Compare commits
7 Commits
bbefcea786
...
7c4169c424
Author | SHA1 | Date | |
---|---|---|---|
7c4169c424 | |||
998d2a5f5e | |||
275976f1e6 | |||
6a0924c72c | |||
601af978cd | |||
e28cad6552 | |||
accd829e91 |
@ -9,6 +9,9 @@ available.
|
|||||||
|
|
||||||
## Roles
|
## Roles
|
||||||
|
|
||||||
|
- [`mastodon`](roles/mastodon/README.md): deployment using a container based
|
||||||
|
setup, able to use webfinger delegation.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
[CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License
|
[CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License
|
||||||
|
24
roles/gotosocial/README.md
Normal file
24
roles/gotosocial/README.md
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
# `finallycoffee.fediverse.gotosocial` ansible role
|
||||||
|
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
### Built-in LetsEncrypt client
|
||||||
|
|
||||||
|
To use the built-in letsencrypt client, set `gotosocial_config_letsencrypt_enabled: true`.
|
||||||
|
|
||||||
|
You are required to fill in a valid administrative email address into
|
||||||
|
`gotosocial_config_letsencrypt_email_address`.
|
||||||
|
|
||||||
|
The port letsencrypt will listen on defaults to `80` and can be set using
|
||||||
|
`gotosocial_config_letsencrypt_port` (if f.ex. the container lacks the permission
|
||||||
|
to bind to ports < 1024). Note that when `gotosocial_config_letsencrypt_enabled` is
|
||||||
|
`true`, the `gotosocial_config_letsencrypt_port` will by default be mapped to
|
||||||
|
_host_ port 80 on all interfaces!
|
||||||
|
|
||||||
|
This is fine when this is the only ACME client and allows easily changing
|
||||||
|
`gotosocial_config_letsencrypt_port` without breaking any functionality,
|
||||||
|
but with multiple acme clients all performing HTTP-01 challenges, you need to manually
|
||||||
|
overwrite `gotosocial_container_ports` to fit your needs.
|
||||||
|
|
||||||
|
### Advanced configuration
|
130
roles/gotosocial/defaults/main.yml
Normal file
130
roles/gotosocial/defaults/main.yml
Normal file
@ -0,0 +1,130 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
gotosocial_user: "gotosocial"
|
||||||
|
gotosocial_version: 0.3.8
|
||||||
|
gotosocial_base_path: "/opt/gotosocial"
|
||||||
|
gotosocial_config_path: "{{ gotosocial_base_path }}/config"
|
||||||
|
gotosocial_template_path: "{{ gotosocial_base_path }}/templates"
|
||||||
|
gotosocial_asset_path: "{{ gotosocial_base_path }}/assets"
|
||||||
|
gotosocial_storage_path: "{{ gotosocial_base_path }}/storage"
|
||||||
|
gotosocial_cert_path: "{{ gotosocial_base_path }}/certificates"
|
||||||
|
gotosocial_config_file: "{{ gotosocial_config_path }}/config.yaml"
|
||||||
|
|
||||||
|
gotosocial_config: >-
|
||||||
|
{{ gotosocial_default_config
|
||||||
|
| combine(gotosocial_extra_config | default({}), recursive=True) }}
|
||||||
|
|
||||||
|
gotosocial_config_log_level: info
|
||||||
|
gotosocial_config_log_db_queries: false
|
||||||
|
gotosocial_config_host: social.example.party
|
||||||
|
gotosocial_config_account_domain: ~
|
||||||
|
|
||||||
|
# listening / revproxy configuration
|
||||||
|
gotosocial_config_protocol: https
|
||||||
|
gotosocial_config_bind_address: 127.0.0.1
|
||||||
|
gotosocial_config_port: 8080
|
||||||
|
gotosocial_config_trusted_proxies: []
|
||||||
|
|
||||||
|
# database configuration
|
||||||
|
gotosocial_config_db_type: postgres
|
||||||
|
gotosocial_config_db_address: ~
|
||||||
|
gotosocial_config_db_port: ~
|
||||||
|
gotosocial_config_db_user: ~
|
||||||
|
gotosocial_config_db_password: ~
|
||||||
|
gotosocial_config_db_database: gotosocial
|
||||||
|
gotosocial_config_db_tls_mode: enable
|
||||||
|
gotosocial_config_db_tls_ca_cert:
|
||||||
|
|
||||||
|
gotosocial_config_web_template_base_dir: "{{ gotosocial_template_path }}"
|
||||||
|
gotosocial_config_web_asset_base_dir: "{{ gotosocial_asset_path }}"
|
||||||
|
|
||||||
|
# instance privacy
|
||||||
|
gotosocial_config_instance_expose_peers: false
|
||||||
|
gotosocial_config_expose_suspended: false
|
||||||
|
|
||||||
|
# account config
|
||||||
|
gotosocial_config_acounts_registration_open: true
|
||||||
|
gotosocial_config_accounts_approval_required: true
|
||||||
|
gotosocial_config_accounts_reason_required: true
|
||||||
|
|
||||||
|
# media config
|
||||||
|
gotosocial_config_media_image_max_size_bytes: 2097152 #2MB
|
||||||
|
gotosocial_config_media_video_max_size_bytes: 10485760 #10MB
|
||||||
|
gotosocial_config_media_description_min_chars: 0
|
||||||
|
gotosocial_config_media_description_max_chars: 1000
|
||||||
|
gotosocial_config_media_remote_cache_days: 30
|
||||||
|
|
||||||
|
# storage for media etc
|
||||||
|
gotosocial_config_storage_backend: local
|
||||||
|
gotosocial_config_storage_local_base_path: "{{ gotosocial_storage_path }}"
|
||||||
|
|
||||||
|
# status config
|
||||||
|
gotosocial_config_statuses_max_chars: 5000
|
||||||
|
gotosocial_config_statuses_cw_max_chars: 100
|
||||||
|
gotosocial_config_statuses_poll_max_options: 6
|
||||||
|
gotosocial_config_statuses_poll_option_max_chars: 50
|
||||||
|
gotosocial_config_statuses_media_max_files: 30
|
||||||
|
|
||||||
|
# letsencrypt config
|
||||||
|
gotosocial_config_letsencrypt_enabled: false
|
||||||
|
gotosocial_config_letsencrypt_port: 80
|
||||||
|
gotosocial_config_letsencrypt_cert_dir: "{{ gotosocial_cert_path }}"
|
||||||
|
gotosocial_config_letsencrypt_email_address: ~
|
||||||
|
|
||||||
|
# oidc config
|
||||||
|
gotosocial_config_oidc_enabled: false
|
||||||
|
gotosocial_config_oidc_idp_name: ~
|
||||||
|
gotosocial_config_oidc_skip_verification: false
|
||||||
|
gotosocial_config_oidc_issuer: ~
|
||||||
|
gotosocial_config_oidc_client_id: ~
|
||||||
|
gotosocial_config_oidc_client_secret: ~
|
||||||
|
gotosocial_config_oidc_scopes:
|
||||||
|
- openid
|
||||||
|
- email
|
||||||
|
- profile
|
||||||
|
|
||||||
|
# smtp config
|
||||||
|
gotosocial_config_smtp_host: ~
|
||||||
|
gotosocial_config_smtp_port: ~
|
||||||
|
gotosocial_config_smtp_username: ~
|
||||||
|
gotosocial_config_smtp_password: ~
|
||||||
|
gotosocial_config_smtp_from: ~
|
||||||
|
|
||||||
|
# syslog config
|
||||||
|
gotosocial_config_syslog_enabled: false
|
||||||
|
gotosocial_config_syslog_protocol: udp
|
||||||
|
gotosocial_config_syslog_address: "localhost:514"
|
||||||
|
|
||||||
|
# advanced config:
|
||||||
|
gotosocial_config_advanced_cookies_samesite: lax
|
||||||
|
|
||||||
|
# container defaults
|
||||||
|
gotosocial_container_name: gotosocial
|
||||||
|
gotosocial_container_image_name: docker.io/superseriousbusiness/gotosocial
|
||||||
|
gotosocial_container_image_tag: ~
|
||||||
|
gotosocial_container_image: >-2
|
||||||
|
{{ gotosocial_container_image_name }}:{{ gotoscial_container_image_tag
|
||||||
|
| default(gotosocial_version) }}
|
||||||
|
gotosocial_container_volumes: >-2
|
||||||
|
{{ gotosocial_container_default_volumes
|
||||||
|
+ gotosocial_container_extra_volumes }}
|
||||||
|
gotosocial_container_default_volumes:
|
||||||
|
- "{{ gotosocial_config_file }}:/gotosocial/config.yaml:ro"
|
||||||
|
- "{{ gotosocial_storage_path }}:/gotosocial/storage:z"
|
||||||
|
- "{{ gotosocial_template_path }}:/gotosocial/web/templates:ro"
|
||||||
|
gotosocial_container_extra_volumes: []
|
||||||
|
|
||||||
|
gotosocial_container_env: {}
|
||||||
|
gotosocial_container_labels: {}
|
||||||
|
gotosocial_container_user: "{{ gotosocial_user }}"
|
||||||
|
gotosocial_container_etc_hosts: ~
|
||||||
|
gotosocial_container_networks: ~
|
||||||
|
gotosocial_container_purge_networks: false
|
||||||
|
gotosocial_container_restart_policy: unless-stopped
|
||||||
|
gotosocial_container_entrypoint:
|
||||||
|
- "/gotosocial/gotosocial"
|
||||||
|
- "--config-path"
|
||||||
|
- "config.yaml"
|
||||||
|
- "server"
|
||||||
|
- "start"
|
||||||
|
|
8
roles/gotosocial/handlers/main.yml
Normal file
8
roles/gotosocial/handlers/main.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Restart gotosocial
|
||||||
|
listen: restart-gotosocial
|
||||||
|
docker_container:
|
||||||
|
name: "{{ gotosocial_container_name }}"
|
||||||
|
state: started
|
||||||
|
restart: true
|
65
roles/gotosocial/tasks/main.yml
Normal file
65
roles/gotosocial/tasks/main.yml
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure user {{ gotosocial_user }} is present
|
||||||
|
user:
|
||||||
|
name: "{{ gotosocial_user }}"
|
||||||
|
system: true
|
||||||
|
state: present
|
||||||
|
register: gotosocial_user_info
|
||||||
|
|
||||||
|
- name: Ensure host directories for mounts are present
|
||||||
|
file:
|
||||||
|
path: "{{ path.name }}"
|
||||||
|
state: directory
|
||||||
|
owner: >-
|
||||||
|
{{ path.owner | default(gotosocial_user_info.uid | default(gotosocial_user)) }}
|
||||||
|
group: >-
|
||||||
|
{{ path.group | default(gotosocial_user_info.group | default(gotosocial_user)) }}
|
||||||
|
mode: "{{ path.mode | default('0750') }}"
|
||||||
|
loop:
|
||||||
|
- name: "{{ gotosocial_base_path }}"
|
||||||
|
- name: "{{ gotosocial_config_path }}"
|
||||||
|
- name: "{{ gotosocial_storage_path }}"
|
||||||
|
- name: "{{ gotosocial_template_path }}"
|
||||||
|
- name: "{{ gotosocial_asset_path }}"
|
||||||
|
mode: '0770'
|
||||||
|
loop_control:
|
||||||
|
loop_var: path
|
||||||
|
label: "{{ path.name }}"
|
||||||
|
|
||||||
|
- name: Ensure configuration is up to date
|
||||||
|
copy:
|
||||||
|
content: "{{ gotosocial_config | to_nice_yaml(indent=2, width=10000) }}"
|
||||||
|
dest: "{{ gotosocial_config_file }}"
|
||||||
|
owner: "{{ gotosocial_user_info.uid | default(gotosocial_user) }}"
|
||||||
|
group: "{{ gotosocial_user_info.group | default(gotosocial_user) }}"
|
||||||
|
mode: 0640
|
||||||
|
notify: restart-gotosocial
|
||||||
|
|
||||||
|
- name: Ensure container image is available
|
||||||
|
docker_image:
|
||||||
|
name: "{{ gotosocial_container_image }}"
|
||||||
|
state: present
|
||||||
|
source: pull
|
||||||
|
force_source: >-
|
||||||
|
{{ gotosocial_container_image_force_pull
|
||||||
|
| default(gotoscial_container_image_tag | default(true, true)) }}
|
||||||
|
register: gotosocial_container_image_pull_status
|
||||||
|
until: gotosocial_container_image_pull_status is succeeded
|
||||||
|
retries: 5
|
||||||
|
delay: 3
|
||||||
|
|
||||||
|
- name: Ensure gotosocial container named {{ gotosocial_container_name }} is running
|
||||||
|
docker_container:
|
||||||
|
name: "{{ gotosocial_container_name }}"
|
||||||
|
image: "{{ gotosocial_container_image }}"
|
||||||
|
volumes: "{{ gotosocial_container_volumes }}"
|
||||||
|
env: "{{ gotosocial_container_env | default(omit, True) }}"
|
||||||
|
ports: "{{ gotosocial_container_ports | default(omit, True) }}"
|
||||||
|
labels: "{{ gotosocial_container_labels | default(omit, True) }}"
|
||||||
|
networks: "{{ gotosocial_container_networks | default(omit, True) }}"
|
||||||
|
etc_hosts: "{{ gotosocial_container_etc_hosts | default(omit, True) }}"
|
||||||
|
purge_networks: "{{ gotosocial_container_purge_networks | default(False, True) }}"
|
||||||
|
restart_policy: "{{ gotosocial_container_restart_policy }}"
|
||||||
|
entrypoint: "{{ gotosocial_container_entrypoint }}"
|
||||||
|
state: started
|
59
roles/gotosocial/vars/main.yml
Normal file
59
roles/gotosocial/vars/main.yml
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
gotosocial_default_config:
|
||||||
|
log-level: "{{ gotosocial_config_log_level }}"
|
||||||
|
log-db-queries: "{{ gotosocial_config_log_db_queries }}"
|
||||||
|
application-name: gotosocial
|
||||||
|
host: "{{ gotosocial_config_host }}"
|
||||||
|
account-domain: "{{ gotosocial_config_account_domain }}"
|
||||||
|
protocol: "{{ gotosocial_config_protocol }}"
|
||||||
|
bind-address: "{{ gotosocial_config_bind_address }}"
|
||||||
|
port: "{{ gotosocial_config_port }}"
|
||||||
|
trusted-proxies: "{{ gotosocial_config_trusted_proxies }}"
|
||||||
|
db-type: "{{ gotosocial_config_db_type }}"
|
||||||
|
db-address: "{{ gotosocial_config_db_address }}"
|
||||||
|
db-port: "{{ gotosocial_config_db_port }}"
|
||||||
|
db-user: "{{ gotosocial_config_db_user }}"
|
||||||
|
db-password: "{{ gotosocial_config_db_password }}"
|
||||||
|
db-database: "{{ gotosocial_config_db_database }}"
|
||||||
|
db-tls-mode: "{{ gotosocial_config_db_tls_mode }}"
|
||||||
|
db-tls-ca-cert: "{{ gotosocial_config_db_tls_ca_cert }}"
|
||||||
|
web-template-base-dir: "{{ gotosocial_config_web_template_base_dir }}"
|
||||||
|
web-asset-base-dir: "{{ gotosocial_config_web_asset_base_dir }}"
|
||||||
|
instance-expose-peer: "{{ gotosocial_config_instance_expose_peers }}"
|
||||||
|
instance-expose-suspended: "{{ gotosocial_config_expose_suspended }}"
|
||||||
|
accounts-registration-open: "{{ gotosocial_config_acounts_registration_open }}"
|
||||||
|
accounts-approval-required: "{{ gotosocial_config_accounts_approval_required }}"
|
||||||
|
accounts-reason-required: "{{ gotosocial_config_accounts_reason_required }}"
|
||||||
|
media-image-max-size: "{{ gotosocial_config_media_image_max_size_bytes }}"
|
||||||
|
media-video-max-size: "{{ gotosocial_config_media_video_max_size_bytes }}"
|
||||||
|
media-description-min-chars: "{{ gotosocial_config_media_description_min_chars }}"
|
||||||
|
media-description-max-chars: "{{ gotosocial_config_media_description_max_chars }}"
|
||||||
|
media-remote-cache-days: "{{ gotosocial_config_media_remote_cache_days }}"
|
||||||
|
storage-backend: "{{ gotosocial_config_storage_backend }}"
|
||||||
|
storage-local-base-path: "{{ gotosocial_config_storage_local_base_path }}"
|
||||||
|
statuses-max-chars: "{{ gotosocial_config_statuses_max_chars }}"
|
||||||
|
statuses-cw-max-chars: "{{ gotosocial_config_statuses_cw_max_chars }}"
|
||||||
|
statuses-poll-max-options: "{{ gotosocial_config_statuses_poll_max_options }}"
|
||||||
|
statuses-poll-option-max-chars: "{{ gotosocial_config_statuses_poll_option_max_chars }}"
|
||||||
|
statuses-media-max-files: "{{ gotosocial_config_statuses_media_max_files }}"
|
||||||
|
letsencrypt-enabled: "{{ gotosocial_config_letsencrypt_enabled }}"
|
||||||
|
letsencrypt-port: "{{ gotosocial_config_letsencrypt_port }}"
|
||||||
|
letsencrypt-cert-dir: "{{ gotosocial_config_letsencrypt_cert_dir }}"
|
||||||
|
letsencrypt-email-address: "{{ gotosocial_config_letsencrypt_email_address }}"
|
||||||
|
oidc-enabled: "{{ gotosocial_config_oidc_enabled }}"
|
||||||
|
oidc-idp-name: "{{ gotosocial_config_oidc_idp_name }}"
|
||||||
|
oidc-skip-verification: "{{ gotosocial_config_oidc_skip_verification }}"
|
||||||
|
oidc-issuer: "{{ gotosocial_config_oidc_issuer }}"
|
||||||
|
oidc-client-id: "{{ gotosocial_config_oidc_client_id }}"
|
||||||
|
oidc-client-secret: "{{ gotosocial_config_oidc_client_secret }}"
|
||||||
|
oidc-scopes: "{{ gotosocial_config_oidc_scopes }}"
|
||||||
|
smtp-host: "{{ gotosocial_config_smtp_host }}"
|
||||||
|
smtp-port: "{{ gotosocial_config_smtp_port }}"
|
||||||
|
smtp-username: "{{ gotosocial_config_smtp_username }}"
|
||||||
|
smtp-password: "{{ gotosocial_config_smtp_password }}"
|
||||||
|
smtp-from: "{{ gotosocial_config_smtp_from }}"
|
||||||
|
syslog-enabled: "{{ gotosocial_config_syslog_enabled }}"
|
||||||
|
syslog-protocol: "{{ gotosocial_config_syslog_protocol }}"
|
||||||
|
syslog-address: "{{ gotosocial_config_syslog_address }}"
|
||||||
|
advanced-cookies-samesite: "{{ gotosocial_config_advanced_cookies_samesite }}"
|
65
roles/mastodon/README.md
Normal file
65
roles/mastodon/README.md
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
# `finallycoffee.fediverse.mastodon` ansible role
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
This role aims to automate as much as possible with running a docker container
|
||||||
|
based mastodon setup. It provides you with the streaming container, sidekiq and
|
||||||
|
web (api) as well an nginx routing the application traffic.
|
||||||
|
|
||||||
|
You need to provide a postgresql database, the redis server, optionally an
|
||||||
|
elasticsearch instance and the mail server. Roles providing components are linked,
|
||||||
|
if applicable.
|
||||||
|
|
||||||
|
### Usage
|
||||||
|
|
||||||
|
The minimum configuration could be as follows:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
mastodon_domain: finally.coffee
|
||||||
|
# Optional, if you want to host your frontend + api somewhere else
|
||||||
|
mastodon_web_domain: frontend.some.website
|
||||||
|
|
||||||
|
# you need to provide and manage the following secrets
|
||||||
|
mastodon_secret_key: very_long_secret
|
||||||
|
mastodon_otp_secret: also_very_long_secret
|
||||||
|
mastodon_vapid_public_key: check_mastodon_docs_for_this
|
||||||
|
mastodon_vapid_private_key: see_above
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Database
|
||||||
|
|
||||||
|
The database configuration is as follows:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
mastodon_database_host: postgres.local
|
||||||
|
mastodon_database_port: 5432 #optional, defaults to this
|
||||||
|
mastodon_database_user: mastodont
|
||||||
|
mastodon_database_pass: hopefully_secure
|
||||||
|
mastodon_database_name: mastodon
|
||||||
|
```
|
||||||
|
|
||||||
|
For seeding the database during initial deployment, you need to set
|
||||||
|
`mastodon_seed_database: true` exactly once (when it succeeds).
|
||||||
|
|
||||||
|
### Redis
|
||||||
|
|
||||||
|
As of writing this, it seems that atleast one component of mastodon can't
|
||||||
|
deal with a password for redis, leading to the need to run redis without
|
||||||
|
authentification for all components:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
mastodon_redis_url: unix:///var/run/redis/mastodon.sock
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Mail
|
||||||
|
|
||||||
|
The mail server for verifications and notifications can be configured as followed:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
mastodon_mail_server: mail.example.org
|
||||||
|
mastodon_mail_user: mailuser@mydomain.org
|
||||||
|
mastodon_mail_password: very_secure_password_for_mailing_account
|
||||||
|
```
|
||||||
|
|
||||||
|
For further Configuration, see [`defaults/main.yml`](defaults/main.yml) to
|
||||||
|
override further keys for configuration
|
133
roles/mastodon/defaults/main.yml
Normal file
133
roles/mastodon/defaults/main.yml
Normal file
@ -0,0 +1,133 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
mastodon_user: mastodon
|
||||||
|
mastodon_base_path: /opt/mastodon
|
||||||
|
mastodon_domain: ~
|
||||||
|
mastodon_web_domain: ~
|
||||||
|
mastodon_version: 3.5.1
|
||||||
|
mastodon_git_upstream_url: "https://github.com/mastodon/mastodon.git"
|
||||||
|
|
||||||
|
mastodon_data_path: "{{ mastodon_base_path }}/data"
|
||||||
|
mastodon_repo_path: "{{ mastodon_base_path }}/src"
|
||||||
|
mastodon_config_path: "{{ mastodon_base_path }}/config"
|
||||||
|
mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
|
||||||
|
mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
|
||||||
|
mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
|
||||||
|
mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
|
||||||
|
mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
|
||||||
|
mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
|
||||||
|
|
||||||
|
mastodon_container_bind_ip: "127.0.0.1"
|
||||||
|
mastodon_streaming_backend: "{{ mastodon_container_bind_ip }}:4000"
|
||||||
|
mastodon_api_backend: "{{ mastodon_container_bind_ip }}:3000"
|
||||||
|
mastodon_backend: "{{ mastodon_container_bind_ip }}:5000"
|
||||||
|
|
||||||
|
mastodon_container_name: mastodon
|
||||||
|
mastodon_container_name_sidekiq: "{{ mastodon_container_name }}_sidekiq"
|
||||||
|
mastodon_container_name_streaming: "{{ mastodon_container_name }}_streaming"
|
||||||
|
mastodon_container_image_name: "tootsuite/mastodon"
|
||||||
|
mastodon_container_image_tag: "v{{ mastodon_version }}"
|
||||||
|
mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_container_image_tag }}"
|
||||||
|
mastodon_container_networks:
|
||||||
|
- name: "{{ mastodon_container_network_name }}"
|
||||||
|
|
||||||
|
mastodon_container_base_volumes_streaming:
|
||||||
|
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
|
||||||
|
- "{{ mastodon_config_group_file }}:/etc/group:ro"
|
||||||
|
mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
|
||||||
|
mastodon_container_volumes_streaming: >-
|
||||||
|
{{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
|
||||||
|
|
||||||
|
mastodon_container_base_volumes_sidekiq:
|
||||||
|
- "{{ mastodon_repo_path }}/public/system:/mastodon/public/system:ro"
|
||||||
|
mastodon_container_extra_volumes_sidekiq: "{{ mastodon_container_extra_volumes }}"
|
||||||
|
mastodon_container_volumes_sidekiq: >-
|
||||||
|
{{ mastodon_container_base_volumes_sidekiq + mastodon_container_extra_volumes_sidekiq }}
|
||||||
|
|
||||||
|
mastodon_container_base_volumes:
|
||||||
|
- "{{ mastodon_repo_path }}/public:/mastodon/public:z"
|
||||||
|
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
|
||||||
|
- "{{ mastodon_config_group_file }}:/etc/group:ro"
|
||||||
|
mastodon_container_extra_volumes: []
|
||||||
|
mastodon_container_volumes: >-
|
||||||
|
{{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
|
||||||
|
|
||||||
|
mastodon_container_ports_streaming:
|
||||||
|
- "{{ mastodon_streaming_backend }}:4000"
|
||||||
|
mastodon_container_ports:
|
||||||
|
- "{{ mastodon_api_backend }}:3000"
|
||||||
|
mastodon_container_restart_policy: unless-stopped
|
||||||
|
|
||||||
|
mastodon_nginx_version: 1.21.6
|
||||||
|
mastodon_nginx_server_name: "{{ mastodon_domain }}"
|
||||||
|
mastodon_container_nginx_name: "{{ mastodon_container_name }}_nginx"
|
||||||
|
mastodon_container_nginx_image_name: docker.io/library/nginx
|
||||||
|
mastodon_container_nginx_image_tag: ~
|
||||||
|
mastodon_container_nginx_image_flavour: alpine
|
||||||
|
mastodon_container_nginx_image: >-2
|
||||||
|
{{ mastodon_container_nginx_image_name }}:{{ mastodon_container_nginx_image_tag
|
||||||
|
| default(mastodon_nginx_version + ('-' + mastodon_container_nginx_image_flavour if mastodon_container_nginx_image_flavour else ''), True) }}
|
||||||
|
mastodon_container_nginx_working_directory: "/var/www/mastodon"
|
||||||
|
mastodon_container_nginx_cache_directory: "/var/cache/nginx"
|
||||||
|
mastodon_container_volumes_nginx:
|
||||||
|
- "{{ mastodon_nginx_config_file }}:/etc/nginx/conf.d/default.conf:ro"
|
||||||
|
- "{{ mastodon_repo_path }}/public:{{ mastodon_container_nginx_working_directory }}:ro"
|
||||||
|
- "{{ mastodon_nginx_cache_path }}:{{ mastodon_container_nginx_cache_directory }}:z"
|
||||||
|
|
||||||
|
mastodon_container_network_name: mastodon
|
||||||
|
|
||||||
|
mastodon_secret_key: ~
|
||||||
|
mastodon_otp_secret: ~
|
||||||
|
mastodon_vapid_public_key: ~
|
||||||
|
mastodon_vapid_private_key: ~
|
||||||
|
|
||||||
|
mastodon_redis_host: ~
|
||||||
|
mastodon_redis_port: ~
|
||||||
|
mastodon_redis_url: ~
|
||||||
|
mastodon_redis_password: ~
|
||||||
|
mastodon_redis_db_index: ~
|
||||||
|
|
||||||
|
mastodon_database_host: localhost
|
||||||
|
mastodon_database_port: 5432
|
||||||
|
mastodon_database_user: mastodon
|
||||||
|
mastodon_database_pass: ~
|
||||||
|
mastodon_database_name: mastodon
|
||||||
|
|
||||||
|
mastodon_mail_server: ~
|
||||||
|
mastodon_mail_port: 587
|
||||||
|
mastodon_mail_user: ~
|
||||||
|
mastodon_mail_password: ~
|
||||||
|
mastodon_mail_from_address: "notifications@{{ mastodon_domain }}"
|
||||||
|
|
||||||
|
mastodon_elasticsearch_enabled: false
|
||||||
|
mastodon_elasticsearch_host: ~
|
||||||
|
mastodon_elasticsearch_port: ~
|
||||||
|
mastodon_elasticsearch_user: ~
|
||||||
|
mastodon_elasticsearch_pass: ~
|
||||||
|
|
||||||
|
mastodon_s3_enabled: false
|
||||||
|
mastodon_s3_bucket: ~
|
||||||
|
mastodon_s3_aws_access_key_id: ~
|
||||||
|
mastodon_s3_aws_secret_access_key: ~
|
||||||
|
mastodon_s3_alias_host: ~
|
||||||
|
|
||||||
|
mastodon_oidc_enabled: false
|
||||||
|
mastodon_oidc_issuer_url: ~
|
||||||
|
mastodon_oidc_discovery: true
|
||||||
|
mastodon_oidc_scope: openid,profile
|
||||||
|
mastodon_oidc_client_id: ~
|
||||||
|
mastodon_oidc_client_secret: ~
|
||||||
|
mastodon_oidc_client_auth_method: basic
|
||||||
|
mastodon_oidc_response_mode: query
|
||||||
|
mastodon_oidc_response_type: code
|
||||||
|
mastodon_oidc_prompt: ~
|
||||||
|
mastodon_oidc_display_name: My IDP
|
||||||
|
mastodon_oidc_auth_endpoint: ~
|
||||||
|
mastodon_oidc_token_endpoint: ~
|
||||||
|
mastodon_oidc_user_info_endpoint: ~
|
||||||
|
mastodon_oidc_end_session_endpoint: ~
|
||||||
|
mastodon_oidc_jwks_uri:
|
||||||
|
mastodon_oidc_redirect_uri:
|
||||||
|
mastodon_oidc_idp_logout_redirect_uri: ~
|
||||||
|
mastodon_oidc_uid_field: preferred_username
|
||||||
|
mastodon_oidc_security_assume_email_is_verified: false
|
33
roles/mastodon/handlers/main.yml
Normal file
33
roles/mastodon/handlers/main.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Restart mastodon sidekiq
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_name_sidekiq }}"
|
||||||
|
state: started
|
||||||
|
restart: true
|
||||||
|
listen:
|
||||||
|
- restart-mastodon
|
||||||
|
- restart-mastodon-sidekiq
|
||||||
|
|
||||||
|
- name: Restart mastodon streaming
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_name_streaming }}"
|
||||||
|
state: started
|
||||||
|
restart: true
|
||||||
|
listen:
|
||||||
|
- restart-mastodon
|
||||||
|
- restart-mastodon-streaming
|
||||||
|
|
||||||
|
- name: Restart mastodon web
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_name }}"
|
||||||
|
state: started
|
||||||
|
restart: true
|
||||||
|
listen: restart-mastodon
|
||||||
|
|
||||||
|
- name: Restart mastodon nginx
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_nginx_name }}"
|
||||||
|
state: started
|
||||||
|
restart: true
|
||||||
|
listen: restart-mastodon-nginx
|
198
roles/mastodon/tasks/main.yml
Normal file
198
roles/mastodon/tasks/main.yml
Normal file
@ -0,0 +1,198 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure mastodon user '{{ mastodon_user }}' exists
|
||||||
|
user:
|
||||||
|
name: "{{ mastodon_user }}"
|
||||||
|
state: present
|
||||||
|
system: true
|
||||||
|
register: mastodon_user_info
|
||||||
|
|
||||||
|
- name: Ensure host directories are present
|
||||||
|
file:
|
||||||
|
path: "{{ item.path }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ item.owner | default(mastodon_user) }}"
|
||||||
|
group: "{{ item.group | default(mastodon_user) }}"
|
||||||
|
mode: "{{ item.mode | default('0750') }}"
|
||||||
|
loop:
|
||||||
|
- path: "{{ mastodon_base_path }}"
|
||||||
|
mode: '0755'
|
||||||
|
- path: "{{ mastodon_config_path }}"
|
||||||
|
- path: "{{ mastodon_data_path }}"
|
||||||
|
- path: "{{ mastodon_repo_path }}"
|
||||||
|
mode: '0700'
|
||||||
|
- path: "{{ mastodon_nginx_config_path }}"
|
||||||
|
- path: "{{ mastodon_nginx_cache_path }}"
|
||||||
|
loop_control: { label: "{{ item.path }}" }
|
||||||
|
|
||||||
|
- name: Ensure environment file is templated
|
||||||
|
template:
|
||||||
|
src: env.j2
|
||||||
|
dest: "{{ mastodon_config_env_file }}"
|
||||||
|
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||||
|
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||||
|
mode: "0640"
|
||||||
|
notify: restart-mastodon
|
||||||
|
|
||||||
|
- name: Ensure reverse proxy configuration is templated
|
||||||
|
template:
|
||||||
|
src: nginx.conf.j2
|
||||||
|
dest: "{{ mastodon_nginx_config_file }}"
|
||||||
|
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||||
|
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||||
|
mode: "0640"
|
||||||
|
notify: restart-mastodon-nginx
|
||||||
|
|
||||||
|
- name: Ensure fake passwd file is templated
|
||||||
|
template:
|
||||||
|
src: passwd.j2
|
||||||
|
dest: "{{ mastodon_config_passwd_file }}"
|
||||||
|
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||||
|
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart-mastodon
|
||||||
|
|
||||||
|
- name: Ensure fake passwd file is templated
|
||||||
|
template:
|
||||||
|
src: group.j2
|
||||||
|
dest: "{{ mastodon_config_group_file }}"
|
||||||
|
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||||
|
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart-mastodon
|
||||||
|
|
||||||
|
- name: Ensure mastodon git repository is present and up-to-date
|
||||||
|
git:
|
||||||
|
repo: "{{ mastodon_git_upstream_url }}"
|
||||||
|
dest: "{{ mastodon_repo_path }}"
|
||||||
|
refspec: "v{{ mastodon_version }}"
|
||||||
|
version: "v{{ mastodon_version }}"
|
||||||
|
force: no
|
||||||
|
recursive: yes
|
||||||
|
track_submodules: yes
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ mastodon_user }}"
|
||||||
|
register: git_repo_info
|
||||||
|
|
||||||
|
- name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
|
||||||
|
file:
|
||||||
|
path: "{{ mastodon_repo_path }}"
|
||||||
|
state: directory
|
||||||
|
recurse: yes
|
||||||
|
owner: "{{ mastodon_user }}"
|
||||||
|
group: "{{ mastodon_user }}"
|
||||||
|
|
||||||
|
- name: Ensure docker network for backend communication is created
|
||||||
|
docker_network:
|
||||||
|
name: "{{ mastodon_container_network_name }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Ensure mastodon docker image is built
|
||||||
|
docker_image:
|
||||||
|
name: "{{ mastodon_container_image_name }}"
|
||||||
|
tag: "{{ mastodon_container_image_tag }}"
|
||||||
|
state: present
|
||||||
|
source: build
|
||||||
|
build:
|
||||||
|
path: "{{ mastodon_repo_path }}"
|
||||||
|
args:
|
||||||
|
UID: "{{ mastodon_user_info.uid }}"
|
||||||
|
GID: "{{ mastodon_user_info.group }}"
|
||||||
|
when: git_repo_info.before != git_repo_info.after
|
||||||
|
|
||||||
|
- name: Ensure nginx reverse proxy image is present
|
||||||
|
docker_image:
|
||||||
|
name: "{{ mastodon_container_nginx_image }}"
|
||||||
|
state: present
|
||||||
|
source: pull
|
||||||
|
force_source: "{{ mastodon_container_nginx_image_tag|default(false, true) | bool }}"
|
||||||
|
register: masto_nginx_pull
|
||||||
|
until: masto_nginx_pull is succeeded
|
||||||
|
retries: 5
|
||||||
|
delay: 3
|
||||||
|
|
||||||
|
- name: Ensure database is seeded
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_name }}_setup_db"
|
||||||
|
image: "{{ mastodon_container_image_ref }}"
|
||||||
|
networks: "{{ mastodon_container_networks }}"
|
||||||
|
volumes: "{{ mastodon_container_volumes }}"
|
||||||
|
env_file: "{{ mastodon_config_env_file }}"
|
||||||
|
command: "bash -c \"bundle exec rails db:setup\""
|
||||||
|
tty: yes
|
||||||
|
interactive: yes
|
||||||
|
detach: no
|
||||||
|
cleanup: yes
|
||||||
|
when: mastodon_seed_database|default(false, true)
|
||||||
|
|
||||||
|
- name: Ensure mastodon sidekiq container '{{ mastodon_container_name_sidekiq }}' is running
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_name_sidekiq }}"
|
||||||
|
image: "{{ mastodon_container_image_ref }}"
|
||||||
|
networks: "{{ mastodon_container_networks }}"
|
||||||
|
volumes: "{{ mastodon_container_volumes_sidekiq }}"
|
||||||
|
env_file: "{{ mastodon_config_env_file }}"
|
||||||
|
command: "bundle exec sidekiq"
|
||||||
|
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "ps aux | grep '[s]idekiq\ 6' || false"]
|
||||||
|
interval: 5s
|
||||||
|
retries: 3
|
||||||
|
start_period: 0s
|
||||||
|
timeout: 5s
|
||||||
|
|
||||||
|
- name: Ensure mastodon streaming container '{{ mastodon_container_name_streaming }}' is running
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_name_streaming }}"
|
||||||
|
image: "{{ mastodon_container_image_ref }}"
|
||||||
|
networks: "{{ mastodon_container_networks }}"
|
||||||
|
volumes: "{{ mastodon_container_volumes_streaming }}"
|
||||||
|
env_file: "{{ mastodon_config_env_file }}"
|
||||||
|
command: "node ./streaming"
|
||||||
|
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||||
|
ports: "{{ mastodon_container_ports_streaming }}"
|
||||||
|
user: "{{ mastodon_user }}"
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
|
||||||
|
interval: 5s
|
||||||
|
retries: 3
|
||||||
|
start_period: 0s
|
||||||
|
timeout: 5s
|
||||||
|
|
||||||
|
- name: Ensure mastodon container '{{ mastodon_container_name }}' is running
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_name }}"
|
||||||
|
image: "{{ mastodon_container_image_ref }}"
|
||||||
|
networks: "{{ mastodon_container_networks }}"
|
||||||
|
volumes: "{{ mastodon_container_volumes }}"
|
||||||
|
env_file: "{{ mastodon_config_env_file }}"
|
||||||
|
command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
|
||||||
|
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||||
|
ports: "{{ mastodon_container_ports }}"
|
||||||
|
user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
|
||||||
|
interval: 5s
|
||||||
|
retries: 3
|
||||||
|
start_period: 0s
|
||||||
|
timeout: 5s
|
||||||
|
|
||||||
|
- name: Ensure container paths belong to the mastodon user
|
||||||
|
community.docker.docker_container_exec:
|
||||||
|
container: "{{ mastodon_container_name }}"
|
||||||
|
command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
|
||||||
|
user: "0"
|
||||||
|
|
||||||
|
- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mastodon_container_nginx_name }}"
|
||||||
|
image: "{{ mastodon_container_nginx_image }}"
|
||||||
|
network_mode: host
|
||||||
|
volumes: "{{ mastodon_container_volumes_nginx }}"
|
||||||
|
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||||
|
|
||||||
|
- name: Ensure assets are precompiled
|
||||||
|
community.docker.docker_container_exec:
|
||||||
|
container: "{{ mastodon_container_name }}"
|
||||||
|
command: "bundle exec rails assets:precompile"
|
||||||
|
when: git_repo_info.before != git_repo_info.after
|
128
roles/mastodon/templates/env.j2
Normal file
128
roles/mastodon/templates/env.j2
Normal file
@ -0,0 +1,128 @@
|
|||||||
|
# This is a sample configuration file. You can generate your configuration
|
||||||
|
# with the `rake mastodon:setup` interactive setup wizard, but to customize
|
||||||
|
# your setup even further, you'll need to edit it manually. This sample does
|
||||||
|
# not demonstrate all available configuration options. Please look at
|
||||||
|
# https://docs.joinmastodon.org/admin/config/ for the full documentation.
|
||||||
|
|
||||||
|
# Note that this file accepts slightly different syntax depending on whether
|
||||||
|
# you are using `docker-compose` or not. In particular, if you use
|
||||||
|
# `docker-compose`, the value of each declared variable will be taken verbatim,
|
||||||
|
# including surrounding quotes.
|
||||||
|
# See: https://github.com/mastodon/mastodon/issues/16895
|
||||||
|
|
||||||
|
# Federation
|
||||||
|
# ----------
|
||||||
|
# This identifies your server and cannot be changed safely later
|
||||||
|
# ----------
|
||||||
|
LOCAL_DOMAIN={{ mastodon_domain }}
|
||||||
|
{% if mastodon_web_domain|default(false, true) %}
|
||||||
|
WEB_DOMAIN={{ mastodon_web_domain }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# Redis
|
||||||
|
# -----
|
||||||
|
{% if mastodon_redis_host|default(false, true) %}
|
||||||
|
REDIS_HOST={{ mastodon_redis_host }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_redis_port|default(false, true) %}
|
||||||
|
REDIS_PORT={{ mastodon_redis_port }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_redis_url %}
|
||||||
|
REDIS_URL={{ mastodon_redis_url }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_redis_password %}
|
||||||
|
REDIS_PASSWORD={{ mastodon_redis_password }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_redis_db_index %}
|
||||||
|
REDIS_DB_INDEX={{ mastodon_redis_db_index }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# PostgreSQL
|
||||||
|
# ----------
|
||||||
|
DB_HOST={{ mastodon_database_host }}
|
||||||
|
DB_USER={{ mastodon_database_user }}
|
||||||
|
DB_NAME={{ mastodon_database_name }}
|
||||||
|
DB_PASS={{ mastodon_database_pass }}
|
||||||
|
DB_PORT={{ mastodon_database_port }}
|
||||||
|
|
||||||
|
# Elasticsearch (optional)
|
||||||
|
# ------------------------
|
||||||
|
ES_ENABLED={{ mastodon_elasticsearch_enabled }}
|
||||||
|
ES_HOST={{ mastodon_elasticsearch_host }}
|
||||||
|
ES_PORT={{ mastodon_elasticsearch_port }}
|
||||||
|
# Authentication for ES (optional)
|
||||||
|
{% if mastodon_elasticsearch_user %}
|
||||||
|
ES_USER={{ mastodon_elasticsearch_user }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_elasticsearch_pass %}
|
||||||
|
ES_PASS={{ mastodon_elasticsearch_pass }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# Secrets
|
||||||
|
# -------
|
||||||
|
# Make sure to use `rake secret` to generate secrets
|
||||||
|
# -------
|
||||||
|
SECRET_KEY_BASE={{ mastodon_secret_key }}
|
||||||
|
OTP_SECRET={{ mastodon_otp_secret }}
|
||||||
|
|
||||||
|
# Web Push
|
||||||
|
# --------
|
||||||
|
# Generate with `rake mastodon:webpush:generate_vapid_key`
|
||||||
|
# --------
|
||||||
|
VAPID_PRIVATE_KEY={{ mastodon_vapid_private_key }}
|
||||||
|
VAPID_PUBLIC_KEY={{ mastodon_vapid_public_key }}
|
||||||
|
|
||||||
|
# Sending mail
|
||||||
|
# ------------
|
||||||
|
SMTP_SERVER={{ mastodon_mail_server }}
|
||||||
|
SMTP_PORT={{ mastodon_mail_port }}
|
||||||
|
SMTP_LOGIN={{ mastodon_mail_user }}
|
||||||
|
SMTP_PASSWORD={{ mastodon_mail_password }}
|
||||||
|
SMTP_FROM_ADDRESS={{ mastodon_mail_from_address }}
|
||||||
|
|
||||||
|
# File storage (optional)
|
||||||
|
# -----------------------
|
||||||
|
S3_ENABLED={{ mastodon_s3_enabled }}
|
||||||
|
S3_BUCKET={{ mastodon_s3_bucket }}
|
||||||
|
AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
|
||||||
|
AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
|
||||||
|
S3_ALIAS_HOST={{ mastodon_s3_alias_host }}
|
||||||
|
|
||||||
|
# OpenId connect (optional)
|
||||||
|
OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
|
||||||
|
OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
|
||||||
|
OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
|
||||||
|
OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
|
||||||
|
OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
|
||||||
|
OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
|
||||||
|
OIDC_SCOPE={{ mastodon_oidc_scope }}
|
||||||
|
{% if mastodon_oidc_auth_endpoint %}
|
||||||
|
OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_oidc_token_endpoint %}
|
||||||
|
OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_oidc_user_info_endpoint %}
|
||||||
|
OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_oidc_end_session_endpoint %}
|
||||||
|
OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_oidc_jwks_uri %}
|
||||||
|
OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_oidc_redirect_uri %}
|
||||||
|
OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_oidc_idp_logout_redirect_uri %}
|
||||||
|
OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
|
||||||
|
{% endif %}
|
||||||
|
OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
|
||||||
|
OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
|
||||||
|
{% if mastodon_oidc_response_mode %}
|
||||||
|
OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
|
||||||
|
{% endif %}
|
||||||
|
{% if mastodon_oidc_response_type %}
|
||||||
|
OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
|
||||||
|
{% endif %}
|
||||||
|
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}
|
40
roles/mastodon/templates/group.j2
Normal file
40
roles/mastodon/templates/group.j2
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
root:x:0:
|
||||||
|
daemon:x:1:
|
||||||
|
bin:x:2:
|
||||||
|
sys:x:3:
|
||||||
|
adm:x:4:
|
||||||
|
tty:x:5:
|
||||||
|
disk:x:6:
|
||||||
|
lp:x:7:
|
||||||
|
mail:x:8:
|
||||||
|
news:x:9:
|
||||||
|
uucp:x:10:
|
||||||
|
man:x:12:
|
||||||
|
proxy:x:13:
|
||||||
|
kmem:x:15:
|
||||||
|
dialout:x:20:
|
||||||
|
fax:x:21:
|
||||||
|
voice:x:22:
|
||||||
|
cdrom:x:24:
|
||||||
|
floppy:x:25:
|
||||||
|
tape:x:26:
|
||||||
|
sudo:x:27:
|
||||||
|
audio:x:29:
|
||||||
|
dip:x:30:
|
||||||
|
www-data:x:33:
|
||||||
|
backup:x:34:
|
||||||
|
operator:x:37:
|
||||||
|
list:x:38:
|
||||||
|
irc:x:39:
|
||||||
|
src:x:40:
|
||||||
|
gnats:x:41:
|
||||||
|
shadow:x:42:
|
||||||
|
utmp:x:43:
|
||||||
|
video:x:44:
|
||||||
|
sasl:x:45:
|
||||||
|
plugdev:x:46:
|
||||||
|
staff:x:50:
|
||||||
|
games:x:60:
|
||||||
|
users:x:100:
|
||||||
|
nogroup:x:65534:
|
||||||
|
{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:
|
94
roles/mastodon/templates/nginx.conf.j2
Normal file
94
roles/mastodon/templates/nginx.conf.j2
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
||||||
|
|
||||||
|
upstream backend {
|
||||||
|
server {{ mastodon_api_backend }} fail_timeout=0;
|
||||||
|
}
|
||||||
|
|
||||||
|
upstream streaming {
|
||||||
|
server {{ mastodon_streaming_backend }} fail_timeout=0;
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_cache_path {{ mastodon_container_nginx_cache_directory }} levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g;
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen {{ mastodon_backend }};
|
||||||
|
server_name {{ mastodon_nginx_server_name }};
|
||||||
|
|
||||||
|
keepalive_timeout 70;
|
||||||
|
sendfile on;
|
||||||
|
client_max_body_size 200m;
|
||||||
|
|
||||||
|
root {{ mastodon_container_nginx_working_directory }};
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
gzip_disable "msie6";
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_proxied any;
|
||||||
|
gzip_comp_level 6;
|
||||||
|
gzip_buffers 16 8k;
|
||||||
|
gzip_http_version 1.1;
|
||||||
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri @proxy;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
|
||||||
|
add_header Cache-Control "public, max-age=31536000, immutable";
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||||
|
try_files $uri @proxy;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /sw.js {
|
||||||
|
add_header Cache-Control "public, max-age=0";
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||||
|
try_files $uri @proxy;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @proxy {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_pass_header Server;
|
||||||
|
|
||||||
|
proxy_pass http://backend;
|
||||||
|
proxy_buffering on;
|
||||||
|
proxy_redirect off;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
proxy_cache CACHE;
|
||||||
|
proxy_cache_valid 200 7d;
|
||||||
|
proxy_cache_valid 410 24h;
|
||||||
|
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
|
||||||
|
add_header X-Cached $upstream_cache_status;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||||
|
|
||||||
|
tcp_nodelay on;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /api/v1/streaming {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
|
||||||
|
proxy_pass http://streaming;
|
||||||
|
proxy_buffering off;
|
||||||
|
proxy_redirect off;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
tcp_nodelay on;
|
||||||
|
}
|
||||||
|
|
||||||
|
error_page 500 501 502 503 504 /500.html;
|
||||||
|
}
|
20
roles/mastodon/templates/passwd.j2
Normal file
20
roles/mastodon/templates/passwd.j2
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
root:x:0:0:root:/root:/bin/bash
|
||||||
|
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
||||||
|
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
||||||
|
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
||||||
|
sync:x:4:65534:sync:/bin:/bin/sync
|
||||||
|
games:x:5:60:games:/usr/games:/usr/sbin/nologin
|
||||||
|
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
|
||||||
|
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
|
||||||
|
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
|
||||||
|
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
|
||||||
|
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
|
||||||
|
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
|
||||||
|
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|
||||||
|
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
|
||||||
|
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
|
||||||
|
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
|
||||||
|
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
|
||||||
|
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
|
||||||
|
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
|
||||||
|
{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh
|
0
roles/mastodon/vars/main.yml
Normal file
0
roles/mastodon/vars/main.yml
Normal file
143
roles/pixelfed/defaults/main.yml
Normal file
143
roles/pixelfed/defaults/main.yml
Normal file
@ -0,0 +1,143 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
pixelfed_user: pixelfed
|
||||||
|
pixelfed_version: 0.11.2
|
||||||
|
pixelfed_base_path: /opt/pixelfed
|
||||||
|
|
||||||
|
pixelfed_deployment_method: docker_selfbuilt
|
||||||
|
|
||||||
|
# user to run pixelfed as
|
||||||
|
pixelfed_run_user: "{{ pixelfed_user_stat.uid | default(pixelfed_user) }}"
|
||||||
|
pixelfed_run_group: "{{ pixelfed_user_stat.group | default(pixelfed_user) }}"
|
||||||
|
|
||||||
|
# container settings
|
||||||
|
pixelfed_container_name: pixelfed
|
||||||
|
pixelfed_container_image_name: pixelfed
|
||||||
|
pixelfed_container_image_tag: ~
|
||||||
|
pixelfed_container_image: "{{ pixelfed_container_image_name }}:{{ pixelfed_container_image_tag | default('v' + pixelfed_version, True) }}"
|
||||||
|
pixelfed_container_image_local_build: true
|
||||||
|
pixelfed_container_ports: []
|
||||||
|
pixelfed_container_networks: []
|
||||||
|
pixelfed_container_extra_volumes: []
|
||||||
|
pixelfed_container_extra_labels: {}
|
||||||
|
pixelfed_container_extra_env: {}
|
||||||
|
pixelfed_container_restart_policy: unless-stopped
|
||||||
|
pixelfed_worker_container_name: "{{ pixelfed_container_name }}-worker"
|
||||||
|
|
||||||
|
# host filesystem paths
|
||||||
|
pixelfed_config_path: "{{ pixelfed_base_path }}/config"
|
||||||
|
pixelfed_storage_path: "{{ pixelfed_base_path }}/storage"
|
||||||
|
pixelfed_source_path: "{{ pixelfed_base_path }}/source"
|
||||||
|
|
||||||
|
pixelfed_app_paths:
|
||||||
|
- path: "{{ pixelfed_base_path }}"
|
||||||
|
mode: "0750"
|
||||||
|
- path: "{{ pixelfed_config_path }}"
|
||||||
|
mode: "0750"
|
||||||
|
- path: "{{ pixelfed_storage_path }}"
|
||||||
|
mode: "0750"
|
||||||
|
- path: "{{ pixelfed_source_path }}"
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
pixelfed_config_app_key: ~
|
||||||
|
pixelfed_config_app_name: "Pixelfed"
|
||||||
|
pixelfed_config_app_env: production
|
||||||
|
pixelfed_config_app_debug: false
|
||||||
|
pixelfed_config_app_url: "https://{{ pixelfed_config_app_url }}"
|
||||||
|
pixelfed_config_app_domain: ~ # my.pixelfed.domain
|
||||||
|
pixelfed_config_admin_domain: "{{ pixelfed_config_app_domain }}"
|
||||||
|
pixelfed_config_session_domain: "{{ pixelfed_config_app_domain }}"
|
||||||
|
|
||||||
|
pixelfed_config_open_registration: true
|
||||||
|
pixelfed_config_enforce_email_verification: false
|
||||||
|
pixelfed_config_pf_max_users: 1000
|
||||||
|
pixelfed_config_oauth_enabled: true
|
||||||
|
|
||||||
|
pixelfed_config_app_timezone: UTC
|
||||||
|
pixelfed_config_app_locale: en
|
||||||
|
|
||||||
|
pixelfed_config_limit_account_size: true
|
||||||
|
pixelfed_config_max_account_size: 1000000
|
||||||
|
pixelfed_config_max_photo_size: 15000
|
||||||
|
pixelfed_config_max_avatar_size: 2000
|
||||||
|
pixelfed_config_max_caption_length: 500
|
||||||
|
pixelfed_config_max_bio_length: 125
|
||||||
|
pixelfed_config_max_name_length: 30
|
||||||
|
pixelfed_config_max_album_length: 4
|
||||||
|
pixelfed_config_image_quality: 80
|
||||||
|
pixelfed_config_pf_optimize_images: true
|
||||||
|
pixelfed_config_pf_optimize_videos: true
|
||||||
|
pixelfed_config_admin_env_editor: false
|
||||||
|
pixelfed_config_account_deletion: true
|
||||||
|
pixelfed_config_account_delete_after: false
|
||||||
|
pixelfed_config_max_links_per_post: 0
|
||||||
|
|
||||||
|
pixelfed_config_instance_description: ~
|
||||||
|
pixelfed_config_instance_public_hashtags: false
|
||||||
|
pixelfed_config_instance_contact_email: ~
|
||||||
|
pixelfed_config_instance_public_local_timetime: false
|
||||||
|
pixelfed_config_banned_usernames: ~
|
||||||
|
pixelfed_config_stories_enabled: false
|
||||||
|
pixelfed_config_restricted_instance: false
|
||||||
|
|
||||||
|
pixelfed_config_mail_driver: log
|
||||||
|
pixelfed_config_mail_host: ~
|
||||||
|
pixelfed_config_mail_port: 25
|
||||||
|
pixelfed_config_mail_from_address: "pixelfed@{{ pixelfed_config_app_domain }}"
|
||||||
|
pixelfed_config_mail_from_name: "{{ pixelfed_config_app_name }}"
|
||||||
|
pixelfed_config_mail_username: null
|
||||||
|
pixelfed_config_mail_password: null
|
||||||
|
pixelfed_config_mail_encryption: null
|
||||||
|
|
||||||
|
pixelfed_config_db_connection: pgsql
|
||||||
|
pixelfed_config_db_host: postgres
|
||||||
|
pixelfed_config_db_port: 5432
|
||||||
|
pixelfed_config_db_username: pixelfed
|
||||||
|
pixelfed_config_db_password: ~
|
||||||
|
pixelfed_config_db_database: pixelfed
|
||||||
|
|
||||||
|
pixelfed_config_redis_client: phpredis
|
||||||
|
pixelfed_config_redis_scheme: tcp
|
||||||
|
pixelfed_config_redis_host: redis
|
||||||
|
pixelfed_config_redis_password: ~
|
||||||
|
pixelfed_config_redis_port: 6379
|
||||||
|
pixelfed_config_redis_database: 0
|
||||||
|
|
||||||
|
pixelfed_config_exp_lc: false
|
||||||
|
pixelfed_config_exp_rec: false
|
||||||
|
pixelfed_config_exp_loops: false
|
||||||
|
|
||||||
|
pixelfed_config_activity_pub: false
|
||||||
|
pixelfed_config_ap_remote_follow: false
|
||||||
|
pixelfed_config_ap_shared_inbox: false
|
||||||
|
pixelfed_config_ap_inbox: false
|
||||||
|
pixelfed_config_ap_outbox: false
|
||||||
|
pixelfed_config_atom_feeds: true
|
||||||
|
pixelfed_config_nodeinfo: true
|
||||||
|
pixelfed_config_webfinger: true
|
||||||
|
|
||||||
|
pixelfed_config_filesystem_driver: local
|
||||||
|
pixelfed_config_filesystem_cloud: s3
|
||||||
|
pixelfed_config_pf_enable_cloud: false
|
||||||
|
pixelfed_config_aws_access_key_id: ~
|
||||||
|
pixelfed_config_aws_secret_access_key: ~
|
||||||
|
pixelfed_config_aws_default_region: ~
|
||||||
|
pixelfed_config_aws_bucket: ~
|
||||||
|
pixelfed_config_aws_url: ~
|
||||||
|
pixelfed_config_aws_endpont: ~
|
||||||
|
pixelfed_config_aws_use_path_style_endpoint: false
|
||||||
|
|
||||||
|
pixelfed_config_horizon_darkmode: false
|
||||||
|
pixelfed_config_pf_costar_enabled: false
|
||||||
|
pixelfed_config_media_exif_database: false
|
||||||
|
pixelfed_config_log_channel: stderr
|
||||||
|
pixelfed_config_image_driver: imagick
|
||||||
|
|
||||||
|
pixelfed_config_broadcast_driver: log
|
||||||
|
pixelfed_config_cache_driver: redis
|
||||||
|
pixelfed_config_restrict_html_types: true
|
||||||
|
pixelfed_config_queue_driver: redis
|
||||||
|
pixelfed_config_session_driver: redis
|
||||||
|
pixelfed_config_trust_proxies: "*"
|
||||||
|
pixelfed_config_passport_private_key: ~
|
||||||
|
pixelfed_config_passport_public_key: ~
|
17
roles/pixelfed/handlers/main.yml
Normal file
17
roles/pixelfed/handlers/main.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Restart pixelfed (docker)
|
||||||
|
docker_container:
|
||||||
|
name: "{{ pixelfed_container_name }}"
|
||||||
|
state: started
|
||||||
|
restart: yes
|
||||||
|
when: 'docker' in pixelfed_deployment_method
|
||||||
|
listen: restart-pixelfed
|
||||||
|
|
||||||
|
- name: Restart pixelfed worker (docker)
|
||||||
|
docker_container:
|
||||||
|
name: "{{ pixelfed_worker_container_name }}"
|
||||||
|
state: started
|
||||||
|
restart: yes
|
||||||
|
when: 'docker' in pixelfed_deployment_method
|
||||||
|
listen: restart-pixelfed
|
28
roles/pixelfed/tasks/docker-deploy.yml
Normal file
28
roles/pixelfed/tasks/docker-deploy.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure docker container '{{ pixelfed_container_name }}' is running
|
||||||
|
docker_container:
|
||||||
|
name: "{{ pixelfed_container_name }}"
|
||||||
|
image: "{{ pixelfed_container_image }}"
|
||||||
|
env: "{{ pixelfed_container_env }}"
|
||||||
|
env_file: "{{ pixelfed_config_path }}/env"
|
||||||
|
labels: "{{ pixelfed_container_labels }}"
|
||||||
|
volumes: "{{ pixelfed_container_volumes }}"
|
||||||
|
ports: "{{ pixelfed_container_ports | default(omit, True) }}"
|
||||||
|
networks: "{{ pixelfed_container_networks | default(omit, True) }}"
|
||||||
|
purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
|
||||||
|
restart_policy: "{{ pixelfed_container_restart_policy }}"
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Ensure docker container '{{ pixelfed_worker_container_name }}' is running
|
||||||
|
docker_container:
|
||||||
|
name: "{{ pixelfed_worker_container_name }}"
|
||||||
|
image: "{{ pixelfed_container_image }}"
|
||||||
|
env: "{{ pixelfed_container_env }}"
|
||||||
|
env_file: "{{ pixelfed_config_path }}/env"
|
||||||
|
volumes: "{{ pixelfed_container_volumes }}"
|
||||||
|
networks: "{{ pixelfed_container_networks | default(omit, True) }}"
|
||||||
|
purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
|
||||||
|
restart_policy: "{{ pixelfed_container_restart_policy }}"
|
||||||
|
command: "gosu www-data php artisan horizon"
|
||||||
|
state: started
|
28
roles/pixelfed/tasks/docker-image.yml
Normal file
28
roles/pixelfed/tasks/docker-image.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure docker container image is pulled
|
||||||
|
docker_image:
|
||||||
|
name: "{{ pixelfed_container_image }}"
|
||||||
|
state: present
|
||||||
|
source: pull
|
||||||
|
force_source: "{{ true if docker_container_image_tag else false }}"
|
||||||
|
when: not pixelfed_container_image_local_build
|
||||||
|
|
||||||
|
- name: Ensure upstream git repository is cloned to source folder
|
||||||
|
git:
|
||||||
|
repo: "{{ pixelfed_source_upstream_git_repo }}"
|
||||||
|
dest: "{{ pixelfed_source_path }}"
|
||||||
|
update: yes
|
||||||
|
clone: yes
|
||||||
|
when: pixelfed_container_image_local_build
|
||||||
|
|
||||||
|
- name: Build docker container image '{{ pixelfed_container_image }}' locally
|
||||||
|
docker_image:
|
||||||
|
name: "{{ pixelfed_container_image_name }}"
|
||||||
|
tag: "{{ pixelfed_container_image_tag | default('v' + pixelfed_version) }}"
|
||||||
|
state: present
|
||||||
|
source: build
|
||||||
|
build:
|
||||||
|
dockerfile: "contrib/docker/Dockerfile.apache"
|
||||||
|
path: "{{ pixelfed_source_path }}"
|
||||||
|
when: pixelfed_container_image_local_build
|
48
roles/pixelfed/tasks/main.yml
Normal file
48
roles/pixelfed/tasks/main.yml
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure user '{{ pixelfed_user }}' for pixelfed is created
|
||||||
|
user:
|
||||||
|
name: "{{ pixelfed_user }}"
|
||||||
|
state: present
|
||||||
|
system: true
|
||||||
|
register: pixelfed_user_stat
|
||||||
|
|
||||||
|
- name: Ensure file system paths exist for persisting data
|
||||||
|
file:
|
||||||
|
path: "{{ dir.path }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ dir.user | default(pixelfed_run_user) }}"
|
||||||
|
group: "{{ dir.group | default(pixelfed_run_group) }}"
|
||||||
|
mode: "{{ dir.mode }}"
|
||||||
|
loop: "{{ pixelfed_app_paths }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: dir
|
||||||
|
label: "{{ dir.path }}"
|
||||||
|
|
||||||
|
- name: Ensure pixelfed configuration is templated
|
||||||
|
copy:
|
||||||
|
content: |+
|
||||||
|
{% for key in pixelfed_config | dict2items %}
|
||||||
|
{% if pixelfed_config[key] %}
|
||||||
|
{{ key }}={{ pixelfed_config[key] }}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
dest: "{{ pixelfed_config_path }}/env"
|
||||||
|
owner: "{{ pixelfed_run_user }}"
|
||||||
|
group: "{{ pixelfed_run_group }}"
|
||||||
|
mode: "0640"
|
||||||
|
notify: restart-pixelfed
|
||||||
|
|
||||||
|
- name: Ensure docker container image is available
|
||||||
|
include_tasks:
|
||||||
|
file: docker-image.yml
|
||||||
|
when: 'docker' in pixelfed_deployment_method
|
||||||
|
|
||||||
|
- name: Ensure pixelfed instance is started
|
||||||
|
block:
|
||||||
|
- name: Ensure pixelfed instance is started (docker)
|
||||||
|
include_tasks:
|
||||||
|
file: docker-deploy.yml
|
||||||
|
when: 'docker' in pixelfed_deployment_method
|
||||||
|
|
||||||
|
|
148
roles/pixelfed/templates/env.docker.j2
Normal file
148
roles/pixelfed/templates/env.docker.j2
Normal file
@ -0,0 +1,148 @@
|
|||||||
|
## Crypto
|
||||||
|
APP_KEY=
|
||||||
|
|
||||||
|
## General Settings
|
||||||
|
APP_NAME="Pixelfed Prod"
|
||||||
|
APP_ENV=production
|
||||||
|
APP_DEBUG=false
|
||||||
|
APP_URL=https://real.domain
|
||||||
|
APP_DOMAIN="real.domain"
|
||||||
|
ADMIN_DOMAIN="real.domain"
|
||||||
|
SESSION_DOMAIN="real.domain"
|
||||||
|
|
||||||
|
OPEN_REGISTRATION=true
|
||||||
|
ENFORCE_EMAIL_VERIFICATION=false
|
||||||
|
PF_MAX_USERS=1000
|
||||||
|
OAUTH_ENABLED=true
|
||||||
|
|
||||||
|
APP_TIMEZONE=UTC
|
||||||
|
APP_LOCALE=en
|
||||||
|
|
||||||
|
## Pixelfed Tweaks
|
||||||
|
LIMIT_ACCOUNT_SIZE=true
|
||||||
|
MAX_ACCOUNT_SIZE=1000000
|
||||||
|
MAX_PHOTO_SIZE=15000
|
||||||
|
MAX_AVATAR_SIZE=2000
|
||||||
|
MAX_CAPTION_LENGTH=500
|
||||||
|
MAX_BIO_LENGTH=125
|
||||||
|
MAX_NAME_LENGTH=30
|
||||||
|
MAX_ALBUM_LENGTH=4
|
||||||
|
IMAGE_QUALITY=80
|
||||||
|
PF_OPTIMIZE_IMAGES=true
|
||||||
|
PF_OPTIMIZE_VIDEOS=true
|
||||||
|
ADMIN_ENV_EDITOR=false
|
||||||
|
ACCOUNT_DELETION=true
|
||||||
|
ACCOUNT_DELETE_AFTER=false
|
||||||
|
MAX_LINKS_PER_POST=0
|
||||||
|
|
||||||
|
## Instance
|
||||||
|
#INSTANCE_DESCRIPTION=
|
||||||
|
INSTANCE_PUBLIC_HASHTAGS=false
|
||||||
|
#INSTANCE_CONTACT_EMAIL=
|
||||||
|
INSTANCE_PUBLIC_LOCAL_TIMELINE=false
|
||||||
|
#BANNED_USERNAMES=
|
||||||
|
STORIES_ENABLED=false
|
||||||
|
RESTRICTED_INSTANCE=false
|
||||||
|
|
||||||
|
## Mail
|
||||||
|
MAIL_DRIVER=log
|
||||||
|
MAIL_HOST=smtp.mailtrap.io
|
||||||
|
MAIL_PORT=2525
|
||||||
|
MAIL_FROM_ADDRESS="pixelfed@example.com"
|
||||||
|
MAIL_FROM_NAME="Pixelfed"
|
||||||
|
MAIL_USERNAME=null
|
||||||
|
MAIL_PASSWORD=null
|
||||||
|
MAIL_ENCRYPTION=null
|
||||||
|
|
||||||
|
## Databases (MySQL)
|
||||||
|
DB_CONNECTION=mysql
|
||||||
|
DB_DATABASE=pixelfed_prod
|
||||||
|
DB_HOST=db
|
||||||
|
DB_PASSWORD=pixelfed_db_pass
|
||||||
|
DB_PORT=3306
|
||||||
|
DB_USERNAME=pixelfed
|
||||||
|
# pass the same values to the db itself
|
||||||
|
MYSQL_DATABASE=pixelfed_prod
|
||||||
|
MYSQL_PASSWORD=pixelfed_db_pass
|
||||||
|
MYSQL_RANDOM_ROOT_PASSWORD=true
|
||||||
|
MYSQL_USER=pixelfed
|
||||||
|
|
||||||
|
## Databases (Postgres)
|
||||||
|
#DB_CONNECTION=pgsql
|
||||||
|
#DB_HOST=postgres
|
||||||
|
#DB_PORT=5432
|
||||||
|
#DB_DATABASE=pixelfed
|
||||||
|
#DB_USERNAME=postgres
|
||||||
|
#DB_PASSWORD=postgres
|
||||||
|
|
||||||
|
## Cache (Redis)
|
||||||
|
REDIS_CLIENT=phpredis
|
||||||
|
REDIS_SCHEME=tcp
|
||||||
|
REDIS_HOST=redis
|
||||||
|
REDIS_PASSWORD=redis_password
|
||||||
|
REDIS_PORT=6379
|
||||||
|
REDIS_DATABASE=0
|
||||||
|
|
||||||
|
## EXPERIMENTS
|
||||||
|
EXP_LC=false
|
||||||
|
EXP_REC=false
|
||||||
|
EXP_LOOPS=false
|
||||||
|
|
||||||
|
## ActivityPub Federation
|
||||||
|
ACTIVITY_PUB=false
|
||||||
|
AP_REMOTE_FOLLOW=false
|
||||||
|
AP_SHAREDINBOX=false
|
||||||
|
AP_INBOX=false
|
||||||
|
AP_OUTBOX=false
|
||||||
|
ATOM_FEEDS=true
|
||||||
|
NODEINFO=true
|
||||||
|
WEBFINGER=true
|
||||||
|
|
||||||
|
## S3
|
||||||
|
FILESYSTEM_DRIVER=local
|
||||||
|
FILESYSTEM_CLOUD=s3
|
||||||
|
PF_ENABLE_CLOUD=false
|
||||||
|
#AWS_ACCESS_KEY_ID=
|
||||||
|
#AWS_SECRET_ACCESS_KEY=
|
||||||
|
#AWS_DEFAULT_REGION=
|
||||||
|
#AWS_BUCKET=
|
||||||
|
#AWS_URL=
|
||||||
|
#AWS_ENDPOINT=
|
||||||
|
#AWS_USE_PATH_STYLE_ENDPOINT=false
|
||||||
|
|
||||||
|
## Horizon
|
||||||
|
HORIZON_DARKMODE=false
|
||||||
|
|
||||||
|
## COSTAR - Confirm Object Sentiment Transform and Reduce
|
||||||
|
PF_COSTAR_ENABLED=false
|
||||||
|
|
||||||
|
# Media
|
||||||
|
MEDIA_EXIF_DATABASE=false
|
||||||
|
|
||||||
|
## Logging
|
||||||
|
LOG_CHANNEL=stderr
|
||||||
|
|
||||||
|
## Image
|
||||||
|
IMAGE_DRIVER=imagick
|
||||||
|
|
||||||
|
## Broadcasting
|
||||||
|
BROADCAST_DRIVER=log # log driver for local development
|
||||||
|
|
||||||
|
## Cache
|
||||||
|
CACHE_DRIVER=redis
|
||||||
|
|
||||||
|
## Purify
|
||||||
|
RESTRICT_HTML_TYPES=true
|
||||||
|
|
||||||
|
## Queue
|
||||||
|
QUEUE_DRIVER=redis
|
||||||
|
|
||||||
|
## Session
|
||||||
|
SESSION_DRIVER=redis
|
||||||
|
|
||||||
|
## Trusted Proxy
|
||||||
|
TRUST_PROXIES="*"
|
||||||
|
|
||||||
|
## Passport
|
||||||
|
#PASSPORT_PRIVATE_KEY=
|
||||||
|
#PASSPORT_PUBLIC_KEY=
|
0
roles/pixelfed/templates/main.yml
Normal file
0
roles/pixelfed/templates/main.yml
Normal file
133
roles/pixelfed/vars/main.yml
Normal file
133
roles/pixelfed/vars/main.yml
Normal file
@ -0,0 +1,133 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
pixelfed_container_base_volumes:
|
||||||
|
- "{{ pixelfed_storage_path }}:/var/www/storage:z"
|
||||||
|
- "{{ pixelfed_config_path/env:/var/www/.env:ro"
|
||||||
|
|
||||||
|
pixelfed_container_base_env: {}
|
||||||
|
|
||||||
|
pixelfed_container_base_labels:
|
||||||
|
VERSION: "{{ pixelfed_version }}"
|
||||||
|
|
||||||
|
pixelfed_container_volumes: "{{ pixelfed_container_base_volumes + pixelfed_container_extra_volumes }}"
|
||||||
|
pixelfed_container_labels: "{{ pixelfed_container_base_labels + pixelfed_container_extra_labels }}"
|
||||||
|
pixelfed_container_env: "{{ pixelfed_container_base_env + pixelfed_container_extra_env }}"
|
||||||
|
|
||||||
|
pixelfed_source_upstream_git_repo: "https://github.com/pixelfed/pixelfed.git"
|
||||||
|
|
||||||
|
pixelfed_supported_deployment_methods:
|
||||||
|
- docker_selfbuilt
|
||||||
|
- docker_pulled
|
||||||
|
|
||||||
|
|
||||||
|
# pixelfed app config
|
||||||
|
pixelfed_config:
|
||||||
|
APP_KEY: "{{ pixelfed_config_app_key }}"
|
||||||
|
APP_NAME: "{{ pixelfed_config_app_name }}"
|
||||||
|
APP_ENV: "{{ pixelfed_config_app_env }}"
|
||||||
|
APP_DEBUG: "{{ pixelfed_config_app_debug }}"
|
||||||
|
APP_URL: "{{ pixelfed_config_app_url }}"
|
||||||
|
APP_DOMAIN: "{{ pixelfed_config_app_domain }}"
|
||||||
|
ADMIN_DOMAIN: "{{ pixelfed_config_app_admin_domain }}"
|
||||||
|
SESSION_DOMAIN: "{{ pixelfed_config_session_domain }}"
|
||||||
|
|
||||||
|
OPEN_REGISTRATION: "{{ pixelfed_config_open_registration }}"
|
||||||
|
ENFORCE_EMAIL_VERIFICATION: "{{ pixelfed_config_enforce_email_verification }}"
|
||||||
|
PF_MAX_USERS: "{{ pixelfed_config_pf_max_users }}"
|
||||||
|
OAUTH_ENABLED: "{{ pixelfed_config_oauth_enabled }}"
|
||||||
|
|
||||||
|
APP_TIMEZONE: "{{ pixelfed_config_app_timezone }}"
|
||||||
|
APP_LOCALE: "{{ pixelfed_config_all_locale }}"
|
||||||
|
|
||||||
|
LIMIT_ACCOUNT_SIZE: "{{ pixelfed_config_limit_account_size }}"
|
||||||
|
MAX_ACCOUNT_SIZE: "{{ pixelfed_config_max_account_size }}"
|
||||||
|
MAX_PHOTO_SIZE: "{{ pixelfed_config_ }}"
|
||||||
|
MAX_AVATAR_SIZE: "{{ pixelfed_config_ }}"
|
||||||
|
MAX_CAPTION_LENGTH: "{{ pixelfed_config_ }}"
|
||||||
|
MAX_BIO_LENGTH: "{{ pixelfed_config_ }}"
|
||||||
|
MAX_NAME_LENGTH: "{{ pixelfed_config_ }}"
|
||||||
|
MAX_ALBUM_LENGTH: "{{ pixelfed_config_ }}"
|
||||||
|
IMAGE_QUALITY: "{{ pixelfed_config_ }}"
|
||||||
|
PF_OPTIMIZE_IMAGES: "{{ pixelfed_config_ }}"
|
||||||
|
PF_OPTIMIZE_VIDEOS: "{{ pixelfed_config_ }}"
|
||||||
|
ADMIN_ENV_EDITOR: "{{ pixelfed_config_ }}"
|
||||||
|
ACCOUNT_DELETION: "{{ pixelfed_config_ }}"
|
||||||
|
ACCOUNT_DELETE_AFTER: "{{ pixelfed_config_ }}"
|
||||||
|
MAX_LINKS_PER_POST: "{{ pixelfed_config_ }}"
|
||||||
|
|
||||||
|
INSTANCE_DESCRIPTION: "{{ pixelfed_config_instance_description }}"
|
||||||
|
INSTANCE_PUBLIC_HASHTAGS: "{{ pixelfed_config_instance_public_hashtags }}"
|
||||||
|
INSTANCE_CONTACT_EMAIL: "{{ pixelfed_config_instance_contact_email }}"
|
||||||
|
INSTANCE_PUBLIC_LOCAL_TIMELINE: "{{ pixelfed_config_instance_public_local_timeline }}"
|
||||||
|
BANNED_USERNAMES: "{{ pixelfed_config_banned_usernames }}"
|
||||||
|
STORIES_ENABLED: "{{ pixelfed_config_stories_enabled }}"
|
||||||
|
RESTRICTED_INSTANCE: "{{ pixelfed_config_restricted_instance }}"
|
||||||
|
|
||||||
|
## Mail
|
||||||
|
MAIL_DRIVER: "{{ pixelfed_config_mail_driver }}"
|
||||||
|
MAIL_HOST: "{{ pixelfed_config_mail_host }}"
|
||||||
|
MAIL_PORT: "{{ pixelfed_config_mail_port }}"
|
||||||
|
MAIL_FROM_ADDRESS: "{{ pixelfed_config_mail_from_address }}"
|
||||||
|
MAIL_FROM_NAME: "{{ pixelfed_config_mail_from_name }}"
|
||||||
|
MAIL_USERNAME: "{{ pixelfed_config_mail_username }}"
|
||||||
|
MAIL_PASSWORD: "{{ pixelfed_config_mail_password }}"
|
||||||
|
MAIL_ENCRYPTION: "{{ pixelfed_config_mail_encryption }}"
|
||||||
|
|
||||||
|
## Databases (MySQL)
|
||||||
|
DB_CONNECTION: "{{ pixelfed_config_db_connection }}"
|
||||||
|
DB_DATABASE: "{{ pixelfed_config_db_database }}"
|
||||||
|
DB_HOST: "{{ pixelfed_config_db_host }}"
|
||||||
|
DB_PASSWORD: "{{ pixelfed_config_db_password }}"
|
||||||
|
DB_PORT: "{{ pixelfed_config_db_port }}"
|
||||||
|
DB_USERNAME: "{{ pixelfed_config_db_username }}"
|
||||||
|
|
||||||
|
## Cache (Redis)
|
||||||
|
REDIS_CLIENT: "{{ pixelfed_config_redis_client }}"
|
||||||
|
REDIS_SCHEME: "{{ pixelfed_config_redis_scheme }}"
|
||||||
|
REDIS_HOST: "{{ pixelfed_config_redis_host }}"
|
||||||
|
REDIS_PASSWORD: "{{ pixelfed_config_redis_password }}"
|
||||||
|
REDIS_PORT: "{{ pixelfed_config_redis_port }}"
|
||||||
|
REDIS_DATABASE: "{{ pixelfed_config_redis_database }}"
|
||||||
|
|
||||||
|
## EXPERIMENTS
|
||||||
|
EXP_LC: "{{ pixelfed_config_exp_lc }}"
|
||||||
|
EXP_REC: "{{ pixelfed_config_exp_rec }}"
|
||||||
|
EXP_LOOPS: "{{ pixelfed_config_exp_loops }}"
|
||||||
|
|
||||||
|
## ActivityPub Federation
|
||||||
|
ACTIVITY_PUB: "{{ pixelfed_config_activity_pub }}"
|
||||||
|
AP_REMOTE_FOLLOW: "{{ pixelfed_config_ap_remote_follow }}"
|
||||||
|
AP_SHAREDINBOX: "{{ pixelfed_config_ap_sharedinbox }}"
|
||||||
|
AP_INBOX: "{{ pixelfed_config_ap_inbox }}"
|
||||||
|
AP_OUTBOX: "{{ pixelfed_config_ap_outbox }}"
|
||||||
|
ATOM_FEEDS: "{{ pixelfed_config_atom_feeds }}"
|
||||||
|
NODEINFO: "{{ pixelfed_config_nodeinfo }}"
|
||||||
|
WEBFINGER: "{{ pixelfed_config_webfinger }}"
|
||||||
|
|
||||||
|
## S3
|
||||||
|
FILESYSTEM_DRIVER: "{{ pixelfed_config_filesystem_driver }}"
|
||||||
|
FILESYSTEM_CLOUD: "{{ pixelfed_config_filesystem_cloud }}"
|
||||||
|
PF_ENABLE_CLOUD: "{{ pixelfed_config_pf_enable_cloud }}"
|
||||||
|
AWS_ACCESS_KEY_ID: "{{ pixelfed_config_aws_access_key_id }}"
|
||||||
|
AWS_SECRET_ACCESS_KEY: "{{ pixelfed_config_aws_secret_access_key }}"
|
||||||
|
AWS_DEFAULT_REGION: "{{ pixelfed_config_aws_default_region }}"
|
||||||
|
AWS_BUCKET: "{{ pixelfed_config_aws_bucket }}"
|
||||||
|
AWS_URL: "{{ pixelfed_config_aws_url }}"
|
||||||
|
AWS_ENDPOINT: "{{ pixelfed_config_aws_endpoint }}"
|
||||||
|
AWS_USE_PATH_STYLE_ENDPOINT: "{{ pixelfed_config_aws_use_path_style_endpoint }}"
|
||||||
|
|
||||||
|
HORIZON_DARKMODE: "{{ pixelfed_config_horizon_darkmode }}"
|
||||||
|
PF_COSTAR_ENABLED: "{{ pixelfed_config_pf_costar_enabled }}"
|
||||||
|
MEDIA_EXIF_DATABASE: "{{ pixelfed_config_media_exif_database }}"
|
||||||
|
LOG_CHANNEL: "{{ pixelfed_config_log_channel }}"
|
||||||
|
IMAGE_DRIVER: "{{ pixelfed_config_image_driver }}"
|
||||||
|
|
||||||
|
BROADCAST_DRIVER: "{{ pixelfed_config_ }}"
|
||||||
|
CACHE_DRIVER: "{{ pixelfed_config_cache_driver }}"
|
||||||
|
RESTRICT_HTML_TYPES: "{{ 'true' pixelfed_config_restrict_html_types else 'false' }}"
|
||||||
|
QUEUE_DRIVER: "{{ pixelfed_config_queue_driver }}"
|
||||||
|
SESSION_DRIVER: "{{ pixelfed_config_session_driver }}"
|
||||||
|
TRUST_PROXIES: "{{ pixelfed_config_trust_proxies }}"
|
||||||
|
PASSPORT_PRIVATE_KEY: "{{ pixelfed_config_passport_private_key }}"
|
||||||
|
PASSPORT_PUBLIC_KEY: "{{ pixelfed_config_passport_public_key }}"
|
||||||
|
|
Loading…
x
Reference in New Issue
Block a user