feat(pixelfed): add ansible role

README.md

@@ -9,6 +9,9 @@ available.
 
 ## Roles
 
+- [`mastodon`](roles/mastodon/README.md): deployment using a container based
+  setup, able to use webfinger delegation.
+
 ## License
 
 [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License

roles/gotosocial/README.md

@@ -0,0 +1,24 @@
+# `finallycoffee.fediverse.gotosocial` ansible role
+
+
+## Configuration
+
+### Built-in LetsEncrypt client
+
+To use the built-in letsencrypt client, set `gotosocial_config_letsencrypt_enabled: true`.
+
+You are required to fill in a valid administrative email address into
+`gotosocial_config_letsencrypt_email_address`.
+
+The port letsencrypt will listen on defaults to `80` and can be set using
+`gotosocial_config_letsencrypt_port` (if f.ex. the container lacks the permission
+to bind to ports < 1024). Note that when `gotosocial_config_letsencrypt_enabled` is
+`true`, the `gotosocial_config_letsencrypt_port` will by default be mapped to
+_host_ port 80 on all interfaces!
+
+This is fine when this is the only ACME client and allows easily changing
+`gotosocial_config_letsencrypt_port` without breaking any functionality,
+but with multiple acme clients all performing HTTP-01 challenges, you need to manually
+overwrite `gotosocial_container_ports` to fit your needs.
+
+### Advanced configuration

roles/gotosocial/defaults/main.yml

@@ -0,0 +1,130 @@
+---
+
+gotosocial_user: "gotosocial"
+gotosocial_version: 0.3.8
+gotosocial_base_path: "/opt/gotosocial"
+gotosocial_config_path: "{{ gotosocial_base_path }}/config"
+gotosocial_template_path: "{{ gotosocial_base_path }}/templates"
+gotosocial_asset_path: "{{ gotosocial_base_path }}/assets"
+gotosocial_storage_path: "{{ gotosocial_base_path }}/storage"
+gotosocial_cert_path: "{{ gotosocial_base_path }}/certificates"
+gotosocial_config_file: "{{ gotosocial_config_path }}/config.yaml"
+
+gotosocial_config: >-
+  {{ gotosocial_default_config
+  | combine(gotosocial_extra_config | default({}), recursive=True) }}
+
+gotosocial_config_log_level: info
+gotosocial_config_log_db_queries: false
+gotosocial_config_host: social.example.party
+gotosocial_config_account_domain: ~
+
+# listening / revproxy configuration
+gotosocial_config_protocol: https
+gotosocial_config_bind_address: 127.0.0.1
+gotosocial_config_port: 8080
+gotosocial_config_trusted_proxies: []
+
+# database configuration
+gotosocial_config_db_type: postgres
+gotosocial_config_db_address: ~
+gotosocial_config_db_port: ~
+gotosocial_config_db_user: ~
+gotosocial_config_db_password: ~
+gotosocial_config_db_database: gotosocial
+gotosocial_config_db_tls_mode: enable
+gotosocial_config_db_tls_ca_cert:
+
+gotosocial_config_web_template_base_dir: "{{ gotosocial_template_path }}"
+gotosocial_config_web_asset_base_dir: "{{ gotosocial_asset_path }}"
+
+# instance privacy
+gotosocial_config_instance_expose_peers: false
+gotosocial_config_expose_suspended: false
+
+# account config
+gotosocial_config_acounts_registration_open: true
+gotosocial_config_accounts_approval_required: true
+gotosocial_config_accounts_reason_required: true
+
+# media config
+gotosocial_config_media_image_max_size_bytes: 2097152 #2MB
+gotosocial_config_media_video_max_size_bytes: 10485760 #10MB
+gotosocial_config_media_description_min_chars: 0
+gotosocial_config_media_description_max_chars: 1000
+gotosocial_config_media_remote_cache_days: 30
+
+# storage for media etc
+gotosocial_config_storage_backend: local
+gotosocial_config_storage_local_base_path: "{{ gotosocial_storage_path }}"
+
+# status config
+gotosocial_config_statuses_max_chars: 5000
+gotosocial_config_statuses_cw_max_chars: 100
+gotosocial_config_statuses_poll_max_options: 6
+gotosocial_config_statuses_poll_option_max_chars: 50
+gotosocial_config_statuses_media_max_files: 30
+
+# letsencrypt config
+gotosocial_config_letsencrypt_enabled: false
+gotosocial_config_letsencrypt_port: 80
+gotosocial_config_letsencrypt_cert_dir: "{{ gotosocial_cert_path }}"
+gotosocial_config_letsencrypt_email_address: ~
+
+# oidc config
+gotosocial_config_oidc_enabled: false
+gotosocial_config_oidc_idp_name: ~
+gotosocial_config_oidc_skip_verification: false
+gotosocial_config_oidc_issuer: ~
+gotosocial_config_oidc_client_id: ~
+gotosocial_config_oidc_client_secret: ~
+gotosocial_config_oidc_scopes:
+  - openid
+  - email
+  - profile
+
+# smtp config
+gotosocial_config_smtp_host: ~
+gotosocial_config_smtp_port: ~
+gotosocial_config_smtp_username: ~
+gotosocial_config_smtp_password: ~
+gotosocial_config_smtp_from: ~
+
+# syslog config
+gotosocial_config_syslog_enabled: false
+gotosocial_config_syslog_protocol: udp
+gotosocial_config_syslog_address: "localhost:514"
+
+# advanced config:
+gotosocial_config_advanced_cookies_samesite: lax
+
+# container defaults
+gotosocial_container_name: gotosocial
+gotosocial_container_image_name: docker.io/superseriousbusiness/gotosocial
+gotosocial_container_image_tag: ~
+gotosocial_container_image: >-2
+  {{ gotosocial_container_image_name }}:{{ gotoscial_container_image_tag
+  | default(gotosocial_version) }}
+gotosocial_container_volumes: >-2
+  {{ gotosocial_container_default_volumes
+  + gotosocial_container_extra_volumes }}
+gotosocial_container_default_volumes:
+  - "{{ gotosocial_config_file }}:/gotosocial/config.yaml:ro"
+  - "{{ gotosocial_storage_path }}:/gotosocial/storage:z"
+  - "{{ gotosocial_template_path }}:/gotosocial/web/templates:ro"
+gotosocial_container_extra_volumes: []
+
+gotosocial_container_env: {}
+gotosocial_container_labels: {}
+gotosocial_container_user: "{{ gotosocial_user }}"
+gotosocial_container_etc_hosts: ~
+gotosocial_container_networks: ~
+gotosocial_container_purge_networks: false
+gotosocial_container_restart_policy: unless-stopped
+gotosocial_container_entrypoint:
+  - "/gotosocial/gotosocial"
+  - "--config-path"
+  - "config.yaml"
+  - "server"
+  - "start"
+

roles/gotosocial/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Restart gotosocial
+  listen: restart-gotosocial
+  docker_container:
+    name: "{{ gotosocial_container_name }}"
+    state: started
+    restart: true

