Commit aa9f6cac authored by Birin Sanchez's avatar Birin Sanchez

Ansible role for Mastodon added.

Signed-off-by: Birin Sanchez's avatarBirin Sanchez <birin.sanchez@puri.sm>
parent af06ad3e
Pipeline #4276 passed with stage
in 1 minute and 19 seconds
---
- name: Simple Mastodon role for Keel/LDH
hosts: all
become: yes
roles:
- role: ldh_mastodon
vars:
ldh_mastodon_domain: freedom.test
ldh_mastodon_ssl_cert_src: "certs/mastodon.freedom.test.crt"
ldh_mastodon_ssl_cert: "/etc/ssl/certs/mastodon.freedom.test.crt"
ldh_mastodon_ssl_key_src: "cert_keys/mastodon.freedom.test.key"
ldh_mastodon_ssl_key: "/etc/ssl/private/mastodon.freedom.test.key"
# See https://github.com/tootsuite/mastodon/blob/v2.7.1/.env.production.sample#L34
# to find out how to create proper values for these variables:
ldh_mastodon_secret_key_base: "repalcethistextwithyoursecretkey"
ldh_mastodon_otp_secret: "repalcethistextwithyouroptsecret"
ldh_mastodon_vapid_private_key: "repalcethistextwithyourvapidprivatetkey"
ldh_mastodon_vapid_public_key: "repalcethistextwithyourvapidpublickey"
# Leaving this variable commented will create a file named
# 'mastodon_admin_passwd' in your playbook directory with the
# admin password:
# ldh_mastodon_admin_passwd: "supersecretpass"
# LDAP vars
ldh_mastodon_ldap_host: ldap.freedom.test
ldh_mastodon_ldap_port: 636
ldh_mastodon_ldap_base: "ou=people,dc=freedom,dc=test"
ldh_mastodon_ldap_bind_dn: "cn=admin,dc=freedom,dc=test"
ldh_mastodon_ldap_password: "verystrongpassword"
ldh_mastodon_ldap_tls_no_verify: "true"
Keel/LDH Mastodon
=================
This role installs and configures an instance of
[Mastodon](https://joinmastodon.org/) that will authenticate against a
Keel/LDH instance.
Requirements
------------
This role has only been tested with Ansible 2.7.1.
The target host needs to have at least 1.5Gb or RAM. Otherwise
compiling the CSS/JS will fail.
Role Variables
--------------
* `ldh_mastodon_domain`
Domain used by Mastodon instance. Default value: `example.com`.
* `ldh_mastodon_ssl_cert_src`
Location of the SSL certificate that Ansible will copy to the
host. Default value: `certs/example.com.crt`. This is the `certs`
directory relative to the playbooks directory.
* `ldh_mastodon_ssl_cert`
Location on the target host that will be used by Ansible to copy
the SSL certificate. Default value:
`/etc/ssl/certs/example.com.crt`
* `ldh_mastodon_ssl_key_src`
Location of the SSL key used to create the certificate that
Ansible will copy to the host. Default value:
`cert_keys/example.com.key.plain`. This is the `cert_keys`
directory relative to the playbooks directory.
* `ldh_mastodon_ssl_key`
Location on the target host that will be used by Ansible to copy
the key used to create the SSL certificate. Default value:
`/etc/ssl/private/example.com.key.plain`
* `ldh_mastodon_secret_key_base`
Value that will be set for `SECRET_KEY_BASE` Mastodon
variable. See
https://github.com/tootsuite/mastodon/blob/v2.7.1/.env.production.sample#L34
for instructions on how to create this value. There is no default
value for this variable but leaving it undeclared will make the
playbook to fail.
* `ldh_mastodon_otp_secret`
Value that will be set for `OTP_SECRET` Mastodon variable. See
https://github.com/tootsuite/mastodon/blob/v2.7.1/.env.production.sample#L34
for instructions on how to create this value. There is no default
value for this variable but leaving it undeclared will make the
playbook to fail.
* `ldh_mastodon_vapid_private_key`
Value that will be set for `VAPID_PRIVATE_KEY` Mastodon
variable. See
https://github.com/tootsuite/mastodon/blob/v2.7.1/.env.production.sample#L46
for instructions on how to create this value. There is no default
value for this variable but leaving it undeclared will make the
playbook to fail.
* `ldh_mastodon_vapid_public_key`
Value that will be set for `VAPID_PUBLIC_KEY` Mastodon
variable. See
https://github.com/tootsuite/mastodon/blob/v2.7.1/.env.production.sample#L46
for instructions on how to create this value. There is no default
value for this variable but leaving it undeclared will make the
playbook to fail.
* `ldh_mastodon_admin_passwd`
This variable sets the password for the admin user that is created
by this role. Not declaring this variable will create a file named
`mastodon_admin_passwd` in your playbooks directory with the admin
password. Default value `supersecretpass`
* `ldh_mastodon_ldap_host`
Host that will be used by Mastodon to authenticate users via
LDAP. Default value: `ldap.exmaple.com`
* `ldh_mastodon_ldap_port`
Port that will be used by Mastodon for simple TLS LDAP
connections. Default value `636`.
* `ldh_mastodon_ldap_base`
Organizational unit where Mastodon will look to authenticate
users. Default value: `ou=people,dc=example,dc=com`
* `ldh_mastodon_ldap_bind_dn`
LDAP binding value to use when querying the LDAP server. Default
value: `cn=admin,dc=example,dc=com`.
* `ldh_mastodon_ldap_password`
Password used to authenticate when using
`ldh_mastodon_ldap_bind_dn`. Default value: `verystrongpassword`
* `ldh_mastodon_ldap_tls_no_verify`
This variable tells Mastodon whether or not to verify the
certificate offered by the LDAP server. Default value:
`"true"`. Notice the double quotes on the default value. Removing
the double quotes will result on having `LDAP_TLS_NO_VERIFY=True`
which makes Mastodon to fail.
Dependencies
------------
This role does not depend on other roles.
License
-------
AGPL-3.0-or-later
Author Information
------------------
Purism SPC <liberty@puri.sm>
Homepage: https://source.puri.sm/liberty/ldh_developer
---
# defaults file for ldh_mastodon
ldh_mastodon_required_pkgs:
- imagemagick
- ffmpeg
- libpq-dev
- libxml2-dev
- libxslt1-dev
- file
- git-core
- g++
- libprotobuf-dev
- protobuf-compiler
- pkg-config
- gcc
- autoconf
- bison
- build-essential
- libssl-dev
- libyaml-dev
- libreadline-dev
- zlib1g-dev
- libncurses5-dev
- libffi-dev
- libgdbm3
- libgdbm-dev
- nginx
- redis-server
- redis-tools
- postgresql
- postgresql-contrib
- certbot
- yarn
- libidn11-dev
- libicu-dev
- ruby
- ruby-build
- acl
- python-psycopg2
ldh_mastodon_stretch_bpo_repo: deb http://ftp.debian.org/debian stretch-backports main
ldh_mastodon_yarn_repo_key: https://dl.yarnpkg.com/debian/pubkey.gpg
ldh_mastodon_yarn_repo: deb https://dl.yarnpkg.com/debian/ stable main
ldh_mastodon_usr_name: mastodon
ldh_mastodon_usr_home: /var/lib/mastodon
ldh_mastodon_git_repo: https://github.com/tootsuite/mastodon.git
ldh_mastodon_version: 2.7.1
ldh_mastodon_zip_url: "https://github.com/tootsuite/mastodon/archive/v{{ ldh_mastodon_version }}.zip"
ldh_mastodon_ruby_version: 2.4.0
ldh_mastodon_admin_passwd: "{{ lookup('password','mastodon_admin_passwd') }}"
# Nginx variables
ldh_mastodon_domain: example.com
ldh_mastodon_ssl_cert_src: "certs/mastodon.example.com.crt"
ldh_mastodon_ssl_cert: "/etc/ssl/certs/mastodon.example.com.crt"
ldh_mastodon_ssl_key_src: "cert_keys/mastodon.example.com.key"
ldh_mastodon_ssl_key: "/etc/ssl/private/mastodon.example.com.key"
ldh_mastodon_root_dir: "{{ ldh_mastodon_usr_home }}/live/public"
# LDAP vars
ldh_mastodon_ldap_host: ldap.example.com
ldh_mastodon_ldap_port: 636
ldh_mastodon_ldap_base: "ou=people,dc=example,dc=com"
ldh_mastodon_ldap_bind_dn: "cn=admin,dc=example,dc=com"
ldh_mastodon_ldap_password: "verystrongpassword"
ldh_mastodon_ldap_tls_no_verify: "true"
---
# handlers file for ldh_mastodon
- name: restart nginx
service:
name: nginx
state: restarted
- name: restart mastodon-web
service:
name: mastodon-web
state: restarted
enabled: yes
- name: restart mastodon-sidekiq
service:
name: mastodon-sidekiq
state: restarted
enabled: yes
- name: restart mastodon-streaming
service:
name: mastodon-streaming
state: restarted
enabled: yes
galaxy_info:
author: Purism SPC
description: Basic Prosody role for LDH development.
