feat(fediwall): add ansible role

README.md

@@ -9,6 +9,12 @@ available.
 
 ## Roles
 
+- [`fediwall`](roles/fediwall/README.md): deployment of [Fediwall](https://fediwall.social),
+  a media wall for mastodon inspired by mastowall.
+
+- [`gotosocial`](roles/gotosocial/README.md): deployment of [GoToSocial.org](https://gotosocial.org/),
+  an ActivityPub social network server, in a docker container.
+
 - [`mastodon`](roles/mastodon/README.md): deployment using a container based
   setup, able to use webfinger delegation.
 

galaxy.yml

@@ -1,15 +1,17 @@
 namespace: finallycoffee
 name: fediverse
-version: 0.0.1
+version: 0.1.2
 readme: README.md
 authors:
-- Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu>
+- transcaffeine <transcaffeine@finally.coffee>
-description: Various ansible roles for deploying fediverse software
+description: Deploying fediverse software, mostly ActivityPub based
 dependencies:
-  "community.docker": "^1.10.0"
+  "community.docker": "^4.0.0"
-license:
+license_file: LICENSE.md
-- CNPLv7+
 build_ignore:
 - '*.tar.gz'
-repository: https://git.finallycoffee.eu/finallycoffee.eu/fediverse
+repository: https://git.finally.coffee/finallycoffee/fediverse
-issues: https://git.finallycoffee.eu/finallycoffee.eu/fediverse/issues
+issues: https://codeberg.org/finallycoffee/ansible-collection-fediverse/issues
+tags:
+  - fediwall
+  - gotosocial

meta/runtime.yml

@@ -0,0 +1,3 @@
+---
+
+requires_ansible: ">=2.15"

playbooks/fediwall.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and configure fediwall
+  hosts: "{{ fediwall_hosts | default('fediwall') }}"
+  become: "{{ fediwall_become | default(false) }}"
+  roles:
+    - role: fediwall

roles/fediwall/README.md

@@ -0,0 +1,4 @@
+# `finallycoffee.fediverse.fediwall` ansible role
+
+Ansible role for [`fediwall`](https://fediwall.social) deployment.
+

roles/fediwall/defaults/main/config.yml

@@ -0,0 +1,50 @@
+---
+fediwall_config_servers:
+  - mastodon.social
+fediwall_config_tags:
+  - cats
+fediwall_config_accounts: []
+fediwall_config_load_public: false
+fediwall_config_load_federated: false
+fediwall_config_load_trends: false
+fediwall_config_languages: []
+fediwall_config_bad_words: []
+fediwall_config_hide_sensitive: true
+fediwall_config_hide_bots: true
+fediwall_config_hide_replies: true
+fediwall_config_hide_boosts: false
+fediwall_config_limit: 20
+fediwall_config_interval: 10
+fediwall_config_title: "Fediwall"
+fediwall_config_theme: "auto"
+fediwall_config_show_infobar: true
+fediwall_config_show_text: true
+fediwall_config_show_media: true
+fediwall_config_play_videos: true
+
+fediwall_default_config:
+  servers: "{{ fediwall_config_servers }}"
+  tags: "{{ fediwall_config_tags }}"
+  accounts: "{{ fediwall_config_accounts }}"
+  loadPublic: "{{ fediwall_config_load_public }}"
+  loadFederated: "{{ fediwall_config_load_federated }}"
+  loadTrends: "{{ fediwall_config_load_trends }}"
+  languages: "{{ fediwall_config_languages }}"
+  badWords: "{{ fediwall_config_bad_words }}"
+  hideSensitive: "{{ fediwall_config_hide_sensitive }}"
+  hideBots: "{{ fediwall_config_hide_bots }}"
+  hideReplies: "{{ fediwall_config_hide_replies }}"
+  hideBoosts: "{{ fediwall_config_hide_boosts }}"
+  limit: "{{ fediwall_config_limit }}"
+  interval: "{{ fediwall_config_interval }}"
+  title: "{{ fediwall_config_title }}"
+  theme: "{{ fediwall_config_theme }}"
+  showInfobar: "{{ fediwall_config_show_infobar }}"
+  showText: "{{ fediwall_config_show_text }}"
+  showMedia: "{{ fediwall_config_show_media }}"
+  playVideos: "{{ fediwall_config_play_videos }}"
+
+fediwall_config: {}
+fediwall_final_config: >-2
+  {{ fediwall_default_config | default({}, true)
+    | combine(fediwall_config | default({}, true)) }}