roles/gotosocial/tasks/main.yml

@@ -0,0 +1,65 @@
+---
+
+- name: Ensure user {{ gotosocial_user }} is present
+  user:
+    name: "{{ gotosocial_user }}"
+    system: true
+    state: present
+  register: gotosocial_user_info
+
+- name: Ensure host directories for mounts are present
+  file:
+    path: "{{ path.name }}"
+    state: directory
+    owner: >-
+      {{ path.owner | default(gotosocial_user_info.uid | default(gotosocial_user)) }}
+    group: >-
+      {{ path.group | default(gotosocial_user_info.group | default(gotosocial_user)) }}
+    mode: "{{ path.mode | default('0750') }}"
+  loop:
+    - name: "{{ gotosocial_base_path }}"
+    - name: "{{ gotosocial_config_path }}"
+    - name: "{{ gotosocial_storage_path }}"
+    - name: "{{ gotosocial_template_path }}"
+    - name: "{{ gotosocial_asset_path }}"
+      mode: '0770'
+  loop_control:
+    loop_var: path
+    label: "{{ path.name }}"
+
+- name: Ensure configuration is up to date
+  copy:
+    content: "{{ gotosocial_config | to_nice_yaml(indent=2, width=10000) }}"
+    dest: "{{ gotosocial_config_file }}"
+    owner: "{{ gotosocial_user_info.uid | default(gotosocial_user) }}"
+    group: "{{ gotosocial_user_info.group | default(gotosocial_user) }}"
+    mode: 0640
+  notify: restart-gotosocial
+
+- name: Ensure container image is available
+  docker_image:
+    name: "{{ gotosocial_container_image }}"
+    state: present
+    source: pull
+    force_source: >-
+      {{ gotosocial_container_image_force_pull
+      | default(gotoscial_container_image_tag | default(true, true)) }}
+  register: gotosocial_container_image_pull_status
+  until: gotosocial_container_image_pull_status is succeeded
+  retries: 5
+  delay: 3
+
+- name: Ensure gotosocial container named {{ gotosocial_container_name }} is running
+  docker_container:
+    name: "{{ gotosocial_container_name }}"
+    image: "{{ gotosocial_container_image }}"
+    volumes: "{{ gotosocial_container_volumes }}"
+    env: "{{ gotosocial_container_env | default(omit, True) }}"
+    ports: "{{ gotosocial_container_ports | default(omit, True) }}"
+    labels: "{{ gotosocial_container_labels | default(omit, True) }}"
+    networks: "{{ gotosocial_container_networks | default(omit, True) }}"
+    etc_hosts: "{{ gotosocial_container_etc_hosts | default(omit, True) }}"
+    purge_networks: "{{ gotosocial_container_purge_networks | default(False, True) }}"
+    restart_policy: "{{ gotosocial_container_restart_policy }}"
+    entrypoint: "{{ gotosocial_container_entrypoint }}"
+    state: started

roles/gotosocial/vars/main.yml

@@ -0,0 +1,59 @@
+---
+
+gotosocial_default_config:
+  log-level: "{{ gotosocial_config_log_level }}"
+  log-db-queries: "{{ gotosocial_config_log_db_queries }}"
+  application-name: gotosocial
+  host: "{{ gotosocial_config_host }}"
+  account-domain: "{{ gotosocial_config_account_domain }}"
+  protocol: "{{ gotosocial_config_protocol }}"
+  bind-address: "{{ gotosocial_config_bind_address }}"
+  port: "{{ gotosocial_config_port }}"
+  trusted-proxies: "{{ gotosocial_config_trusted_proxies }}"
+  db-type: "{{ gotosocial_config_db_type }}"
+  db-address: "{{ gotosocial_config_db_address }}"
+  db-port: "{{ gotosocial_config_db_port }}"
+  db-user: "{{ gotosocial_config_db_user }}"
+  db-password: "{{ gotosocial_config_db_password }}"
+  db-database: "{{ gotosocial_config_db_database }}"
+  db-tls-mode: "{{ gotosocial_config_db_tls_mode }}"
+  db-tls-ca-cert: "{{ gotosocial_config_db_tls_ca_cert }}"
+  web-template-base-dir: "{{ gotosocial_config_web_template_base_dir }}"
+  web-asset-base-dir: "{{ gotosocial_config_web_asset_base_dir }}"
+  instance-expose-peer: "{{ gotosocial_config_instance_expose_peers }}"
+  instance-expose-suspended: "{{ gotosocial_config_expose_suspended }}"
+  accounts-registration-open: "{{ gotosocial_config_acounts_registration_open }}"
+  accounts-approval-required: "{{ gotosocial_config_accounts_approval_required }}"
+  accounts-reason-required: "{{ gotosocial_config_accounts_reason_required }}"
+  media-image-max-size: "{{ gotosocial_config_media_image_max_size_bytes }}"
+  media-video-max-size: "{{ gotosocial_config_media_video_max_size_bytes }}"
+  media-description-min-chars: "{{ gotosocial_config_media_description_min_chars }}"
+  media-description-max-chars: "{{ gotosocial_config_media_description_max_chars }}"
+  media-remote-cache-days: "{{ gotosocial_config_media_remote_cache_days }}"
+  storage-backend: "{{ gotosocial_config_storage_backend }}"
+  storage-local-base-path: "{{ gotosocial_config_storage_local_base_path }}"
+  statuses-max-chars: "{{ gotosocial_config_statuses_max_chars }}"
+  statuses-cw-max-chars: "{{ gotosocial_config_statuses_cw_max_chars }}"
+  statuses-poll-max-options: "{{ gotosocial_config_statuses_poll_max_options }}"
+  statuses-poll-option-max-chars: "{{ gotosocial_config_statuses_poll_option_max_chars }}"
+  statuses-media-max-files: "{{ gotosocial_config_statuses_media_max_files }}"
+  letsencrypt-enabled: "{{ gotosocial_config_letsencrypt_enabled }}"
+  letsencrypt-port: "{{ gotosocial_config_letsencrypt_port }}"
+  letsencrypt-cert-dir: "{{ gotosocial_config_letsencrypt_cert_dir }}"
+  letsencrypt-email-address: "{{ gotosocial_config_letsencrypt_email_address }}"
+  oidc-enabled: "{{ gotosocial_config_oidc_enabled }}"
+  oidc-idp-name: "{{ gotosocial_config_oidc_idp_name }}"
+  oidc-skip-verification: "{{ gotosocial_config_oidc_skip_verification }}"
+  oidc-issuer: "{{ gotosocial_config_oidc_issuer }}"
+  oidc-client-id: "{{ gotosocial_config_oidc_client_id }}"
+  oidc-client-secret: "{{ gotosocial_config_oidc_client_secret }}"
+  oidc-scopes: "{{ gotosocial_config_oidc_scopes }}"
+  smtp-host: "{{ gotosocial_config_smtp_host }}"
+  smtp-port: "{{ gotosocial_config_smtp_port }}"
+  smtp-username: "{{ gotosocial_config_smtp_username }}"
+  smtp-password: "{{ gotosocial_config_smtp_password }}"
+  smtp-from: "{{ gotosocial_config_smtp_from }}"
+  syslog-enabled: "{{ gotosocial_config_syslog_enabled }}"
+  syslog-protocol: "{{ gotosocial_config_syslog_protocol }}"
+  syslog-address: "{{ gotosocial_config_syslog_address }}"
+  advanced-cookies-samesite: "{{ gotosocial_config_advanced_cookies_samesite }}"

