README.md

@@ -9,9 +9,6 @@ available.
 
 ## Roles
 
-- [`gotosocial`](roles/gotosocial/README.md): deployment of [GoToSocial.org](https://gotosocial.org/),
-  an ActivityPub social network server, in a docker container.
-
 - [`mastodon`](roles/mastodon/README.md): deployment using a container based
   setup, able to use webfinger delegation.
 

galaxy.yml

@@ -1,14 +1,15 @@
 namespace: finallycoffee
 name: fediverse
-version: 0.1.1
+version: 0.0.1
 readme: README.md
 authors:
-- transcaffeine <transcaffeine@finally.coffee>
+- Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu>
-description: Deploying fediverse software, mostly ActivityPub based
+description: Various ansible roles for deploying fediverse software
 dependencies:
-  "community.docker": "^3.0.0"
+  "community.docker": "^1.10.0"
-license_file: LICENSE.md
+license:
+- CNPLv7+
 build_ignore:
 - '*.tar.gz'
-repository: https://git.finally.coffee/finallycoffee/fediverse
+repository: https://git.finallycoffee.eu/finallycoffee.eu/fediverse
-issues: https://codeberg.org/finallycoffee/ansible-collection-fediverse/issues
+issues: https://git.finallycoffee.eu/finallycoffee.eu/fediverse/issues

meta/runtime.yml

@@ -1,3 +0,0 @@
----
-
-requires_ansible: ">=2.15"

roles/gotosocial/README.md

@@ -1,18 +1,8 @@
 # `finallycoffee.fediverse.gotosocial` ansible role
 
+
 ## Configuration
 
-The server name can be set using `gotosocial_config_host`, with `gotosocial_config_account_domain` being available when webfinger delegation is used:
-
-```yaml
-gotosocial_config_host: gotosocial.example.org
-gotosocial_config_account_domain: example.org
-```
-
-### Database
-
-The database can be configured using the `gotosocial_config_db_[address|port|user|password|database]` variables. the `[...]_type` defaults to `postgres`.
-
 ### Built-in LetsEncrypt client
 
 To use the built-in letsencrypt client, set `gotosocial_config_letsencrypt_enabled: true`.
@@ -32,15 +22,3 @@ but with multiple acme clients all performing HTTP-01 challenges, you need to ma
 overwrite `gotosocial_container_ports` to fit your needs.
 
 ### Advanced configuration
-
-#### OIDC
-
-OIDC can be configured using `gotosocial_config_oidc_*` variables, disabled by default. A minimal configuration could look like this:
-
-```yaml
-gotosocial_config_oidc_enabled: true
-gotosocial_config_oidc_idp_name: "My fancy name for the configured IdP"
-gotosocial_config_oidc_issuer: http://issuer/url
-gotosocial_config_oidc_client_id: my_client_id
-gotosocial_config_oidc_client_secret: my_client_secret
-```

roles/gotosocial/defaults/main.yml

@@ -1,18 +1,17 @@
 ---
 
 gotosocial_user: "gotosocial"
-gotosocial_version: 0.16.0
+gotosocial_version: 0.3.6
 gotosocial_base_path: "/opt/gotosocial"
 gotosocial_config_path: "{{ gotosocial_base_path }}/config"
 gotosocial_template_path: "{{ gotosocial_base_path }}/templates"
 gotosocial_asset_path: "{{ gotosocial_base_path }}/assets"
 gotosocial_storage_path: "{{ gotosocial_base_path }}/storage"
-gotosocial_cert_path: "{{ gotosocial_base_path }}/certificates"
 gotosocial_config_file: "{{ gotosocial_config_path }}/config.yaml"
 
 gotosocial_config: >-
   {{ gotosocial_default_config
-  | combine(gotosocial_extra_config | default({}), recursive=True) }}
+  | combine(gotosocial_extra_config, recursive=True) }}
 
 gotosocial_config_log_level: info
 gotosocial_config_log_db_queries: false
@@ -40,13 +39,10 @@ gotosocial_config_web_asset_base_dir: "{{ gotosocial_asset_path }}"
 
