NOTE: I will be removing the PSQL portion of the Docker config and using my own PSQL installation, that's on a different server. Refer to the official docs to see how to use the PSQL Docker image.
NOTE: I will be installing NGINX on my host machine to do SSL termination between the host and my reverse proxy. (Not really necessary since it's all internal communications, but "best practices".)
Create a new user
CREATE USER ttrss WITH PASSWORD '*************';
Create a new database
CREATE DATABASE ttrss;
Grant privileges to the new user on the new database
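-- Database-level privileges cover CONNECT, TEMPORARY and creating new schemas only.
-- On PostgreSQL 15 and later, ordinary roles can no longer create tables in the
-- "public" schema, so the grant alone is not enough for the application to build
-- its tables. Owning the database gives ttrss that right without superuser.
GRANT ALL PRIVILEGES ON DATABASE ttrss TO ttrss;
ALTER DATABASE ttrss OWNER TO ttrss;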
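Modify the /etc/postgresql/15/main/pg_hba.conf file to allow TT RSS to access the new database from its respective network host. Place your config at the bottom of the file; entries are matched top to bottom and the first match wins, so check that no earlier line already covers this host.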
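# scram-sha-256 replaces md5: the stored verifier and the login exchange are salted,
# so neither is a reusable MD5 hash. It requires the role's password to be stored as
# SCRAM (password_encryption = scram-sha-256, the default since PostgreSQL 14).
# "host" also matches unencrypted connections; use "hostssl" to accept this client
# over TLS only, provided the server runs with ssl = on.
host ttrss ttrss 10.0.0.61/32 scram-sha-256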
Restart PSQL
systemctl restart postgresql.service
Install
apt install nginx
Create a new config file for TTRSS
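bash -c "cat > /etc/nginx/sites-available/ttrss.conf" <<'EOF'
# TLS front end for the TT-RSS web container, which publishes plain HTTP on 127.0.0.1:8280.
server {
    server_name tt-rss.int.example.com;
    listen 443 http2 ssl;

    # Pin the accepted protocol versions here instead of inheriting whatever the
    # distribution's nginx.conf allows (which may still include TLS 1.0/1.1).
    ssl_protocols TLSv1.2 TLSv1.3;

    # The private key should be readable by root only (mode 0600).
    ssl_certificate /etc/ssl/private/tt-rss.crt;
    ssl_certificate_key /etc/ssl/private/tt-rss.key;

    location / {
        proxy_pass http://127.0.0.1:8280/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For is overwritten rather than appended, so a value supplied by
        # the client is discarded. Behind another reverse proxy, $remote_addr is that
        # proxy's address, not the end user's.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NOTE(review): max-age=0 tells browsers to forget any HSTS policy for this
        # host, so this header gives no downgrade protection. If clients trust the
        # certificate, use a non-zero max-age; otherwise drop the header.
        add_header Strict-Transport-Security "max-age=0;";
    }
}
EOF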
Link the new NGINX config to the enabled site's directory
ln -s /etc/nginx/sites-available/ttrss.conf /etc/nginx/sites-enabled/ttrss.conf
Remove the default config
rm /etc/nginx/sites-enabled/default
Restart NGINX to apply your changes
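# Check the configuration first: a restart with a broken config stops the listener.
nginx -t && systemctl restart nginx.service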
Create a new installation directory
mkdir /opt/ttrss && \
cd /opt/ttrss/
Create a .env file. Modify the TTRSS_DB_* variables to fit your environment.
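# This file holds the database password, so create it owner-only rather than with
# the default umask (which normally leaves new files world-readable).
bash -c "umask 077 && cat > /opt/ttrss/.env" <<'EOF'
# Put any local modifications here.
# Run FPM under this UID/GID.
# OWNER_UID=1000
# OWNER_GID=1000
# FPM settings.
#PHP_WORKER_MAX_CHILDREN=5
#PHP_WORKER_MEMORY_LIMIT=256M
# ADMIN_USER_* settings are applied on every startup.
# Set admin user password to this value. If not set, random password
# will be generated on startup, look for it in the 'app' container logs.
#ADMIN_USER_PASS=
# Sets admin user access level to this value. Valid values:
# -2 - forbidden to login
# -1 - readonly
# 0 - default user
# 10 - admin
#ADMIN_USER_ACCESS_LEVEL=
# Auto create another user (in addition to built-in admin) unless it already exists.
#AUTO_CREATE_USER=
#AUTO_CREATE_USER_PASS=
#AUTO_CREATE_USER_ACCESS_LEVEL=0
# Default database credentials.
TTRSS_DB_HOST=db-1.example.com
TTRSS_DB_USER=ttrss
TTRSS_DB_NAME=ttrss
TTRSS_DB_PASS=**************
# You can customize other config.php defines by setting overrides here.
# See tt-rss/.docker/app/Dockerfile for a complete list.
# You probably shouldn't disable auth_internal unless you know what you're doing.
# TTRSS_PLUGINS=auth_internal,auth_remote
# TTRSS_SINGLE_USER_MODE=true
# TTRSS_SESSION_COOKIE_LIFETIME=2592000
# TTRSS_FORCE_ARTICLE_PURGE=30
# ...
# Bind exposed port to 127.0.0.1 to run behind reverse proxy on the same host.
# If you plan to expose the container, remove "127.0.0.1:".
HTTP_PORT=127.0.0.1:8280
#HTTP_PORT=8280
EOF
# umask does not tighten a file that already existed, so set the mode explicitly too.
chmod 600 /opt/ttrss/.env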
Create a docker-compose.yaml file
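# Writes the compose file for the three TT-RSS containers (app, updater, web-nginx).
# The quoted 'EOF' keeps the shell from expanding ${HTTP_PORT}; Compose substitutes
# it from /opt/ttrss/.env when the project is started from that directory.
bash -c "cat > /opt/ttrss/docker-compose.yaml" <<'EOF'
services:
  # PHP-FPM application container.
  app:
    # ":latest" is a mutable tag: every pull may bring in different code. Pin a
    # specific tag or image digest if updates should be deliberate and reviewable.
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    restart: unless-stopped
    env_file:
      - .env
    volumes:
      - app:/var/www/html
      - ./config.d:/opt/tt-rss/config.d:ro

  # Same image as "app", started with the updater script instead.
  updater:
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    restart: unless-stopped
    env_file:
      - .env
    volumes:
      - app:/var/www/html
      - ./config.d:/opt/tt-rss/config.d:ro
    depends_on:
      - app
    command: /opt/tt-rss/updater.sh

  # Front-end web server; the only service that publishes a port.
  web-nginx:
    image: cthulhoo/ttrss-web-nginx:latest
    restart: unless-stopped
    # NOTE(review): this hands the whole .env, including TTRSS_DB_PASS, to the web
    # container as well - confirm whether this container needs any of it.
    env_file:
      - .env
    ports:
      # Quoted so the expanded "127.0.0.1:8280:80" is always read as a string.
      - "${HTTP_PORT}:80"
    volumes:
      # The web container mounts the application files read-only.
      - app:/var/www/html:ro
    depends_on:
      - app

volumes:
  app:
EOF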