roles/mastodon/README.md

@@ -0,0 +1,65 @@
+# `finallycoffee.fediverse.mastodon` ansible role
+
+## Overview
+
+This role aims to automate as much as possible with running a docker container
+based mastodon setup. It provides you with the streaming container, sidekiq and
+web (api) as well an nginx routing the application traffic.
+
+You need to provide a postgresql database, the redis server, optionally an
+elasticsearch instance and the mail server. Roles providing components are linked,
+if applicable.
+
+### Usage
+
+The minimum configuration could be as follows:
+
+```yaml
+mastodon_domain: finally.coffee
+# Optional, if you want to host your frontend + api somewhere else
+mastodon_web_domain: frontend.some.website
+
+# you need to provide and manage the following secrets
+mastodon_secret_key: very_long_secret
+mastodon_otp_secret: also_very_long_secret
+mastodon_vapid_public_key: check_mastodon_docs_for_this
+mastodon_vapid_private_key: see_above
+```
+
+#### Database
+
+The database configuration is as follows:
+
+```yaml
+mastodon_database_host: postgres.local
+mastodon_database_port: 5432 #optional, defaults to this
+mastodon_database_user: mastodont
+mastodon_database_pass: hopefully_secure
+mastodon_database_name: mastodon
+```
+
+For seeding the database during initial deployment, you need to set
+`mastodon_seed_database: true` exactly once (when it succeeds).
+
+### Redis
+
+As of writing this, it seems that atleast one component of mastodon can't
+deal with a password for redis, leading to the need to run redis without
+authentification for all components:
+
+```yaml
+mastodon_redis_url: unix:///var/run/redis/mastodon.sock
+```
+
+#### Mail
+
+The mail server for verifications and notifications can be configured as followed:
+
+```yaml
+mastodon_mail_server: mail.example.org
+mastodon_mail_user: mailuser@mydomain.org
+mastodon_mail_password: very_secure_password_for_mailing_account
+```
+
+For further Configuration, see [`defaults/main.yml`](defaults/main.yml) to
+override further keys for configuration

roles/mastodon/defaults/main.yml

@@ -0,0 +1,133 @@
+---
+
+mastodon_user: mastodon
+mastodon_base_path: /opt/mastodon
+mastodon_domain: ~
+mastodon_web_domain: ~
+mastodon_version: 3.5.1
+mastodon_git_upstream_url: "https://github.com/mastodon/mastodon.git"
+
+mastodon_data_path: "{{ mastodon_base_path }}/data"
+mastodon_repo_path: "{{ mastodon_base_path }}/src"
+mastodon_config_path: "{{ mastodon_base_path }}/config"
+mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
+mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
+mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
+mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
+mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
+mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
+
+mastodon_container_bind_ip: "127.0.0.1"
+mastodon_streaming_backend: "{{ mastodon_container_bind_ip }}:4000"
+mastodon_api_backend: "{{ mastodon_container_bind_ip }}:3000"
+mastodon_backend: "{{ mastodon_container_bind_ip }}:5000"
+
+mastodon_container_name: mastodon
+mastodon_container_name_sidekiq: "{{ mastodon_container_name }}_sidekiq"
+mastodon_container_name_streaming: "{{ mastodon_container_name }}_streaming"
+mastodon_container_image_name: "tootsuite/mastodon"
+mastodon_container_image_tag: "v{{ mastodon_version }}"
+mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_container_image_tag }}"
+mastodon_container_networks:
+  - name: "{{ mastodon_container_network_name }}"
+
+mastodon_container_base_volumes_streaming:
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
+mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
+mastodon_container_volumes_streaming: >-
+  {{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
+
+mastodon_container_base_volumes_sidekiq:
+  - "{{ mastodon_repo_path }}/public/system:/mastodon/public/system:ro"
+mastodon_container_extra_volumes_sidekiq: "{{ mastodon_container_extra_volumes }}"
+mastodon_container_volumes_sidekiq: >-
+  {{ mastodon_container_base_volumes_sidekiq + mastodon_container_extra_volumes_sidekiq }}
+
+mastodon_container_base_volumes:
+  - "{{ mastodon_repo_path }}/public:/mastodon/public:z"
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
+mastodon_container_extra_volumes: []
+mastodon_container_volumes: >-
+  {{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
+
+mastodon_container_ports_streaming:
+  - "{{ mastodon_streaming_backend }}:4000"
+mastodon_container_ports:
+  - "{{ mastodon_api_backend }}:3000"
+mastodon_container_restart_policy: unless-stopped
+
+mastodon_nginx_version: 1.21.6
+mastodon_nginx_server_name: "{{ mastodon_domain }}"
+mastodon_container_nginx_name: "{{ mastodon_container_name }}_nginx"
+mastodon_container_nginx_image_name: docker.io/library/nginx
+mastodon_container_nginx_image_tag: ~
+mastodon_container_nginx_image_flavour: alpine
+mastodon_container_nginx_image: >-2
+  {{ mastodon_container_nginx_image_name }}:{{ mastodon_container_nginx_image_tag
+  | default(mastodon_nginx_version + ('-' + mastodon_container_nginx_image_flavour if mastodon_container_nginx_image_flavour else ''), True) }}
+mastodon_container_nginx_working_directory: "/var/www/mastodon"
+mastodon_container_nginx_cache_directory: "/var/cache/nginx"
+mastodon_container_volumes_nginx:
+  - "{{ mastodon_nginx_config_file }}:/etc/nginx/conf.d/default.conf:ro"
+  - "{{ mastodon_repo_path }}/public:{{ mastodon_container_nginx_working_directory }}:ro"
+  - "{{ mastodon_nginx_cache_path }}:{{ mastodon_container_nginx_cache_directory }}:z"
+
+mastodon_container_network_name: mastodon
+
+mastodon_secret_key: ~
+mastodon_otp_secret: ~
+mastodon_vapid_public_key: ~
+mastodon_vapid_private_key: ~
+
+mastodon_redis_host: ~
+mastodon_redis_port: ~
+mastodon_redis_url: ~
+mastodon_redis_password: ~
+mastodon_redis_db_index: ~
+
+mastodon_database_host: localhost
+mastodon_database_port: 5432
+mastodon_database_user: mastodon
+mastodon_database_pass: ~
+mastodon_database_name: mastodon
+
+mastodon_mail_server: ~
+mastodon_mail_port: 587
+mastodon_mail_user: ~
+mastodon_mail_password: ~
+mastodon_mail_from_address: "notifications@{{ mastodon_domain }}"
+
+mastodon_elasticsearch_enabled: false
+mastodon_elasticsearch_host: ~
+mastodon_elasticsearch_port: ~
+mastodon_elasticsearch_user: ~
+mastodon_elasticsearch_pass: ~
+
+mastodon_s3_enabled: false
+mastodon_s3_bucket: ~
+mastodon_s3_aws_access_key_id: ~
+mastodon_s3_aws_secret_access_key: ~
+mastodon_s3_alias_host: ~
+
+mastodon_oidc_enabled: false
+mastodon_oidc_issuer_url: ~
+mastodon_oidc_discovery: true
+mastodon_oidc_scope: openid,profile
+mastodon_oidc_client_id: ~
+mastodon_oidc_client_secret: ~
+mastodon_oidc_client_auth_method: basic
+mastodon_oidc_response_mode: query
+mastodon_oidc_response_type: code
+mastodon_oidc_prompt: ~
+mastodon_oidc_display_name: My IDP
+mastodon_oidc_auth_endpoint: ~
+mastodon_oidc_token_endpoint: ~
+mastodon_oidc_user_info_endpoint: ~
+mastodon_oidc_end_session_endpoint: ~
+mastodon_oidc_jwks_uri:
+mastodon_oidc_redirect_uri:
+mastodon_oidc_idp_logout_redirect_uri: ~
+mastodon_oidc_uid_field: preferred_username
+mastodon_oidc_security_assume_email_is_verified: false

roles/mastodon/handlers/main.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Restart mastodon sidekiq
+  docker_container:
+    name: "{{ mastodon_container_name_sidekiq }}"
+    state: started
+    restart: true
+  listen:
+    - restart-mastodon
+    - restart-mastodon-sidekiq
+
+- name: Restart mastodon streaming
+  docker_container:
+    name: "{{ mastodon_container_name_streaming }}"
+    state: started
+    restart: true
+  listen:
+    - restart-mastodon
+    - restart-mastodon-streaming
+
+- name: Restart mastodon web
+  docker_container:
+    name: "{{ mastodon_container_name }}"
+    state: started
+    restart: true
+  listen: restart-mastodon
+
+- name: Restart mastodon nginx
+  docker_container:
+    name: "{{ mastodon_container_nginx_name }}"
+    state: started
+    restart: true
+  listen: restart-mastodon-nginx

roles/mastodon/tasks/main.yml

@@ -0,0 +1,198 @@
+---
+
+- name: Ensure mastodon user '{{ mastodon_user }}' exists
+  user:
+    name: "{{ mastodon_user }}"
+    state: present
+    system: true
+  register: mastodon_user_info
+
+- name: Ensure host directories are present
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner | default(mastodon_user) }}"
+    group: "{{ item.group | default(mastodon_user) }}"
+    mode: "{{ item.mode | default('0750') }}"
+  loop:
+    - path: "{{ mastodon_base_path }}"
+      mode: '0755'
+    - path: "{{ mastodon_config_path }}"
+    - path: "{{ mastodon_data_path }}"
+    - path: "{{ mastodon_repo_path }}"
+      mode: '0700'
+    - path: "{{ mastodon_nginx_config_path }}"
+    - path: "{{ mastodon_nginx_cache_path }}"
+  loop_control: { label: "{{ item.path }}" }
+
+- name: Ensure environment file is templated
+  template:
+    src: env.j2
+    dest: "{{ mastodon_config_env_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0640"
+  notify: restart-mastodon
+
+- name: Ensure reverse proxy configuration is templated
+  template:
+    src: nginx.conf.j2
+    dest: "{{ mastodon_nginx_config_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0640"
+  notify: restart-mastodon-nginx
+
+- name: Ensure fake passwd file is templated
+  template:
+    src: passwd.j2
+    dest: "{{ mastodon_config_passwd_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
+- name: Ensure fake passwd file is templated
+  template:
+    src: group.j2
+    dest: "{{ mastodon_config_group_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
+- name: Ensure mastodon git repository is present and up-to-date
+  git:
+    repo: "{{ mastodon_git_upstream_url }}"
+    dest: "{{ mastodon_repo_path }}"
+    refspec: "v{{ mastodon_version }}"
+    version: "v{{ mastodon_version }}"
+    force: no
+    recursive: yes
+    track_submodules: yes
+  become: yes
+  become_user: "{{ mastodon_user }}"
+  register: git_repo_info
+
+- name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
+  file:
+    path: "{{ mastodon_repo_path }}"
+    state: directory
+    recurse: yes
+    owner: "{{ mastodon_user }}"
+    group: "{{ mastodon_user }}"
+
+- name: Ensure docker network for backend communication is created
+  docker_network:
+    name: "{{ mastodon_container_network_name }}"
+    state: present
+
+- name: Ensure mastodon docker image is built
+  docker_image:
+    name: "{{ mastodon_container_image_name }}"
+    tag: "{{ mastodon_container_image_tag }}"
+    state: present
+    source: build
+    build:
+      path: "{{ mastodon_repo_path }}"
+      args:
+        UID: "{{ mastodon_user_info.uid }}"
+        GID: "{{ mastodon_user_info.group }}"
+  when: git_repo_info.before != git_repo_info.after
+
+- name: Ensure nginx reverse proxy image is present
+  docker_image:
+    name: "{{ mastodon_container_nginx_image }}"
+    state: present
+    source: pull
+    force_source: "{{ mastodon_container_nginx_image_tag|default(false, true) | bool }}"
+  register: masto_nginx_pull
+  until: masto_nginx_pull is succeeded
+  retries: 5
+  delay: 3
+
+- name: Ensure database is seeded
+  docker_container:
+    name: "{{ mastodon_container_name }}_setup_db"
+    image: "{{ mastodon_container_image_ref }}"
+    networks: "{{ mastodon_container_networks }}"
+    volumes: "{{ mastodon_container_volumes }}"
+    env_file: "{{ mastodon_config_env_file }}" 
+    command: "bash -c \"bundle exec rails db:setup\""
+    tty: yes
+    interactive: yes
+    detach: no
+    cleanup: yes
+  when: mastodon_seed_database|default(false, true)
+
+- name: Ensure mastodon sidekiq container '{{ mastodon_container_name_sidekiq }}' is running
+  docker_container:
+    name: "{{ mastodon_container_name_sidekiq }}"
+    image: "{{ mastodon_container_image_ref }}"
+    networks: "{{ mastodon_container_networks }}"
+    volumes: "{{ mastodon_container_volumes_sidekiq }}"
+    env_file: "{{ mastodon_config_env_file }}" 
+    command: "bundle exec sidekiq"
+    restart_policy: "{{ mastodon_container_restart_policy }}"
+    healthcheck:
+      test: ["CMD-SHELL", "ps aux | grep '[s]idekiq\ 6' || false"]
+      interval: 5s
+      retries: 3
+      start_period: 0s
+      timeout: 5s
+
+- name: Ensure mastodon streaming container '{{ mastodon_container_name_streaming }}' is running
+  docker_container:
+    name: "{{ mastodon_container_name_streaming }}"
+    image: "{{ mastodon_container_image_ref }}"
+    networks: "{{ mastodon_container_networks }}"
+    volumes: "{{ mastodon_container_volumes_streaming }}"
+    env_file: "{{ mastodon_config_env_file }}" 
+    command: "node ./streaming"
+    restart_policy: "{{ mastodon_container_restart_policy }}"
+    ports: "{{ mastodon_container_ports_streaming }}"
+    user: "{{ mastodon_user }}"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
+      interval: 5s
+      retries: 3
+      start_period: 0s
+      timeout: 5s
+
+- name: Ensure mastodon container '{{ mastodon_container_name }}' is running
+  docker_container:
+    name: "{{ mastodon_container_name }}"
+    image: "{{ mastodon_container_image_ref }}"
+    networks: "{{ mastodon_container_networks }}"
+    volumes: "{{ mastodon_container_volumes }}"
+    env_file: "{{ mastodon_config_env_file }}" 
+    command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
+    restart_policy: "{{ mastodon_container_restart_policy }}"
+    ports: "{{ mastodon_container_ports }}"
+    user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
+      interval: 5s
+      retries: 3
+      start_period: 0s
+      timeout: 5s
+
+- name: Ensure container paths belong to the mastodon user
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
+    user: "0"
+
+- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
+  docker_container:
+    name: "{{ mastodon_container_nginx_name }}"
+    image: "{{ mastodon_container_nginx_image }}"
+    network_mode: host
+    volumes: "{{ mastodon_container_volumes_nginx }}"
+    restart_policy: "{{ mastodon_container_restart_policy }}"
+
+- name: Ensure assets are precompiled
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "bundle exec rails assets:precompile"
+  when: git_repo_info.before != git_repo_info.after

roles/mastodon/templates/env.j2

@@ -0,0 +1,128 @@
+# This is a sample configuration file. You can generate your configuration
+# with the `rake mastodon:setup` interactive setup wizard, but to customize
+# your setup even further, you'll need to edit it manually. This sample does
+# not demonstrate all available configuration options. Please look at
+# https://docs.joinmastodon.org/admin/config/ for the full documentation.
+
+# Note that this file accepts slightly different syntax depending on whether
+# you are using `docker-compose` or not. In particular, if you use
+# `docker-compose`, the value of each declared variable will be taken verbatim,
+# including surrounding quotes.
+# See: https://github.com/mastodon/mastodon/issues/16895
+
+# Federation
+# ----------
+# This identifies your server and cannot be changed safely later
+# ----------
+LOCAL_DOMAIN={{ mastodon_domain }}
+{% if mastodon_web_domain|default(false, true) %}
+WEB_DOMAIN={{ mastodon_web_domain }}
+{% endif %}
+
+# Redis
+# -----
+{% if mastodon_redis_host|default(false, true) %}
+REDIS_HOST={{ mastodon_redis_host }}
+{% endif %}
+{% if mastodon_redis_port|default(false, true) %}
+REDIS_PORT={{ mastodon_redis_port }}
+{% endif %}
+{% if mastodon_redis_url %}
+REDIS_URL={{ mastodon_redis_url }}
+{% endif %}
+{% if mastodon_redis_password %}
+REDIS_PASSWORD={{ mastodon_redis_password }}
+{% endif %}
+{% if mastodon_redis_db_index %}
+REDIS_DB_INDEX={{ mastodon_redis_db_index }}
+{% endif %}
+
+# PostgreSQL
+# ----------
+DB_HOST={{ mastodon_database_host }}
+DB_USER={{ mastodon_database_user }}
+DB_NAME={{ mastodon_database_name }}
+DB_PASS={{ mastodon_database_pass }}
+DB_PORT={{ mastodon_database_port }}
+
+# Elasticsearch (optional)
+# ------------------------
+ES_ENABLED={{ mastodon_elasticsearch_enabled }}
+ES_HOST={{ mastodon_elasticsearch_host }}
+ES_PORT={{ mastodon_elasticsearch_port }}
+# Authentication for ES (optional)
+{% if mastodon_elasticsearch_user %}
+ES_USER={{ mastodon_elasticsearch_user }}
+{% endif %}
+{% if mastodon_elasticsearch_pass %}
+ES_PASS={{ mastodon_elasticsearch_pass }}
+{% endif %}
+
+# Secrets
+# -------
+# Make sure to use `rake secret` to generate secrets
+# -------
+SECRET_KEY_BASE={{ mastodon_secret_key }}
+OTP_SECRET={{ mastodon_otp_secret }}
+
+# Web Push
+# --------
+# Generate with `rake mastodon:webpush:generate_vapid_key`
+# --------
+VAPID_PRIVATE_KEY={{ mastodon_vapid_private_key }}
+VAPID_PUBLIC_KEY={{ mastodon_vapid_public_key }}
+
+# Sending mail
+# ------------
+SMTP_SERVER={{ mastodon_mail_server }}
+SMTP_PORT={{ mastodon_mail_port }}
+SMTP_LOGIN={{ mastodon_mail_user }}
+SMTP_PASSWORD={{ mastodon_mail_password }}
+SMTP_FROM_ADDRESS={{ mastodon_mail_from_address }}
+
+# File storage (optional)
+# -----------------------
+S3_ENABLED={{ mastodon_s3_enabled }}
+S3_BUCKET={{ mastodon_s3_bucket }}
+AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
+AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
+S3_ALIAS_HOST={{ mastodon_s3_alias_host }}
+
+# OpenId connect (optional)
+OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
+OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
+OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
+OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
+OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
+OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
+OIDC_SCOPE={{ mastodon_oidc_scope }}
+{% if mastodon_oidc_auth_endpoint %}
+OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
+{% endif %}
+{% if mastodon_oidc_token_endpoint %}
+OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
+{% endif %}
+{% if mastodon_oidc_user_info_endpoint %}
+OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
+{% endif %}
+{% if mastodon_oidc_end_session_endpoint %}
+OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
+{% endif %}
+{% if mastodon_oidc_jwks_uri %}
+OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
+{% endif %}
+{% if mastodon_oidc_redirect_uri %}
+OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
+{% endif %}
+{% if mastodon_oidc_idp_logout_redirect_uri %}
+OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
+{% endif %}
+OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
+OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
+{% if mastodon_oidc_response_mode %}
+OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
+{% endif %}
+{% if mastodon_oidc_response_type %}
+OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
+{% endif %}
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}

roles/mastodon/templates/group.j2

@@ -0,0 +1,40 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:

roles/mastodon/templates/nginx.conf.j2

@@ -0,0 +1,94 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+upstream backend {
+    server {{ mastodon_api_backend }} fail_timeout=0;
+}
+
+upstream streaming {
+    server {{ mastodon_streaming_backend }} fail_timeout=0;
+}
+
+proxy_cache_path {{ mastodon_container_nginx_cache_directory }} levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g;
+
+server {
+  listen {{ mastodon_backend }};
+  server_name {{ mastodon_nginx_server_name }};
+
+  keepalive_timeout    70;
+  sendfile             on;
+  client_max_body_size 200m;
+
+  root {{ mastodon_container_nginx_working_directory }};
+
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    try_files $uri @proxy;
+  }
+
+  location /sw.js {
+    add_header Cache-Control "public, max-age=0";
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Proxy "";
+    proxy_pass_header Server;
+
+    proxy_pass http://backend;
+    proxy_buffering on;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_cache CACHE;
+    proxy_cache_valid 200 7d;
+    proxy_cache_valid 410 24h;
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+    add_header X-Cached $upstream_cache_status;
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    tcp_nodelay on;
+  }
+
+  location /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Proxy "";
+
+    proxy_pass http://streaming;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  error_page 500 501 502 503 504 /500.html;
+}

roles/mastodon/templates/passwd.j2

@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh

roles/pixelfed/defaults/main.yml

@@ -0,0 +1,143 @@
+---
+
+pixelfed_user: pixelfed
+pixelfed_version: 0.11.2
+pixelfed_base_path: /opt/pixelfed
+
+pixelfed_deployment_method: docker_selfbuilt
+
+# user to run pixelfed as
+pixelfed_run_user: "{{ pixelfed_user_stat.uid | default(pixelfed_user) }}"
+pixelfed_run_group: "{{ pixelfed_user_stat.group | default(pixelfed_user) }}"
+
+# container settings
+pixelfed_container_name: pixelfed
+pixelfed_container_image_name: pixelfed
+pixelfed_container_image_tag: ~
+pixelfed_container_image: "{{ pixelfed_container_image_name }}:{{ pixelfed_container_image_tag | default('v' + pixelfed_version, True) }}"
+pixelfed_container_image_local_build: true
+pixelfed_container_ports: []
+pixelfed_container_networks: []
+pixelfed_container_extra_volumes: []
+pixelfed_container_extra_labels: {}
+pixelfed_container_extra_env: {}
+pixelfed_container_restart_policy: unless-stopped
+pixelfed_worker_container_name: "{{ pixelfed_container_name }}-worker"
+
+# host filesystem paths
+pixelfed_config_path: "{{ pixelfed_base_path }}/config"
+pixelfed_storage_path: "{{ pixelfed_base_path }}/storage"
+pixelfed_source_path: "{{ pixelfed_base_path }}/source"
+
+pixelfed_app_paths:
+  - path: "{{ pixelfed_base_path }}"
+    mode: "0750"
+  - path: "{{ pixelfed_config_path }}"
+    mode: "0750"
+  - path: "{{ pixelfed_storage_path }}"
+    mode: "0750"
+  - path: "{{ pixelfed_source_path }}"
+    mode: "0750"
+
+pixelfed_config_app_key: ~
+pixelfed_config_app_name: "Pixelfed"
+pixelfed_config_app_env: production
+pixelfed_config_app_debug: false
+pixelfed_config_app_url: "https://{{ pixelfed_config_app_url }}"
+pixelfed_config_app_domain: ~ # my.pixelfed.domain
+pixelfed_config_admin_domain: "{{ pixelfed_config_app_domain }}"
+pixelfed_config_session_domain: "{{ pixelfed_config_app_domain }}"
+
+pixelfed_config_open_registration: true
+pixelfed_config_enforce_email_verification: false
+pixelfed_config_pf_max_users: 1000
+pixelfed_config_oauth_enabled: true
+
+pixelfed_config_app_timezone: UTC
+pixelfed_config_app_locale: en
+
+pixelfed_config_limit_account_size: true
+pixelfed_config_max_account_size: 1000000
+pixelfed_config_max_photo_size: 15000
+pixelfed_config_max_avatar_size: 2000
+pixelfed_config_max_caption_length: 500
+pixelfed_config_max_bio_length: 125
+pixelfed_config_max_name_length: 30
+pixelfed_config_max_album_length: 4
+pixelfed_config_image_quality: 80
+pixelfed_config_pf_optimize_images: true
+pixelfed_config_pf_optimize_videos: true
+pixelfed_config_admin_env_editor: false
+pixelfed_config_account_deletion: true
+pixelfed_config_account_delete_after: false
+pixelfed_config_max_links_per_post: 0
+
+pixelfed_config_instance_description: ~
+pixelfed_config_instance_public_hashtags: false
+pixelfed_config_instance_contact_email: ~
+pixelfed_config_instance_public_local_timetime: false
+pixelfed_config_banned_usernames: ~
+pixelfed_config_stories_enabled: false
+pixelfed_config_restricted_instance: false
+
+pixelfed_config_mail_driver: log
+pixelfed_config_mail_host: ~
+pixelfed_config_mail_port: 25
+pixelfed_config_mail_from_address: "pixelfed@{{ pixelfed_config_app_domain }}"
+pixelfed_config_mail_from_name: "{{ pixelfed_config_app_name }}"
+pixelfed_config_mail_username: null
+pixelfed_config_mail_password: null
+pixelfed_config_mail_encryption: null
+
+pixelfed_config_db_connection: pgsql
+pixelfed_config_db_host: postgres
+pixelfed_config_db_port: 5432
+pixelfed_config_db_username: pixelfed
+pixelfed_config_db_password: ~
+pixelfed_config_db_database: pixelfed
+
+pixelfed_config_redis_client: phpredis
+pixelfed_config_redis_scheme: tcp
+pixelfed_config_redis_host: redis
+pixelfed_config_redis_password: ~
+pixelfed_config_redis_port: 6379
+pixelfed_config_redis_database: 0
+
+pixelfed_config_exp_lc: false
+pixelfed_config_exp_rec: false
+pixelfed_config_exp_loops: false
+
+pixelfed_config_activity_pub: false
+pixelfed_config_ap_remote_follow: false
+pixelfed_config_ap_shared_inbox: false
+pixelfed_config_ap_inbox: false
+pixelfed_config_ap_outbox: false
+pixelfed_config_atom_feeds: true
+pixelfed_config_nodeinfo: true
+pixelfed_config_webfinger: true
+
+pixelfed_config_filesystem_driver: local
+pixelfed_config_filesystem_cloud: s3
+pixelfed_config_pf_enable_cloud: false
+pixelfed_config_aws_access_key_id: ~
+pixelfed_config_aws_secret_access_key: ~
+pixelfed_config_aws_default_region: ~
+pixelfed_config_aws_bucket: ~
+pixelfed_config_aws_url: ~
+pixelfed_config_aws_endpont: ~
+pixelfed_config_aws_use_path_style_endpoint: false
+
+pixelfed_config_horizon_darkmode: false
+pixelfed_config_pf_costar_enabled: false
+pixelfed_config_media_exif_database: false
+pixelfed_config_log_channel: stderr
+pixelfed_config_image_driver: imagick
+
+pixelfed_config_broadcast_driver: log
+pixelfed_config_cache_driver: redis
+pixelfed_config_restrict_html_types: true
+pixelfed_config_queue_driver: redis
+pixelfed_config_session_driver: redis
+pixelfed_config_trust_proxies: "*"
+pixelfed_config_passport_private_key: ~
+pixelfed_config_passport_public_key: ~

roles/pixelfed/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Restart pixelfed (docker)
+  docker_container:
+    name: "{{ pixelfed_container_name }}"
+    state: started
+    restart: yes
+  when: 'docker' in pixelfed_deployment_method
+  listen: restart-pixelfed
+
+- name: Restart pixelfed worker (docker)
+  docker_container:
+    name: "{{ pixelfed_worker_container_name }}"
+    state: started
+    restart: yes
+  when: 'docker' in pixelfed_deployment_method
+  listen: restart-pixelfed

roles/pixelfed/tasks/docker-deploy.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Ensure docker container '{{ pixelfed_container_name }}' is running
+  docker_container:
+    name: "{{ pixelfed_container_name }}"
+    image: "{{ pixelfed_container_image }}"
+    env: "{{ pixelfed_container_env }}"
+    env_file: "{{ pixelfed_config_path }}/env"
+    labels: "{{ pixelfed_container_labels }}"
+    volumes: "{{ pixelfed_container_volumes }}"
+    ports: "{{ pixelfed_container_ports | default(omit, True) }}"
+    networks: "{{ pixelfed_container_networks | default(omit, True) }}"
+    purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
+    restart_policy: "{{ pixelfed_container_restart_policy }}"
+    state: started
+
+- name: Ensure docker container '{{ pixelfed_worker_container_name }}' is running
+  docker_container:
+    name: "{{ pixelfed_worker_container_name }}"
+    image: "{{ pixelfed_container_image }}"
+    env: "{{ pixelfed_container_env }}"
+    env_file: "{{ pixelfed_config_path }}/env"
+    volumes: "{{ pixelfed_container_volumes }}"
+    networks: "{{ pixelfed_container_networks | default(omit, True) }}"
+    purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
+    restart_policy: "{{ pixelfed_container_restart_policy }}"
+    command: "gosu www-data php artisan horizon"
+    state: started

roles/pixelfed/tasks/docker-image.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Ensure docker container image is pulled
+  docker_image:
+    name: "{{ pixelfed_container_image }}"
+    state: present
+    source: pull
+    force_source: "{{ true if docker_container_image_tag else false }}"
+  when: not pixelfed_container_image_local_build
+
+- name: Ensure upstream git repository is cloned to source folder
+  git:
+    repo: "{{ pixelfed_source_upstream_git_repo }}"
+    dest: "{{ pixelfed_source_path }}"
+    update: yes
+    clone: yes
+  when: pixelfed_container_image_local_build
+
+- name: Build docker container image '{{ pixelfed_container_image }}' locally
+  docker_image:
+    name: "{{ pixelfed_container_image_name }}"
+    tag: "{{ pixelfed_container_image_tag | default('v' + pixelfed_version) }}"
+    state: present
+    source: build
+    build:
+      dockerfile: "contrib/docker/Dockerfile.apache"
+      path: "{{ pixelfed_source_path }}"
+  when: pixelfed_container_image_local_build

roles/pixelfed/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+
+- name: Ensure user '{{ pixelfed_user }}' for pixelfed is created
+  user:
+    name: "{{ pixelfed_user }}"
+    state: present
+    system: true
+  register: pixelfed_user_stat
+
+- name: Ensure file system paths exist for persisting data
+  file:
+    path: "{{ dir.path }}"
+    state: directory
+    owner: "{{ dir.user | default(pixelfed_run_user) }}"
+    group: "{{ dir.group | default(pixelfed_run_group) }}"
+    mode: "{{ dir.mode }}"
+  loop: "{{ pixelfed_app_paths }}"
+  loop_control:
+    loop_var: dir
+    label: "{{ dir.path }}"
+
+- name: Ensure pixelfed configuration is templated
+  copy:
+    content: |+
+      {% for key in pixelfed_config | dict2items %}
+      {% if pixelfed_config[key] %}
+      {{ key }}={{ pixelfed_config[key] }}
+      {% endif %}
+      {% endfor %}
+    dest: "{{ pixelfed_config_path }}/env"
+    owner: "{{ pixelfed_run_user }}"
+    group: "{{ pixelfed_run_group }}"
+    mode: "0640"
+  notify: restart-pixelfed
+
+- name: Ensure docker container image is available
+  include_tasks:
+    file: docker-image.yml
+  when: 'docker' in pixelfed_deployment_method
+
+- name: Ensure pixelfed instance is started
+  block:
+    - name: Ensure pixelfed instance is started (docker)
+      include_tasks:
+        file: docker-deploy.yml
+      when: 'docker' in pixelfed_deployment_method
+
+

roles/pixelfed/templates/env.docker.j2

@@ -0,0 +1,148 @@
+## Crypto
+APP_KEY=
+
+## General Settings
+APP_NAME="Pixelfed Prod"
+APP_ENV=production
+APP_DEBUG=false
+APP_URL=https://real.domain
+APP_DOMAIN="real.domain"
+ADMIN_DOMAIN="real.domain"
+SESSION_DOMAIN="real.domain"
+
+OPEN_REGISTRATION=true
+ENFORCE_EMAIL_VERIFICATION=false
+PF_MAX_USERS=1000
+OAUTH_ENABLED=true
+
+APP_TIMEZONE=UTC
+APP_LOCALE=en
+
+## Pixelfed Tweaks
+LIMIT_ACCOUNT_SIZE=true
+MAX_ACCOUNT_SIZE=1000000
+MAX_PHOTO_SIZE=15000
+MAX_AVATAR_SIZE=2000
+MAX_CAPTION_LENGTH=500
+MAX_BIO_LENGTH=125
+MAX_NAME_LENGTH=30
+MAX_ALBUM_LENGTH=4
+IMAGE_QUALITY=80
+PF_OPTIMIZE_IMAGES=true
+PF_OPTIMIZE_VIDEOS=true
+ADMIN_ENV_EDITOR=false
+ACCOUNT_DELETION=true
+ACCOUNT_DELETE_AFTER=false
+MAX_LINKS_PER_POST=0
+
+## Instance
+#INSTANCE_DESCRIPTION=
+INSTANCE_PUBLIC_HASHTAGS=false
+#INSTANCE_CONTACT_EMAIL=
+INSTANCE_PUBLIC_LOCAL_TIMELINE=false
+#BANNED_USERNAMES=
+STORIES_ENABLED=false
+RESTRICTED_INSTANCE=false
+
+## Mail
+MAIL_DRIVER=log
+MAIL_HOST=smtp.mailtrap.io
+MAIL_PORT=2525
+MAIL_FROM_ADDRESS="pixelfed@example.com"
+MAIL_FROM_NAME="Pixelfed"
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+
+## Databases (MySQL)
+DB_CONNECTION=mysql
+DB_DATABASE=pixelfed_prod
+DB_HOST=db
+DB_PASSWORD=pixelfed_db_pass
+DB_PORT=3306
+DB_USERNAME=pixelfed
+# pass the same values to the db itself
+MYSQL_DATABASE=pixelfed_prod
+MYSQL_PASSWORD=pixelfed_db_pass
+MYSQL_RANDOM_ROOT_PASSWORD=true
+MYSQL_USER=pixelfed
+
+## Databases (Postgres)
+#DB_CONNECTION=pgsql
+#DB_HOST=postgres
+#DB_PORT=5432
+#DB_DATABASE=pixelfed
+#DB_USERNAME=postgres
+#DB_PASSWORD=postgres
+
+## Cache (Redis)
+REDIS_CLIENT=phpredis
+REDIS_SCHEME=tcp
+REDIS_HOST=redis
+REDIS_PASSWORD=redis_password
+REDIS_PORT=6379
+REDIS_DATABASE=0
+
+## EXPERIMENTS 
+EXP_LC=false
+EXP_REC=false
+EXP_LOOPS=false
+
+## ActivityPub Federation
+ACTIVITY_PUB=false
+AP_REMOTE_FOLLOW=false
+AP_SHAREDINBOX=false
+AP_INBOX=false
+AP_OUTBOX=false
+ATOM_FEEDS=true
+NODEINFO=true
+WEBFINGER=true
+
+## S3
+FILESYSTEM_DRIVER=local
+FILESYSTEM_CLOUD=s3
+PF_ENABLE_CLOUD=false
+#AWS_ACCESS_KEY_ID=
+#AWS_SECRET_ACCESS_KEY=
+#AWS_DEFAULT_REGION=
+#AWS_BUCKET=
+#AWS_URL=
+#AWS_ENDPOINT=
+#AWS_USE_PATH_STYLE_ENDPOINT=false
+
+## Horizon
+HORIZON_DARKMODE=false
+
+## COSTAR - Confirm Object Sentiment Transform and Reduce
+PF_COSTAR_ENABLED=false
+
+# Media
+MEDIA_EXIF_DATABASE=false
+
+## Logging
+LOG_CHANNEL=stderr
+
+## Image
+IMAGE_DRIVER=imagick
+
+## Broadcasting
+BROADCAST_DRIVER=log  # log driver for local development
+
+## Cache
+CACHE_DRIVER=redis
+
+## Purify
+RESTRICT_HTML_TYPES=true
+
+## Queue
+QUEUE_DRIVER=redis
+
+## Session
+SESSION_DRIVER=redis
+
+## Trusted Proxy
+TRUST_PROXIES="*"
+
+## Passport
+#PASSPORT_PRIVATE_KEY=
+#PASSPORT_PUBLIC_KEY=

roles/pixelfed/vars/main.yml

@@ -0,0 +1,133 @@
+---
+
+pixelfed_container_base_volumes:
+  - "{{ pixelfed_storage_path }}:/var/www/storage:z"
+  - "{{ pixelfed_config_path/env:/var/www/.env:ro"
+
+pixelfed_container_base_env: {}
+
+pixelfed_container_base_labels:
+  VERSION: "{{ pixelfed_version }}"
+
+pixelfed_container_volumes: "{{ pixelfed_container_base_volumes + pixelfed_container_extra_volumes }}"
+pixelfed_container_labels: "{{ pixelfed_container_base_labels + pixelfed_container_extra_labels }}"
+pixelfed_container_env: "{{ pixelfed_container_base_env + pixelfed_container_extra_env }}"
+
+pixelfed_source_upstream_git_repo: "https://github.com/pixelfed/pixelfed.git"
+
+pixelfed_supported_deployment_methods:
+  - docker_selfbuilt
+  - docker_pulled
+
+
+# pixelfed app config
+pixelfed_config:
+  APP_KEY: "{{ pixelfed_config_app_key }}"
+  APP_NAME: "{{ pixelfed_config_app_name }}"
+  APP_ENV: "{{ pixelfed_config_app_env }}"
+  APP_DEBUG: "{{ pixelfed_config_app_debug }}"
+  APP_URL: "{{ pixelfed_config_app_url }}"
+  APP_DOMAIN: "{{ pixelfed_config_app_domain }}"
+  ADMIN_DOMAIN: "{{ pixelfed_config_app_admin_domain }}"
+  SESSION_DOMAIN: "{{ pixelfed_config_session_domain }}"
+
+  OPEN_REGISTRATION: "{{ pixelfed_config_open_registration }}"
+  ENFORCE_EMAIL_VERIFICATION: "{{ pixelfed_config_enforce_email_verification }}"
+  PF_MAX_USERS: "{{ pixelfed_config_pf_max_users }}"
+  OAUTH_ENABLED: "{{ pixelfed_config_oauth_enabled }}"
+
+  APP_TIMEZONE: "{{ pixelfed_config_app_timezone }}"
+  APP_LOCALE: "{{ pixelfed_config_all_locale }}"
+
+  LIMIT_ACCOUNT_SIZE: "{{ pixelfed_config_limit_account_size }}"
+  MAX_ACCOUNT_SIZE: "{{ pixelfed_config_max_account_size }}"
+  MAX_PHOTO_SIZE: "{{ pixelfed_config_ }}"
+  MAX_AVATAR_SIZE: "{{ pixelfed_config_ }}"
+  MAX_CAPTION_LENGTH: "{{ pixelfed_config_ }}"
+  MAX_BIO_LENGTH:  "{{ pixelfed_config_ }}"
+  MAX_NAME_LENGTH:  "{{ pixelfed_config_ }}"
+  MAX_ALBUM_LENGTH:  "{{ pixelfed_config_ }}"
+  IMAGE_QUALITY:  "{{ pixelfed_config_ }}"
+  PF_OPTIMIZE_IMAGES:  "{{ pixelfed_config_ }}"
+  PF_OPTIMIZE_VIDEOS:  "{{ pixelfed_config_ }}"
+  ADMIN_ENV_EDITOR:  "{{ pixelfed_config_ }}"
+  ACCOUNT_DELETION:  "{{ pixelfed_config_ }}"
+  ACCOUNT_DELETE_AFTER:  "{{ pixelfed_config_ }}"
+  MAX_LINKS_PER_POST:    "{{ pixelfed_config_ }}"
+
+  INSTANCE_DESCRIPTION: "{{ pixelfed_config_instance_description }}"
+  INSTANCE_PUBLIC_HASHTAGS: "{{ pixelfed_config_instance_public_hashtags }}"
+  INSTANCE_CONTACT_EMAIL: "{{ pixelfed_config_instance_contact_email }}"
+  INSTANCE_PUBLIC_LOCAL_TIMELINE: "{{ pixelfed_config_instance_public_local_timeline }}"
+  BANNED_USERNAMES: "{{ pixelfed_config_banned_usernames }}"
+  STORIES_ENABLED: "{{ pixelfed_config_stories_enabled }}"
+  RESTRICTED_INSTANCE: "{{ pixelfed_config_restricted_instance }}"
+  
+  ## Mail
+  MAIL_DRIVER: "{{ pixelfed_config_mail_driver }}"
+  MAIL_HOST: "{{ pixelfed_config_mail_host }}"
+  MAIL_PORT: "{{ pixelfed_config_mail_port }}"
+  MAIL_FROM_ADDRESS: "{{ pixelfed_config_mail_from_address }}"
+  MAIL_FROM_NAME: "{{ pixelfed_config_mail_from_name }}"
+  MAIL_USERNAME: "{{ pixelfed_config_mail_username }}"
+  MAIL_PASSWORD: "{{ pixelfed_config_mail_password }}"
+  MAIL_ENCRYPTION: "{{ pixelfed_config_mail_encryption }}"
+  
+  ## Databases (MySQL)
+  DB_CONNECTION: "{{ pixelfed_config_db_connection }}"
+  DB_DATABASE: "{{ pixelfed_config_db_database }}"
+  DB_HOST: "{{ pixelfed_config_db_host }}"
+  DB_PASSWORD: "{{ pixelfed_config_db_password }}"
+  DB_PORT: "{{ pixelfed_config_db_port }}"
+  DB_USERNAME: "{{ pixelfed_config_db_username }}"
+ 
+  ## Cache (Redis)
+  REDIS_CLIENT: "{{ pixelfed_config_redis_client }}"
+  REDIS_SCHEME: "{{ pixelfed_config_redis_scheme }}"
+  REDIS_HOST: "{{ pixelfed_config_redis_host }}"
+  REDIS_PASSWORD: "{{ pixelfed_config_redis_password }}"
+  REDIS_PORT: "{{ pixelfed_config_redis_port }}"
+  REDIS_DATABASE: "{{ pixelfed_config_redis_database }}"
+  
+  ## EXPERIMENTS 
+  EXP_LC: "{{ pixelfed_config_exp_lc }}"
+  EXP_REC: "{{ pixelfed_config_exp_rec }}"
+  EXP_LOOPS: "{{ pixelfed_config_exp_loops }}"
+  
+  ## ActivityPub Federation
+  ACTIVITY_PUB: "{{ pixelfed_config_activity_pub }}"
+  AP_REMOTE_FOLLOW: "{{ pixelfed_config_ap_remote_follow }}"
+  AP_SHAREDINBOX: "{{ pixelfed_config_ap_sharedinbox }}"
+  AP_INBOX: "{{ pixelfed_config_ap_inbox }}"
+  AP_OUTBOX: "{{ pixelfed_config_ap_outbox }}"
+  ATOM_FEEDS: "{{ pixelfed_config_atom_feeds }}"
+  NODEINFO: "{{ pixelfed_config_nodeinfo }}"
+  WEBFINGER: "{{ pixelfed_config_webfinger }}"
+  
+  ## S3
+  FILESYSTEM_DRIVER: "{{ pixelfed_config_filesystem_driver }}"
+  FILESYSTEM_CLOUD: "{{ pixelfed_config_filesystem_cloud }}"
+  PF_ENABLE_CLOUD: "{{ pixelfed_config_pf_enable_cloud }}"
+  AWS_ACCESS_KEY_ID: "{{ pixelfed_config_aws_access_key_id }}"
+  AWS_SECRET_ACCESS_KEY: "{{ pixelfed_config_aws_secret_access_key }}"
+  AWS_DEFAULT_REGION: "{{ pixelfed_config_aws_default_region }}"
+  AWS_BUCKET: "{{ pixelfed_config_aws_bucket }}"
+  AWS_URL: "{{ pixelfed_config_aws_url }}"
+  AWS_ENDPOINT: "{{ pixelfed_config_aws_endpoint }}"
+  AWS_USE_PATH_STYLE_ENDPOINT: "{{ pixelfed_config_aws_use_path_style_endpoint }}"
+  
+  HORIZON_DARKMODE: "{{ pixelfed_config_horizon_darkmode }}"
+  PF_COSTAR_ENABLED: "{{ pixelfed_config_pf_costar_enabled }}"
+  MEDIA_EXIF_DATABASE: "{{ pixelfed_config_media_exif_database }}"
+  LOG_CHANNEL: "{{ pixelfed_config_log_channel }}"
+  IMAGE_DRIVER: "{{ pixelfed_config_image_driver }}"
+  
+  BROADCAST_DRIVER: "{{ pixelfed_config_ }}"
+  CACHE_DRIVER: "{{ pixelfed_config_cache_driver }}"
+  RESTRICT_HTML_TYPES: "{{ 'true' pixelfed_config_restrict_html_types else 'false' }}"
+  QUEUE_DRIVER: "{{ pixelfed_config_queue_driver }}"
+  SESSION_DRIVER: "{{ pixelfed_config_session_driver }}"
+  TRUST_PROXIES: "{{ pixelfed_config_trust_proxies }}"
+  PASSPORT_PRIVATE_KEY: "{{ pixelfed_config_passport_private_key }}"
+  PASSPORT_PUBLIC_KEY: "{{ pixelfed_config_passport_public_key }}"
+