diff --git a/fresh-rss/.gitignore b/fresh-rss/.gitignore
new file mode 100644
index 0000000..35f3568
--- /dev/null
+++ b/fresh-rss/.gitignore
@@ -0,0 +1,164 @@
+
+# Created by https://www.gitignore.io/api/macos,python,ansible
+# Edit at https://www.gitignore.io/?templates=macos,python,ansible
+
+### Ansible ###
+*.retry
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Python ###
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+# However, in case of collaboration, if having platform-specific dependencies or dependencies
+# having no cross-platform support, pipenv may install dependencies that don’t work, or not
+# install all needed dependencies.
+#Pipfile.lock
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# Downloaded files
+root@*
+
+# End of https://www.gitignore.io/api/macos,python,ansible
\ No newline at end of file
diff --git a/fresh-rss/.idea/.gitignore b/fresh-rss/.idea/.gitignore
new file mode 100644
index 0000000..13566b8
--- /dev/null
+++ b/fresh-rss/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/fresh-rss/.idea/fresh-rss.iml b/fresh-rss/.idea/fresh-rss.iml
new file mode 100644
index 0000000..0ba1722
--- /dev/null
+++ b/fresh-rss/.idea/fresh-rss.iml
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/fresh-rss/.idea/inspectionProfiles/profiles_settings.xml b/fresh-rss/.idea/inspectionProfiles/profiles_settings.xml
new file mode 100644
index 0000000..105ce2d
--- /dev/null
+++ b/fresh-rss/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/fresh-rss/.idea/misc.xml b/fresh-rss/.idea/misc.xml
new file mode 100644
index 0000000..0c3960c
--- /dev/null
+++ b/fresh-rss/.idea/misc.xml
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/fresh-rss/.idea/modules.xml b/fresh-rss/.idea/modules.xml
new file mode 100644
index 0000000..4e76cf9
--- /dev/null
+++ b/fresh-rss/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/fresh-rss/.idea/vcs.xml b/fresh-rss/.idea/vcs.xml
new file mode 100644
index 0000000..6c0b863
--- /dev/null
+++ b/fresh-rss/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/fresh-rss/Makefile b/fresh-rss/Makefile
new file mode 100644
index 0000000..0789436
--- /dev/null
+++ b/fresh-rss/Makefile
@@ -0,0 +1,9 @@
+install:
+ sudo dnf install ansible
+ ansible-galaxy collection install community.general
+ ansible-galaxy collection install containers.podman
+ ansible-galaxy collection install ansible.posix
+list-hosts:
+ ansible-inventory -i inventory.ini --list
+run:
+ ansible-playbook -i inventory.ini playbook.yaml --ask-become-pass
diff --git a/fresh-rss/inventory.ini b/fresh-rss/inventory.ini
new file mode 100644
index 0000000..b55c7de
--- /dev/null
+++ b/fresh-rss/inventory.ini
@@ -0,0 +1,5 @@
+[nuculabs]
+my-linux.box ansible_user=ansible
+
+[local]
+localhost
\ No newline at end of file
diff --git a/fresh-rss/playbook.yaml b/fresh-rss/playbook.yaml
new file mode 100644
index 0000000..1d944a8
--- /dev/null
+++ b/fresh-rss/playbook.yaml
@@ -0,0 +1,100 @@
+- name: Install FreshRSS
+ hosts: nuculabs
+ become: true
+ become_method: sudo
+ vars_files:
+ - variables.yaml
+ tasks:
+ # Create necessary directories.