roles/fediwall/defaults/main/container.yml

@@ -0,0 +1,45 @@
+---
+fediwall_container_name: fediwall
+fediwall_container_image_registry: ghcr.io
+fediwall_container_image_namespace: defnull
+fediwall_container_image_name: fediwall
+fediwall_container_image_repository: >-2
+  {{
+    [
+      fediwall_container_image_registry | default([], true),
+      fediwall_container_image_namespace | default([], true),
+      fediwall_container_image_name
+    ] | flatten | join('/')
+  }}
+fediwall_container_image_tag: ~
+fediwall_container_image_source: pull
+fediwall_container_image_force_source: >-2
+  {{ fediwall_container_image_tag | default(false, true) | bool }}
+fediwall_container_image: >-2
+  {{
+    [
+      fediwall_container_image_repository,
+      fediwall_container_image_tag | default(fediwall_version, true)
+    ] | join(':')
+  }}
+fediwall_container_env: ~
+fediwall_container_user: ~
+fediwall_container_ports: ~
+fediwall_container_labels: ~
+fediwall_container_volumes: []
+fediwall_container_networks: ~
+fediwall_container_network_mode: ~
+fediwall_container_dns_servers: ~
+fediwall_container_etc_hosts: ~
+fediwall_container_memory: ~
+fediwall_container_memory_swap: ~
+fediwall_container_memory_reservation: ~
+fediwall_container_restart_policy: "on-failure"
+
+fediwall_container_config_file: "/usr/share/nginx/html/wall-config.json"
+fediwall_container_base_volumes:
+  - "{{ fediwall_config_file }}:{{ fediwall_container_config_file }}:ro"
+fediwall_container_final_volumes: >-2
+  {{ fediwall_container_base_volumes + fediwall_container_volumes }}
+fediwall_container_state: >-2
+  {{ (fediwall_state == 'present') | ternary('started', 'absent') }}

roles/fediwall/defaults/main/main.yml

@@ -0,0 +1,8 @@
+---
+fediwall_user: fediwall
+fediwall_version: "1.4.0"
+fediwall_config_file: "/etc/fediwall/config.json"
+fediwall_config_file_path: "{{ fediwall_config_file | dirname }}"
+
+fediwall_state: "present"
+fediwall_deployment_method: "docker"

roles/fediwall/tasks/deploy-docker.yml

@@ -0,0 +1,26 @@
+---
+- name: Ensure container image '{{ fediwall_container_image }}' is {{ fediwall_state }}
+  community.docker.docker_image:
+    name: "{{ fediwall_container_image }}"
+    state: "{{ fediwall_state }}"
+    source: "{{ fediwall_container_image_source }}"
+    force_source: "{{ fediwall_container_image_force_source }}"
+
+- name: Ensure container '{{ fediwall_container_name }}' is {{ fediwall_container_state }}
+  community.docker.docker_container:
+    name: "{{ fediwall_container_name }}"
+    image: "{{ fediwall_container_image }}"
+    env: "{{ fediwall_container_env | default(omit, true) }}"
+    user: "{{ fediwall_container_user | default(omit, true) }}"
+    ports: "{{ fediwall_container_ports | default(omit, true) }}"
+    labels: "{{ fediwall_container_labels | default(omit, true) }}"
+    volumes: "{{ fediwall_container_final_volumes | default(omit, true) }}"
+    networks: "{{ fediwall_container_networks | default(omit, true) }}"
+    network_mode: "{{ fediwall_container_network_mode | default(omit, true) }}"
+    dns_servers: "{{ fediwall_container_dns_servers | default(omit, true) }}"
+    etc_hosts: "{{ fediwall_container_etc_hosts | default(omit, true) }}"
+    memory: "{{ fediwall_container_memory | default(omit, true) }}"
+    memory_swap: "{{ fediwall_container_memory_swap | default(omit, true) }}"
+    memory_reservation: "{{ fediwall_container_memory_reservation | default(omit, true) }}"
+    restart_policy: "{{ fediwall_container_restart_policy }}"
+    state: "{{ fediwall_container_state }}"