 # instance privacy
 gotosocial_config_instance_expose_peers: false
-gotosocial_config_instance_expose_suspended: false
+gotosocial_config_expose_suspended: false
-gotosocial_config_instance_expose_public_timeline: false
-gotosocial_config_instance_deliver_to_shared_inboxes: true
-gotosocial_config_instance_inject_mastodon_version: false
 
 # account config
-gotosocial_config_accounts_registration_open: true
+gotosocial_config_acounts_registration_open: true
 gotosocial_config_accounts_approval_required: true
 gotosocial_config_accounts_reason_required: true
 
@@ -85,8 +81,6 @@ gotosocial_config_oidc_scopes:
   - openid
   - email
   - profile
-gotosocial_config_oidc_link_existing: false
-gotosocial_config_oidc_admin_groups: []
 
 # smtp config
 gotosocial_config_smtp_host: ~
@@ -94,7 +88,6 @@ gotosocial_config_smtp_port: ~
 gotosocial_config_smtp_username: ~
 gotosocial_config_smtp_password: ~
 gotosocial_config_smtp_from: ~
-gotosocial_config_smtp_disclose_recipients: false
 
 # syslog config
 gotosocial_config_syslog_enabled: false
@@ -115,9 +108,7 @@ gotosocial_container_volumes: >-2
   {{ gotosocial_container_default_volumes
   + gotosocial_container_extra_volumes }}
 gotosocial_container_default_volumes:
-  - "{{ gotosocial_config_file }}:/gotosocial/config.yaml:ro"
   - "{{ gotosocial_storage_path }}:/gotosocial/storage:z"
-  - "{{ gotosocial_template_path }}:/gotosocial/web/templates:ro"
 gotosocial_container_extra_volumes: []
 
 gotosocial_container_env: {}
@@ -126,11 +117,4 @@ gotosocial_container_user: "{{ gotosocial_user }}"
 gotosocial_container_etc_hosts: ~
 gotosocial_container_networks: ~
 gotosocial_container_purge_networks: false
-gotosocial_container_restart_policy: unless-stopped
+gotosocial_container_restart_policy: unless_stopped
-gotosocial_container_entrypoint:
-  - "/gotosocial/gotosocial"
-  - "--config-path"
-  - "config.yaml"
-  - "server"
-  - "start"
-

roles/gotosocial/tasks/main.yml

@@ -20,8 +20,6 @@
     - name: "{{ gotosocial_base_path }}"
     - name: "{{ gotosocial_config_path }}"
     - name: "{{ gotosocial_storage_path }}"
-    - name: "{{ gotosocial_template_path }}"
-    - name: "{{ gotosocial_asset_path }}"
       mode: '0770'
   loop_control:
     loop_var: path
@@ -29,7 +27,7 @@
 
 - name: Ensure configuration is up to date
   copy:
-    content: "{{ gotosocial_config | to_nice_yaml(indent=2, width=10000) }}"
+    content: "{{ gotosocial_config | to_nice_yaml(indent=2, max_with=10000) }}"
     dest: "{{ gotosocial_config_file }}"
     owner: "{{ gotosocial_user_info.uid | default(gotosocial_user) }}"
     group: "{{ gotosocial_user_info.group | default(gotosocial_user) }}"
@@ -38,7 +36,7 @@
 
 - name: Ensure container image is available
   docker_image:
-    name: "{{ gotosocial_container_image }}"
+    image: "{{ gotosocial_container_image }}"
     state: present
     source: pull
     force_source: >-
@@ -56,10 +54,9 @@
     volumes: "{{ gotosocial_container_volumes }}"
     env: "{{ gotosocial_container_env | default(omit, True) }}"
     ports: "{{ gotosocial_container_ports | default(omit, True) }}"
-    labels: "{{ gotosocial_container_labels | default(omit, True) }}"
+    labels: "{{ gotosocial_container_labels | default(omit, True }}"
     networks: "{{ gotosocial_container_networks | default(omit, True) }}"
     etc_hosts: "{{ gotosocial_container_etc_hosts | default(omit, True) }}"
     purge_networks: "{{ gotosocial_container_purge_networks | default(False, True) }}"
     restart_policy: "{{ gotosocial_container_restart_policy }}"
-    entrypoint: "{{ gotosocial_container_entrypoint }}"
     state: started

roles/gotosocial/vars.yml

@@ -11,7 +11,6 @@ gotosocial_default_config:
   port: "{{ gotosocial_config_port }}"
   trusted-proxies: "{{ gotosocial_config_trusted_proxies }}"
   db-type: "{{ gotosocial_config_db_type }}"
-  db-address: "{{ gotosocial_config_db_address }}"
   db-port: "{{ gotosocial_config_db_port }}"
   db-user: "{{ gotosocial_config_db_user }}"
   db-password: "{{ gotosocial_config_db_password }}"
@@ -20,11 +19,8 @@ gotosocial_default_config:
   db-tls-ca-cert: "{{ gotosocial_config_db_tls_ca_cert }}"
   web-template-base-dir: "{{ gotosocial_config_web_template_base_dir }}"
   web-asset-base-dir: "{{ gotosocial_config_web_asset_base_dir }}"
-  instance-expose-peers: "{{ gotosocial_config_instance_expose_peers }}"
+  instance-expose-peer: "{{ gotosocial_config_instance_expose_peers }}"
-  instance-expose-suspended: "{{ gotosocial_config_instance_expose_suspended }}"
+  instance-expose-suspended: "{{ gotosocial_config_expose_suspended }}"
-  instance-expose-public-timeline: "{{ gotosocial_config_instance_expose_public_timeline }}"
-  instance-deliver-to-shared-inboxes: "{{ gotosocial_config_instance_deliver_to_shared_inboxes }}"
-  instance-inject-mastodon-version: "{{ gotosocial_config_instance_inject_mastodon_version }}"
   accounts-registration-open: "{{ gotosocial_config_acounts_registration_open }}"
   accounts-approval-required: "{{ gotosocial_config_accounts_approval_required }}"
   accounts-reason-required: "{{ gotosocial_config_accounts_reason_required }}"
@@ -51,14 +47,11 @@ gotosocial_default_config:
   oidc-client-id: "{{ gotosocial_config_oidc_client_id }}"
   oidc-client-secret: "{{ gotosocial_config_oidc_client_secret }}"
   oidc-scopes: "{{ gotosocial_config_oidc_scopes }}"
-  oidc-link-existing: "{{ gotosocial_config_oidc_link_existing }}"
-  oidc-admin-groups: "{{ gotosocial_config_oidc_admin_groups }}"
   smtp-host: "{{ gotosocial_config_smtp_host }}"
   smtp-port: "{{ gotosocial_config_smtp_port }}"
   smtp-username: "{{ gotosocial_config_smtp_username }}"
   smtp-password: "{{ gotosocial_config_smtp_password }}"
   smtp-from: "{{ gotosocial_config_smtp_from }}"
-  smtp-disclose-recipients: "{{ gotosocial_config_smtp_disclose_recipients }}"
   syslog-enabled: "{{ gotosocial_config_syslog_enabled }}"
   syslog-protocol: "{{ gotosocial_config_syslog_protocol }}"
   syslog-address: "{{ gotosocial_config_syslog_address }}"

roles/mastodon/defaults/main.yml

@@ -4,15 +4,13 @@ mastodon_user: mastodon
 mastodon_base_path: /opt/mastodon
 mastodon_domain: ~
 mastodon_web_domain: ~
-mastodon_version: 4.1.5
+mastodon_version: 3.5.1
 mastodon_git_upstream_url: "https://github.com/mastodon/mastodon.git"
 
 mastodon_data_path: "{{ mastodon_base_path }}/data"
 mastodon_repo_path: "{{ mastodon_base_path }}/src"
 mastodon_config_path: "{{ mastodon_base_path }}/config"
 mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
-mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
-mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
 mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
 mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
 mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
@@ -31,9 +29,7 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
 mastodon_container_networks:
   - name: "{{ mastodon_container_network_name }}"
 
-mastodon_container_base_volumes_streaming:
+mastodon_container_base_volumes_streaming: []
-  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
-  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
 mastodon_container_volumes_streaming: >-
   {{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
@@ -46,8 +42,6 @@ mastodon_container_volumes_sidekiq: >-
 
 mastodon_container_base_volumes:
   - "{{ mastodon_repo_path }}/public:/mastodon/public:z"
-  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
-  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes: []
 mastodon_container_volumes: >-
   {{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
@@ -110,24 +104,3 @@ mastodon_s3_bucket: ~
 mastodon_s3_aws_access_key_id: ~
 mastodon_s3_aws_secret_access_key: ~
 mastodon_s3_alias_host: ~
-
-mastodon_oidc_enabled: false
-mastodon_oidc_issuer_url: ~
-mastodon_oidc_discovery: true
-mastodon_oidc_scope: openid,profile
-mastodon_oidc_client_id: ~
-mastodon_oidc_client_secret: ~
-mastodon_oidc_client_auth_method: basic
-mastodon_oidc_response_mode: query
-mastodon_oidc_response_type: code
-mastodon_oidc_prompt: ~
-mastodon_oidc_display_name: My IDP
-mastodon_oidc_auth_endpoint: ~
-mastodon_oidc_token_endpoint: ~
-mastodon_oidc_user_info_endpoint: ~
-mastodon_oidc_end_session_endpoint: ~
-mastodon_oidc_jwks_uri:
-mastodon_oidc_redirect_uri:
-mastodon_oidc_idp_logout_redirect_uri: ~
-mastodon_oidc_uid_field: preferred_username
-mastodon_oidc_security_assume_email_is_verified: false

roles/mastodon/tasks/main.yml

@@ -43,24 +43,6 @@
     mode: "0640"
   notify: restart-mastodon-nginx
 
-- name: Ensure fake passwd file is templated
-  template:
-    src: passwd.j2
-    dest: "{{ mastodon_config_passwd_file }}"
-    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
-    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
-    mode: "0644"
-  notify: restart-mastodon
-
-- name: Ensure fake passwd file is templated
-  template:
-    src: group.j2
-    dest: "{{ mastodon_config_group_file }}"
-    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
-    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
-    mode: "0644"
-  notify: restart-mastodon
-
 - name: Ensure mastodon git repository is present and up-to-date
   git:
     repo: "{{ mastodon_git_upstream_url }}"
@@ -70,8 +52,6 @@
     force: no
     recursive: yes
     track_submodules: yes
-  become: yes
-  become_user: "{{ mastodon_user }}"
   register: git_repo_info
 
 - name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
@@ -151,7 +131,6 @@
     command: "node ./streaming"
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports_streaming }}"
-    user: "{{ mastodon_user }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
       interval: 5s
@@ -169,7 +148,7 @@
     command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports }}"
-    user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
+    user: "{{ mastodon_user }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
       interval: 5s
@@ -177,12 +156,6 @@
       start_period: 0s
       timeout: 5s
 
-- name: Ensure container paths belong to the mastodon user
-  community.docker.docker_container_exec:
-    container: "{{ mastodon_container_name }}"
-    command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
-    user: "0"
-
 - name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
   docker_container:
     name: "{{ mastodon_container_nginx_name }}"
@@ -192,7 +165,12 @@
     restart_policy: "{{ mastodon_container_restart_policy }}"
 
 - name: Ensure assets are precompiled
-  community.docker.docker_container_exec:
+  docker_container:
-    container: "{{ mastodon_container_name }}"
+    name: "{{ mastodon_container_name }}"
-    command: "bundle exec rails assets:precompile"
+    env_file: "{{ mastodon_config_env_file }}"
+    command: "bash -c \"bundle exec rails assets:precompile\""
+    user: "{{ mastodon_user }}"
+    tty: yes
+    interactive: yes
+    detach: no
   when: git_repo_info.before != git_repo_info.after

roles/mastodon/templates/env.j2

@@ -51,12 +51,8 @@ ES_ENABLED={{ mastodon_elasticsearch_enabled }}
 ES_HOST={{ mastodon_elasticsearch_host }}
 ES_PORT={{ mastodon_elasticsearch_port }}
 # Authentication for ES (optional)
-{% if mastodon_elasticsearch_user %}
 ES_USER={{ mastodon_elasticsearch_user }}
-{% endif %}
-{% if mastodon_elasticsearch_pass %}
 ES_PASS={{ mastodon_elasticsearch_pass }}
-{% endif %}
 
 # Secrets
 # -------
@@ -88,41 +84,3 @@ AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
 AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
 S3_ALIAS_HOST={{ mastodon_s3_alias_host }}
 
-# OpenId connect (optional)
-OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
-OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
-OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
-OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
-OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
-OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
-OIDC_SCOPE={{ mastodon_oidc_scope }}
-{% if mastodon_oidc_auth_endpoint %}
-OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
-{% endif %}
-{% if mastodon_oidc_token_endpoint %}
-OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
-{% endif %}
-{% if mastodon_oidc_user_info_endpoint %}
-OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
-{% endif %}
-{% if mastodon_oidc_end_session_endpoint %}
-OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
-{% endif %}
-{% if mastodon_oidc_jwks_uri %}
-OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
-{% endif %}
-{% if mastodon_oidc_redirect_uri %}
-OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
-{% endif %}
-{% if mastodon_oidc_idp_logout_redirect_uri %}
-OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
-{% endif %}
-OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
-OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
-{% if mastodon_oidc_response_mode %}
-OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
-{% endif %}
-{% if mastodon_oidc_response_type %}
-OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
-{% endif %}
-OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}

roles/mastodon/templates/group.j2

@@ -1,40 +0,0 @@
-root:x:0:
-daemon:x:1:
-bin:x:2:
-sys:x:3:
-adm:x:4:
-tty:x:5:
-disk:x:6:
-lp:x:7:
-mail:x:8:
-news:x:9:
-uucp:x:10:
-man:x:12:
-proxy:x:13:
-kmem:x:15:
-dialout:x:20:
-fax:x:21:
-voice:x:22:
-cdrom:x:24:
-floppy:x:25:
-tape:x:26:
-sudo:x:27:
-audio:x:29:
-dip:x:30:
-www-data:x:33:
-backup:x:34:
-operator:x:37:
-list:x:38:
-irc:x:39:
-src:x:40:
-gnats:x:41:
-shadow:x:42:
-utmp:x:43:
-video:x:44:
-sasl:x:45:
-plugdev:x:46:
-staff:x:50:
-games:x:60:
-users:x:100:
-nogroup:x:65534:
-{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:

roles/mastodon/templates/passwd.j2

@@ -1,20 +0,0 @@
-root:x:0:0:root:/root:/bin/bash
-daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
-bin:x:2:2:bin:/bin:/usr/sbin/nologin
-sys:x:3:3:sys:/dev:/usr/sbin/nologin
-sync:x:4:65534:sync:/bin:/bin/sync
-games:x:5:60:games:/usr/games:/usr/sbin/nologin
-man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
-lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
-mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
-news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
-uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
-proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
-www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
-backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
-list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
-irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
-gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
-nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
-_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
-{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh