result
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Deploy Kubernetes YAML for fdroid
+  ansible.builtin.template:
+    src: fdroid.yaml.j2
+    dest: "{{ podman_projects_dir | default('/opt/podman') }}/fdroid/fdroid.yaml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+  notify: Restart fdroid
+
+- name: Get home directory for {{ ansible_user }}
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ ansible_user }}"
+
+- name: Set user home directory fact
+  ansible.builtin.set_fact:
+    user_home_dir: "{{ ansible_facts['getent_passwd'][ansible_user][4] }}"
+
+- name: Create systemd user directory for fdroid
+  ansible.builtin.file:
+    path: "{{ user_home_dir }}/.config/systemd/user"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Create systemd service for fdroid (user scope)
+  ansible.builtin.template:
+    src: fdroid.service.j2
+    dest: "{{ user_home_dir }}/.config/systemd/user/fdroid.service"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+  notify: Reload systemd user
+
+- name: Check if lingering is enabled for {{ ansible_user }}
+  ansible.builtin.stat:
+    path: "/var/lib/systemd/linger/{{ ansible_user }}"
+  register: linger_file
+
+- name: Enable lingering for user {{ ansible_user }}
+  ansible.builtin.command: "loginctl enable-linger {{ ansible_user }}"
+  changed_when: true
+  when:
+    - ansible_user != 'root'
+    - not linger_file.stat.exists
+
+- name: Check if keystore already exists
+  ansible.builtin.stat:
+    path: "{{ fdroid_data_dir }}/keystore.p12"
+  register: fdroid_keystore
+
+- name: Initialize fdroid repository (generate keystore and first index)
+  ansible.builtin.command:
+    argv:
+      - podman
+      - run
+      - --rm
+      - -v
+      - "{{ fdroid_data_dir }}:/fdroid"
+      - -e
+      - "FDROID_REPO_URL={{ fdroid_repo_url }}"
+      - -e
+      - "FDROID_REPO_NAME={{ fdroid_repo_name }}"
+      - -e
+      - "FDROID_REPO_DESCRIPTION={{ fdroid_repo_description }}"
+      - -e
+      - "FDROID_REPO_ICON={{ fdroid_repo_icon }}"
+      - "{{ fdroid_image }}:{{ fdroid_version }}"
+      - "fdroid update -c --create-key"
+  when: not fdroid_keystore.stat.exists
+  register: fdroid_init
+  changed_when: fdroid_init.rc == 0
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Flush handlers before starting fdroid
+  ansible.builtin.meta: flush_handlers
+
+- name: Enable and start fdroid service (user scope)
+  ansible.builtin.systemd:
+    name: fdroid.service
+    enabled: true
+    state: started
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Wait for fdroid to be ready
+  ansible.builtin.wait_for:
+    port: "{{ fdroid_port }}"
+    host: 127.0.0.1
+    timeout: 60
+
+- name: Provision TLS certificate for fdroid
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ fdroid_nginx_hostname }}"
+  when: fdroid_nginx_enabled
+
+- name: Deploy nginx vhost configuration for fdroid
+  ansible.builtin.template:
+    src: nginx-vhost.conf.j2
+    dest: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/fdroid.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  when: fdroid_nginx_enabled
+  notify: Reload nginx
+
+- name: Remove nginx vhost configuration for fdroid
+  ansible.builtin.file:
+    path: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/fdroid.conf"
+    state: absent
+  when: not fdroid_nginx_enabled
+  notify: Reload nginx

roles/fdroid/templates/config.yml.j2

@@ -0,0 +1,14 @@
+# F-Droid repository configuration
+# Managed by Ansible - DO NOT EDIT MANUALLY
+
+repo_url: "{{ fdroid_repo_url }}"
+repo_name: "{{ fdroid_repo_name }}"
+repo_description: "{{ fdroid_repo_description }}"
+repo_icon: "{{ fdroid_repo_icon }}"
+
+# Keystore configuration (auto-generated on first 'fdroid update -c --create-key')
+repo_keyalias: fdroid-repo-key
+keystore: keystore.p12
+keystorepass: "{{ fdroid_keystore_password }}"
+keypass: "{{ fdroid_keystore_password }}"
+keydname: "CN={{ fdroid_nginx_hostname }}"

roles/fdroid/templates/nginx-vhost.conf.j2

@@ -0,0 +1,56 @@
+# F-Droid repository vhost with Let's Encrypt (Certbot)
+# Managed by Ansible - DO NOT EDIT MANUALLY
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ fdroid_nginx_hostname }};
+
+    # Certbot webroot for ACME challenges
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Redirect to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name {{ fdroid_nginx_hostname }};
+
+    # Let's Encrypt certificates (managed by Certbot)
+    ssl_certificate /etc/letsencrypt/live/{{ fdroid_nginx_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ fdroid_nginx_hostname }}/privkey.pem;
+
+    # SSL configuration
+    ssl_protocols {{ nginx_ssl_protocols | default('TLSv1.3') }};
+    ssl_prefer_server_ciphers on;
+
+{% if nginx_log_backend | default('journald') == 'journald' %}
+    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_fdroid;
+    error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_fdroid;
+{% else %}
+    access_log /var/log/nginx/{{ fdroid_nginx_hostname }}_access.log main;
+    error_log /var/log/nginx/{{ fdroid_nginx_hostname }}_error.log;
+{% endif %}
+
+    # Allow large APK uploads if ever needed
+    client_max_body_size 200M;
+
+    # Redirect root to /repo for F-Droid client compatibility
+    location = / {
+        return 302 /repo;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:{{ fdroid_port }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}