company: Purism SPC
license: AGPL-3.0-or-later
min_ansible_version: 2.7.1
platforms:
- name: Debian
versions:
- 9
galaxy_tags:
- mastodon
- social
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
---
# tasks file for ldh_mastodon
- name: Add Debian Stretch backports repo
apt_repository:
repo: "{{ ldh_mastodon_stretch_bpo_repo }}"
filename: stretch-backports.list
state: present
- name: Install apt-trasnport-https
apt:
name: apt-transport-https
update_cache: no
state: present
- name: Add Yarn repository key
apt_key:
url: "{{ ldh_mastodon_yarn_repo_key }}"
state: present
- name: Add Yarn repo
apt_repository:
repo: "{{ ldh_mastodon_yarn_repo }}"
filename: yarn.list
state: present
- name: Install node.js from backports
apt:
name: nodejs
update_cache: yes
cache_valid_time: 600
state: present
default_release: stretch-backports
- name: Install yarn + dependencies
apt:
name: "{{ ldh_mastodon_required_pkgs }}"
update_cache: yes
cache_valid_time: 600
state: present
- name: Create mastodon user
user:
name: "{{ ldh_mastodon_usr_name }}"
home: "{{ ldh_mastodon_usr_home }}"
system: yes
state: present
- name: Include Mastodon environment setup tasks
include: mastodon_env_setup.yml
- name: Create mastodon user for PostgreSQL
postgresql_user:
name: "{{ ldh_mastodon_usr_name }}"
role_attr_flags: CREATEDB
become: yes
become_user: postgres
- name: Configure Nginx
template:
src: templates/etc/nginx/mastodon.conf.j2
dest: /etc/nginx/sites-available/mastodon.conf
notify: "restart nginx"
- name: Copy SSL cert for Nginx
copy:
src: "{{ ldh_mastodon_ssl_cert_src }}"
dest: "{{ ldh_mastodon_ssl_cert }}"
notify: "restart nginx"
- name: Copy SSL key for Nginx
copy:
src: "{{ ldh_mastodon_ssl_key_src }}"
dest: "{{ ldh_mastodon_ssl_key }}"
notify: "restart nginx"
- name: Enable Mastodon site on Nginx, restart Nginx
file:
src: /etc/nginx/sites-available/mastodon.conf
dest: /etc/nginx/sites-enabled/mastodon.conf
state: link
notify: "restart nginx"
- name: Include Mastodon initialization tasks
include: mastodon_initialization.yml
- name: Mastodon Systemd configuration
template:
src: "templates/etc/systemd/system/{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
loop:
- mastodon-web.service
- mastodon-sidekiq.service
- mastodon-streaming.service
notify:
- "restart mastodon-web"
- "restart mastodon-sidekiq"
---
# This task file prepares Mastodon environment in
# {{ ldh_mastodon_usr_home }} directory.
- block:
- name: Download ruby "{{ ldh_mastodon_ruby_version }}" and make it default for mastodon user.
shell: |
rbenv install "{{ ldh_mastodon_ruby_version }}"
rbenv global "{{ ldh_mastodon_ruby_version }}"
args:
creates: "{{ ldh_mastodon_usr_home }}/.rbenv/versions/{{ ldh_mastodon_ruby_version }}"
- name: Install bundler through rbenv for mastodon user
shell: |
rbenv exec gem install bundler
args:
creates: "{{ ldh_mastodon_usr_home }}/.rbenv/versions/{{ ldh_mastodon_ruby_version }}/bin/bundler"
- name: Download and unzip Mastodon from GitHub
unarchive:
src: "{{ ldh_mastodon_zip_url }}"
dest: "{{ ldh_mastodon_usr_home }}"
remote_src: yes
creates: "{{ ldh_mastodon_usr_home }}/mastodon-{{ ldh_mastodon_version }}"
- name: "Create symlink for Mastodon's live dir"
file:
src: "{{ ldh_mastodon_usr_home }}/mastodon-{{ ldh_mastodon_version }}"
dest: "{{ ldh_mastodon_usr_home }}/live"
state: link
mode: 0755
# Mastodon repository on tag v2.7.1 uses Ruby 2.6.0 as local version
# this task sets its to {{ ldh_mastodon_ruby_version }}
- name: Set local Ruby version to "{{ ldh_mastodon_ruby_version }}"
shell: |
cp .ruby-version .ruby-version.bak
rbenv local "{{ ldh_mastodon_ruby_version }}"
args:
creates: "{{ ldh_mastodon_usr_home }}/live/.ruby-version.bak"
chdir: "{{ ldh_mastodon_usr_home }}/live"
- name: Install ruby dependencies through bundler
shell: |
rbenv exec bundle install -j$(getconf _NPROCESSORS_ONLN) --deployment --without development test
args:
creates: "{{ ldh_mastodon_usr_home }}/live/vendor/bundle/ruby/{{ ldh_mastodon_ruby_version }}"
chdir: "{{ ldh_mastodon_usr_home }}/live"
# Yarn fails the 1st is run due to missing file:
# /var/lib/mastodon/.config/yarn/global/.yarnclean
# Executing 2nd time works.
- name: Install node.js dependencies through yarn
shell: |
yarn install --pure-lockfile
yarn install --pure-lockfile
args:
creates: "{{ ldh_mastodon_usr_home }}/live/node_modules"
chdir: "{{ ldh_mastodon_usr_home }}/live"
- name: Copy and configure .env.production file
template:
src: templates/.env.production.j2
dest: "{{ ldh_mastodon_usr_home }}/live/.env.production"
notify:
- "restart mastodon-web"
- "restart mastodon-sidekiq"
become: yes
become_user: "{{ ldh_mastodon_usr_name }}"
---
# This task file initializes Mastodon by:
# * preparing DB
# * Compiling CSS/JS assets
# * Creating admin user
- block:
- name: Preparing the database
shell: |
SAFETY_ASSURED=1 RAILS_ENV=production rbenv exec bundle exec rails db:setup
if [ $? -eq 0 ]; then
touch .ansible_flag-db_created;
fi
args:
creates: "{{ ldh_mastodon_usr_home }}/live/.ansible_flag-db_created"
chdir: "{{ ldh_mastodon_usr_home }}/live"
- name: "Compiling CSS/JS assets (can take more than 5 mins!)"
shell: |
RAILS_ENV=production rbenv exec bundle exec rails assets:precompile
if [ $? -eq 0 ]; then
touch .ansible_flag-assets_precompiled;
fi
args:
creates: "{{ ldh_mastodon_usr_home }}/live/.ansible_flag-assets_precompiled"
chdir: "{{ ldh_mastodon_usr_home }}/live"
- name: Create the admin user for Mastodon
shell: |
RAILS_ENV=production rbenv exec bundle exec rails runner \
"user = User.new(admin: true, email: 'admin@{{ ldh_mastodon_domain }}', \
password: '{{ ldh_mastodon_admin_passwd }}', confirmed_at: Time.now.utc, \
account_attributes: { username: 'admin' });user.save(validate: false)"
if [ $? -eq 0 ]; then
touch .ansible_flag-admin_created;
fi
args:
creates: "{{ ldh_mastodon_usr_home }}/live/.ansible_flag-admin_created"
chdir: "{{ ldh_mastodon_usr_home }}/live"
become: yes
become_user: "{{ ldh_mastodon_usr_name }}"
# Generated by Ansible
LOCAL_DOMAIN={{ ldh_mastodon_domain }}
SINGLE_USER_MODE=false
SECRET_KEY_BASE={{ ldh_mastodon_secret_key_base }}
OTP_SECRET={{ ldh_mastodon_otp_secret }}
VAPID_PRIVATE_KEY={{ ldh_mastodon_vapid_private_key }}
VAPID_PUBLIC_KEY={{ ldh_mastodon_vapid_public_key }}
DB_HOST=/var/run/postgresql
DB_PORT=5432
DB_NAME=mastodon_production
DB_USER={{ ldh_mastodon_usr_name }}
DB_PASS=
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=
SMTP_SERVER=localhost
SMTP_PORT=25
SMTP_AUTH_METHOD=none
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_FROM_ADDRESS=Mastodon <notifications@{{ ldh_mastodon_domain }}>
# LDAP config
LDAP_ENABLED=true
LDAP_HOST={{ ldh_mastodon_ldap_host }}
LDAP_PORT={{ ldh_mastodon_ldap_port }}
LDAP_BASE="{{ ldh_mastodon_ldap_base }}"
LDAP_BIND_DN="{{ ldh_mastodon_ldap_bind_dn }}"
LDAP_PASSWORD="{{ ldh_mastodon_ldap_password }}"
LDAP_UID=uid
LDAP_TLS_NO_VERIFY={{ ldh_mastodon_ldap_tls_no_verify }}
LDAP_SEARCH_FILTER="mail=%{email}"
\ No newline at end of file
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ ldh_mastodon_domain }};
root /home/mastodon/live/public;
# Useful for Let's Encrypt
# location /.well-known/acme-challenge/ { allow all; }
location / { return 301 https://$host$request_uri; }
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ ldh_mastodon_domain }};
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_certificate {{ ldh_mastodon_ssl_cert }};
ssl_certificate_key {{ ldh_mastodon_ssl_key }};
keepalive_timeout 70;
sendfile on;
client_max_body_size 80m;
root {{ ldh_mastodon_root_dir }};
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
add_header Strict-Transport-Security "max-age=31536000";
location / {
try_files $uri @proxy;
}
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
add_header Cache-Control "public, max-age=31536000, immutable";
try_files $uri @proxy;
}
location /sw.js {
add_header Cache-Control "public, max-age=0";
try_files $uri @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://127.0.0.1:3000;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass http://127.0.0.1:4000;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
error_page 500 501 502 503 504 /500.html;
}
[Unit]
Description=mastodon-sidekiq
After=network.target
[Service]
Type=simple
User={{ ldh_mastodon_usr_name }}
WorkingDirectory={{ ldh_mastodon_usr_home }}/live
Environment="RAILS_ENV=production"
Environment="DB_POOL=5"
ExecStart={{ ldh_mastodon_usr_home }}/.rbenv/versions/2.4.0/bin/bundle exec sidekiq -c 5 -q default -q push -q mailers -q pull
TimeoutSec=15
Restart=always
[Install]
WantedBy=multi-user.target
\ No newline at end of file
[Unit]
Description=mastodon-streaming
After=network.target
[Service]
Type=simple
User={{ ldh_mastodon_usr_name }}
WorkingDirectory={{ ldh_mastodon_usr_home }}/live
Environment="NODE_ENV=production"
Environment="PORT=4000"
ExecStart=/usr/bin/npm run start
TimeoutSec=15
Restart=always
[Install]
WantedBy=multi-user.target
\ No newline at end of file
[Unit]
Description=mastodon-web
After=network.target
[Service]
Type=simple
User={{ ldh_mastodon_usr_name }}
WorkingDirectory={{ ldh_mastodon_usr_home }}/live
Environment="RAILS_ENV=production"
Environment="PORT=3000"
ExecStart={{ ldh_mastodon_usr_home }}/.rbenv/versions/2.4.0/bin/bundle exec puma -C config/puma.rb
ExecReload=/bin/kill -SIGUSR1 $MAINPID
TimeoutSec=15
Restart=always
[Install]
WantedBy=multi-user.target
\ No newline at end of file
---
- hosts: localhost
remote_user: root
roles:
- ldh_mastodon
\ No newline at end of file
---
# vars file for ldh_mastodon
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment