finallycoffee/fediverse
finallycoffee/fediverse
5
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: finallycoffee:7c4169c4241c18bd19d612e3056d10a8aaba22f5
Branches Tags
finallycoffee:main
finallycoffee:transcaffeine/pixelfed
finallycoffee:transcaffeine/gotosocial
finallycoffee:0.1.1
finallycoffee:0.1.0
..
compare: finallycoffee:bbefcea786aadffd2b4ab972d1d81d8d862a11bf
Branches Tags
finallycoffee:main
finallycoffee:transcaffeine/pixelfed
finallycoffee:transcaffeine/gotosocial
finallycoffee:0.1.1
finallycoffee:0.1.0

1 Commits
7c4169c424 ... bbefcea786

Author SHA1 Message Date
Johanna Dorothea Reichmann
bbefcea786
feat(pixelfed): add ansible role 2022-02-04 16:54:41 +01:00
15 changed files with 0 additions and 1000 deletions
Show Stats Expand all files Collapse all files

3
README.md
View File

@ -9,9 +9,6 @@ available.
## Roles
- [`mastodon`](roles/mastodon/README.md): deployment using a container based
setup, able to use webfinger delegation.
## License
[CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License

24
roles/gotosocial/README.md
View File

@ -1,24 +0,0 @@
# `finallycoffee.fediverse.gotosocial` ansible role
## Configuration
### Built-in LetsEncrypt client
To use the built-in letsencrypt client, set `gotosocial_config_letsencrypt_enabled: true`.
You are required to fill in a valid administrative email address into
`gotosocial_config_letsencrypt_email_address`.
The port letsencrypt will listen on defaults to `80` and can be set using
`gotosocial_config_letsencrypt_port` (if f.ex. the container lacks the permission
to bind to ports < 1024). Note that when `gotosocial_config_letsencrypt_enabled` is
`true`, the `gotosocial_config_letsencrypt_port` will by default be mapped to
_host_ port 80 on all interfaces!
This is fine when this is the only ACME client and allows easily changing
`gotosocial_config_letsencrypt_port` without breaking any functionality,
but with multiple acme clients all performing HTTP-01 challenges, you need to manually
overwrite `gotosocial_container_ports` to fit your needs.
### Advanced configuration

130
roles/gotosocial/defaults/main.yml
View File

@ -1,130 +0,0 @@
---
gotosocial_user: "gotosocial"
gotosocial_version: 0.3.8
gotosocial_base_path: "/opt/gotosocial"
gotosocial_config_path: "{{ gotosocial_base_path }}/config"
gotosocial_template_path: "{{ gotosocial_base_path }}/templates"
gotosocial_asset_path: "{{ gotosocial_base_path }}/assets"
gotosocial_storage_path: "{{ gotosocial_base_path }}/storage"
gotosocial_cert_path: "{{ gotosocial_base_path }}/certificates"
gotosocial_config_file: "{{ gotosocial_config_path }}/config.yaml"
gotosocial_config: >-
{{ gotosocial_default_config
| combine(gotosocial_extra_config | default({}), recursive=True) }}
gotosocial_config_log_level: info
gotosocial_config_log_db_queries: false
gotosocial_config_host: social.example.party
gotosocial_config_account_domain: ~
# listening / revproxy configuration
gotosocial_config_protocol: https
gotosocial_config_bind_address: 127.0.0.1
gotosocial_config_port: 8080
gotosocial_config_trusted_proxies: []
# database configuration
gotosocial_config_db_type: postgres
gotosocial_config_db_address: ~
gotosocial_config_db_port: ~
gotosocial_config_db_user: ~
gotosocial_config_db_password: ~
gotosocial_config_db_database: gotosocial
gotosocial_config_db_tls_mode: enable
gotosocial_config_db_tls_ca_cert:
gotosocial_config_web_template_base_dir: "{{ gotosocial_template_path }}"
gotosocial_config_web_asset_base_dir: "{{ gotosocial_asset_path }}"
# instance privacy
gotosocial_config_instance_expose_peers: false
gotosocial_config_expose_suspended: false
# account config
gotosocial_config_acounts_registration_open: true
gotosocial_config_accounts_approval_required: true
gotosocial_config_accounts_reason_required: true
# media config
gotosocial_config_media_image_max_size_bytes: 2097152 #2MB
gotosocial_config_media_video_max_size_bytes: 10485760 #10MB
gotosocial_config_media_description_min_chars: 0
gotosocial_config_media_description_max_chars: 1000
gotosocial_config_media_remote_cache_days: 30
# storage for media etc
gotosocial_config_storage_backend: local
gotosocial_config_storage_local_base_path: "{{ gotosocial_storage_path }}"
# status config
gotosocial_config_statuses_max_chars: 5000
gotosocial_config_statuses_cw_max_chars: 100
gotosocial_config_statuses_poll_max_options: 6
gotosocial_config_statuses_poll_option_max_chars: 50
gotosocial_config_statuses_media_max_files: 30
# letsencrypt config
gotosocial_config_letsencrypt_enabled: false
gotosocial_config_letsencrypt_port: 80
gotosocial_config_letsencrypt_cert_dir: "{{ gotosocial_cert_path }}"
gotosocial_config_letsencrypt_email_address: ~
# oidc config
gotosocial_config_oidc_enabled: false
gotosocial_config_oidc_idp_name: ~
gotosocial_config_oidc_skip_verification: false
gotosocial_config_oidc_issuer: ~
gotosocial_config_oidc_client_id: ~
gotosocial_config_oidc_client_secret: ~
gotosocial_config_oidc_scopes:
- openid
- email
- profile
# smtp config
gotosocial_config_smtp_host: ~
gotosocial_config_smtp_port: ~
gotosocial_config_smtp_username: ~
gotosocial_config_smtp_password: ~
gotosocial_config_smtp_from: ~
# syslog config
gotosocial_config_syslog_enabled: false
gotosocial_config_syslog_protocol: udp
gotosocial_config_syslog_address: "localhost:514"
# advanced config:
gotosocial_config_advanced_cookies_samesite: lax
# container defaults
gotosocial_container_name: gotosocial
gotosocial_container_image_name: docker.io/superseriousbusiness/gotosocial
gotosocial_container_image_tag: ~
gotosocial_container_image: >-2
{{ gotosocial_container_image_name }}:{{ gotoscial_container_image_tag
| default(gotosocial_version) }}
gotosocial_container_volumes: >-2
{{ gotosocial_container_default_volumes
+ gotosocial_container_extra_volumes }}
gotosocial_container_default_volumes:
- "{{ gotosocial_config_file }}:/gotosocial/config.yaml:ro"
- "{{ gotosocial_storage_path }}:/gotosocial/storage:z"
- "{{ gotosocial_template_path }}:/gotosocial/web/templates:ro"
gotosocial_container_extra_volumes: []
gotosocial_container_env: {}
gotosocial_container_labels: {}
gotosocial_container_user: "{{ gotosocial_user }}"
gotosocial_container_etc_hosts: ~
gotosocial_container_networks: ~
gotosocial_container_purge_networks: false
gotosocial_container_restart_policy: unless-stopped
gotosocial_container_entrypoint:
- "/gotosocial/gotosocial"
- "--config-path"
- "config.yaml"
- "server"
- "start"

8
roles/gotosocial/handlers/main.yml
View File

@ -1,8 +0,0 @@
---
- name: Restart gotosocial
listen: restart-gotosocial
docker_container:
name: "{{ gotosocial_container_name }}"
state: started
restart: true

65
roles/gotosocial/tasks/main.yml
View File

@ -1,65 +0,0 @@
---
- name: Ensure user {{ gotosocial_user }} is present
user:
name: "{{ gotosocial_user }}"
system: true
state: present
register: gotosocial_user_info
- name: Ensure host directories for mounts are present
file:
path: "{{ path.name }}"
state: directory
owner: >-
{{ path.owner | default(gotosocial_user_info.uid | default(gotosocial_user)) }}
group: >-
{{ path.group | default(gotosocial_user_info.group | default(gotosocial_user)) }}
mode: "{{ path.mode | default('0750') }}"
loop:
- name: "{{ gotosocial_base_path }}"
- name: "{{ gotosocial_config_path }}"
- name: "{{ gotosocial_storage_path }}"
- name: "{{ gotosocial_template_path }}"
- name: "{{ gotosocial_asset_path }}"
mode: '0770'
loop_control:
loop_var: path
label: "{{ path.name }}"
- name: Ensure configuration is up to date
copy:
content: "{{ gotosocial_config | to_nice_yaml(indent=2, width=10000) }}"
dest: "{{ gotosocial_config_file }}"
owner: "{{ gotosocial_user_info.uid | default(gotosocial_user) }}"
group: "{{ gotosocial_user_info.group | default(gotosocial_user) }}"
mode: 0640
notify: restart-gotosocial
- name: Ensure container image is available
docker_image:
name: "{{ gotosocial_container_image }}"
state: present
source: pull
force_source: >-
{{ gotosocial_container_image_force_pull
| default(gotoscial_container_image_tag | default(true, true)) }}
register: gotosocial_container_image_pull_status
until: gotosocial_container_image_pull_status is succeeded
retries: 5
delay: 3
- name: Ensure gotosocial container named {{ gotosocial_container_name }} is running
docker_container:
name: "{{ gotosocial_container_name }}"
image: "{{ gotosocial_container_image }}"
volumes: "{{ gotosocial_container_volumes }}"
env: "{{ gotosocial_container_env | default(omit, True) }}"
ports: "{{ gotosocial_container_ports | default(omit, True) }}"
labels: "{{ gotosocial_container_labels | default(omit, True) }}"
networks: "{{ gotosocial_container_networks | default(omit, True) }}"
etc_hosts: "{{ gotosocial_container_etc_hosts | default(omit, True) }}"
purge_networks: "{{ gotosocial_container_purge_networks | default(False, True) }}"
restart_policy: "{{ gotosocial_container_restart_policy }}"
entrypoint: "{{ gotosocial_container_entrypoint }}"
state: started

59
roles/gotosocial/vars/main.yml
View File

@ -1,59 +0,0 @@
---
gotosocial_default_config:
log-level: "{{ gotosocial_config_log_level }}"
log-db-queries: "{{ gotosocial_config_log_db_queries }}"
application-name: gotosocial
host: "{{ gotosocial_config_host }}"
account-domain: "{{ gotosocial_config_account_domain }}"
protocol: "{{ gotosocial_config_protocol }}"
bind-address: "{{ gotosocial_config_bind_address }}"
port: "{{ gotosocial_config_port }}"
trusted-proxies: "{{ gotosocial_config_trusted_proxies }}"
db-type: "{{ gotosocial_config_db_type }}"
db-address: "{{ gotosocial_config_db_address }}"
db-port: "{{ gotosocial_config_db_port }}"
db-user: "{{ gotosocial_config_db_user }}"
db-password: "{{ gotosocial_config_db_password }}"
db-database: "{{ gotosocial_config_db_database }}"
db-tls-mode: "{{ gotosocial_config_db_tls_mode }}"
db-tls-ca-cert: "{{ gotosocial_config_db_tls_ca_cert }}"
web-template-base-dir: "{{ gotosocial_config_web_template_base_dir }}"
web-asset-base-dir: "{{ gotosocial_config_web_asset_base_dir }}"
instance-expose-peer: "{{ gotosocial_config_instance_expose_peers }}"
instance-expose-suspended: "{{ gotosocial_config_expose_suspended }}"
accounts-registration-open: "{{ gotosocial_config_acounts_registration_open }}"
accounts-approval-required: "{{ gotosocial_config_accounts_approval_required }}"
accounts-reason-required: "{{ gotosocial_config_accounts_reason_required }}"
media-image-max-size: "{{ gotosocial_config_media_image_max_size_bytes }}"
media-video-max-size: "{{ gotosocial_config_media_video_max_size_bytes }}"
media-description-min-chars: "{{ gotosocial_config_media_description_min_chars }}"
media-description-max-chars: "{{ gotosocial_config_media_description_max_chars }}"
media-remote-cache-days: "{{ gotosocial_config_media_remote_cache_days }}"
storage-backend: "{{ gotosocial_config_storage_backend }}"
storage-local-base-path: "{{ gotosocial_config_storage_local_base_path }}"
statuses-max-chars: "{{ gotosocial_config_statuses_max_chars }}"
statuses-cw-max-chars: "{{ gotosocial_config_statuses_cw_max_chars }}"
statuses-poll-max-options: "{{ gotosocial_config_statuses_poll_max_options }}"
statuses-poll-option-max-chars: "{{ gotosocial_config_statuses_poll_option_max_chars }}"
statuses-media-max-files: "{{ gotosocial_config_statuses_media_max_files }}"
letsencrypt-enabled: "{{ gotosocial_config_letsencrypt_enabled }}"
letsencrypt-port: "{{ gotosocial_config_letsencrypt_port }}"
letsencrypt-cert-dir: "{{ gotosocial_config_letsencrypt_cert_dir }}"
letsencrypt-email-address: "{{ gotosocial_config_letsencrypt_email_address }}"
oidc-enabled: "{{ gotosocial_config_oidc_enabled }}"
oidc-idp-name: "{{ gotosocial_config_oidc_idp_name }}"
oidc-skip-verification: "{{ gotosocial_config_oidc_skip_verification }}"
oidc-issuer: "{{ gotosocial_config_oidc_issuer }}"
oidc-client-id: "{{ gotosocial_config_oidc_client_id }}"
oidc-client-secret: "{{ gotosocial_config_oidc_client_secret }}"
oidc-scopes: "{{ gotosocial_config_oidc_scopes }}"
smtp-host: "{{ gotosocial_config_smtp_host }}"
smtp-port: "{{ gotosocial_config_smtp_port }}"
smtp-username: "{{ gotosocial_config_smtp_username }}"
smtp-password: "{{ gotosocial_config_smtp_password }}"
smtp-from: "{{ gotosocial_config_smtp_from }}"
syslog-enabled: "{{ gotosocial_config_syslog_enabled }}"
syslog-protocol: "{{ gotosocial_config_syslog_protocol }}"
syslog-address: "{{ gotosocial_config_syslog_address }}"
advanced-cookies-samesite: "{{ gotosocial_config_advanced_cookies_samesite }}"

65
roles/mastodon/README.md
View File

@ -1,65 +0,0 @@
# `finallycoffee.fediverse.mastodon` ansible role
## Overview
This role aims to automate as much as possible with running a docker container
based mastodon setup. It provides you with the streaming container, sidekiq and
web (api) as well an nginx routing the application traffic.
You need to provide a postgresql database, the redis server, optionally an
elasticsearch instance and the mail server. Roles providing components are linked,
if applicable.
### Usage
The minimum configuration could be as follows:
```yaml
mastodon_domain: finally.coffee
# Optional, if you want to host your frontend + api somewhere else
mastodon_web_domain: frontend.some.website
# you need to provide and manage the following secrets
mastodon_secret_key: very_long_secret
mastodon_otp_secret: also_very_long_secret
mastodon_vapid_public_key: check_mastodon_docs_for_this
mastodon_vapid_private_key: see_above
```
#### Database
The database configuration is as follows:
```yaml
mastodon_database_host: postgres.local
mastodon_database_port: 5432 #optional, defaults to this
mastodon_database_user: mastodont
mastodon_database_pass: hopefully_secure
mastodon_database_name: mastodon
```
For seeding the database during initial deployment, you need to set
`mastodon_seed_database: true` exactly once (when it succeeds).
### Redis
As of writing this, it seems that atleast one component of mastodon can't
deal with a password for redis, leading to the need to run redis without
authentification for all components:
```yaml
mastodon_redis_url: unix:///var/run/redis/mastodon.sock
```
#### Mail
The mail server for verifications and notifications can be configured as followed:
```yaml
mastodon_mail_server: mail.example.org
mastodon_mail_user: mailuser@mydomain.org
mastodon_mail_password: very_secure_password_for_mailing_account
```
For further Configuration, see [`defaults/main.yml`](defaults/main.yml) to
override further keys for configuration

133
roles/mastodon/defaults/main.yml
View File

@ -1,133 +0,0 @@
---
mastodon_user: mastodon
mastodon_base_path: /opt/mastodon
mastodon_domain: ~
mastodon_web_domain: ~
mastodon_version: 3.5.1
mastodon_git_upstream_url: "https://github.com/mastodon/mastodon.git"
mastodon_data_path: "{{ mastodon_base_path }}/data"
mastodon_repo_path: "{{ mastodon_base_path }}/src"
mastodon_config_path: "{{ mastodon_base_path }}/config"
mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
mastodon_container_bind_ip: "127.0.0.1"
mastodon_streaming_backend: "{{ mastodon_container_bind_ip }}:4000"
mastodon_api_backend: "{{ mastodon_container_bind_ip }}:3000"
mastodon_backend: "{{ mastodon_container_bind_ip }}:5000"
mastodon_container_name: mastodon
mastodon_container_name_sidekiq: "{{ mastodon_container_name }}_sidekiq"
mastodon_container_name_streaming: "{{ mastodon_container_name }}_streaming"
mastodon_container_image_name: "tootsuite/mastodon"
mastodon_container_image_tag: "v{{ mastodon_version }}"
mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_container_image_tag }}"
mastodon_container_networks:
- name: "{{ mastodon_container_network_name }}"
mastodon_container_base_volumes_streaming:
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
- "{{ mastodon_config_group_file }}:/etc/group:ro"
mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
mastodon_container_volumes_streaming: >-
{{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
mastodon_container_base_volumes_sidekiq:
- "{{ mastodon_repo_path }}/public/system:/mastodon/public/system:ro"
mastodon_container_extra_volumes_sidekiq: "{{ mastodon_container_extra_volumes }}"
mastodon_container_volumes_sidekiq: >-
{{ mastodon_container_base_volumes_sidekiq + mastodon_container_extra_volumes_sidekiq }}
mastodon_container_base_volumes:
- "{{ mastodon_repo_path }}/public:/mastodon/public:z"
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
- "{{ mastodon_config_group_file }}:/etc/group:ro"
mastodon_container_extra_volumes: []
mastodon_container_volumes: >-
{{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
mastodon_container_ports_streaming:
- "{{ mastodon_streaming_backend }}:4000"
mastodon_container_ports:
- "{{ mastodon_api_backend }}:3000"
mastodon_container_restart_policy: unless-stopped
mastodon_nginx_version: 1.21.6
mastodon_nginx_server_name: "{{ mastodon_domain }}"
mastodon_container_nginx_name: "{{ mastodon_container_name }}_nginx"
mastodon_container_nginx_image_name: docker.io/library/nginx
mastodon_container_nginx_image_tag: ~
mastodon_container_nginx_image_flavour: alpine
mastodon_container_nginx_image: >-2
{{ mastodon_container_nginx_image_name }}:{{ mastodon_container_nginx_image_tag
| default(mastodon_nginx_version + ('-' + mastodon_container_nginx_image_flavour if mastodon_container_nginx_image_flavour else ''), True) }}
mastodon_container_nginx_working_directory: "/var/www/mastodon"
mastodon_container_nginx_cache_directory: "/var/cache/nginx"
mastodon_container_volumes_nginx:
- "{{ mastodon_nginx_config_file }}:/etc/nginx/conf.d/default.conf:ro"
- "{{ mastodon_repo_path }}/public:{{ mastodon_container_nginx_working_directory }}:ro"
- "{{ mastodon_nginx_cache_path }}:{{ mastodon_container_nginx_cache_directory }}:z"
mastodon_container_network_name: mastodon
mastodon_secret_key: ~
mastodon_otp_secret: ~
mastodon_vapid_public_key: ~
mastodon_vapid_private_key: ~
mastodon_redis_host: ~
mastodon_redis_port: ~
mastodon_redis_url: ~
mastodon_redis_password: ~
mastodon_redis_db_index: ~
mastodon_database_host: localhost
mastodon_database_port: 5432
mastodon_database_user: mastodon
mastodon_database_pass: ~
mastodon_database_name: mastodon
mastodon_mail_server: ~
mastodon_mail_port: 587
mastodon_mail_user: ~
mastodon_mail_password: ~
mastodon_mail_from_address: "notifications@{{ mastodon_domain }}"
mastodon_elasticsearch_enabled: false
mastodon_elasticsearch_host: ~
mastodon_elasticsearch_port: ~
mastodon_elasticsearch_user: ~
mastodon_elasticsearch_pass: ~
mastodon_s3_enabled: false
mastodon_s3_bucket: ~
mastodon_s3_aws_access_key_id: ~
mastodon_s3_aws_secret_access_key: ~
mastodon_s3_alias_host: ~
mastodon_oidc_enabled: false
mastodon_oidc_issuer_url: ~
mastodon_oidc_discovery: true
mastodon_oidc_scope: openid,profile
mastodon_oidc_client_id: ~
mastodon_oidc_client_secret: ~
mastodon_oidc_client_auth_method: basic
mastodon_oidc_response_mode: query
mastodon_oidc_response_type: code
mastodon_oidc_prompt: ~
mastodon_oidc_display_name: My IDP
mastodon_oidc_auth_endpoint: ~
mastodon_oidc_token_endpoint: ~
mastodon_oidc_user_info_endpoint: ~
mastodon_oidc_end_session_endpoint: ~
mastodon_oidc_jwks_uri:
mastodon_oidc_redirect_uri:
mastodon_oidc_idp_logout_redirect_uri: ~
mastodon_oidc_uid_field: preferred_username
mastodon_oidc_security_assume_email_is_verified: false

33
roles/mastodon/handlers/main.yml
View File

@ -1,33 +0,0 @@
---
- name: Restart mastodon sidekiq
docker_container:
name: "{{ mastodon_container_name_sidekiq }}"
state: started
restart: true
listen:
- restart-mastodon
- restart-mastodon-sidekiq
- name: Restart mastodon streaming
docker_container:
name: "{{ mastodon_container_name_streaming }}"
state: started
restart: true
listen:
- restart-mastodon
- restart-mastodon-streaming
- name: Restart mastodon web
docker_container:
name: "{{ mastodon_container_name }}"
state: started
restart: true
listen: restart-mastodon
- name: Restart mastodon nginx
docker_container:
name: "{{ mastodon_container_nginx_name }}"
state: started
restart: true
listen: restart-mastodon-nginx

198
roles/mastodon/tasks/main.yml
View File

@ -1,198 +0,0 @@
---
- name: Ensure mastodon user '{{ mastodon_user }}' exists
user:
name: "{{ mastodon_user }}"
state: present
system: true
register: mastodon_user_info
- name: Ensure host directories are present
file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner | default(mastodon_user) }}"
group: "{{ item.group | default(mastodon_user) }}"
mode: "{{ item.mode | default('0750') }}"
loop:
- path: "{{ mastodon_base_path }}"
mode: '0755'
- path: "{{ mastodon_config_path }}"
- path: "{{ mastodon_data_path }}"
- path: "{{ mastodon_repo_path }}"
mode: '0700'
- path: "{{ mastodon_nginx_config_path }}"
- path: "{{ mastodon_nginx_cache_path }}"
loop_control: { label: "{{ item.path }}" }
- name: Ensure environment file is templated
template:
src: env.j2
dest: "{{ mastodon_config_env_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0640"
notify: restart-mastodon
- name: Ensure reverse proxy configuration is templated
template:
src: nginx.conf.j2
dest: "{{ mastodon_nginx_config_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0640"
notify: restart-mastodon-nginx
- name: Ensure fake passwd file is templated
template:
src: passwd.j2
dest: "{{ mastodon_config_passwd_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0644"
notify: restart-mastodon
- name: Ensure fake passwd file is templated
template:
src: group.j2
dest: "{{ mastodon_config_group_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0644"
notify: restart-mastodon
- name: Ensure mastodon git repository is present and up-to-date
git:
repo: "{{ mastodon_git_upstream_url }}"
dest: "{{ mastodon_repo_path }}"
refspec: "v{{ mastodon_version }}"
version: "v{{ mastodon_version }}"
force: no
recursive: yes
track_submodules: yes
become: yes
become_user: "{{ mastodon_user }}"
register: git_repo_info
- name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
file:
path: "{{ mastodon_repo_path }}"
state: directory
recurse: yes
owner: "{{ mastodon_user }}"
group: "{{ mastodon_user }}"
- name: Ensure docker network for backend communication is created
docker_network:
name: "{{ mastodon_container_network_name }}"
state: present
- name: Ensure mastodon docker image is built
docker_image:
name: "{{ mastodon_container_image_name }}"
tag: "{{ mastodon_container_image_tag }}"
state: present
source: build
build:
path: "{{ mastodon_repo_path }}"
args:
UID: "{{ mastodon_user_info.uid }}"
GID: "{{ mastodon_user_info.group }}"
when: git_repo_info.before != git_repo_info.after
- name: Ensure nginx reverse proxy image is present
docker_image:
name: "{{ mastodon_container_nginx_image }}"
state: present
source: pull
force_source: "{{ mastodon_container_nginx_image_tag|default(false, true) | bool }}"
register: masto_nginx_pull
until: masto_nginx_pull is succeeded
retries: 5
delay: 3
- name: Ensure database is seeded
docker_container:
name: "{{ mastodon_container_name }}_setup_db"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes }}"
env_file: "{{ mastodon_config_env_file }}"
command: "bash -c \"bundle exec rails db:setup\""
tty: yes
interactive: yes
detach: no
cleanup: yes
when: mastodon_seed_database|default(false, true)
- name: Ensure mastodon sidekiq container '{{ mastodon_container_name_sidekiq }}' is running
docker_container:
name: "{{ mastodon_container_name_sidekiq }}"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes_sidekiq }}"
env_file: "{{ mastodon_config_env_file }}"
command: "bundle exec sidekiq"
restart_policy: "{{ mastodon_container_restart_policy }}"
healthcheck:
test: ["CMD-SHELL", "ps aux | grep '[s]idekiq\ 6' || false"]
interval: 5s
retries: 3
start_period: 0s
timeout: 5s
- name: Ensure mastodon streaming container '{{ mastodon_container_name_streaming }}' is running
docker_container:
name: "{{ mastodon_container_name_streaming }}"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes_streaming }}"
env_file: "{{ mastodon_config_env_file }}"
command: "node ./streaming"
restart_policy: "{{ mastodon_container_restart_policy }}"
ports: "{{ mastodon_container_ports_streaming }}"
user: "{{ mastodon_user }}"
healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
interval: 5s
retries: 3
start_period: 0s
timeout: 5s
- name: Ensure mastodon container '{{ mastodon_container_name }}' is running
docker_container:
name: "{{ mastodon_container_name }}"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes }}"
env_file: "{{ mastodon_config_env_file }}"
command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
restart_policy: "{{ mastodon_container_restart_policy }}"
ports: "{{ mastodon_container_ports }}"
user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
interval: 5s
retries: 3
start_period: 0s
timeout: 5s
- name: Ensure container paths belong to the mastodon user
community.docker.docker_container_exec:
container: "{{ mastodon_container_name }}"
command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
user: "0"
- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
docker_container:
name: "{{ mastodon_container_nginx_name }}"
image: "{{ mastodon_container_nginx_image }}"
network_mode: host
volumes: "{{ mastodon_container_volumes_nginx }}"
restart_policy: "{{ mastodon_container_restart_policy }}"
- name: Ensure assets are precompiled
community.docker.docker_container_exec:
container: "{{ mastodon_container_name }}"
command: "bundle exec rails assets:precompile"
when: git_repo_info.before != git_repo_info.after

128
roles/mastodon/templates/env.j2
View File

@ -1,128 +0,0 @@
# This is a sample configuration file. You can generate your configuration
# with the `rake mastodon:setup` interactive setup wizard, but to customize
# your setup even further, you'll need to edit it manually. This sample does
# not demonstrate all available configuration options. Please look at
# https://docs.joinmastodon.org/admin/config/ for the full documentation.
# Note that this file accepts slightly different syntax depending on whether
# you are using `docker-compose` or not. In particular, if you use
# `docker-compose`, the value of each declared variable will be taken verbatim,
# including surrounding quotes.
# See: https://github.com/mastodon/mastodon/issues/16895
# Federation
# ----------
# This identifies your server and cannot be changed safely later
# ----------
LOCAL_DOMAIN={{ mastodon_domain }}
{% if mastodon_web_domain|default(false, true) %}
WEB_DOMAIN={{ mastodon_web_domain }}
{% endif %}
# Redis
# -----
{% if mastodon_redis_host|default(false, true) %}
REDIS_HOST={{ mastodon_redis_host }}
{% endif %}
{% if mastodon_redis_port|default(false, true) %}
REDIS_PORT={{ mastodon_redis_port }}
{% endif %}
{% if mastodon_redis_url %}
REDIS_URL={{ mastodon_redis_url }}
{% endif %}
{% if mastodon_redis_password %}
REDIS_PASSWORD={{ mastodon_redis_password }}
{% endif %}
{% if mastodon_redis_db_index %}
REDIS_DB_INDEX={{ mastodon_redis_db_index }}
{% endif %}
# PostgreSQL
# ----------
DB_HOST={{ mastodon_database_host }}
DB_USER={{ mastodon_database_user }}
DB_NAME={{ mastodon_database_name }}
DB_PASS={{ mastodon_database_pass }}
DB_PORT={{ mastodon_database_port }}
# Elasticsearch (optional)
# ------------------------
ES_ENABLED={{ mastodon_elasticsearch_enabled }}
ES_HOST={{ mastodon_elasticsearch_host }}
ES_PORT={{ mastodon_elasticsearch_port }}
# Authentication for ES (optional)
{% if mastodon_elasticsearch_user %}
ES_USER={{ mastodon_elasticsearch_user }}
{% endif %}
{% if mastodon_elasticsearch_pass %}
ES_PASS={{ mastodon_elasticsearch_pass }}
{% endif %}
# Secrets
# -------
# Make sure to use `rake secret` to generate secrets
# -------
SECRET_KEY_BASE={{ mastodon_secret_key }}
OTP_SECRET={{ mastodon_otp_secret }}
# Web Push
# --------
# Generate with `rake mastodon:webpush:generate_vapid_key`
# --------
VAPID_PRIVATE_KEY={{ mastodon_vapid_private_key }}
VAPID_PUBLIC_KEY={{ mastodon_vapid_public_key }}
# Sending mail
# ------------
SMTP_SERVER={{ mastodon_mail_server }}
SMTP_PORT={{ mastodon_mail_port }}
SMTP_LOGIN={{ mastodon_mail_user }}
SMTP_PASSWORD={{ mastodon_mail_password }}
SMTP_FROM_ADDRESS={{ mastodon_mail_from_address }}
# File storage (optional)
# -----------------------
S3_ENABLED={{ mastodon_s3_enabled }}
S3_BUCKET={{ mastodon_s3_bucket }}
AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
S3_ALIAS_HOST={{ mastodon_s3_alias_host }}
# OpenId connect (optional)
OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
OIDC_SCOPE={{ mastodon_oidc_scope }}
{% if mastodon_oidc_auth_endpoint %}
OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
{% endif %}
{% if mastodon_oidc_token_endpoint %}
OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
{% endif %}
{% if mastodon_oidc_user_info_endpoint %}
OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
{% endif %}
{% if mastodon_oidc_end_session_endpoint %}
OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
{% endif %}
{% if mastodon_oidc_jwks_uri %}
OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
{% endif %}
{% if mastodon_oidc_redirect_uri %}
OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
{% endif %}
{% if mastodon_oidc_idp_logout_redirect_uri %}
OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
{% endif %}
OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
{% if mastodon_oidc_response_mode %}
OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
{% endif %}
{% if mastodon_oidc_response_type %}
OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
{% endif %}
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}

40
roles/mastodon/templates/group.j2
View File

@ -1,40 +0,0 @@
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:

94
roles/mastodon/templates/nginx.conf.j2
View File

@ -1,94 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream backend {
server {{ mastodon_api_backend }} fail_timeout=0;
}
upstream streaming {
server {{ mastodon_streaming_backend }} fail_timeout=0;
}
proxy_cache_path {{ mastodon_container_nginx_cache_directory }} levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g;
server {
listen {{ mastodon_backend }};
server_name {{ mastodon_nginx_server_name }};
keepalive_timeout 70;
sendfile on;
client_max_body_size 200m;
root {{ mastodon_container_nginx_working_directory }};
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
location / {
try_files $uri @proxy;
}
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
add_header Cache-Control "public, max-age=31536000, immutable";
add_header Strict-Transport-Security "max-age=31536000" always;
try_files $uri @proxy;
}
location /sw.js {
add_header Cache-Control "public, max-age=0";
add_header Strict-Transport-Security "max-age=31536000" always;
try_files $uri @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://backend;
proxy_buffering on;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache CACHE;
proxy_cache_valid 200 7d;
proxy_cache_valid 410 24h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cached $upstream_cache_status;
add_header Strict-Transport-Security "max-age=31536000" always;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass http://streaming;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
error_page 500 501 502 503 504 /500.html;
}

20
roles/mastodon/templates/passwd.j2
View File

@ -1,20 +0,0 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh

0
roles/mastodon/vars/main.yml
View File