feat(pixelfed): add ansible role

README.md

@@ -9,6 +9,9 @@ available.
 
 ## Roles
 
+- [`gotosocial`](roles/gotosocial/README.md): deployment of [GoToSocial.org](https://gotosocial.org/),
+  an ActivityPub social network server, in a docker container.
+
 - [`mastodon`](roles/mastodon/README.md): deployment using a container based
   setup, able to use webfinger delegation.
 

roles/gotosocial/defaults/main.yml

@@ -1,17 +1,18 @@
 ---
 
 gotosocial_user: "gotosocial"
-gotosocial_version: 0.3.6
+gotosocial_version: 0.3.8
 gotosocial_base_path: "/opt/gotosocial"
 gotosocial_config_path: "{{ gotosocial_base_path }}/config"
 gotosocial_template_path: "{{ gotosocial_base_path }}/templates"
 gotosocial_asset_path: "{{ gotosocial_base_path }}/assets"
 gotosocial_storage_path: "{{ gotosocial_base_path }}/storage"
+gotosocial_cert_path: "{{ gotosocial_base_path }}/certificates"
 gotosocial_config_file: "{{ gotosocial_config_path }}/config.yaml"
 
 gotosocial_config: >-
   {{ gotosocial_default_config
-  | combine(gotosocial_extra_config, recursive=True) }}
+  | combine(gotosocial_extra_config | default({}), recursive=True) }}
 
 gotosocial_config_log_level: info
 gotosocial_config_log_db_queries: false
@@ -108,7 +109,9 @@ gotosocial_container_volumes: >-2
   {{ gotosocial_container_default_volumes
   + gotosocial_container_extra_volumes }}
 gotosocial_container_default_volumes:
+  - "{{ gotosocial_config_file }}:/gotosocial/config.yaml:ro"
   - "{{ gotosocial_storage_path }}:/gotosocial/storage:z"
+  - "{{ gotosocial_template_path }}:/gotosocial/web/templates:ro"
 gotosocial_container_extra_volumes: []
 
 gotosocial_container_env: {}
@@ -117,4 +120,11 @@ gotosocial_container_user: "{{ gotosocial_user }}"
 gotosocial_container_etc_hosts: ~
 gotosocial_container_networks: ~
 gotosocial_container_purge_networks: false
-gotosocial_container_restart_policy: unless_stopped
+gotosocial_container_restart_policy: unless-stopped
+gotosocial_container_entrypoint:
+  - "/gotosocial/gotosocial"
+  - "--config-path"
+  - "config.yaml"
+  - "server"
+  - "start"
+

roles/gotosocial/tasks/main.yml

@@ -20,6 +20,8 @@
     - name: "{{ gotosocial_base_path }}"
     - name: "{{ gotosocial_config_path }}"
     - name: "{{ gotosocial_storage_path }}"
+    - name: "{{ gotosocial_template_path }}"
+    - name: "{{ gotosocial_asset_path }}"
       mode: '0770'
   loop_control:
     loop_var: path
@@ -27,7 +29,7 @@
 
 - name: Ensure configuration is up to date
   copy:
-    content: "{{ gotosocial_config | to_nice_yaml(indent=2, max_with=10000) }}"
+    content: "{{ gotosocial_config | to_nice_yaml(indent=2, width=10000) }}"
     dest: "{{ gotosocial_config_file }}"
     owner: "{{ gotosocial_user_info.uid | default(gotosocial_user) }}"
     group: "{{ gotosocial_user_info.group | default(gotosocial_user) }}"
@@ -36,7 +38,7 @@
 
 - name: Ensure container image is available
   docker_image:
-    image: "{{ gotosocial_container_image }}"
+    name: "{{ gotosocial_container_image }}"
     state: present
     source: pull
     force_source: >-
@@ -54,9 +56,10 @@
     volumes: "{{ gotosocial_container_volumes }}"
     env: "{{ gotosocial_container_env | default(omit, True) }}"
     ports: "{{ gotosocial_container_ports | default(omit, True) }}"
-    labels: "{{ gotosocial_container_labels | default(omit, True }}"
+    labels: "{{ gotosocial_container_labels | default(omit, True) }}"
     networks: "{{ gotosocial_container_networks | default(omit, True) }}"
     etc_hosts: "{{ gotosocial_container_etc_hosts | default(omit, True) }}"
     purge_networks: "{{ gotosocial_container_purge_networks | default(False, True) }}"
     restart_policy: "{{ gotosocial_container_restart_policy }}"
+    entrypoint: "{{ gotosocial_container_entrypoint }}"
     state: started

