finallycoffee/fediverse
5
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: finallycoffee:dfb9433a542128e4ea781aa70fcb0243cf26372c
Branches Tags
finallycoffee:main finallycoffee:transcaffeine/sharkey finallycoffee:transcaffeine/fediwall finallycoffee:transcaffeine/pixelfed finallycoffee:transcaffeine/gotosocial
finallycoffee:0.2.0 finallycoffee:0.1.2 finallycoffee:0.1.1 finallycoffee:0.1.0
..
compare: finallycoffee:transcaffeine/fediwall
Branches Tags
finallycoffee:main finallycoffee:transcaffeine/sharkey finallycoffee:transcaffeine/fediwall finallycoffee:transcaffeine/pixelfed finallycoffee:transcaffeine/gotosocial
finallycoffee:0.2.0 finallycoffee:0.1.2 finallycoffee:0.1.1 finallycoffee:0.1.0

26 Commits
dfb9433a54 ... transcaffe

Author SHA1 Message Date
transcaffeine
a206695e69 feat(fediwall): add ansible role 2025-06-01 20:29:47 +02:00
transcaffeine
b6365008ad update(gotosocial): bump version to 0.19.0 2025-04-23 18:44:17 +02:00
transcaffeine
61ca04eb33 update(gotosocial): bump version to 0.18.3 2025-03-21 21:56:37 +01:00
transcaffeine
ec20504550 update(gotosocial): bump version to 0.18.2 2025-03-11 21:08:20 +01:00
transcaffeine
fc98913909 update(gotosocial): bump version to 0.18.1 2025-02-24 17:21:07 +01:00
transcaffeine
89740427c2 update(gotosocial): bump version to 0.18.0 2025-02-22 16:42:31 +01:00
transcaffeine
24bf7a6157 meta: update galaxy version to 0.1.2, require community.docker@^4.0.0 2025-02-12 22:02:42 +01:00
transcaffeine
1f14e043f3 update(gotosocial): bump version to 0.17.4 2025-02-12 20:31:46 +01:00
transcaffeine
2ad7d0103b update(mastodon): bump version to 4.3.2 2024-12-29 18:14:50 +01:00
transcaffeine
88b820ac89 update(gotosocial): bump version to 0.17.3 2024-12-28 21:19:20 +01:00
transcaffeine
89d0e2f396 meta: accept issues on codeberg.org mirror, bump collection version to 0.1.1. 2024-09-24 08:40:59 +02:00
Johanna Dorothea Reichmann
39efaf7083 meta: bump collection version to 0.1.0, require community.docker@^3.0.0 2024-09-22 14:02:27 +02:00
Johanna Dorothea Reichmann
ce7d036c3d meta: require ansible >= 2.15.0 2024-09-22 14:01:38 +02:00
Johanna Dorothea Reichmann
aba1a54375 update(gotosocial): bump version to 0.16.0 2024-09-22 14:00:58 +02:00
Johanna Dorothea Reichmann
c0278455b4 update(mastodon): bump version to 4.1.5 2023-07-28 19:47:07 +02:00
Johanna Dorothea Reichmann
1b4b38d85c update(mastodon): bump version to 3.5.11 2023-07-28 19:45:16 +02:00
Johanna Dorothea Reichmann
414bc3528a update(gotosocial): bump version to 0.10.0 2023-07-28 19:43:17 +02:00
Johanna Dorothea Reichmann
923b8155dd meta: update ansible galaxy collection metadata 2023-07-28 19:33:38 +02:00
Johanna Dorothea Reichmann
327e4c746c chore(gotosocial): extend README, fix typos 2023-07-28 19:30:56 +02:00
Johanna Dorothea Reichmann
1f2f89ff03 chore: update README 2023-07-14 12:29:06 +02:00
Johanna Dorothea Reichmann
998d2a5f5e feat(mastodon): add OIDC login support 2022-08-26 18:02:33 +02:00
Johanna Dorothea Reichmann
275976f1e6 fix(mastodon): mount host user into container properly 2022-08-26 11:26:58 +02:00
Johanna Dorothea Reichmann
6a0924c72c chore(gotosocial): fix container mounts 2022-08-25 07:40:42 +02:00
Johanna Dorothea Reichmann
601af978cd fix(gotosocial): complete role 2022-08-24 22:29:11 +02:00
Johanna Dorothea Reichmann
e28cad6552 feat(gotosocial): add ansible role for deployment using docker 2022-07-03 17:55:13 +02:00
Johanna Dorothea Reichmann
accd829e91 feat(mastodon): add ansible role for deployment 2022-07-03 08:32:05 +02:00
32 changed files with 1239 additions and 312 deletions
Expand all files Collapse all files

9
README.md
View File

@@ -9,6 +9,15 @@ available.
## Roles ## Roles
- [`fediwall`](roles/fediwall/README.md): deployment of [Fediwall](https://fediwall.social),
a media wall for mastodon inspired by mastowall.
- [`gotosocial`](roles/gotosocial/README.md): deployment of [GoToSocial.org](https://gotosocial.org/),
an ActivityPub social network server, in a docker container.
- [`mastodon`](roles/mastodon/README.md): deployment using a container based
setup, able to use webfinger delegation.
## License ## License
[CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License

18
galaxy.yml
View File

@@ -1,15 +1,17 @@
namespace: finallycoffee namespace: finallycoffee
name: fediverse name: fediverse
version: 0.0.1 version: 0.1.2
readme: README.md readme: README.md
authors: authors:
- Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu> - transcaffeine <transcaffeine@finally.coffee>
description: Various ansible roles for deploying fediverse software description: Deploying fediverse software, mostly ActivityPub based
dependencies: dependencies:
"community.docker": "^1.10.0" "community.docker": "^4.0.0"
license: license_file: LICENSE.md
- CNPLv7+
build_ignore: build_ignore:
- '*.tar.gz' - '*.tar.gz'
repository: https://git.finallycoffee.eu/finallycoffee.eu/fediverse repository: https://git.finally.coffee/finallycoffee/fediverse
issues: https://git.finallycoffee.eu/finallycoffee.eu/fediverse/issues issues: https://codeberg.org/finallycoffee/ansible-collection-fediverse/issues
tags:
- fediwall
- gotosocial

3
meta/runtime.yml Normal file
View File

@@ -0,0 +1,3 @@
---
requires_ansible: ">=2.15"

6
playbooks/fediwall.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Install and configure fediwall
hosts: "{{ fediwall_hosts | default('fediwall') }}"
become: "{{ fediwall_become | default(false) }}"
roles:
- role: fediwall

4
roles/fediwall/README.md Normal file
View File

@@ -0,0 +1,4 @@
# `finallycoffee.fediverse.fediwall` ansible role
Ansible role for [`fediwall`](https://fediwall.social) deployment.

50
roles/fediwall/defaults/main/config.yml Normal file
View File

@@ -0,0 +1,50 @@
---
fediwall_config_servers:
- mastodon.social
fediwall_config_tags:
- cats
fediwall_config_accounts: []
fediwall_config_load_public: false
fediwall_config_load_federated: false
fediwall_config_load_trends: false
fediwall_config_languages: []
fediwall_config_bad_words: []
fediwall_config_hide_sensitive: true
fediwall_config_hide_bots: true
fediwall_config_hide_replies: true
fediwall_config_hide_boosts: false
fediwall_config_limit: 20
fediwall_config_interval: 10
fediwall_config_title: "Fediwall"
fediwall_config_theme: "auto"
fediwall_config_show_infobar: true
fediwall_config_show_text: true
fediwall_config_show_media: true
fediwall_config_play_videos: true
fediwall_default_config:
servers: "{{ fediwall_config_servers }}"
tags: "{{ fediwall_config_tags }}"
accounts: "{{ fediwall_config_accounts }}"
loadPublic: "{{ fediwall_config_load_public }}"
loadFederated: "{{ fediwall_config_load_federated }}"
loadTrends: "{{ fediwall_config_load_trends }}"
languages: "{{ fediwall_config_languages }}"
badWords: "{{ fediwall_config_bad_words }}"
hideSensitive: "{{ fediwall_config_hide_sensitive }}"
hideBots: "{{ fediwall_config_hide_bots }}"
hideReplies: "{{ fediwall_config_hide_replies }}"
hideBoosts: "{{ fediwall_config_hide_boosts }}"
limit: "{{ fediwall_config_limit }}"
interval: "{{ fediwall_config_interval }}"
title: "{{ fediwall_config_title }}"
theme: "{{ fediwall_config_theme }}"
showInfobar: "{{ fediwall_config_show_infobar }}"
showText: "{{ fediwall_config_show_text }}"
showMedia: "{{ fediwall_config_show_media }}"
playVideos: "{{ fediwall_config_play_videos }}"
fediwall_config: {}
fediwall_final_config: >-2
{{ fediwall_default_config | default({}, true)
| combine(fediwall_config | default({}, true)) }}

45
roles/fediwall/defaults/main/container.yml Normal file
View File

@@ -0,0 +1,45 @@
---
fediwall_container_name: fediwall
fediwall_container_image_registry: ghcr.io
fediwall_container_image_namespace: defnull
fediwall_container_image_name: fediwall
fediwall_container_image_repository: >-2
{{
[
fediwall_container_image_registry | default([], true),
fediwall_container_image_namespace | default([], true),
fediwall_container_image_name
] | flatten | join('/')
}}
fediwall_container_image_tag: ~
fediwall_container_image_source: pull
fediwall_container_image_force_source: >-2
{{ fediwall_container_image_tag | default(false, true) | bool }}
fediwall_container_image: >-2
{{
[
fediwall_container_image_repository,
fediwall_container_image_tag | default(fediwall_version, true)
] | join(':')
}}
fediwall_container_env: ~
fediwall_container_user: ~
fediwall_container_ports: ~
fediwall_container_labels: ~
fediwall_container_volumes: []
fediwall_container_networks: ~
fediwall_container_network_mode: ~
fediwall_container_dns_servers: ~
fediwall_container_etc_hosts: ~
fediwall_container_memory: ~
fediwall_container_memory_swap: ~
fediwall_container_memory_reservation: ~
fediwall_container_restart_policy: "on-failure"
fediwall_container_config_file: "/usr/share/nginx/html/wall-config.json"
fediwall_container_base_volumes:
- "{{ fediwall_config_file }}:{{ fediwall_container_config_file }}:ro"
fediwall_container_final_volumes: >-2
{{ fediwall_container_base_volumes + fediwall_container_volumes }}
fediwall_container_state: >-2
{{ (fediwall_state == 'present') | ternary('started', 'absent') }}

8
roles/fediwall/defaults/main/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
fediwall_user: fediwall
fediwall_version: "1.4.0"
fediwall_config_file: "/etc/fediwall/config.json"
fediwall_config_file_path: "{{ fediwall_config_file | dirname }}"
fediwall_state: "present"
fediwall_deployment_method: "docker"

26
roles/fediwall/tasks/deploy-docker.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: Ensure container image '{{ fediwall_container_image }}' is {{ fediwall_state }}
community.docker.docker_image:
name: "{{ fediwall_container_image }}"
state: "{{ fediwall_state }}"
source: "{{ fediwall_container_image_source }}"
force_source: "{{ fediwall_container_image_force_source }}"
- name: Ensure container '{{ fediwall_container_name }}' is {{ fediwall_container_state }}
community.docker.docker_container:
name: "{{ fediwall_container_name }}"
image: "{{ fediwall_container_image }}"
env: "{{ fediwall_container_env | default(omit, true) }}"
user: "{{ fediwall_container_user | default(omit, true) }}"
ports: "{{ fediwall_container_ports | default(omit, true) }}"
labels: "{{ fediwall_container_labels | default(omit, true) }}"
volumes: "{{ fediwall_container_final_volumes | default(omit, true) }}"
networks: "{{ fediwall_container_networks | default(omit, true) }}"
network_mode: "{{ fediwall_container_network_mode | default(omit, true) }}"
dns_servers: "{{ fediwall_container_dns_servers | default(omit, true) }}"
etc_hosts: "{{ fediwall_container_etc_hosts | default(omit, true) }}"
memory: "{{ fediwall_container_memory | default(omit, true) }}"
memory_swap: "{{ fediwall_container_memory_swap | default(omit, true) }}"
memory_reservation: "{{ fediwall_container_memory_reservation | default(omit, true) }}"
restart_policy: "{{ fediwall_container_restart_policy }}"
state: "{{ fediwall_container_state }}"

43
roles/fediwall/tasks/main.yml Normal file
View File

@@ -0,0 +1,43 @@
---
- name: Ensure 'fediwall_state' is valid
ansible.builtin.fail:
msg: >-2
Unsupported state '{{ fediwall_state }}'. Supported
states are {{ fediwall_states | map(quote) | join(', ') }}
when: fediwall_state not in fediwall_states
- name: Ensure 'fediwall_deployment_method' is valid
ansible.builtin.fail:
msg: >-2
Unsupported deployment method '{{ fediwall_deployment_method }}'.
upported deployment methods are {{ fediwall_deployment_methods | join(', ') }}
when: fediwall_deployment_method not in fediwall_deployment_methods
- name: Ensure user '{{ fediwall_user }}' is {{ fediwall_state }}
ansible.builtin.user:
name: "{{ fediwall_user }}"
state: "{{ fediwall_state }}"
system: "{{ fediwall_user_system | default(true, true) }}"
create_home: "{{ fediwall_user_system | default(false, true) }}"
- name: Ensure configuration folder '{{ fediwall_config_file_path }}' is {{ fediwall_state }}
ansible.builtin.file:
path: "{{ fediwall_config_file_path }}"
state: directory
when: fediwall_state == 'present'
- name: Ensure configuration in '{{ fediwall_config_file }}' is {{ fediwall_state }}
ansible.builtin.copy:
content: "{{ fediwall_final_config | to_nice_json(indent=2) }}"
dest: "{{ fediwall_config_file }}"
state: "{{ fediwall_state }}"
- name: Ensure configuration folder is {{ fediwall_state }}
ansible.builtin.file:
path: "{{ fediwall_config_file_path }}"
state: absent
when: fediwall_state == 'absent'
- name: Deploy using {{ fediwall_deployment_method }}
ansible.builtin.include_tasks:
file: "deploy-{{ fediwall_deployment_method }}.yml"

6
roles/fediwall/vars/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
fediwall_states:
- "present"
- "absent"
fediwall_deployment_methods:
- "docker"

46
roles/gotosocial/README.md Normal file
View File

@@ -0,0 +1,46 @@
# `finallycoffee.fediverse.gotosocial` ansible role
## Configuration
The server name can be set using `gotosocial_config_host`, with `gotosocial_config_account_domain` being available when webfinger delegation is used:
```yaml
gotosocial_config_host: gotosocial.example.org
gotosocial_config_account_domain: example.org
```
### Database
The database can be configured using the `gotosocial_config_db_[address|port|user|password|database]` variables. the `[...]_type` defaults to `postgres`.
### Built-in LetsEncrypt client
To use the built-in letsencrypt client, set `gotosocial_config_letsencrypt_enabled: true`.
You are required to fill in a valid administrative email address into
`gotosocial_config_letsencrypt_email_address`.
The port letsencrypt will listen on defaults to `80` and can be set using
`gotosocial_config_letsencrypt_port` (if f.ex. the container lacks the permission
to bind to ports < 1024). Note that when `gotosocial_config_letsencrypt_enabled` is
`true`, the `gotosocial_config_letsencrypt_port` will by default be mapped to
_host_ port 80 on all interfaces!
This is fine when this is the only ACME client and allows easily changing
`gotosocial_config_letsencrypt_port` without breaking any functionality,
but with multiple acme clients all performing HTTP-01 challenges, you need to manually
overwrite `gotosocial_container_ports` to fit your needs.
### Advanced configuration
#### OIDC
OIDC can be configured using `gotosocial_config_oidc_*` variables, disabled by default. A minimal configuration could look like this:
```yaml
gotosocial_config_oidc_enabled: true
gotosocial_config_oidc_idp_name: "My fancy name for the configured IdP"
gotosocial_config_oidc_issuer: http://issuer/url
gotosocial_config_oidc_client_id: my_client_id
gotosocial_config_oidc_client_secret: my_client_secret
```

135
roles/gotosocial/defaults/main.yml Normal file
View File

@@ -0,0 +1,135 @@
---
gotosocial_user: "gotosocial"
gotosocial_version: "0.19.0"
gotosocial_base_path: "/opt/gotosocial"
gotosocial_config_path: "{{ gotosocial_base_path }}/config"
gotosocial_template_path: "{{ gotosocial_base_path }}/templates"
gotosocial_asset_path: "{{ gotosocial_base_path }}/assets"
gotosocial_storage_path: "{{ gotosocial_base_path }}/storage"
gotosocial_cert_path: "{{ gotosocial_base_path }}/certificates"
gotosocial_config_file: "{{ gotosocial_config_path }}/config.yaml"
gotosocial_config: >-
{{ gotosocial_default_config
| combine(gotosocial_extra_config | default({}), recursive=True) }}
gotosocial_config_log_level: info
gotosocial_config_log_db_queries: false
gotosocial_config_host: social.example.party
gotosocial_config_account_domain: ~
# listening / revproxy configuration
gotosocial_config_protocol: https
gotosocial_config_bind_address: 127.0.0.1
gotosocial_config_port: 8080
gotosocial_config_trusted_proxies: []
# database configuration
gotosocial_config_db_type: postgres
gotosocial_config_db_address: ~
gotosocial_config_db_port: ~
gotosocial_config_db_user: ~
gotosocial_config_db_password: ~
gotosocial_config_db_database: gotosocial
gotosocial_config_db_tls_mode: enable
gotosocial_config_db_tls_ca_cert:
gotosocial_config_web_template_base_dir: "{{ gotosocial_template_path }}"
gotosocial_config_web_asset_base_dir: "{{ gotosocial_asset_path }}"
# instance privacy
gotosocial_config_instance_expose_peers: false
gotosocial_config_instance_expose_suspended: false
gotosocial_config_instance_expose_public_timeline: false
gotosocial_config_instance_deliver_to_shared_inboxes: true
gotosocial_config_instance_inject_mastodon_version: false
# account config
gotosocial_config_accounts_registration_open: true
gotosocial_config_accounts_approval_required: true
gotosocial_config_accounts_reason_required: true
# media config
gotosocial_config_media_image_max_size_bytes: 2097152 #2MB
gotosocial_config_media_video_max_size_bytes: 10485760 #10MB
gotosocial_config_media_description_min_chars: 0
gotosocial_config_media_description_max_chars: 1000
gotosocial_config_media_remote_cache_days: 30
# storage for media etc
gotosocial_config_storage_backend: local
gotosocial_config_storage_local_base_path: "{{ gotosocial_storage_path }}"
# status config
gotosocial_config_statuses_max_chars: 5000
gotosocial_config_statuses_cw_max_chars: 100
gotosocial_config_statuses_poll_max_options: 6
gotosocial_config_statuses_poll_option_max_chars: 50
gotosocial_config_statuses_media_max_files: 30
# letsencrypt config
gotosocial_config_letsencrypt_enabled: false
gotosocial_config_letsencrypt_port: 80
gotosocial_config_letsencrypt_cert_dir: "{{ gotosocial_cert_path }}"
gotosocial_config_letsencrypt_email_address: ~
# oidc config
gotosocial_config_oidc_enabled: false
gotosocial_config_oidc_idp_name: ~
gotosocial_config_oidc_skip_verification: false
gotosocial_config_oidc_issuer: ~
gotosocial_config_oidc_client_id: ~
gotosocial_config_oidc_client_secret: ~
gotosocial_config_oidc_scopes:
- openid
- email
- profile
gotosocial_config_oidc_link_existing: false
gotosocial_config_oidc_admin_groups: []
# smtp config
gotosocial_config_smtp_host: ~
gotosocial_config_smtp_port: ~
gotosocial_config_smtp_username: ~
gotosocial_config_smtp_password: ~
gotosocial_config_smtp_from: ~
gotosocial_config_smtp_disclose_recipients: false
# syslog config
gotosocial_config_syslog_enabled: false
gotosocial_config_syslog_protocol: udp
gotosocial_config_syslog_address: "localhost:514"
# advanced config:
gotosocial_config_advanced_cookies_samesite: lax
# container defaults
gotosocial_container_name: gotosocial
gotosocial_container_image_name: docker.io/superseriousbusiness/gotosocial
gotosocial_container_image_tag: ~
gotosocial_container_image: >-2
{{ gotosocial_container_image_name }}:{{ gotoscial_container_image_tag
| default(gotosocial_version) }}
gotosocial_container_volumes: >-2
{{ gotosocial_container_default_volumes
+ gotosocial_container_extra_volumes }}
gotosocial_container_default_volumes:
- "{{ gotosocial_config_file }}:/gotosocial/config.yaml:ro"
- "{{ gotosocial_storage_path }}:/gotosocial/storage:z"
- "{{ gotosocial_template_path }}:/gotosocial/web/templates:ro"
gotosocial_container_extra_volumes: []
gotosocial_container_env: {}
gotosocial_container_labels: {}
gotosocial_container_user: "{{ gotosocial_user }}"
gotosocial_container_etc_hosts: ~
gotosocial_container_networks: ~
gotosocial_container_purge_networks: false
gotosocial_container_restart_policy: unless-stopped
gotosocial_container_entrypoint:
- "/gotosocial/gotosocial"
- "--config-path"
- "config.yaml"
- "server"
- "start"

8
roles/gotosocial/handlers/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: Restart gotosocial
listen: restart-gotosocial
docker_container:
name: "{{ gotosocial_container_name }}"
state: started
restart: true

65
roles/gotosocial/tasks/main.yml Normal file
View File

@@ -0,0 +1,65 @@
---
- name: Ensure user {{ gotosocial_user }} is present
user:
name: "{{ gotosocial_user }}"
system: true
state: present
register: gotosocial_user_info
- name: Ensure host directories for mounts are present
file:
path: "{{ path.name }}"
state: directory
owner: >-
{{ path.owner | default(gotosocial_user_info.uid | default(gotosocial_user)) }}
group: >-
{{ path.group | default(gotosocial_user_info.group | default(gotosocial_user)) }}
mode: "{{ path.mode | default('0750') }}"
loop:
- name: "{{ gotosocial_base_path }}"
- name: "{{ gotosocial_config_path }}"
- name: "{{ gotosocial_storage_path }}"
- name: "{{ gotosocial_template_path }}"
- name: "{{ gotosocial_asset_path }}"
mode: '0770'
loop_control:
loop_var: path
label: "{{ path.name }}"
- name: Ensure configuration is up to date
copy:
content: "{{ gotosocial_config | to_nice_yaml(indent=2, width=10000) }}"
dest: "{{ gotosocial_config_file }}"
owner: "{{ gotosocial_user_info.uid | default(gotosocial_user) }}"
group: "{{ gotosocial_user_info.group | default(gotosocial_user) }}"
mode: 0640
notify: restart-gotosocial
- name: Ensure container image is available
docker_image:
name: "{{ gotosocial_container_image }}"
state: present
source: pull
force_source: >-
{{ gotosocial_container_image_force_pull
| default(gotoscial_container_image_tag | default(true, true)) }}
register: gotosocial_container_image_pull_status
until: gotosocial_container_image_pull_status is succeeded
retries: 5
delay: 3
- name: Ensure gotosocial container named {{ gotosocial_container_name }} is running
docker_container:
name: "{{ gotosocial_container_name }}"
image: "{{ gotosocial_container_image }}"
volumes: "{{ gotosocial_container_volumes }}"
env: "{{ gotosocial_container_env | default(omit, True) }}"
ports: "{{ gotosocial_container_ports | default(omit, True) }}"
labels: "{{ gotosocial_container_labels | default(omit, True) }}"
networks: "{{ gotosocial_container_networks | default(omit, True) }}"
etc_hosts: "{{ gotosocial_container_etc_hosts | default(omit, True) }}"
purge_networks: "{{ gotosocial_container_purge_networks | default(False, True) }}"
restart_policy: "{{ gotosocial_container_restart_policy }}"
entrypoint: "{{ gotosocial_container_entrypoint }}"
state: started

65
roles/gotosocial/vars/main.yml Normal file
View File

@@ -0,0 +1,65 @@
---
gotosocial_default_config:
log-level: "{{ gotosocial_config_log_level }}"
log-db-queries: "{{ gotosocial_config_log_db_queries }}"
application-name: gotosocial
host: "{{ gotosocial_config_host }}"
account-domain: "{{ gotosocial_config_account_domain }}"
protocol: "{{ gotosocial_config_protocol }}"
bind-address: "{{ gotosocial_config_bind_address }}"
port: "{{ gotosocial_config_port }}"
trusted-proxies: "{{ gotosocial_config_trusted_proxies }}"
db-type: "{{ gotosocial_config_db_type }}"
db-address: "{{ gotosocial_config_db_address }}"
db-port: "{{ gotosocial_config_db_port }}"
db-user: "{{ gotosocial_config_db_user }}"
db-password: "{{ gotosocial_config_db_password }}"
db-database: "{{ gotosocial_config_db_database }}"
db-tls-mode: "{{ gotosocial_config_db_tls_mode }}"
db-tls-ca-cert: "{{ gotosocial_config_db_tls_ca_cert }}"
web-template-base-dir: "{{ gotosocial_config_web_template_base_dir }}"
web-asset-base-dir: "{{ gotosocial_config_web_asset_base_dir }}"
instance-expose-peers: "{{ gotosocial_config_instance_expose_peers }}"
instance-expose-suspended: "{{ gotosocial_config_instance_expose_suspended }}"
instance-expose-public-timeline: "{{ gotosocial_config_instance_expose_public_timeline }}"
instance-deliver-to-shared-inboxes: "{{ gotosocial_config_instance_deliver_to_shared_inboxes }}"
instance-inject-mastodon-version: "{{ gotosocial_config_instance_inject_mastodon_version }}"
accounts-registration-open: "{{ gotosocial_config_acounts_registration_open }}"
accounts-approval-required: "{{ gotosocial_config_accounts_approval_required }}"
accounts-reason-required: "{{ gotosocial_config_accounts_reason_required }}"
media-image-max-size: "{{ gotosocial_config_media_image_max_size_bytes }}"
media-video-max-size: "{{ gotosocial_config_media_video_max_size_bytes }}"
media-description-min-chars: "{{ gotosocial_config_media_description_min_chars }}"
media-description-max-chars: "{{ gotosocial_config_media_description_max_chars }}"
media-remote-cache-days: "{{ gotosocial_config_media_remote_cache_days }}"
storage-backend: "{{ gotosocial_config_storage_backend }}"
storage-local-base-path: "{{ gotosocial_config_storage_local_base_path }}"
statuses-max-chars: "{{ gotosocial_config_statuses_max_chars }}"
statuses-cw-max-chars: "{{ gotosocial_config_statuses_cw_max_chars }}"
statuses-poll-max-options: "{{ gotosocial_config_statuses_poll_max_options }}"
statuses-poll-option-max-chars: "{{ gotosocial_config_statuses_poll_option_max_chars }}"
statuses-media-max-files: "{{ gotosocial_config_statuses_media_max_files }}"
letsencrypt-enabled: "{{ gotosocial_config_letsencrypt_enabled }}"
letsencrypt-port: "{{ gotosocial_config_letsencrypt_port }}"
letsencrypt-cert-dir: "{{ gotosocial_config_letsencrypt_cert_dir }}"
letsencrypt-email-address: "{{ gotosocial_config_letsencrypt_email_address }}"
oidc-enabled: "{{ gotosocial_config_oidc_enabled }}"
oidc-idp-name: "{{ gotosocial_config_oidc_idp_name }}"
oidc-skip-verification: "{{ gotosocial_config_oidc_skip_verification }}"
oidc-issuer: "{{ gotosocial_config_oidc_issuer }}"
oidc-client-id: "{{ gotosocial_config_oidc_client_id }}"
oidc-client-secret: "{{ gotosocial_config_oidc_client_secret }}"
oidc-scopes: "{{ gotosocial_config_oidc_scopes }}"
oidc-link-existing: "{{ gotosocial_config_oidc_link_existing }}"
oidc-admin-groups: "{{ gotosocial_config_oidc_admin_groups }}"
smtp-host: "{{ gotosocial_config_smtp_host }}"
smtp-port: "{{ gotosocial_config_smtp_port }}"
smtp-username: "{{ gotosocial_config_smtp_username }}"
smtp-password: "{{ gotosocial_config_smtp_password }}"
smtp-from: "{{ gotosocial_config_smtp_from }}"
smtp-disclose-recipients: "{{ gotosocial_config_smtp_disclose_recipients }}"
syslog-enabled: "{{ gotosocial_config_syslog_enabled }}"
syslog-protocol: "{{ gotosocial_config_syslog_protocol }}"
syslog-address: "{{ gotosocial_config_syslog_address }}"
advanced-cookies-samesite: "{{ gotosocial_config_advanced_cookies_samesite }}"

65
roles/mastodon/README.md Normal file
View File

@@ -0,0 +1,65 @@
# `finallycoffee.fediverse.mastodon` ansible role
## Overview
This role aims to automate as much as possible with running a docker container
based mastodon setup. It provides you with the streaming container, sidekiq and
web (api) as well an nginx routing the application traffic.
You need to provide a postgresql database, the redis server, optionally an
elasticsearch instance and the mail server. Roles providing components are linked,
if applicable.
### Usage
The minimum configuration could be as follows:
```yaml
mastodon_domain: finally.coffee
# Optional, if you want to host your frontend + api somewhere else
mastodon_web_domain: frontend.some.website
# you need to provide and manage the following secrets
mastodon_secret_key: very_long_secret
mastodon_otp_secret: also_very_long_secret
mastodon_vapid_public_key: check_mastodon_docs_for_this
mastodon_vapid_private_key: see_above
```
#### Database
The database configuration is as follows:
```yaml
mastodon_database_host: postgres.local
mastodon_database_port: 5432 #optional, defaults to this
mastodon_database_user: mastodont
mastodon_database_pass: hopefully_secure
mastodon_database_name: mastodon
```
For seeding the database during initial deployment, you need to set
`mastodon_seed_database: true` exactly once (when it succeeds).
### Redis
As of writing this, it seems that atleast one component of mastodon can't
deal with a password for redis, leading to the need to run redis without
authentification for all components:
```yaml
mastodon_redis_url: unix:///var/run/redis/mastodon.sock
```
#### Mail
The mail server for verifications and notifications can be configured as followed:
```yaml
mastodon_mail_server: mail.example.org
mastodon_mail_user: mailuser@mydomain.org
mastodon_mail_password: very_secure_password_for_mailing_account
```
For further Configuration, see [`defaults/main.yml`](defaults/main.yml) to
override further keys for configuration

132
roles/mastodon/defaults/main.yml Normal file
View File

@@ -0,0 +1,132 @@
---
mastodon_user: mastodon
mastodon_base_path: /opt/mastodon
mastodon_domain: ~
mastodon_web_domain: ~
mastodon_version: "4.3.2"
mastodon_git_upstream_url: "https://github.com/mastodon/mastodon.git"
mastodon_data_path: "{{ mastodon_base_path }}/data"
mastodon_repo_path: "{{ mastodon_base_path }}/src"
mastodon_config_path: "{{ mastodon_base_path }}/config"
mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
mastodon_container_bind_ip: "127.0.0.1"
mastodon_streaming_backend: "{{ mastodon_container_bind_ip }}:4000"
mastodon_api_backend: "{{ mastodon_container_bind_ip }}:3000"
mastodon_backend: "{{ mastodon_container_bind_ip }}:5000"
mastodon_container_name: mastodon
mastodon_container_name_sidekiq: "{{ mastodon_container_name }}_sidekiq"
mastodon_container_name_streaming: "{{ mastodon_container_name }}_streaming"
mastodon_container_image_name: "tootsuite/mastodon"
mastodon_container_image_tag: "v{{ mastodon_version }}"
mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_container_image_tag }}"
mastodon_container_networks:
- name: "{{ mastodon_container_network_name }}"
mastodon_container_base_volumes_streaming:
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
- "{{ mastodon_config_group_file }}:/etc/group:ro"
mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
mastodon_container_volumes_streaming: >-
{{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
mastodon_container_base_volumes_sidekiq:
- "{{ mastodon_repo_path }}/public/system:/mastodon/public/system:ro"
mastodon_container_extra_volumes_sidekiq: "{{ mastodon_container_extra_volumes }}"
mastodon_container_volumes_sidekiq: >-
{{ mastodon_container_base_volumes_sidekiq + mastodon_container_extra_volumes_sidekiq }}
mastodon_container_base_volumes:
- "{{ mastodon_repo_path }}/public:/mastodon/public:z"
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
- "{{ mastodon_config_group_file }}:/etc/group:ro"
mastodon_container_extra_volumes: []
mastodon_container_volumes: >-
{{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
mastodon_container_ports_streaming:
- "{{ mastodon_streaming_backend }}:4000"
mastodon_container_ports:
- "{{ mastodon_api_backend }}:3000"
mastodon_container_restart_policy: unless-stopped
mastodon_nginx_version: 1.21.6
mastodon_nginx_server_name: "{{ mastodon_domain }}"
mastodon_container_nginx_name: "{{ mastodon_container_name }}_nginx"
mastodon_container_nginx_image_name: docker.io/library/nginx
mastodon_container_nginx_image_tag: ~
mastodon_container_nginx_image_flavour: alpine
mastodon_container_nginx_image: >-2
{{ mastodon_container_nginx_image_name }}:{{ mastodon_container_nginx_image_tag
| default(mastodon_nginx_version + ('-' + mastodon_container_nginx_image_flavour if mastodon_container_nginx_image_flavour else ''), True) }}
mastodon_container_nginx_working_directory: "/var/www/mastodon"
mastodon_container_nginx_cache_directory: "/var/cache/nginx"
mastodon_container_volumes_nginx:
- "{{ mastodon_nginx_config_file }}:/etc/nginx/conf.d/default.conf:ro"
- "{{ mastodon_repo_path }}/public:{{ mastodon_container_nginx_working_directory }}:ro"
- "{{ mastodon_nginx_cache_path }}:{{ mastodon_container_nginx_cache_directory }}:z"
mastodon_container_network_name: mastodon
mastodon_secret_key: ~
mastodon_otp_secret: ~
mastodon_vapid_public_key: ~
mastodon_vapid_private_key: ~
mastodon_redis_host: ~
mastodon_redis_port: ~
mastodon_redis_url: ~
mastodon_redis_password: ~
mastodon_redis_db_index: ~
mastodon_database_host: localhost
mastodon_database_port: 5432
mastodon_database_user: mastodon
mastodon_database_pass: ~
mastodon_database_name: mastodon
mastodon_mail_server: ~
mastodon_mail_port: 587
mastodon_mail_user: ~
mastodon_mail_password: ~
mastodon_mail_from_address: "notifications@{{ mastodon_domain }}"
mastodon_elasticsearch_enabled: false
mastodon_elasticsearch_host: ~
mastodon_elasticsearch_port: ~
mastodon_elasticsearch_user: ~
mastodon_elasticsearch_pass: ~
mastodon_s3_enabled: false
mastodon_s3_bucket: ~
mastodon_s3_aws_access_key_id: ~
mastodon_s3_aws_secret_access_key: ~
mastodon_s3_alias_host: ~
mastodon_oidc_enabled: false
mastodon_oidc_issuer_url: ~
mastodon_oidc_discovery: true
mastodon_oidc_scope: openid,profile
mastodon_oidc_client_id: ~
mastodon_oidc_client_secret: ~
mastodon_oidc_client_auth_method: basic
mastodon_oidc_response_mode: query
mastodon_oidc_response_type: code
mastodon_oidc_prompt: ~
mastodon_oidc_display_name: My IDP
mastodon_oidc_auth_endpoint: ~
mastodon_oidc_token_endpoint: ~
mastodon_oidc_user_info_endpoint: ~
mastodon_oidc_end_session_endpoint: ~
mastodon_oidc_jwks_uri:
mastodon_oidc_redirect_uri:
mastodon_oidc_idp_logout_redirect_uri: ~
mastodon_oidc_uid_field: preferred_username
mastodon_oidc_security_assume_email_is_verified: false

33
roles/mastodon/handlers/main.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- name: Restart mastodon sidekiq
docker_container:
name: "{{ mastodon_container_name_sidekiq }}"
state: started
restart: true
listen:
- restart-mastodon
- restart-mastodon-sidekiq
- name: Restart mastodon streaming
docker_container:
name: "{{ mastodon_container_name_streaming }}"
state: started
restart: true
listen:
- restart-mastodon
- restart-mastodon-streaming
- name: Restart mastodon web
docker_container:
name: "{{ mastodon_container_name }}"
state: started
restart: true
listen: restart-mastodon
- name: Restart mastodon nginx
docker_container:
name: "{{ mastodon_container_nginx_name }}"
state: started
restart: true
listen: restart-mastodon-nginx

198
roles/mastodon/tasks/main.yml Normal file
View File

@@ -0,0 +1,198 @@
---
- name: Ensure mastodon user '{{ mastodon_user }}' exists
user:
name: "{{ mastodon_user }}"
state: present
system: true
register: mastodon_user_info
- name: Ensure host directories are present
file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner | default(mastodon_user) }}"
group: "{{ item.group | default(mastodon_user) }}"
mode: "{{ item.mode | default('0750') }}"
loop:
- path: "{{ mastodon_base_path }}"
mode: '0755'
- path: "{{ mastodon_config_path }}"
- path: "{{ mastodon_data_path }}"
- path: "{{ mastodon_repo_path }}"
mode: '0700'
- path: "{{ mastodon_nginx_config_path }}"
- path: "{{ mastodon_nginx_cache_path }}"
loop_control: { label: "{{ item.path }}" }
- name: Ensure environment file is templated
template:
src: env.j2
dest: "{{ mastodon_config_env_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0640"
notify: restart-mastodon
- name: Ensure reverse proxy configuration is templated
template:
src: nginx.conf.j2
dest: "{{ mastodon_nginx_config_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0640"
notify: restart-mastodon-nginx
- name: Ensure fake passwd file is templated
template:
src: passwd.j2
dest: "{{ mastodon_config_passwd_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0644"
notify: restart-mastodon
- name: Ensure fake passwd file is templated
template:
src: group.j2
dest: "{{ mastodon_config_group_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0644"
notify: restart-mastodon
- name: Ensure mastodon git repository is present and up-to-date
git:
repo: "{{ mastodon_git_upstream_url }}"
dest: "{{ mastodon_repo_path }}"
refspec: "v{{ mastodon_version }}"
version: "v{{ mastodon_version }}"
force: no
recursive: yes
track_submodules: yes
become: yes
become_user: "{{ mastodon_user }}"
register: git_repo_info
- name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
file:
path: "{{ mastodon_repo_path }}"
state: directory
recurse: yes
owner: "{{ mastodon_user }}"
group: "{{ mastodon_user }}"
- name: Ensure docker network for backend communication is created
docker_network:
name: "{{ mastodon_container_network_name }}"
state: present
- name: Ensure mastodon docker image is built
docker_image:
name: "{{ mastodon_container_image_name }}"
tag: "{{ mastodon_container_image_tag }}"
state: present
source: build
build:
path: "{{ mastodon_repo_path }}"
args:
UID: "{{ mastodon_user_info.uid }}"
GID: "{{ mastodon_user_info.group }}"
when: git_repo_info.before != git_repo_info.after
- name: Ensure nginx reverse proxy image is present
docker_image:
name: "{{ mastodon_container_nginx_image }}"
state: present
source: pull
force_source: "{{ mastodon_container_nginx_image_tag|default(false, true) | bool }}"
register: masto_nginx_pull
until: masto_nginx_pull is succeeded
retries: 5
delay: 3
- name: Ensure database is seeded
docker_container:
name: "{{ mastodon_container_name }}_setup_db"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes }}"
env_file: "{{ mastodon_config_env_file }}"
command: "bash -c \"bundle exec rails db:setup\""
tty: yes
interactive: yes
detach: no
cleanup: yes
when: mastodon_seed_database|default(false, true)
- name: Ensure mastodon sidekiq container '{{ mastodon_container_name_sidekiq }}' is running
docker_container:
name: "{{ mastodon_container_name_sidekiq }}"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes_sidekiq }}"
env_file: "{{ mastodon_config_env_file }}"
command: "bundle exec sidekiq"
restart_policy: "{{ mastodon_container_restart_policy }}"
healthcheck:
test: ["CMD-SHELL", "ps aux | grep '[s]idekiq\ 6' || false"]
interval: 5s
retries: 3
start_period: 0s
timeout: 5s
- name: Ensure mastodon streaming container '{{ mastodon_container_name_streaming }}' is running
docker_container:
name: "{{ mastodon_container_name_streaming }}"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes_streaming }}"
env_file: "{{ mastodon_config_env_file }}"
command: "node ./streaming"
restart_policy: "{{ mastodon_container_restart_policy }}"
ports: "{{ mastodon_container_ports_streaming }}"
user: "{{ mastodon_user }}"
healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
interval: 5s
retries: 3
start_period: 0s
timeout: 5s
- name: Ensure mastodon container '{{ mastodon_container_name }}' is running
docker_container:
name: "{{ mastodon_container_name }}"
image: "{{ mastodon_container_image_ref }}"
networks: "{{ mastodon_container_networks }}"
volumes: "{{ mastodon_container_volumes }}"
env_file: "{{ mastodon_config_env_file }}"
command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
restart_policy: "{{ mastodon_container_restart_policy }}"
ports: "{{ mastodon_container_ports }}"
user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
interval: 5s
retries: 3
start_period: 0s
timeout: 5s
- name: Ensure container paths belong to the mastodon user
community.docker.docker_container_exec:
container: "{{ mastodon_container_name }}"
command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
user: "0"
- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
docker_container:
name: "{{ mastodon_container_nginx_name }}"
image: "{{ mastodon_container_nginx_image }}"
network_mode: host
volumes: "{{ mastodon_container_volumes_nginx }}"
restart_policy: "{{ mastodon_container_restart_policy }}"
- name: Ensure assets are precompiled
community.docker.docker_container_exec:
container: "{{ mastodon_container_name }}"
command: "bundle exec rails assets:precompile"
when: git_repo_info.before != git_repo_info.after

128
roles/mastodon/templates/env.j2 Normal file
View File

@@ -0,0 +1,128 @@
# This is a sample configuration file. You can generate your configuration
# with the `rake mastodon:setup` interactive setup wizard, but to customize
# your setup even further, you'll need to edit it manually. This sample does
# not demonstrate all available configuration options. Please look at
# https://docs.joinmastodon.org/admin/config/ for the full documentation.
# Note that this file accepts slightly different syntax depending on whether
# you are using `docker-compose` or not. In particular, if you use
# `docker-compose`, the value of each declared variable will be taken verbatim,
# including surrounding quotes.
# See: https://github.com/mastodon/mastodon/issues/16895
# Federation
# ----------
# This identifies your server and cannot be changed safely later
# ----------
LOCAL_DOMAIN={{ mastodon_domain }}
{% if mastodon_web_domain|default(false, true) %}
WEB_DOMAIN={{ mastodon_web_domain }}
{% endif %}
# Redis
# -----
{% if mastodon_redis_host|default(false, true) %}
REDIS_HOST={{ mastodon_redis_host }}
{% endif %}
{% if mastodon_redis_port|default(false, true) %}
REDIS_PORT={{ mastodon_redis_port }}
{% endif %}
{% if mastodon_redis_url %}
REDIS_URL={{ mastodon_redis_url }}
{% endif %}
{% if mastodon_redis_password %}
REDIS_PASSWORD={{ mastodon_redis_password }}
{% endif %}
{% if mastodon_redis_db_index %}
REDIS_DB_INDEX={{ mastodon_redis_db_index }}
{% endif %}
# PostgreSQL
# ----------
DB_HOST={{ mastodon_database_host }}
DB_USER={{ mastodon_database_user }}
DB_NAME={{ mastodon_database_name }}
DB_PASS={{ mastodon_database_pass }}
DB_PORT={{ mastodon_database_port }}
# Elasticsearch (optional)
# ------------------------
ES_ENABLED={{ mastodon_elasticsearch_enabled }}
ES_HOST={{ mastodon_elasticsearch_host }}
ES_PORT={{ mastodon_elasticsearch_port }}
# Authentication for ES (optional)
{% if mastodon_elasticsearch_user %}
ES_USER={{ mastodon_elasticsearch_user }}
{% endif %}
{% if mastodon_elasticsearch_pass %}
ES_PASS={{ mastodon_elasticsearch_pass }}
{% endif %}
# Secrets
# -------
# Make sure to use `rake secret` to generate secrets
# -------
SECRET_KEY_BASE={{ mastodon_secret_key }}
OTP_SECRET={{ mastodon_otp_secret }}
# Web Push
# --------
# Generate with `rake mastodon:webpush:generate_vapid_key`
# --------
VAPID_PRIVATE_KEY={{ mastodon_vapid_private_key }}
VAPID_PUBLIC_KEY={{ mastodon_vapid_public_key }}
# Sending mail
# ------------
SMTP_SERVER={{ mastodon_mail_server }}
SMTP_PORT={{ mastodon_mail_port }}
SMTP_LOGIN={{ mastodon_mail_user }}
SMTP_PASSWORD={{ mastodon_mail_password }}
SMTP_FROM_ADDRESS={{ mastodon_mail_from_address }}
# File storage (optional)
# -----------------------
S3_ENABLED={{ mastodon_s3_enabled }}
S3_BUCKET={{ mastodon_s3_bucket }}
AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
S3_ALIAS_HOST={{ mastodon_s3_alias_host }}
# OpenId connect (optional)
OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
OIDC_SCOPE={{ mastodon_oidc_scope }}
{% if mastodon_oidc_auth_endpoint %}
OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
{% endif %}
{% if mastodon_oidc_token_endpoint %}
OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
{% endif %}
{% if mastodon_oidc_user_info_endpoint %}
OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
{% endif %}
{% if mastodon_oidc_end_session_endpoint %}
OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
{% endif %}
{% if mastodon_oidc_jwks_uri %}
OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
{% endif %}
{% if mastodon_oidc_redirect_uri %}
OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
{% endif %}
{% if mastodon_oidc_idp_logout_redirect_uri %}
OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
{% endif %}
OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
{% if mastodon_oidc_response_mode %}
OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
{% endif %}
{% if mastodon_oidc_response_type %}
OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
{% endif %}
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}

40
roles/mastodon/templates/group.j2 Normal file
View File

@@ -0,0 +1,40 @@
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:

94
roles/mastodon/templates/nginx.conf.j2 Normal file
View File

@@ -0,0 +1,94 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream backend {
server {{ mastodon_api_backend }} fail_timeout=0;
}
upstream streaming {
server {{ mastodon_streaming_backend }} fail_timeout=0;
}
proxy_cache_path {{ mastodon_container_nginx_cache_directory }} levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g;
server {
listen {{ mastodon_backend }};
server_name {{ mastodon_nginx_server_name }};
keepalive_timeout 70;
sendfile on;
client_max_body_size 200m;
root {{ mastodon_container_nginx_working_directory }};
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
location / {
try_files $uri @proxy;
}
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
add_header Cache-Control "public, max-age=31536000, immutable";
add_header Strict-Transport-Security "max-age=31536000" always;
try_files $uri @proxy;
}
location /sw.js {
add_header Cache-Control "public, max-age=0";
add_header Strict-Transport-Security "max-age=31536000" always;
try_files $uri @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://backend;
proxy_buffering on;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache CACHE;
proxy_cache_valid 200 7d;
proxy_cache_valid 410 24h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cached $upstream_cache_status;
add_header Strict-Transport-Security "max-age=31536000" always;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass http://streaming;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
error_page 500 501 502 503 504 /500.html;
}

20
roles/mastodon/templates/passwd.j2 Normal file
View File

@@ -0,0 +1,20 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh

0
roles/pixelfed/handlers/main.yml → roles/mastodon/vars/main.yml
View File

40
roles/pixelfed/defaults/main.yml
View File

@@ -1,40 +0,0 @@
---
pixelfed_user: pixelfed
pixelfed_version: 0.11.2
pixelfed_base_path: /opt/pixelfed
pixelfed_deployment_method: docker_selfbuilt
# user to run pixelfed as
pixelfed_run_user: "{{ pixelfed_user_stat.uid | default(pixelfed_user) }}"
pixelfed_run_group: "{{ pixelfed_user_stat.group | default(pixelfed_user) }}"
# container settings
pixelfed_container_name: pixelfed
pixelfed_container_image_name: pixelfed
pixelfed_container_image_tag: ~
pixelfed_container_image: "{{ pixelfed_container_image_name }}:{{ pixelfed_container_image_tag | default('v' + pixelfed_version, True) }}"
pixelfed_container_image_local_build: true
pixelfed_container_ports: []
pixelfed_container_networks: []
pixelfed_container_extra_volumes: []
pixelfed_container_extra_labels: {}
pixelfed_container_extra_env: {}
pixelfed_container_restart_policy: unless-stopped
pixelfed_worker_container_name: "{{ pixelfed_container_name }}-worker"
# host filesystem paths
pixelfed_config_path: "{{ pixelfed_base_path }}/config"
pixelfed_storage_path: "{{ pixelfed_base_path }}/storage"
pixelfed_source_path: "{{ pixelfed_base_path }}/source"
pixelfed_app_paths:
- path: "{{ pixelfed_base_path }}"
mode: "0750"
- path: "{{ pixelfed_config_path }}"
mode: "0750"
- path: "{{ pixelfed_storage_path }}"
mode: "0750"
- path: "{{ pixelfed_source_path }}"
mode: "0750"

28
roles/pixelfed/tasks/docker-deploy.yml
View File

@@ -1,28 +0,0 @@
---
- name: Ensure docker container '{{ pixelfed_container_name }}' is running
docker_container:
name: "{{ pixelfed_container_name }}"
image: "{{ pixelfed_container_image }}"
env: "{{ pixelfed_container_env }}"
env_file: "{{ pixelfed_config_path }}/env"
labels: "{{ pixelfed_container_labels }}"
volumes: "{{ pixelfed_container_volumes }}"
ports: "{{ pixelfed_container_ports | default(omit, True) }}"
networks: "{{ pixelfed_container_networks | default(omit, True) }}"
purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
restart_policy: "{{ pixelfed_container_restart_policy }}"
state: started
- name: Ensure docker container '{{ pixelfed_worker_container_name }}' is running
docker_container:
name: "{{ pixelfed_worker_container_name }}"
image: "{{ pixelfed_container_image }}"
env: "{{ pixelfed_container_env }}"
env_file: "{{ pixelfed_config_path }}/env"
volumes: "{{ pixelfed_container_volumes }}"
networks: "{{ pixelfed_container_networks | default(omit, True) }}"
purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
restart_policy: "{{ pixelfed_container_restart_policy }}"
command: "gosu www-data php artisan horizon"
state: started

28
roles/pixelfed/tasks/docker-image.yml
View File

@@ -1,28 +0,0 @@
---
- name: Ensure docker container image is pulled
docker_image:
name: "{{ pixelfed_container_image }}"
state: present
source: pull
force_source: "{{ true if docker_container_image_tag else false }}"
when: not pixelfed_container_image_local_build
- name: Ensure upstream git repository is cloned to source folder
git:
repo: "{{ pixelfed_source_upstream_git_repo }}"
dest: "{{ pixelfed_source_path }}"
update: yes
clone: yes
when: pixelfed_container_image_local_build
- name: Build docker container image '{{ pixelfed_container_image }}' locally
docker_image:
name: "{{ pixelfed_container_image_name }}"
tag: "{{ pixelfed_container_image_tag | default('v' + pixelfed_version) }}"
state: present
source: build
build:
dockerfile: "contrib/docker/Dockerfile.apache"
path: "{{ pixelfed_source_path }}"
when: pixelfed_container_image_local_build

39
roles/pixelfed/tasks/main.yml
View File

@@ -1,39 +0,0 @@
---
- name: Ensure user '{{ pixelfed_user }}' for pixelfed is created
user:
name: "{{ pixelfed_user }}"
state: present
system: true
register: pixelfed_user_stat
- name: Ensure file system paths exist for persisting data
file:
path: "{{ dir.path }}"
state: directory
owner: "{{ dir.user | default(pixelfed_run_user) }}"
group: "{{ dir.group | default(pixelfed_run_group) }}"
mode: "{{ dir.mode }}"
loop: "{{ pixelfed_app_paths }}"
loop_control:
loop_var: dir
label: "{{ dir.path }}"
- name: Ensure env file for pixelfed is templated
template:
src: env.docker.j2
dest: "{{ pixelfed_config_path }}/env"
owner: "{{ pixelfed_run_user }}"
group: "{{ pixelfed_run_group }}"
mode: "0640"
- name: Ensure docker container image is available
include_tasks:
file: docker-image.yml
when: 'docker' in pixelfed_deployment_method
- name: Ensure pixelfed instance is started
block:
- name: Ensure pixelfed instance is started (docker)
include_tasks:
file: docker-deploy.yml

148
roles/pixelfed/templates/env.docker.j2
View File

@@ -1,148 +0,0 @@
## Crypto
APP_KEY=
## General Settings
APP_NAME="Pixelfed Prod"
APP_ENV=production
APP_DEBUG=false
APP_URL=https://real.domain
APP_DOMAIN="real.domain"
ADMIN_DOMAIN="real.domain"
SESSION_DOMAIN="real.domain"
OPEN_REGISTRATION=true
ENFORCE_EMAIL_VERIFICATION=false
PF_MAX_USERS=1000
OAUTH_ENABLED=true
APP_TIMEZONE=UTC
APP_LOCALE=en
## Pixelfed Tweaks
LIMIT_ACCOUNT_SIZE=true
MAX_ACCOUNT_SIZE=1000000
MAX_PHOTO_SIZE=15000
MAX_AVATAR_SIZE=2000
MAX_CAPTION_LENGTH=500
MAX_BIO_LENGTH=125
MAX_NAME_LENGTH=30
MAX_ALBUM_LENGTH=4
IMAGE_QUALITY=80
PF_OPTIMIZE_IMAGES=true
PF_OPTIMIZE_VIDEOS=true
ADMIN_ENV_EDITOR=false
ACCOUNT_DELETION=true
ACCOUNT_DELETE_AFTER=false
MAX_LINKS_PER_POST=0
## Instance
#INSTANCE_DESCRIPTION=
INSTANCE_PUBLIC_HASHTAGS=false
#INSTANCE_CONTACT_EMAIL=
INSTANCE_PUBLIC_LOCAL_TIMELINE=false
#BANNED_USERNAMES=
STORIES_ENABLED=false
RESTRICTED_INSTANCE=false
## Mail
MAIL_DRIVER=log
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_FROM_ADDRESS="pixelfed@example.com"
MAIL_FROM_NAME="Pixelfed"
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
## Databases (MySQL)
DB_CONNECTION=mysql
DB_DATABASE=pixelfed_prod
DB_HOST=db
DB_PASSWORD=pixelfed_db_pass
DB_PORT=3306
DB_USERNAME=pixelfed
# pass the same values to the db itself
MYSQL_DATABASE=pixelfed_prod
MYSQL_PASSWORD=pixelfed_db_pass
MYSQL_RANDOM_ROOT_PASSWORD=true
MYSQL_USER=pixelfed
## Databases (Postgres)
#DB_CONNECTION=pgsql
#DB_HOST=postgres
#DB_PORT=5432
#DB_DATABASE=pixelfed
#DB_USERNAME=postgres
#DB_PASSWORD=postgres
## Cache (Redis)
REDIS_CLIENT=phpredis
REDIS_SCHEME=tcp
REDIS_HOST=redis
REDIS_PASSWORD=redis_password
REDIS_PORT=6379
REDIS_DATABASE=0
## EXPERIMENTS
EXP_LC=false
EXP_REC=false
EXP_LOOPS=false
## ActivityPub Federation
ACTIVITY_PUB=false
AP_REMOTE_FOLLOW=false
AP_SHAREDINBOX=false
AP_INBOX=false
AP_OUTBOX=false
ATOM_FEEDS=true
NODEINFO=true
WEBFINGER=true
## S3
FILESYSTEM_DRIVER=local
FILESYSTEM_CLOUD=s3
PF_ENABLE_CLOUD=false
#AWS_ACCESS_KEY_ID=
#AWS_SECRET_ACCESS_KEY=
#AWS_DEFAULT_REGION=
#AWS_BUCKET=
#AWS_URL=
#AWS_ENDPOINT=
#AWS_USE_PATH_STYLE_ENDPOINT=false
## Horizon
HORIZON_DARKMODE=false
## COSTAR - Confirm Object Sentiment Transform and Reduce
PF_COSTAR_ENABLED=false
# Media
MEDIA_EXIF_DATABASE=false
## Logging
LOG_CHANNEL=stderr
## Image
IMAGE_DRIVER=imagick
## Broadcasting
BROADCAST_DRIVER=log # log driver for local development
## Cache
CACHE_DRIVER=redis
## Purify
RESTRICT_HTML_TYPES=true
## Queue
QUEUE_DRIVER=redis
## Session
SESSION_DRIVER=redis
## Trusted Proxy
TRUST_PROXIES="*"
## Passport
#PASSPORT_PRIVATE_KEY=
#PASSPORT_PUBLIC_KEY=

0
roles/pixelfed/templates/main.yml
View File

21
roles/pixelfed/vars/main.yml
View File

@@ -1,21 +0,0 @@
---
pixelfed_container_base_volumes:
- "{{ pixelfed_storage_path }}:/var/www/storage:z"
- "{{ pixelfed_config_path/env:/var/www/.env:ro"
pixelfed_container_base_env:
pixelfed_container_base_labels:
VERSION: "{{ pixelfed_version }}"
pixelfed_container_volumes: "{{ pixelfed_container_base_volumes + pixelfed_container_extra_volumes }}"
pixelfed_container_labels: "{{ pixelfed_container_base_labels + pixelfed_container_extra_labels }}"
pixelfed_container_env: "{{ pixelfed_container_base_env + pixelfed_container_extra_env }}"
pixelfed_source_upstream_git_repo: "https://github.com/pixelfed/pixelfed.git"
pixelfed_supported_deployment_methods:
- docker_selfbuilt
- docker_pulled