+ - name: "Create directories"
+ block:
+ - name: Create base directory
+ ansible.builtin.file:
+ path: "{{ fresh_rss.base_directory }}"
+ state: directory
+ mode: "0755"
+ ignore_errors: true
+ - name: Create data directory
+ ansible.builtin.file:
+ path: "{{ fresh_rss.base_directory }}/{{ fresh_rss.data_directory }}"
+ state: directory
+ mode: "0755"
+ ignore_errors: true
+ - name: Create extensions directory
+ ansible.builtin.file:
+ path: "{{ fresh_rss.base_directory }}/{{ fresh_rss.extensions_directory }}"
+ state: directory
+ mode: "0755"
+ ignore_errors: true
+ - name: Setup SELinux
+ block:
+ - name: Ensure Udica is installed
+ ansible.builtin.package:
+ name: udica
+ state: present
+ - name: Ensure container-selinux is installed
+ ansible.builtin.package:
+ name: container-selinux
+ state: present
+ - name: Copy freshrss cil
+ ansible.builtin.copy:
+ src: ./templates/selinux/freshrss.cil
+ dest: /tmp/freshrss.cil
+ mode: "0644"
+ - name: Load freshrss CIL policy
+ ansible.builtin.command:
+ argv:
+ - semodule
+ - -i
+ - /tmp/freshrss.cil
+ - /usr/share/udica/templates/base_container.cil
+ - /usr/share/udica/templates/net_container.cil
+ when: setup_selinux
+ - name: Setup Container
+ block:
+ - name: Ensure Podman is installed
+ ansible.builtin.package:
+ name: podman
+ state: present
+ - name: Pull image
+ containers.podman.podman_image:
+ name: "{{ fresh_rss.container_image }}"
+ state: present
+ - name: "Copy container"
+ ansible.builtin.template:
+ src: ./templates/container/freshrss.container.j2
+ dest: /etc/containers/systemd/freshrss.container
+ mode: "0644"
+ - name: Reload systemd
+ ansible.builtin.command:
+ cmd: systemctl daemon-reload
+ - name: Stop service
+ ansible.builtin.systemd_service:
+ name: freshrss.service
+ state: stopped
+ enabled: true
+ - name: Enable service
+ ansible.builtin.systemd_service:
+ name: freshrss.service
+ state: started
+ enabled: true
+ - name: Setup firewall
+ block:
+ - name: Create firewalld service
+ ansible.builtin.template:
+ src: ./templates/firewall/freshrss.xml.j2
+ dest: /etc/firewalld/services/freshrss.xml
+ mode: "0644"
+ - name: Reload firewalld
+ ansible.builtin.command:
+ argv:
+ - firewall-cmd
+ - --reload
+ - name: Enable firewalld service
+ ansible.posix.firewalld:
+ service: freshrss
+ state: enabled
+ permanent: true
+ immediate: true
+ offline: true
+ when: setup_firewall
diff --git a/fresh-rss/readme.md b/fresh-rss/readme.md
new file mode 100644
index 0000000..e9c93ca
--- /dev/null
+++ b/fresh-rss/readme.md
@@ -0,0 +1,9 @@
+# Self Hosted FreshRSS server
+
+This playbook allows you to self-host a FreshRSS sever with podman containers and systemd Quadlets.
+
+It was tested on Fedora 41.
+
+References:
+- https://github.com/FreshRSS/FreshRSS/tree/edge
+- https://github.com/FreshRSS/FreshRSS/tree/edge/Docker
\ No newline at end of file
diff --git a/fresh-rss/templates/container/freshrss.container.j2 b/fresh-rss/templates/container/freshrss.container.j2
new file mode 100644
index 0000000..1c94fd6
--- /dev/null
+++ b/fresh-rss/templates/container/freshrss.container.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description=freshrss
+
+[Container]
+Image={{ fresh_rss.container_image }}
+AutoUpdate=registry
+PublishPort={{ fresh_rss.port }}:80/tcp
+Volume={{ fresh_rss.base_directory }}/{{ fresh_rss.data_directory }}:/var/www/FreshRSS/data:Z
+Volume={{ fresh_rss.base_directory }}/{{ fresh_rss.extensions_directory }}:/var/www/FreshRSS/extensions:Z
+Environment=CRON_MIN={{ fresh_rss.cron_min }}
+SecurityLabelType=freshrss.process
+
+
+[Service]
+# Inform systemd of additional exit status
+SuccessExitStatus=0 143
+
+[Install]
+# Start by default on boot
+WantedBy=default.target
\ No newline at end of file
diff --git a/fresh-rss/templates/firewall/freshrss.xml.j2 b/fresh-rss/templates/firewall/freshrss.xml.j2
new file mode 100644
index 0000000..ce63340
--- /dev/null
+++ b/fresh-rss/templates/firewall/freshrss.xml.j2
@@ -0,0 +1,6 @@
+
+
+ FreshRSS Service
+ A free, self-hostable news aggregator.
+
+
diff --git a/fresh-rss/templates/selinux/freshrss.cil b/fresh-rss/templates/selinux/freshrss.cil
new file mode 100644
index 0000000..eb5695c
--- /dev/null
+++ b/fresh-rss/templates/selinux/freshrss.cil
@@ -0,0 +1,8 @@
+(block freshrss
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+
+ (allow process default_t (dir (setattr add_name write create)))
+ (allow process default_t (file (create)))
+ (allow process http_port_t (tcp_socket (name_bind)))
+)
diff --git a/fresh-rss/variables.yaml b/fresh-rss/variables.yaml
new file mode 100644
index 0000000..66557ae
--- /dev/null
+++ b/fresh-rss/variables.yaml
@@ -0,0 +1,9 @@
+setup_selinux: true
+setup_firewall: true # exposes the firewall ports
+fresh_rss:
+ port: 8080
+ cron_min: "*,45"
+ container_image: "docker.io/freshrss/freshrss:1.25.0"
+ base_directory: "/fresh_rss"
+ data_directory: "data"
+ extensions_directory: "extensions"
\ No newline at end of file