roles/gotosocial/vars/main.yml

@@ -11,6 +11,7 @@ gotosocial_default_config:
   port: "{{ gotosocial_config_port }}"
   trusted-proxies: "{{ gotosocial_config_trusted_proxies }}"
   db-type: "{{ gotosocial_config_db_type }}"
+  db-address: "{{ gotosocial_config_db_address }}"
   db-port: "{{ gotosocial_config_db_port }}"
   db-user: "{{ gotosocial_config_db_user }}"
   db-password: "{{ gotosocial_config_db_password }}"

roles/mastodon/defaults/main.yml

@@ -11,6 +11,8 @@ mastodon_data_path: "{{ mastodon_base_path }}/data"
 mastodon_repo_path: "{{ mastodon_base_path }}/src"
 mastodon_config_path: "{{ mastodon_base_path }}/config"
 mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
+mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
+mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
 mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
 mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
 mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
@@ -29,7 +31,9 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
 mastodon_container_networks:
   - name: "{{ mastodon_container_network_name }}"
 
-mastodon_container_base_volumes_streaming: []
+mastodon_container_base_volumes_streaming:
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
 mastodon_container_volumes_streaming: >-
   {{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
@@ -42,6 +46,8 @@ mastodon_container_volumes_sidekiq: >-
 
 mastodon_container_base_volumes:
   - "{{ mastodon_repo_path }}/public:/mastodon/public:z"
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes: []
 mastodon_container_volumes: >-
   {{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
@@ -104,3 +110,24 @@ mastodon_s3_bucket: ~
 mastodon_s3_aws_access_key_id: ~
 mastodon_s3_aws_secret_access_key: ~
 mastodon_s3_alias_host: ~
+
+mastodon_oidc_enabled: false
+mastodon_oidc_issuer_url: ~
+mastodon_oidc_discovery: true
+mastodon_oidc_scope: openid,profile
+mastodon_oidc_client_id: ~
+mastodon_oidc_client_secret: ~
+mastodon_oidc_client_auth_method: basic
+mastodon_oidc_response_mode: query
+mastodon_oidc_response_type: code
+mastodon_oidc_prompt: ~
+mastodon_oidc_display_name: My IDP
+mastodon_oidc_auth_endpoint: ~
+mastodon_oidc_token_endpoint: ~
+mastodon_oidc_user_info_endpoint: ~
+mastodon_oidc_end_session_endpoint: ~
+mastodon_oidc_jwks_uri:
+mastodon_oidc_redirect_uri:
+mastodon_oidc_idp_logout_redirect_uri: ~
+mastodon_oidc_uid_field: preferred_username
+mastodon_oidc_security_assume_email_is_verified: false

roles/mastodon/tasks/main.yml

@@ -43,6 +43,24 @@
     mode: "0640"
   notify: restart-mastodon-nginx
 
+- name: Ensure fake passwd file is templated
+  template:
+    src: passwd.j2
+    dest: "{{ mastodon_config_passwd_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
+- name: Ensure fake passwd file is templated
+  template:
+    src: group.j2
+    dest: "{{ mastodon_config_group_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+
 - name: Ensure mastodon git repository is present and up-to-date
   git:
     repo: "{{ mastodon_git_upstream_url }}"
@@ -52,6 +70,8 @@
     force: no
     recursive: yes
     track_submodules: yes
+  become: yes
+  become_user: "{{ mastodon_user }}"
   register: git_repo_info
 
 - name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
@@ -131,6 +151,7 @@
     command: "node ./streaming"
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports_streaming }}"
+    user: "{{ mastodon_user }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
       interval: 5s
@@ -148,7 +169,7 @@
     command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports }}"
-    user: "{{ mastodon_user }}"
+    user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
       interval: 5s
@@ -156,6 +177,12 @@
       start_period: 0s
       timeout: 5s
 
+- name: Ensure container paths belong to the mastodon user
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
+    user: "0"
+
 - name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
   docker_container:
     name: "{{ mastodon_container_nginx_name }}"
@@ -165,12 +192,7 @@
     restart_policy: "{{ mastodon_container_restart_policy }}"
 
 - name: Ensure assets are precompiled
-  docker_container:
+  community.docker.docker_container_exec:
-    name: "{{ mastodon_container_name }}"
+    container: "{{ mastodon_container_name }}"
-    env_file: "{{ mastodon_config_env_file }}"
+    command: "bundle exec rails assets:precompile"
-    command: "bash -c \"bundle exec rails assets:precompile\""
-    user: "{{ mastodon_user }}"
-    tty: yes
-    interactive: yes
-    detach: no
   when: git_repo_info.before != git_repo_info.after

roles/mastodon/templates/env.j2

@@ -51,8 +51,12 @@ ES_ENABLED={{ mastodon_elasticsearch_enabled }}
 ES_HOST={{ mastodon_elasticsearch_host }}
 ES_PORT={{ mastodon_elasticsearch_port }}
 # Authentication for ES (optional)
+{% if mastodon_elasticsearch_user %}
 ES_USER={{ mastodon_elasticsearch_user }}
+{% endif %}
+{% if mastodon_elasticsearch_pass %}
 ES_PASS={{ mastodon_elasticsearch_pass }}
+{% endif %}
 
 # Secrets
 # -------
@@ -84,3 +88,41 @@ AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
 AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
 S3_ALIAS_HOST={{ mastodon_s3_alias_host }}
 
+# OpenId connect (optional)
+OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
+OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
+OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
+OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
+OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
+OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
+OIDC_SCOPE={{ mastodon_oidc_scope }}
+{% if mastodon_oidc_auth_endpoint %}
+OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
+{% endif %}
+{% if mastodon_oidc_token_endpoint %}
+OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
+{% endif %}
+{% if mastodon_oidc_user_info_endpoint %}
+OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
+{% endif %}
+{% if mastodon_oidc_end_session_endpoint %}
+OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
+{% endif %}
+{% if mastodon_oidc_jwks_uri %}
+OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
+{% endif %}
+{% if mastodon_oidc_redirect_uri %}
+OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
+{% endif %}
+{% if mastodon_oidc_idp_logout_redirect_uri %}
+OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
+{% endif %}
+OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
+OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
+{% if mastodon_oidc_response_mode %}
+OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
+{% endif %}
+{% if mastodon_oidc_response_type %}
+OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
+{% endif %}
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}

roles/mastodon/templates/group.j2

@@ -0,0 +1,40 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:

roles/mastodon/templates/passwd.j2

@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh

roles/pixelfed/defaults/main.yml

@@ -0,0 +1,143 @@
+---
+
+pixelfed_user: pixelfed
+pixelfed_version: 0.11.2
+pixelfed_base_path: /opt/pixelfed
+
+pixelfed_deployment_method: docker_selfbuilt
+
+# user to run pixelfed as
+pixelfed_run_user: "{{ pixelfed_user_stat.uid | default(pixelfed_user) }}"
+pixelfed_run_group: "{{ pixelfed_user_stat.group | default(pixelfed_user) }}"
+
+# container settings
+pixelfed_container_name: pixelfed
+pixelfed_container_image_name: pixelfed
+pixelfed_container_image_tag: ~
+pixelfed_container_image: "{{ pixelfed_container_image_name }}:{{ pixelfed_container_image_tag | default('v' + pixelfed_version, True) }}"
+pixelfed_container_image_local_build: true
+pixelfed_container_ports: []
+pixelfed_container_networks: []
+pixelfed_container_extra_volumes: []
+pixelfed_container_extra_labels: {}
+pixelfed_container_extra_env: {}
+pixelfed_container_restart_policy: unless-stopped
+pixelfed_worker_container_name: "{{ pixelfed_container_name }}-worker"
+
+# host filesystem paths
+pixelfed_config_path: "{{ pixelfed_base_path }}/config"
+pixelfed_storage_path: "{{ pixelfed_base_path }}/storage"
+pixelfed_source_path: "{{ pixelfed_base_path }}/source"
+
+pixelfed_app_paths:
+  - path: "{{ pixelfed_base_path }}"
+    mode: "0750"
+  - path: "{{ pixelfed_config_path }}"
+    mode: "0750"
+  - path: "{{ pixelfed_storage_path }}"
+    mode: "0750"
+  - path: "{{ pixelfed_source_path }}"
+    mode: "0750"
+
+pixelfed_config_app_key: ~
+pixelfed_config_app_name: "Pixelfed"
+pixelfed_config_app_env: production
+pixelfed_config_app_debug: false
+pixelfed_config_app_url: "https://{{ pixelfed_config_app_url }}"
+pixelfed_config_app_domain: ~ # my.pixelfed.domain
+pixelfed_config_admin_domain: "{{ pixelfed_config_app_domain }}"
+pixelfed_config_session_domain: "{{ pixelfed_config_app_domain }}"
+
+pixelfed_config_open_registration: true
+pixelfed_config_enforce_email_verification: false
+pixelfed_config_pf_max_users: 1000
+pixelfed_config_oauth_enabled: true
+
+pixelfed_config_app_timezone: UTC
+pixelfed_config_app_locale: en
+
+pixelfed_config_limit_account_size: true
+pixelfed_config_max_account_size: 1000000
+pixelfed_config_max_photo_size: 15000
+pixelfed_config_max_avatar_size: 2000
+pixelfed_config_max_caption_length: 500
+pixelfed_config_max_bio_length: 125
+pixelfed_config_max_name_length: 30
+pixelfed_config_max_album_length: 4
+pixelfed_config_image_quality: 80
+pixelfed_config_pf_optimize_images: true
+pixelfed_config_pf_optimize_videos: true
+pixelfed_config_admin_env_editor: false
+pixelfed_config_account_deletion: true
+pixelfed_config_account_delete_after: false
+pixelfed_config_max_links_per_post: 0
+
+pixelfed_config_instance_description: ~
+pixelfed_config_instance_public_hashtags: false
+pixelfed_config_instance_contact_email: ~
+pixelfed_config_instance_public_local_timetime: false
+pixelfed_config_banned_usernames: ~
+pixelfed_config_stories_enabled: false
+pixelfed_config_restricted_instance: false
+
+pixelfed_config_mail_driver: log
+pixelfed_config_mail_host: ~
+pixelfed_config_mail_port: 25
+pixelfed_config_mail_from_address: "pixelfed@{{ pixelfed_config_app_domain }}"
+pixelfed_config_mail_from_name: "{{ pixelfed_config_app_name }}"
+pixelfed_config_mail_username: null
+pixelfed_config_mail_password: null
+pixelfed_config_mail_encryption: null
+
+pixelfed_config_db_connection: pgsql
+pixelfed_config_db_host: postgres
+pixelfed_config_db_port: 5432
+pixelfed_config_db_username: pixelfed
+pixelfed_config_db_password: ~
+pixelfed_config_db_database: pixelfed
+
+pixelfed_config_redis_client: phpredis
+pixelfed_config_redis_scheme: tcp
+pixelfed_config_redis_host: redis
+pixelfed_config_redis_password: ~
+pixelfed_config_redis_port: 6379
+pixelfed_config_redis_database: 0
+
+pixelfed_config_exp_lc: false
+pixelfed_config_exp_rec: false
+pixelfed_config_exp_loops: false
+
+pixelfed_config_activity_pub: false
+pixelfed_config_ap_remote_follow: false
+pixelfed_config_ap_shared_inbox: false
+pixelfed_config_ap_inbox: false
+pixelfed_config_ap_outbox: false
+pixelfed_config_atom_feeds: true
+pixelfed_config_nodeinfo: true
+pixelfed_config_webfinger: true
+
+pixelfed_config_filesystem_driver: local
+pixelfed_config_filesystem_cloud: s3
+pixelfed_config_pf_enable_cloud: false
+pixelfed_config_aws_access_key_id: ~
+pixelfed_config_aws_secret_access_key: ~
+pixelfed_config_aws_default_region: ~
+pixelfed_config_aws_bucket: ~
+pixelfed_config_aws_url: ~
+pixelfed_config_aws_endpont: ~
+pixelfed_config_aws_use_path_style_endpoint: false
+
+pixelfed_config_horizon_darkmode: false
+pixelfed_config_pf_costar_enabled: false
+pixelfed_config_media_exif_database: false
+pixelfed_config_log_channel: stderr
+pixelfed_config_image_driver: imagick
+
+pixelfed_config_broadcast_driver: log
+pixelfed_config_cache_driver: redis
+pixelfed_config_restrict_html_types: true
+pixelfed_config_queue_driver: redis
+pixelfed_config_session_driver: redis
+pixelfed_config_trust_proxies: "*"
+pixelfed_config_passport_private_key: ~
+pixelfed_config_passport_public_key: ~

roles/pixelfed/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Restart pixelfed (docker)
+  docker_container:
+    name: "{{ pixelfed_container_name }}"
+    state: started
+    restart: yes
+  when: 'docker' in pixelfed_deployment_method
+  listen: restart-pixelfed
+
+- name: Restart pixelfed worker (docker)
+  docker_container:
+    name: "{{ pixelfed_worker_container_name }}"
+    state: started
+    restart: yes
+  when: 'docker' in pixelfed_deployment_method
+  listen: restart-pixelfed

roles/pixelfed/tasks/docker-deploy.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Ensure docker container '{{ pixelfed_container_name }}' is running
+  docker_container:
+    name: "{{ pixelfed_container_name }}"
+    image: "{{ pixelfed_container_image }}"
+    env: "{{ pixelfed_container_env }}"
+    env_file: "{{ pixelfed_config_path }}/env"
+    labels: "{{ pixelfed_container_labels }}"
+    volumes: "{{ pixelfed_container_volumes }}"
+    ports: "{{ pixelfed_container_ports | default(omit, True) }}"
+    networks: "{{ pixelfed_container_networks | default(omit, True) }}"
+    purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
+    restart_policy: "{{ pixelfed_container_restart_policy }}"
+    state: started
+
+- name: Ensure docker container '{{ pixelfed_worker_container_name }}' is running
+  docker_container:
+    name: "{{ pixelfed_worker_container_name }}"
+    image: "{{ pixelfed_container_image }}"
+    env: "{{ pixelfed_container_env }}"
+    env_file: "{{ pixelfed_config_path }}/env"
+    volumes: "{{ pixelfed_container_volumes }}"
+    networks: "{{ pixelfed_container_networks | default(omit, True) }}"
+    purge_networks: "{{ pixelfed_container_purge_networks|default(False) }}"
+    restart_policy: "{{ pixelfed_container_restart_policy }}"
+    command: "gosu www-data php artisan horizon"
+    state: started

roles/pixelfed/tasks/docker-image.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Ensure docker container image is pulled
+  docker_image:
+    name: "{{ pixelfed_container_image }}"
+    state: present
+    source: pull
+    force_source: "{{ true if docker_container_image_tag else false }}"
+  when: not pixelfed_container_image_local_build
+
+- name: Ensure upstream git repository is cloned to source folder
+  git:
+    repo: "{{ pixelfed_source_upstream_git_repo }}"
+    dest: "{{ pixelfed_source_path }}"
+    update: yes
+    clone: yes
+  when: pixelfed_container_image_local_build
+
+- name: Build docker container image '{{ pixelfed_container_image }}' locally
+  docker_image:
+    name: "{{ pixelfed_container_image_name }}"
+    tag: "{{ pixelfed_container_image_tag | default('v' + pixelfed_version) }}"
+    state: present
+    source: build
+    build:
+      dockerfile: "contrib/docker/Dockerfile.apache"
+      path: "{{ pixelfed_source_path }}"
+  when: pixelfed_container_image_local_build

roles/pixelfed/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+
+- name: Ensure user '{{ pixelfed_user }}' for pixelfed is created
+  user:
+    name: "{{ pixelfed_user }}"
+    state: present
+    system: true
+  register: pixelfed_user_stat
+
+- name: Ensure file system paths exist for persisting data
+  file:
+    path: "{{ dir.path }}"
+    state: directory
+    owner: "{{ dir.user | default(pixelfed_run_user) }}"
+    group: "{{ dir.group | default(pixelfed_run_group) }}"
+    mode: "{{ dir.mode }}"
+  loop: "{{ pixelfed_app_paths }}"
+  loop_control:
+    loop_var: dir
+    label: "{{ dir.path }}"
+
+- name: Ensure pixelfed configuration is templated
+  copy:
+    content: |+
+      {% for key in pixelfed_config | dict2items %}
+      {% if pixelfed_config[key] %}
+      {{ key }}={{ pixelfed_config[key] }}
+      {% endif %}
+      {% endfor %}
+    dest: "{{ pixelfed_config_path }}/env"
+    owner: "{{ pixelfed_run_user }}"
+    group: "{{ pixelfed_run_group }}"
+    mode: "0640"
+  notify: restart-pixelfed
+
+- name: Ensure docker container image is available
+  include_tasks:
+    file: docker-image.yml
+  when: 'docker' in pixelfed_deployment_method
+
+- name: Ensure pixelfed instance is started
+  block:
+    - name: Ensure pixelfed instance is started (docker)
+      include_tasks:
+        file: docker-deploy.yml
+      when: 'docker' in pixelfed_deployment_method
+
+

roles/pixelfed/templates/env.docker.j2

@@ -0,0 +1,148 @@
+## Crypto
+APP_KEY=
+
+## General Settings
+APP_NAME="Pixelfed Prod"
+APP_ENV=production
+APP_DEBUG=false
+APP_URL=https://real.domain
+APP_DOMAIN="real.domain"
+ADMIN_DOMAIN="real.domain"
+SESSION_DOMAIN="real.domain"
+
+OPEN_REGISTRATION=true
+ENFORCE_EMAIL_VERIFICATION=false
+PF_MAX_USERS=1000
+OAUTH_ENABLED=true
+
+APP_TIMEZONE=UTC
+APP_LOCALE=en
+
+## Pixelfed Tweaks
+LIMIT_ACCOUNT_SIZE=true
+MAX_ACCOUNT_SIZE=1000000
+MAX_PHOTO_SIZE=15000
+MAX_AVATAR_SIZE=2000
+MAX_CAPTION_LENGTH=500
+MAX_BIO_LENGTH=125
+MAX_NAME_LENGTH=30
+MAX_ALBUM_LENGTH=4
+IMAGE_QUALITY=80
+PF_OPTIMIZE_IMAGES=true
+PF_OPTIMIZE_VIDEOS=true
+ADMIN_ENV_EDITOR=false
+ACCOUNT_DELETION=true
+ACCOUNT_DELETE_AFTER=false
+MAX_LINKS_PER_POST=0
+
+## Instance
+#INSTANCE_DESCRIPTION=
+INSTANCE_PUBLIC_HASHTAGS=false
+#INSTANCE_CONTACT_EMAIL=
+INSTANCE_PUBLIC_LOCAL_TIMELINE=false
+#BANNED_USERNAMES=
+STORIES_ENABLED=false
+RESTRICTED_INSTANCE=false
+
+## Mail
+MAIL_DRIVER=log
+MAIL_HOST=smtp.mailtrap.io
+MAIL_PORT=2525
+MAIL_FROM_ADDRESS="pixelfed@example.com"
+MAIL_FROM_NAME="Pixelfed"
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+
+## Databases (MySQL)
+DB_CONNECTION=mysql
+DB_DATABASE=pixelfed_prod
+DB_HOST=db
+DB_PASSWORD=pixelfed_db_pass
+DB_PORT=3306
+DB_USERNAME=pixelfed
+# pass the same values to the db itself
+MYSQL_DATABASE=pixelfed_prod
+MYSQL_PASSWORD=pixelfed_db_pass
+MYSQL_RANDOM_ROOT_PASSWORD=true
+MYSQL_USER=pixelfed
+
+## Databases (Postgres)
+#DB_CONNECTION=pgsql
+#DB_HOST=postgres
+#DB_PORT=5432
+#DB_DATABASE=pixelfed
+#DB_USERNAME=postgres
+#DB_PASSWORD=postgres
+
+## Cache (Redis)
+REDIS_CLIENT=phpredis
+REDIS_SCHEME=tcp
+REDIS_HOST=redis
+REDIS_PASSWORD=redis_password
+REDIS_PORT=6379
+REDIS_DATABASE=0
+
+## EXPERIMENTS 
+EXP_LC=false
+EXP_REC=false
+EXP_LOOPS=false
+
+## ActivityPub Federation
+ACTIVITY_PUB=false
+AP_REMOTE_FOLLOW=false
+AP_SHAREDINBOX=false
+AP_INBOX=false
+AP_OUTBOX=false
+ATOM_FEEDS=true
+NODEINFO=true
+WEBFINGER=true
+
+## S3
+FILESYSTEM_DRIVER=local
+FILESYSTEM_CLOUD=s3
+PF_ENABLE_CLOUD=false
+#AWS_ACCESS_KEY_ID=
+#AWS_SECRET_ACCESS_KEY=
+#AWS_DEFAULT_REGION=
+#AWS_BUCKET=
+#AWS_URL=
+#AWS_ENDPOINT=
+#AWS_USE_PATH_STYLE_ENDPOINT=false
+
+## Horizon
+HORIZON_DARKMODE=false
+
+## COSTAR - Confirm Object Sentiment Transform and Reduce
+PF_COSTAR_ENABLED=false
+
+# Media
+MEDIA_EXIF_DATABASE=false
+
+## Logging
+LOG_CHANNEL=stderr
+
+## Image
+IMAGE_DRIVER=imagick
+
+## Broadcasting
+BROADCAST_DRIVER=log  # log driver for local development
+
+## Cache
+CACHE_DRIVER=redis
+
+## Purify
+RESTRICT_HTML_TYPES=true
+
+## Queue
+QUEUE_DRIVER=redis
+
+## Session
+SESSION_DRIVER=redis
+
+## Trusted Proxy
+TRUST_PROXIES="*"
+
+## Passport
+#PASSPORT_PRIVATE_KEY=
+#PASSPORT_PUBLIC_KEY=

roles/pixelfed/vars/main.yml

@@ -0,0 +1,133 @@
+---
+
+pixelfed_container_base_volumes:
+  - "{{ pixelfed_storage_path }}:/var/www/storage:z"
+  - "{{ pixelfed_config_path/env:/var/www/.env:ro"
+
+pixelfed_container_base_env: {}
+
+pixelfed_container_base_labels:
+  VERSION: "{{ pixelfed_version }}"
+
+pixelfed_container_volumes: "{{ pixelfed_container_base_volumes + pixelfed_container_extra_volumes }}"
+pixelfed_container_labels: "{{ pixelfed_container_base_labels + pixelfed_container_extra_labels }}"
+pixelfed_container_env: "{{ pixelfed_container_base_env + pixelfed_container_extra_env }}"
+
+pixelfed_source_upstream_git_repo: "https://github.com/pixelfed/pixelfed.git"
+
+pixelfed_supported_deployment_methods:
+  - docker_selfbuilt
+  - docker_pulled
+
+
+# pixelfed app config
+pixelfed_config:
+  APP_KEY: "{{ pixelfed_config_app_key }}"
+  APP_NAME: "{{ pixelfed_config_app_name }}"
+  APP_ENV: "{{ pixelfed_config_app_env }}"
+  APP_DEBUG: "{{ pixelfed_config_app_debug }}"
+  APP_URL: "{{ pixelfed_config_app_url }}"
+  APP_DOMAIN: "{{ pixelfed_config_app_domain }}"
+  ADMIN_DOMAIN: "{{ pixelfed_config_app_admin_domain }}"
+  SESSION_DOMAIN: "{{ pixelfed_config_session_domain }}"
+
+  OPEN_REGISTRATION: "{{ pixelfed_config_open_registration }}"
+  ENFORCE_EMAIL_VERIFICATION: "{{ pixelfed_config_enforce_email_verification }}"
+  PF_MAX_USERS: "{{ pixelfed_config_pf_max_users }}"
+  OAUTH_ENABLED: "{{ pixelfed_config_oauth_enabled }}"
+
+  APP_TIMEZONE: "{{ pixelfed_config_app_timezone }}"
+  APP_LOCALE: "{{ pixelfed_config_all_locale }}"
+
+  LIMIT_ACCOUNT_SIZE: "{{ pixelfed_config_limit_account_size }}"
+  MAX_ACCOUNT_SIZE: "{{ pixelfed_config_max_account_size }}"
+  MAX_PHOTO_SIZE: "{{ pixelfed_config_ }}"
+  MAX_AVATAR_SIZE: "{{ pixelfed_config_ }}"
+  MAX_CAPTION_LENGTH: "{{ pixelfed_config_ }}"
+  MAX_BIO_LENGTH:  "{{ pixelfed_config_ }}"
+  MAX_NAME_LENGTH:  "{{ pixelfed_config_ }}"
+  MAX_ALBUM_LENGTH:  "{{ pixelfed_config_ }}"
+  IMAGE_QUALITY:  "{{ pixelfed_config_ }}"
+  PF_OPTIMIZE_IMAGES:  "{{ pixelfed_config_ }}"
+  PF_OPTIMIZE_VIDEOS:  "{{ pixelfed_config_ }}"
+  ADMIN_ENV_EDITOR:  "{{ pixelfed_config_ }}"
+  ACCOUNT_DELETION:  "{{ pixelfed_config_ }}"
+  ACCOUNT_DELETE_AFTER:  "{{ pixelfed_config_ }}"
+  MAX_LINKS_PER_POST:    "{{ pixelfed_config_ }}"
+
+  INSTANCE_DESCRIPTION: "{{ pixelfed_config_instance_description }}"
+  INSTANCE_PUBLIC_HASHTAGS: "{{ pixelfed_config_instance_public_hashtags }}"
+  INSTANCE_CONTACT_EMAIL: "{{ pixelfed_config_instance_contact_email }}"
+  INSTANCE_PUBLIC_LOCAL_TIMELINE: "{{ pixelfed_config_instance_public_local_timeline }}"
+  BANNED_USERNAMES: "{{ pixelfed_config_banned_usernames }}"
+  STORIES_ENABLED: "{{ pixelfed_config_stories_enabled }}"
+  RESTRICTED_INSTANCE: "{{ pixelfed_config_restricted_instance }}"
+  
+  ## Mail
+  MAIL_DRIVER: "{{ pixelfed_config_mail_driver }}"
+  MAIL_HOST: "{{ pixelfed_config_mail_host }}"
+  MAIL_PORT: "{{ pixelfed_config_mail_port }}"
+  MAIL_FROM_ADDRESS: "{{ pixelfed_config_mail_from_address }}"
+  MAIL_FROM_NAME: "{{ pixelfed_config_mail_from_name }}"
+  MAIL_USERNAME: "{{ pixelfed_config_mail_username }}"
+  MAIL_PASSWORD: "{{ pixelfed_config_mail_password }}"
+  MAIL_ENCRYPTION: "{{ pixelfed_config_mail_encryption }}"
+  
+  ## Databases (MySQL)
+  DB_CONNECTION: "{{ pixelfed_config_db_connection }}"
+  DB_DATABASE: "{{ pixelfed_config_db_database }}"
+  DB_HOST: "{{ pixelfed_config_db_host }}"
+  DB_PASSWORD: "{{ pixelfed_config_db_password }}"
+  DB_PORT: "{{ pixelfed_config_db_port }}"
+  DB_USERNAME: "{{ pixelfed_config_db_username }}"
+ 
+  ## Cache (Redis)
+  REDIS_CLIENT: "{{ pixelfed_config_redis_client }}"
+  REDIS_SCHEME: "{{ pixelfed_config_redis_scheme }}"
+  REDIS_HOST: "{{ pixelfed_config_redis_host }}"
+  REDIS_PASSWORD: "{{ pixelfed_config_redis_password }}"
+  REDIS_PORT: "{{ pixelfed_config_redis_port }}"
+  REDIS_DATABASE: "{{ pixelfed_config_redis_database }}"
+  
+  ## EXPERIMENTS 
+  EXP_LC: "{{ pixelfed_config_exp_lc }}"
+  EXP_REC: "{{ pixelfed_config_exp_rec }}"
+  EXP_LOOPS: "{{ pixelfed_config_exp_loops }}"
+  
+  ## ActivityPub Federation
+  ACTIVITY_PUB: "{{ pixelfed_config_activity_pub }}"
+  AP_REMOTE_FOLLOW: "{{ pixelfed_config_ap_remote_follow }}"
+  AP_SHAREDINBOX: "{{ pixelfed_config_ap_sharedinbox }}"
+  AP_INBOX: "{{ pixelfed_config_ap_inbox }}"
+  AP_OUTBOX: "{{ pixelfed_config_ap_outbox }}"
+  ATOM_FEEDS: "{{ pixelfed_config_atom_feeds }}"
+  NODEINFO: "{{ pixelfed_config_nodeinfo }}"
+  WEBFINGER: "{{ pixelfed_config_webfinger }}"
+  
+  ## S3
+  FILESYSTEM_DRIVER: "{{ pixelfed_config_filesystem_driver }}"
+  FILESYSTEM_CLOUD: "{{ pixelfed_config_filesystem_cloud }}"
+  PF_ENABLE_CLOUD: "{{ pixelfed_config_pf_enable_cloud }}"
+  AWS_ACCESS_KEY_ID: "{{ pixelfed_config_aws_access_key_id }}"
+  AWS_SECRET_ACCESS_KEY: "{{ pixelfed_config_aws_secret_access_key }}"
+  AWS_DEFAULT_REGION: "{{ pixelfed_config_aws_default_region }}"
+  AWS_BUCKET: "{{ pixelfed_config_aws_bucket }}"
+  AWS_URL: "{{ pixelfed_config_aws_url }}"
+  AWS_ENDPOINT: "{{ pixelfed_config_aws_endpoint }}"
+  AWS_USE_PATH_STYLE_ENDPOINT: "{{ pixelfed_config_aws_use_path_style_endpoint }}"
+  
+  HORIZON_DARKMODE: "{{ pixelfed_config_horizon_darkmode }}"
+  PF_COSTAR_ENABLED: "{{ pixelfed_config_pf_costar_enabled }}"
+  MEDIA_EXIF_DATABASE: "{{ pixelfed_config_media_exif_database }}"
+  LOG_CHANNEL: "{{ pixelfed_config_log_channel }}"
+  IMAGE_DRIVER: "{{ pixelfed_config_image_driver }}"
+  
+  BROADCAST_DRIVER: "{{ pixelfed_config_ }}"
+  CACHE_DRIVER: "{{ pixelfed_config_cache_driver }}"
+  RESTRICT_HTML_TYPES: "{{ 'true' pixelfed_config_restrict_html_types else 'false' }}"
+  QUEUE_DRIVER: "{{ pixelfed_config_queue_driver }}"
+  SESSION_DRIVER: "{{ pixelfed_config_session_driver }}"
+  TRUST_PROXIES: "{{ pixelfed_config_trust_proxies }}"
+  PASSPORT_PRIVATE_KEY: "{{ pixelfed_config_passport_private_key }}"
+  PASSPORT_PUBLIC_KEY: "{{ pixelfed_config_passport_public_key }}"
+