roles/fediwall/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+- name: Ensure 'fediwall_state' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported state '{{ fediwall_state }}'. Supported
+      states are {{ fediwall_states | map(quote) | join(', ') }}
+  when: fediwall_state not in fediwall_states
+
+- name: Ensure 'fediwall_deployment_method' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported deployment method '{{ fediwall_deployment_method }}'.
+      upported deployment methods are {{ fediwall_deployment_methods | join(', ') }}
+  when: fediwall_deployment_method not in fediwall_deployment_methods
+
+- name: Ensure user '{{ fediwall_user }}' is {{ fediwall_state }}
+  ansible.builtin.user:
+    name: "{{ fediwall_user }}"
+    state: "{{ fediwall_state }}"
+    system: "{{ fediwall_user_system | default(true, true) }}"
+    create_home: "{{ fediwall_user_system | default(false, true) }}"
+
+- name: Ensure configuration folder '{{ fediwall_config_file_path }}' is {{ fediwall_state }}
+  ansible.builtin.file:
+    path: "{{ fediwall_config_file_path }}"
+    state: directory
+  when: fediwall_state == 'present'
+
+- name: Ensure configuration in '{{ fediwall_config_file }}' is {{ fediwall_state }}
+  ansible.builtin.copy:
+    content: "{{ fediwall_final_config | to_nice_json(indent=2) }}"
+    dest: "{{ fediwall_config_file }}"
+    state: "{{ fediwall_state }}"
+
+- name: Ensure configuration folder is {{ fediwall_state }}
+  ansible.builtin.file:
+    path: "{{ fediwall_config_file_path }}"
+    state: absent
+  when: fediwall_state == 'absent'
+
+- name: Deploy using {{ fediwall_deployment_method }}
+  ansible.builtin.include_tasks:
+    file: "deploy-{{ fediwall_deployment_method }}.yml"

roles/fediwall/vars/main.yml

@@ -0,0 +1,6 @@
+---
+fediwall_states:
+  - "present"
+  - "absent"
+fediwall_deployment_methods:
+  - "docker"

roles/gotosocial/README.md

@@ -1,8 +1,18 @@
 # `finallycoffee.fediverse.gotosocial` ansible role
 
-
 ## Configuration
 
+The server name can be set using `gotosocial_config_host`, with `gotosocial_config_account_domain` being available when webfinger delegation is used:
+
+```yaml
+gotosocial_config_host: gotosocial.example.org
+gotosocial_config_account_domain: example.org
+```
+
+### Database
+
+The database can be configured using the `gotosocial_config_db_[address|port|user|password|database]` variables. the `[...]_type` defaults to `postgres`.
+
 ### Built-in LetsEncrypt client
 
 To use the built-in letsencrypt client, set `gotosocial_config_letsencrypt_enabled: true`.
@@ -22,3 +32,15 @@ but with multiple acme clients all performing HTTP-01 challenges, you need to ma
 overwrite `gotosocial_container_ports` to fit your needs.
 
 ### Advanced configuration
+
+#### OIDC
+
+OIDC can be configured using `gotosocial_config_oidc_*` variables, disabled by default. A minimal configuration could look like this:
+
+```yaml
+gotosocial_config_oidc_enabled: true
+gotosocial_config_oidc_idp_name: "My fancy name for the configured IdP"
+gotosocial_config_oidc_issuer: http://issuer/url
+gotosocial_config_oidc_client_id: my_client_id
+gotosocial_config_oidc_client_secret: my_client_secret
+```

roles/gotosocial/defaults/main.yml

@@ -1,17 +1,17 @@
 ---
-
 gotosocial_user: "gotosocial"
-gotosocial_version: 0.3.6
+gotosocial_version: "0.19.0"
 gotosocial_base_path: "/opt/gotosocial"
 gotosocial_config_path: "{{ gotosocial_base_path }}/config"
 gotosocial_template_path: "{{ gotosocial_base_path }}/templates"
 gotosocial_asset_path: "{{ gotosocial_base_path }}/assets"
 gotosocial_storage_path: "{{ gotosocial_base_path }}/storage"
+gotosocial_cert_path: "{{ gotosocial_base_path }}/certificates"
 gotosocial_config_file: "{{ gotosocial_config_path }}/config.yaml"
 
 gotosocial_config: >-
   {{ gotosocial_default_config
-  | combine(gotosocial_extra_config, recursive=True) }}
+  | combine(gotosocial_extra_config | default({}), recursive=True) }}
 
 gotosocial_config_log_level: info
 gotosocial_config_log_db_queries: false
@@ -39,10 +39,13 @@ gotosocial_config_web_asset_base_dir: "{{ gotosocial_asset_path }}"
 
 # instance privacy
 gotosocial_config_instance_expose_peers: false
-gotosocial_config_expose_suspended: false
+gotosocial_config_instance_expose_suspended: false
+gotosocial_config_instance_expose_public_timeline: false
+gotosocial_config_instance_deliver_to_shared_inboxes: true
+gotosocial_config_instance_inject_mastodon_version: false
 
 # account config
-gotosocial_config_acounts_registration_open: true
+gotosocial_config_accounts_registration_open: true
 gotosocial_config_accounts_approval_required: true
 gotosocial_config_accounts_reason_required: true
 
@@ -81,6 +84,8 @@ gotosocial_config_oidc_scopes:
   - openid
   - email
   - profile
+gotosocial_config_oidc_link_existing: false
+gotosocial_config_oidc_admin_groups: []
 
 # smtp config
 gotosocial_config_smtp_host: ~
@@ -88,6 +93,7 @@ gotosocial_config_smtp_port: ~
 gotosocial_config_smtp_username: ~
 gotosocial_config_smtp_password: ~
 gotosocial_config_smtp_from: ~
+gotosocial_config_smtp_disclose_recipients: false
 
 # syslog config
 gotosocial_config_syslog_enabled: false
@@ -108,7 +114,9 @@ gotosocial_container_volumes: >-2
   {{ gotosocial_container_default_volumes
   + gotosocial_container_extra_volumes }}
 gotosocial_container_default_volumes:
+  - "{{ gotosocial_config_file }}:/gotosocial/config.yaml:ro"
   - "{{ gotosocial_storage_path }}:/gotosocial/storage:z"
+  - "{{ gotosocial_template_path }}:/gotosocial/web/templates:ro"
 gotosocial_container_extra_volumes: []
 
 gotosocial_container_env: {}
@@ -117,4 +125,11 @@ gotosocial_container_user: "{{ gotosocial_user }}"
 gotosocial_container_etc_hosts: ~
 gotosocial_container_networks: ~
 gotosocial_container_purge_networks: false
-gotosocial_container_restart_policy: unless_stopped
+gotosocial_container_restart_policy: unless-stopped
+gotosocial_container_entrypoint:
+  - "/gotosocial/gotosocial"
+  - "--config-path"
+  - "config.yaml"
+  - "server"
+  - "start"
+

roles/gotosocial/tasks/main.yml

@@ -20,6 +20,8 @@
     - name: "{{ gotosocial_base_path }}"
     - name: "{{ gotosocial_config_path }}"
     - name: "{{ gotosocial_storage_path }}"
+    - name: "{{ gotosocial_template_path }}"
+    - name: "{{ gotosocial_asset_path }}"
       mode: '0770'
   loop_control:
     loop_var: path
@@ -27,7 +29,7 @@
 
 - name: Ensure configuration is up to date
   copy:
-    content: "{{ gotosocial_config | to_nice_yaml(indent=2, max_with=10000) }}"
+    content: "{{ gotosocial_config | to_nice_yaml(indent=2, width=10000) }}"
     dest: "{{ gotosocial_config_file }}"
     owner: "{{ gotosocial_user_info.uid | default(gotosocial_user) }}"
     group: "{{ gotosocial_user_info.group | default(gotosocial_user) }}"
@@ -36,7 +38,7 @@
 
 - name: Ensure container image is available
   docker_image:
-    image: "{{ gotosocial_container_image }}"
+    name: "{{ gotosocial_container_image }}"
     state: present
     source: pull
     force_source: >-
@@ -54,9 +56,10 @@
     volumes: "{{ gotosocial_container_volumes }}"
     env: "{{ gotosocial_container_env | default(omit, True) }}"
     ports: "{{ gotosocial_container_ports | default(omit, True) }}"
-    labels: "{{ gotosocial_container_labels | default(omit, True }}"
+    labels: "{{ gotosocial_container_labels | default(omit, True) }}"
     networks: "{{ gotosocial_container_networks | default(omit, True) }}"
     etc_hosts: "{{ gotosocial_container_etc_hosts | default(omit, True) }}"
     purge_networks: "{{ gotosocial_container_purge_networks | default(False, True) }}"
     restart_policy: "{{ gotosocial_container_restart_policy }}"
+    entrypoint: "{{ gotosocial_container_entrypoint }}"
     state: started

roles/gotosocial/vars/main.yml

@@ -11,6 +11,7 @@ gotosocial_default_config:
   port: "{{ gotosocial_config_port }}"
   trusted-proxies: "{{ gotosocial_config_trusted_proxies }}"
   db-type: "{{ gotosocial_config_db_type }}"
+  db-address: "{{ gotosocial_config_db_address }}"
   db-port: "{{ gotosocial_config_db_port }}"
   db-user: "{{ gotosocial_config_db_user }}"
   db-password: "{{ gotosocial_config_db_password }}"
@@ -19,8 +20,11 @@ gotosocial_default_config:
   db-tls-ca-cert: "{{ gotosocial_config_db_tls_ca_cert }}"
   web-template-base-dir: "{{ gotosocial_config_web_template_base_dir }}"
   web-asset-base-dir: "{{ gotosocial_config_web_asset_base_dir }}"
-  instance-expose-peer: "{{ gotosocial_config_instance_expose_peers }}"
+  instance-expose-peers: "{{ gotosocial_config_instance_expose_peers }}"
-  instance-expose-suspended: "{{ gotosocial_config_expose_suspended }}"
+  instance-expose-suspended: "{{ gotosocial_config_instance_expose_suspended }}"
+  instance-expose-public-timeline: "{{ gotosocial_config_instance_expose_public_timeline }}"
+  instance-deliver-to-shared-inboxes: "{{ gotosocial_config_instance_deliver_to_shared_inboxes }}"
+  instance-inject-mastodon-version: "{{ gotosocial_config_instance_inject_mastodon_version }}"
   accounts-registration-open: "{{ gotosocial_config_acounts_registration_open }}"
   accounts-approval-required: "{{ gotosocial_config_accounts_approval_required }}"
   accounts-reason-required: "{{ gotosocial_config_accounts_reason_required }}"
@@ -47,11 +51,14 @@ gotosocial_default_config:
   oidc-client-id: "{{ gotosocial_config_oidc_client_id }}"
   oidc-client-secret: "{{ gotosocial_config_oidc_client_secret }}"
   oidc-scopes: "{{ gotosocial_config_oidc_scopes }}"
+  oidc-link-existing: "{{ gotosocial_config_oidc_link_existing }}"
+  oidc-admin-groups: "{{ gotosocial_config_oidc_admin_groups }}"
   smtp-host: "{{ gotosocial_config_smtp_host }}"
   smtp-port: "{{ gotosocial_config_smtp_port }}"
   smtp-username: "{{ gotosocial_config_smtp_username }}"
   smtp-password: "{{ gotosocial_config_smtp_password }}"
   smtp-from: "{{ gotosocial_config_smtp_from }}"
+  smtp-disclose-recipients: "{{ gotosocial_config_smtp_disclose_recipients }}"
   syslog-enabled: "{{ gotosocial_config_syslog_enabled }}"
   syslog-protocol: "{{ gotosocial_config_syslog_protocol }}"
   syslog-address: "{{ gotosocial_config_syslog_address }}"

roles/mastodon/defaults/main.yml

@@ -1,16 +1,17 @@
 ---
-
 mastodon_user: mastodon
 mastodon_base_path: /opt/mastodon
 mastodon_domain: ~
 mastodon_web_domain: ~
-mastodon_version: 3.5.1
+mastodon_version: "4.3.2"
 mastodon_git_upstream_url: "https://github.com/mastodon/mastodon.git"
 
 mastodon_data_path: "{{ mastodon_base_path }}/data"
 mastodon_repo_path: "{{ mastodon_base_path }}/src"
 mastodon_config_path: "{{ mastodon_base_path }}/config"
 mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
+mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
+mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
 mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
 mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
 mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
@@ -29,7 +30,9 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
 mastodon_container_networks:
   - name: "{{ mastodon_container_network_name }}"
 
-mastodon_container_base_volumes_streaming: []
+mastodon_container_base_volumes_streaming:
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
 mastodon_container_volumes_streaming: >-
   {{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
@@ -42,6 +45,8 @@ mastodon_container_volumes_sidekiq: >-
 
 mastodon_container_base_volumes:
   - "{{ mastodon_repo_path }}/public:/mastodon/public:z"
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes: []
 mastodon_container_volumes: >-
   {{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
@@ -104,3 +109,24 @@ mastodon_s3_bucket: ~
 mastodon_s3_aws_access_key_id: ~
 mastodon_s3_aws_secret_access_key: ~
 mastodon_s3_alias_host: ~
+
+mastodon_oidc_enabled: false
+mastodon_oidc_issuer_url: ~
+mastodon_oidc_discovery: true
+mastodon_oidc_scope: openid,profile
+mastodon_oidc_client_id: ~
+mastodon_oidc_client_secret: ~
+mastodon_oidc_client_auth_method: basic
+mastodon_oidc_response_mode: query
+mastodon_oidc_response_type: code
+mastodon_oidc_prompt: ~
+mastodon_oidc_display_name: My IDP
+mastodon_oidc_auth_endpoint: ~
+mastodon_oidc_token_endpoint: ~
+mastodon_oidc_user_info_endpoint: ~
+mastodon_oidc_end_session_endpoint: ~
+mastodon_oidc_jwks_uri:
+mastodon_oidc_redirect_uri:
+mastodon_oidc_idp_logout_redirect_uri: ~
+mastodon_oidc_uid_field: preferred_username
+mastodon_oidc_security_assume_email_is_verified: false

roles/mastodon/tasks/main.yml

@@ -43,6 +43,24 @@
     mode: "0640"
   notify: restart-mastodon-nginx
 
+- name: Ensure fake passwd file is templated
+  template:
+    src: passwd.j2
+    dest: "{{ mastodon_config_passwd_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
+- name: Ensure fake passwd file is templated
+  template:
+    src: group.j2
+    dest: "{{ mastodon_config_group_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
 - name: Ensure mastodon git repository is present and up-to-date
   git:
     repo: "{{ mastodon_git_upstream_url }}"
@@ -52,6 +70,8 @@
     force: no
     recursive: yes
     track_submodules: yes
+  become: yes
+  become_user: "{{ mastodon_user }}"
   register: git_repo_info
 
 - name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
@@ -131,6 +151,7 @@
     command: "node ./streaming"
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports_streaming }}"
+    user: "{{ mastodon_user }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
       interval: 5s
@@ -148,7 +169,7 @@
     command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports }}"
-    user: "{{ mastodon_user }}"
+    user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
       interval: 5s
@@ -156,6 +177,12 @@
       start_period: 0s
       timeout: 5s
 
+- name: Ensure container paths belong to the mastodon user
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
+    user: "0"
+
 - name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
   docker_container:
     name: "{{ mastodon_container_nginx_name }}"
@@ -165,12 +192,7 @@
     restart_policy: "{{ mastodon_container_restart_policy }}"
 
 - name: Ensure assets are precompiled
-  docker_container:
+  community.docker.docker_container_exec:
-    name: "{{ mastodon_container_name }}"
+    container: "{{ mastodon_container_name }}"
-    env_file: "{{ mastodon_config_env_file }}"
+    command: "bundle exec rails assets:precompile"
-    command: "bash -c \"bundle exec rails assets:precompile\""
-    user: "{{ mastodon_user }}"
-    tty: yes
-    interactive: yes
-    detach: no
   when: git_repo_info.before != git_repo_info.after

roles/mastodon/templates/env.j2

@@ -51,8 +51,12 @@ ES_ENABLED={{ mastodon_elasticsearch_enabled }}
 ES_HOST={{ mastodon_elasticsearch_host }}
 ES_PORT={{ mastodon_elasticsearch_port }}
 # Authentication for ES (optional)
+{% if mastodon_elasticsearch_user %}
 ES_USER={{ mastodon_elasticsearch_user }}
+{% endif %}
+{% if mastodon_elasticsearch_pass %}
 ES_PASS={{ mastodon_elasticsearch_pass }}
+{% endif %}
 
 # Secrets
 # -------
@@ -84,3 +88,41 @@ AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
 AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
 S3_ALIAS_HOST={{ mastodon_s3_alias_host }}
 
+# OpenId connect (optional)
+OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
+OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
+OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
+OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
+OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
+OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
+OIDC_SCOPE={{ mastodon_oidc_scope }}
+{% if mastodon_oidc_auth_endpoint %}
+OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
+{% endif %}
+{% if mastodon_oidc_token_endpoint %}
+OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
+{% endif %}
+{% if mastodon_oidc_user_info_endpoint %}
+OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
+{% endif %}
+{% if mastodon_oidc_end_session_endpoint %}
+OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
+{% endif %}
+{% if mastodon_oidc_jwks_uri %}
+OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
+{% endif %}
+{% if mastodon_oidc_redirect_uri %}
+OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
+{% endif %}
+{% if mastodon_oidc_idp_logout_redirect_uri %}
+OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
+{% endif %}
+OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
+OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
+{% if mastodon_oidc_response_mode %}
+OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
+{% endif %}
+{% if mastodon_oidc_response_type %}
+OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
+{% endif %}
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}

roles/mastodon/templates/group.j2

@@ -0,0 +1,40 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:

roles/mastodon/templates/passwd.j2

@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh