From 608c3aa2dd6a35d8fe434d60822314cc23bd4314 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Thu, 16 Aug 2018 20:25:56 -0500 Subject: Initial commit. --- .hgignore | 9 ++++ Vagrantfile | 24 +++++++++ ansible.cfg | 17 ++++++ roles/pleroma/defaults/main.yaml | 5 ++ roles/pleroma/tasks/main.yaml | 86 ++++++++++++++++++++++++++++++ roles/pleroma/templates/dev.secret.exs.j2 | 26 +++++++++ roles/pleroma/templates/pleroma.service.j2 | 15 ++++++ roles/pleroma/templates/setup_db.psql.j2 | 9 ++++ vagrant.yaml | 13 +++++ 9 files changed, 204 insertions(+) create mode 100644 .hgignore create mode 100644 Vagrantfile create mode 100644 ansible.cfg create mode 100644 roles/pleroma/defaults/main.yaml create mode 100644 roles/pleroma/tasks/main.yaml create mode 100644 roles/pleroma/templates/dev.secret.exs.j2 create mode 100644 roles/pleroma/templates/pleroma.service.j2 create mode 100644 roles/pleroma/templates/setup_db.psql.j2 create mode 100644 vagrant.yaml diff --git a/.hgignore b/.hgignore new file mode 100644 index 0000000..685df1b --- /dev/null +++ b/.hgignore @@ -0,0 +1,9 @@ +syntax: regexp +\.DS_Store$ +\.vagrant/ +\.tfstate\.backup$ +\.tfstate\.blank$ +\.terraform/ +TAGS$ +tags$ +^group_vars/ diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..284cc03 --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,24 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.box = "ubuntu/bionic64" + + config.vm.network "forwarded_port", guest: 4000, host: 4000 + # config.vm.synced_folder "../data", "/vagrant_data" + + # config.vm.provider "virtualbox" do |vb| + # # Display the VirtualBox GUI when booting the machine + # vb.gui = true + # + # # Customize the amount of memory on the VM: + # vb.memory = "1024" + # end + + config.vm.provision "ansible" do |ansible| + ansible.limit = "all,localhost" + # ansible.verbose = "vvv" + ansible.playbook = "vagrant.yaml" + ansible.compatibility_mode = "2.0" + end +end 
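Review bot: The forward `config.vm.network "forwarded_port", guest: 4000, host: 4000` sets no `host_ip`, and Vagrant binds such forwards on every host interface when it is omitted, so the VM's unauthenticated dev endpoint (serving an instance the role configures with open registrations) is reachable from the host's LAN, not just from the workstation. Add `host_ip: "127.0.0.1"` to the forward so it listens on loopback only. The box `ubuntu/bionic64` is also unpinned; a `config.vm.box_version` would make provisioning reproducible.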
diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..60b2e57 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,17 @@ +[defaults] +remote_tmp = ~/.ansible/tmp + +retry_files_enabled = false +roles_path = ./roles +become_flags = -H -S -n -E +squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper +merge_multiple_cli_flags = true + +# SSH +timeout = 10 +executable = /bin/bash +host_key_checking = False +#remote_port = 22 + +[ssh_connection] +pipelining = true diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml new file mode 100644 index 0000000..e39ba8a --- /dev/null +++ b/roles/pleroma/defaults/main.yaml @@ -0,0 +1,5 @@ +--- + +pleroma_user: "pleroma" +pleroma_instance_name: "{{pleroma_host}}" +pleroma_admin_email: "admin@{{pleroma_host}}" diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml new file mode 100644 index 0000000..9266e6d --- /dev/null +++ b/roles/pleroma/tasks/main.yaml 
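Review bot: `host_key_checking = False` in this project-wide ansible.cfg disables SSH host key verification for every run, not only the Vagrant VM, so a run against a real inventory accepts any host key and can be intercepted on the path to the server. Vagrant's ansible provisioner already disables host key checking for its own VM by default, so the line can simply be dropped; if it is ever needed for throwaway boxes, set `ANSIBLE_HOST_KEY_CHECKING=False` in that shell rather than in the checked-in config. `become_flags = -H -S -n -E` carries the SSH user's environment into sudo via `-E`, which is rarely needed and deserves a comment if it is deliberate.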
@@ -0,0 +1,86 @@ +--- + +- name: add erland solutions key + become: yes + apt_key: "url=http://packages.erlang-solutions.com/debian/erlang_solutions.asc" + +- name: install erland solutions repo + become: yes + apt_repository: repo="deb http://binaries.erlang-solutions.com/debian bionic contrib" + +- name: update apt package cache + become: yes + apt: upgrade="dist" update_cache="yes" cache_valid_time="3600" + +- name: install extra apt packages + become: yes + apt: name="{{item}}" + with_items: + - "postgresql" + - "esl-erlang" + - "elixir" + - "build-essential" + - "git" + +- name: add users + become: yes + user: name="{{pleroma_user}}" shell="/bin/bash" + +- name: checkout plemora + become: yes + become_user: "{{pleroma_user}}" + git: + repo: "https://git.pleroma.social/pleroma/pleroma.git" + dest: "~{{pleroma_user}}/pleroma" + force: yes + +- name: update elixir dep + become: yes + become_user: "{{pleroma_user}}" + lineinfile: + path: "~{{pleroma_user}}/pleroma/mix.exs" + regexp: 'elixir: "~> 1.4",$' + line: 'elixir: "~> 1.7",' + +- name: install pleroma config files + template: + src: "{{item}}.j2" + dest: "~{{pleroma_user}}/pleroma/config/{{item}}" + owner: "{{pleroma_user}}" + group: "{{pleroma_user}}" + mode: "0775" + become: yes + become_user: "{{pleroma_user}}" + with_items: + - "setup_db.psql" + - "dev.secret.exs" + +- name: install pleroma psql + become: yes + become_user: "postgres" + command: "psql -f ~{{pleroma_user}}/pleroma/config/setup_db.psql" + +- name: migrate db + become: yes + become_user: "{{pleroma_user}}" + command: "{{item}}" + args: + chdir: "~{{pleroma_user}}/pleroma/" + with_items: + - "mix local.hex --force" + - "mix local.rebar --force" + - "mix deps.get" + - "mix ecto.migrate" + +- name: install pleroma systemd service + template: + src: "pleroma.service.j2" + dest: "/lib/systemd/system/pleroma.service" + owner: "{{pleroma_user}}" + group: "{{pleroma_user}}" + mode: "0770" + become: yes + +- name: enable pleroma systemd service + 
systemd: name="pleroma" enabled="yes" state="started" + become: yes diff --git a/roles/pleroma/templates/dev.secret.exs.j2 b/roles/pleroma/templates/dev.secret.exs.j2 new file mode 100644 index 0000000..fee7ac8 --- /dev/null +++ b/roles/pleroma/templates/dev.secret.exs.j2 @@ -0,0 +1,26 @@ +use Mix.Config + +config :pleroma, Pleroma.Web.Endpoint, + url: [host: "{{pleroma_host}}", scheme: "https", port: 443], + secret_key_base: "{{pleroma_secret_key}}" + +config :pleroma, :instance, + name: "{{pleroma_instance_name}}", + email: "{{pleroma_admin_email}}", + limit: 5000, + registrations_open: true, + dedupe_media: false + +config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + +# Configure your database +config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "{{pleroma_user}}", + password: "{{pleroma_db_passwd}}", + database: "{{pleroma_user}}", + hostname: "localhost", + pool_size: 10 diff --git a/roles/pleroma/templates/pleroma.service.j2 b/roles/pleroma/templates/pleroma.service.j2 new file mode 100644 index 0000000..ca6e662 --- /dev/null +++ b/roles/pleroma/templates/pleroma.service.j2 @@ -0,0 +1,15 @@ +[Unit] +Description=Pleroma social network +After=network.target postgresql.service + +[Service] +User={{pleroma_user}} +WorkingDirectory=/home/{{pleroma_user}}/pleroma +Environment="HOME=/home/{{pleroma_user}}" +ExecStart=/usr/local/bin/mix phx.server +ExecReload=/bin/kill $MAINPID +KillMode=process +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/roles/pleroma/templates/setup_db.psql.j2 b/roles/pleroma/templates/setup_db.psql.j2 new file mode 100644 index 0000000..de390c0 --- /dev/null +++ b/roles/pleroma/templates/setup_db.psql.j2 
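Review bot: The `install pleroma systemd service` task writes `/lib/systemd/system/pleroma.service` owned by `{{pleroma_user}}` with `mode: "0770"`, so the unprivileged account the web application runs as can rewrite its own unit (for example change `User=`), turning any code-execution bug in the app into root after the next daemon-reload or reboot; unit files should be `owner: "root"`, `group: "root"`, `mode: "0644"`. The `install pleroma config files` task has the opposite problem: `dev.secret.exs` and `setup_db.psql` carry `secret_key_base` and the database password yet are written with `mode: "0775"`, readable by every local account, and should be `0600`. The Erlang Solutions signing key is fetched with `apt_key: "url=http://..."`, so the key meant to authenticate the `http://binaries.erlang-solutions.com` repository is itself obtained without integrity; use an https URL if the vendor serves one and pin the expected key with the module's `id:` parameter. The `git` checkout has no `version:` and uses `force: yes`, so every run deploys whatever the upstream default branch happens to be at that moment.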
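Review bot: `ExecStart=/usr/local/bin/mix phx.server` runs with only `HOME` set and no `MIX_ENV`, so Mix falls back to its default `dev` environment; that matches the `dev.secret.exs` the role writes, but it means a public instance runs with Phoenix's dev settings, which usually include code reloading and verbose error pages — confirm this is intended or add `Environment="MIX_ENV=prod"`. `ExecReload=/bin/kill $MAINPID` sends SIGTERM with no signal option, so `systemctl reload pleroma` appears to stop the service rather than reload it; either drop `ExecReload` or send a signal the application actually treats as a reload. Since the unit runs a network-facing process as a dedicated user, the standard sandboxing directives (`NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full`) would cost nothing here and bound what a compromised process can reach.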
@@ -0,0 +1,9 @@ +CREATE USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}' CREATEDB; +-- in case someone runs this second time accidentally +ALTER USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}' CREATEDB; +CREATE DATABASE {{pleroma_user}}; +ALTER DATABASE {{pleroma_user}} OWNER TO {{pleroma_user}}; +\c {{pleroma_user}}; +--Extensions made by ecto.migrate that need superuser access +CREATE EXTENSION IF NOT EXISTS citext; +CREATE EXTENSION IF NOT EXISTS pg_trgm; diff --git a/vagrant.yaml b/vagrant.yaml new file mode 100644 index 0000000..c9535f2 --- /dev/null +++ b/vagrant.yaml @@ -0,0 +1,13 @@ +--- + +- name: setup python2 + hosts: all + gather_facts: no + tasks: + - name: install python2 + become: yes + raw: "apt-get install python -y" + +- hosts: all + roles: + - pleroma -- cgit v1.2.3 From 90136b7be49f974d624dac4ee638d6176bf0d80b Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Mon, 20 Aug 2018 10:22:45 -0500 Subject: Added nginx reverse proxy to pleroma. --- .hgignore | 2 +- Vagrantfile | 3 +- ansible.cfg | 14 ++-- main.yaml | 14 ++++ roles/nginx/defaults/main.yaml | 6 ++ roles/nginx/handlers/main.yaml | 4 ++ roles/nginx/tasks/certbot.yaml | 17 +++++ roles/nginx/tasks/main.yaml | 38 +++++++++++ roles/pleroma/templates/pleroma.nginx.conf.j2 | 95 +++++++++++++++++++++++++++ vagrant.yaml | 13 ---- 10 files changed, 185 insertions(+), 21 deletions(-) create mode 100644 main.yaml create mode 100644 roles/nginx/defaults/main.yaml create mode 100644 roles/nginx/handlers/main.yaml create mode 100644 roles/nginx/tasks/certbot.yaml create mode 100644 roles/nginx/tasks/main.yaml create mode 100644 roles/pleroma/templates/pleroma.nginx.conf.j2 delete mode 100644 vagrant.yaml diff --git a/.hgignore b/.hgignore index 685df1b..1dcb667 100644 --- a/.hgignore +++ b/.hgignore @@ -6,4 +6,4 @@ syntax: regexp \.terraform/ TAGS$ tags$ -^group_vars/ +^inventory/ diff --git a/Vagrantfile b/Vagrantfile index 284cc03..25d5b54 100644 
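Review bot: `{{pleroma_db_passwd}}` is interpolated straight into the string literal in `CREATE USER ... WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'`, so a password containing a single quote breaks the statement or changes its meaning, and a generated password can legitimately contain one; escape it for SQL with `'{{ pleroma_db_passwd | replace("'", "''") }}'` on both the CREATE and ALTER lines. The role is granted `CREATEDB` even though the database is created for it here by the superuser, so that privilege can be dropped. Note that this rendered file, password included, stays on disk inside the application's checkout after `psql -f` has consumed it; the task that installs it lives in roles/pleroma/tasks/main.yaml, outside this hunk, and could remove it afterwards or render it to a temporary file instead.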
--- a/Vagrantfile +++ b/Vagrantfile @@ -5,6 +5,7 @@ Vagrant.configure("2") do |config| config.vm.box = "ubuntu/bionic64" config.vm.network "forwarded_port", guest: 4000, host: 4000 + config.vm.network "forwarded_port", guest: 80, host: 8080 # config.vm.synced_folder "../data", "/vagrant_data" # config.vm.provider "virtualbox" do |vb| @@ -18,7 +19,7 @@ Vagrant.configure("2") do |config| config.vm.provision "ansible" do |ansible| ansible.limit = "all,localhost" # ansible.verbose = "vvv" - ansible.playbook = "vagrant.yaml" + ansible.playbook = "main.yaml" ansible.compatibility_mode = "2.0" end end diff --git a/ansible.cfg b/ansible.cfg index 60b2e57..d4b0897 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,15 +1,17 @@ [defaults] -remote_tmp = ~/.ansible/tmp +inventory = ./inventory + +#remote_tmp = ~/.ansible/tmp retry_files_enabled = false roles_path = ./roles -become_flags = -H -S -n -E -squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper -merge_multiple_cli_flags = true +#become_flags = -H -S -n -E +#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper +#merge_multiple_cli_flags = true # SSH -timeout = 10 -executable = /bin/bash +#timeout = 10 +#executable = /bin/bash host_key_checking = False #remote_port = 22 diff --git a/main.yaml b/main.yaml new file mode 100644 index 0000000..64b514b --- /dev/null +++ b/main.yaml @@ -0,0 +1,14 @@ +--- + +- name: setup python2 + hosts: all + gather_facts: no + tasks: + - name: install python2 + become: yes + raw: "apt-get install python -y" + +- hosts: all + roles: + - nginx + - pleroma diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml new file mode 100644 index 0000000..895ce1d --- /dev/null +++ b/roles/nginx/defaults/main.yaml @@ -0,0 +1,6 @@ +--- + +nginx_enable_ssl: No +nginx_port: 80 +nginx_ssl_port: 443 +nginx_server_name: "{{ansible_host}}" diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml new file mode 100644 index 0000000..ce43c17 --- /dev/null 
+++ b/roles/nginx/handlers/main.yaml @@ -0,0 +1,4 @@ +--- +- name: restart nginx + become: yes + systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/tasks/certbot.yaml b/roles/nginx/tasks/certbot.yaml new file mode 100644 index 0000000..b7fbe8d --- /dev/null +++ b/roles/nginx/tasks/certbot.yaml @@ -0,0 +1,17 @@ +--- + +# https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx + +- name: add certbot (letsencrypt) repo + become: yes + apt_repository: repo="ppa:certbot/certbot" + +- name: install nginx packages + become: yes + apt: name="python-certbot-nginx" + notify: restart nginx + +- name: install certbot in nginx + become: yes + command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" + notify: restart nginx diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml new file mode 100644 index 0000000..77448ff --- /dev/null +++ b/roles/nginx/tasks/main.yaml @@ -0,0 +1,38 @@ +--- + +- name: set hostname in OS + become: yes + hostname: name="{{inventory_hostname}}" + +- name: change timezone to UTC + become: yes + timezone: name="UTC" + +- name: install nginx packages + become: yes + apt: name="nginx" + +- name: disable default site + become: yes + file: path="/etc/nginx/sites-enabled/default" state="absent" + notify: restart nginx + +- name: install site + become: yes + template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" + notify: restart nginx + +- import_tasks: certbot.yaml + when: nginx_enable_ssl + +- name: enable site + become: yes + file: + src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" + dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" + state: "link" + notify: restart nginx + +- name: enable nginx service + become: yes + systemd: name="nginx" enabled="yes" state="started" diff --git a/roles/pleroma/templates/pleroma.nginx.conf.j2 b/roles/pleroma/templates/pleroma.nginx.conf.j2 new file mode 100644 index 0000000..df35be6 
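Review bot: The `install certbot in nginx` task is a bare `command`, so Ansible reports it changed on every play, `restart nginx` fires each time, and certbot is re-invoked for the same name on every run, which counts against Let's Encrypt's per-domain limits whenever it does issue rather than keep the existing certificate. Guard it with `args: creates: "/etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem"` so it runs only until the certificate exists, and leave renewal to the timer the `python-certbot-nginx` package installs. A short comment that `--agree-tos` accepts the CA's subscriber agreement on the operator's behalf would help whoever reads the role next.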
--- /dev/null +++ b/roles/pleroma/templates/pleroma.nginx.conf.j2 
@@ -0,0 +1,95 @@
+# default nginx site config for Pleroma
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
+# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
+
+proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
+ inactive=720m use_temp_path=off;
+
+server {
+ listen {{nginx_port}};
+ listen [::]:{{nginx_port}};
+ server_name {{nginx_server_name}};
+ return 301 https://$server_name$request_uri;
+
+ # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
+ # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
+ # that is is accessible by the webserver. You may need to load this file with the ssl
+ # server block commented out, run certbot to get the certificate, and then uncomment it.
+ #
+ # location ~ /\.well-known/acme-challenge {
+ # root /pleroma/priv/static/;
+ # }
+}
+
+# Enable SSL session caching for improved performance
+ssl_session_cache shared:ssl_session_cache:10m;
+
+server {
+ listen {{nginx_ssl_port}} ssl http2;
+ listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
+ server_name {{nginx_server_name}};
+
+ ssl_certificate /etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{nginx_server_name}}/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+
+ location / {
+ # if you do not want remote frontends to be able to access your Pleroma backend
+ # server, remove these lines.
+ # add_header 'Access-Control-Allow-Origin' '*' always;
+ # add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
+ # add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
+ # add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
+ # if ($request_method = OPTIONS) {
+ # return 204;
+ # }
+ # stop removing lines here.
+ + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + # Uncomment this only after you get HTTPS working. + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{nginx_proxy}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{nginx_proxy}}; + } +} diff --git a/vagrant.yaml b/vagrant.yaml deleted file mode 100644 index c9535f2..0000000 --- a/vagrant.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: setup python2 - hosts: all - gather_facts: no - tasks: - - name: install python2 - become: yes - raw: "apt-get install python -y" - -- hosts: all - roles: - - pleroma -- cgit v1.2.3 From d222abadb1d8bba26b95516d16e4d71f7c256fba Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Wed, 5 Sep 2018 16:42:56 -0500 Subject: Added more config variables to pleroma. --- roles/nginx/handlers/main.yaml | 1 + roles/pleroma/defaults/main.yaml | 6 ++++++ roles/pleroma/handlers/main.yaml | 5 +++++ roles/pleroma/tasks/main.yaml | 3 +++ roles/pleroma/templates/dev.secret.exs.j2 | 10 +++++----- 5 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 roles/pleroma/handlers/main.yaml diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml index ce43c17..1feca07 100644 --- a/roles/nginx/handlers/main.yaml +++ b/roles/nginx/handlers/main.yaml @@ -1,4 +1,5 @@ --- + - name: restart nginx become: yes systemd: name="nginx" state="restarted" daemon_reload="yes" 
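Review bot: The server-level `add_header Strict-Transport-Security "max-age=31536000" always;` is not sent for the main site, because nginx only inherits `add_header` directives into a `location` that declares none of its own, and `location /` declares six (`X-Frame-Options`, `X-Content-Type-Options` and so on); only `/proxy` receives HSTS today. Repeat the header inside `location /` — the commented `# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";` there is the right line, with the comment marker removed and `always` appended — or move all security headers into both locations. Separately, the 443 `server` block references `/etc/letsencrypt/live/{{nginx_server_name}}/` unconditionally while the nginx role defaults `nginx_enable_ssl` to `No`, so with the defaults the certificate files do not exist and nginx fails its config test on first start; wrap the TLS block in `{% if nginx_enable_ssl %}` or drop that default. The cache in `proxy_cache_path /tmp/pleroma-media-cache` also lives under /tmp, which tmp cleaners and reboots empty; `/var/cache/nginx/pleroma-media` is the conventional place.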
diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index e39ba8a..8883855 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -2,4 +2,10 @@ pleroma_user: "pleroma" pleroma_instance_name: "{{pleroma_host}}" +pleroma_host: "localhost" +pleroma_scheme: "https" +pleroma_port: 443 pleroma_admin_email: "admin@{{pleroma_host}}" +pleroma_char_limit: 5000 +pleroma_signup_open: "true" +pleroma_db_host: "localhost" diff --git a/roles/pleroma/handlers/main.yaml b/roles/pleroma/handlers/main.yaml new file mode 100644 index 0000000..452811a --- /dev/null +++ b/roles/pleroma/handlers/main.yaml @@ -0,0 +1,5 @@ +--- + +- name: restart pleroma + become: yes + systemd: name="pleroma" state="restarted" daemon_reload="yes" diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index 9266e6d..fa02320 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -54,11 +54,13 @@ with_items: - "setup_db.psql" - "dev.secret.exs" + notify: restart pleroma - name: install pleroma psql become: yes become_user: "postgres" command: "psql -f ~{{pleroma_user}}/pleroma/config/setup_db.psql" + notify: restart pleroma - name: migrate db become: yes @@ -71,6 +73,7 @@ - "mix local.rebar --force" - "mix deps.get" - "mix ecto.migrate" + notify: restart pleroma - name: install pleroma systemd service template: diff --git a/roles/pleroma/templates/dev.secret.exs.j2 b/roles/pleroma/templates/dev.secret.exs.j2 index fee7ac8..3cf913f 100644 --- a/roles/pleroma/templates/dev.secret.exs.j2 +++ b/roles/pleroma/templates/dev.secret.exs.j2 
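Review bot: `pleroma_host: "localhost"` gives the one variable that must come from the inventory a silent fallback, so an instance whose inventory forgets it renders `url: [host: "localhost", scheme: "https", port: 443]` and an admin address of `admin@localhost` instead of failing the play; leaving `pleroma_host` without a default makes the template abort with an undefined-variable error, which is the safer behaviour. `pleroma_signup_open: "true"` is presumably a string so that Jinja emits the literal `true` into the Elixir config rather than Python's `True`; a comment saying so, e.g. `# string on purpose: rendered verbatim into prod/dev.secret.exs`, would stop the next editor from "fixing" it to a YAML boolean.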
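Review bot: The new `notify: restart pleroma` on `install pleroma psql` and `migrate db` is attached to `command` tasks, which Ansible always reports as changed, so the application is restarted on every play whether or not the schema or database changed; the notification on the `template` task is the only one tied to a real change. Either drop the notifications from the command tasks, or `register` the `mix ecto.migrate` result and add a `changed_when:` keyed on whether ecto reported migrations already up, so only an actual migration triggers the restart. The enclosing task list continues outside this hunk.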
@@ -1,15 +1,15 @@ use Mix.Config config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_host}}", scheme: "https", port: 443], + url: [host: "{{pleroma_host}}", scheme: "{{pleroma_scheme}}", port: {{pleroma_port}}], secret_key_base: "{{pleroma_secret_key}}" config :pleroma, :instance, name: "{{pleroma_instance_name}}", email: "{{pleroma_admin_email}}", - limit: 5000, - registrations_open: true, - dedupe_media: false + limit: {{pleroma_char_limit}}, + registrations_open: {{pleroma_signup_open}}, + dedupe_media: true config :pleroma, :media_proxy, enabled: false, @@ -22,5 +22,5 @@ config :pleroma, Pleroma.Repo, username: "{{pleroma_user}}", password: "{{pleroma_db_passwd}}", database: "{{pleroma_user}}", - hostname: "localhost", + hostname: "{{pleroma_db_host}}", pool_size: 10 -- cgit v1.2.3 From 52eafe0054688b9a582688fd6a986b91700c69db Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Thu, 27 Dec 2018 23:53:13 -0500 Subject: Updated for latest pleroma version. --- roles/pleroma/tasks/main.yaml | 8 -------- roles/pleroma/templates/setup_db.psql.j2 | 8 +++----- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index fa02320..ba3af9e 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -34,14 +34,6 @@ dest: "~{{pleroma_user}}/pleroma" force: yes -- name: update elixir dep - become: yes - become_user: "{{pleroma_user}}" - lineinfile: - path: "~{{pleroma_user}}/pleroma/mix.exs" - regexp: 'elixir: "~> 1.4",$' - line: 'elixir: "~> 1.7",' - - name: install pleroma config files template: src: "{{item}}.j2" diff --git a/roles/pleroma/templates/setup_db.psql.j2 b/roles/pleroma/templates/setup_db.psql.j2 index de390c0..0b4a87c 100644 --- a/roles/pleroma/templates/setup_db.psql.j2 +++ b/roles/pleroma/templates/setup_db.psql.j2 
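Review bot: `registrations_open: {{pleroma_signup_open}}` is rendered unquoted, so the value must arrive as the literal text `true`/`false`; if an inventory sets it as a YAML boolean, Jinja renders Python's `True` or `False`, which Elixir parses as the aliases `True`/`False` — atoms, both truthy — so the application sees a non-boolean and, depending on how it tests the flag, either keeps registrations open or ignores the setting, neither of which is what was configured and neither producing an error. Normalise it in the template with `registrations_open: {{ pleroma_signup_open | bool | to_json }},`, which always emits a lowercase boolean, and use the same shape for any future boolean. `limit: {{pleroma_char_limit}}` and `port: {{pleroma_port}}` have the same unquoted form but carry integers, so they are fine.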
@@ -1,9 +1,7 @@ -CREATE USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}' CREATEDB; --- in case someone runs this second time accidentally -ALTER USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}' CREATEDB; -CREATE DATABASE {{pleroma_user}}; -ALTER DATABASE {{pleroma_user}} OWNER TO {{pleroma_user}}; +CREATE USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'; +CREATE DATABASE {{pleroma_user}} OWNER {{pleroma_user}}; \c {{pleroma_user}}; --Extensions made by ecto.migrate that need superuser access CREATE EXTENSION IF NOT EXISTS citext; CREATE EXTENSION IF NOT EXISTS pg_trgm; +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; -- cgit v1.2.3 From 53b8707d976e35f074bd177d5fcf2d062e3bcc52 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Fri, 28 Dec 2018 00:27:10 -0500 Subject: Moved to prod config. --- roles/pleroma/defaults/main.yaml | 1 + roles/pleroma/tasks/main.yaml | 2 +- roles/pleroma/templates/dev.secret.exs.j2 | 26 -------------------------- roles/pleroma/templates/pleroma.service.j2 | 1 + roles/pleroma/templates/prod.secret.exs.j2 | 27 +++++++++++++++++++++++++++ 5 files changed, 30 insertions(+), 27 deletions(-) delete mode 100644 roles/pleroma/templates/dev.secret.exs.j2 create mode 100644 roles/pleroma/templates/prod.secret.exs.j2 diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 8883855..2ab59a5 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -2,6 +2,7 @@ pleroma_user: "pleroma" pleroma_instance_name: "{{pleroma_host}}" +pleroma_desc: "A Pleroma fediverse instance." pleroma_host: "localhost" pleroma_scheme: "https" pleroma_port: 443 diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index ba3af9e..2bb497c 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml 
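Review bot: With the `ALTER USER` fallback removed, a second run of this script errors on `CREATE USER` (and on `CREATE DATABASE`) because the objects already exist, and the invocation `psql -f ...` in roles/pleroma/tasks/main.yaml, outside this hunk, does not set `ON_ERROR_STOP`, so psql prints the error, carries on and exits 0; a rotated password is therefore never applied and Ansible never notices. Keep an `ALTER USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '...';` after the CREATE so the script is re-runnable, and run it with `psql -v ON_ERROR_STOP=1 -f ...` so genuine failures fail the task. The password is still interpolated unescaped; `'{{ pleroma_db_passwd | replace("'", "''") }}'` avoids breaking on a quote character.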
@@ -45,7 +45,7 @@ become_user: "{{pleroma_user}}" with_items: - "setup_db.psql" - - "dev.secret.exs" + - "prod.secret.exs" notify: restart pleroma - name: install pleroma psql diff --git a/roles/pleroma/templates/dev.secret.exs.j2 b/roles/pleroma/templates/dev.secret.exs.j2 deleted file mode 100644 index 3cf913f..0000000 --- a/roles/pleroma/templates/dev.secret.exs.j2 +++ /dev/null @@ -1,26 +0,0 @@ -use Mix.Config - -config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_host}}", scheme: "{{pleroma_scheme}}", port: {{pleroma_port}}], - secret_key_base: "{{pleroma_secret_key}}" - -config :pleroma, :instance, - name: "{{pleroma_instance_name}}", - email: "{{pleroma_admin_email}}", - limit: {{pleroma_char_limit}}, - registrations_open: {{pleroma_signup_open}}, - dedupe_media: true - -config :pleroma, :media_proxy, - enabled: false, - redirect_on_failure: true - #base_url: "https://cache.pleroma.social" - -# Configure your database -config :pleroma, Pleroma.Repo, - adapter: Ecto.Adapters.Postgres, - username: "{{pleroma_user}}", - password: "{{pleroma_db_passwd}}", - database: "{{pleroma_user}}", - hostname: "{{pleroma_db_host}}", - pool_size: 10 diff --git a/roles/pleroma/templates/pleroma.service.j2 b/roles/pleroma/templates/pleroma.service.j2 index ca6e662..e1cfd57 100644 --- a/roles/pleroma/templates/pleroma.service.j2 +++ b/roles/pleroma/templates/pleroma.service.j2 @@ -6,6 +6,7 @@ After=network.target postgresql.service User={{pleroma_user}} WorkingDirectory=/home/{{pleroma_user}}/pleroma Environment="HOME=/home/{{pleroma_user}}" +Environment="MIX_ENV=prod" ExecStart=/usr/local/bin/mix phx.server ExecReload=/bin/kill $MAINPID KillMode=process diff --git a/roles/pleroma/templates/prod.secret.exs.j2 b/roles/pleroma/templates/prod.secret.exs.j2 new file mode 100644 index 0000000..effedd7 --- /dev/null +++ b/roles/pleroma/templates/prod.secret.exs.j2 
@@ -0,0 +1,27 @@ +use Mix.Config + +config :pleroma, Pleroma.Web.Endpoint, + url: [host: "{{pleroma_host}}", scheme: "{{pleroma_scheme}}", port: {{pleroma_port}}], + secret_key_base: "{{pleroma_secret_key}}" + +config :pleroma, :instance, + name: "{{pleroma_instance_name}}", + description: "{{pleroma_desc}}", + email: "{{pleroma_admin_email}}", + limit: {{pleroma_char_limit}}, + registrations_open: {{pleroma_signup_open}}, + dedupe_media: true + +config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + +# Configure your database +config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "{{pleroma_user}}", + password: "{{pleroma_db_passwd}}", + database: "{{pleroma_user}}", + hostname: "{{pleroma_db_host}}", + pool_size: 10 -- cgit v1.2.3 From f722be7d3a7b4f68dd9837ebb6ca37adc9923a4c Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 30 Dec 2018 11:13:20 -0600 Subject: Moved mix commands to prod. --- roles/pleroma/tasks/main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index 2bb497c..47a62cf 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -66,6 +66,8 @@ - "mix deps.get" - "mix ecto.migrate" notify: restart pleroma + environment: + MIX_ENV: "prod" - name: install pleroma systemd service template: -- cgit v1.2.3 From 035f6e2253e1a3f3283ca3e0f7044da8880880e4 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Mon, 31 Dec 2018 15:50:19 -0600 Subject: Updated for external DB. --- roles/pleroma/defaults/main.yaml | 1 + roles/pleroma/tasks/main.yaml | 7 +++++-- roles/pleroma/templates/setup_db.psql.j2 | 3 ++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 2ab59a5..94c39a1 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml 
@@ -10,3 +10,4 @@ pleroma_admin_email: "admin@{{pleroma_host}}" pleroma_char_limit: 5000 pleroma_signup_open: "true" pleroma_db_host: "localhost" +pleroma_db_superuser: "postgres" diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index 47a62cf..9d1a746 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -50,9 +50,12 @@ - name: install pleroma psql become: yes - become_user: "postgres" - command: "psql -f ~{{pleroma_user}}/pleroma/config/setup_db.psql" + become_user: "{{pleroma_db_superuser}}" + command: "psql -f ~{{pleroma_user}}/pleroma/config/setup_db.psql -h {{pleroma_db_host}}" notify: restart pleroma + environment: + PGUSER: "{{pleroma_db_superuser}}" + PGPASSWORD: "{{pleroma_db_superpass}}" - name: migrate db become: yes diff --git a/roles/pleroma/templates/setup_db.psql.j2 b/roles/pleroma/templates/setup_db.psql.j2 index 0b4a87c..459bec8 100644 --- a/roles/pleroma/templates/setup_db.psql.j2 +++ b/roles/pleroma/templates/setup_db.psql.j2 @@ -1,5 +1,6 @@ CREATE USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'; -CREATE DATABASE {{pleroma_user}} OWNER {{pleroma_user}}; +CREATE DATABASE {{pleroma_user}}; +ALTER DATABASE {{pleroma_user}} OWNER TO {{pleroma_user}}; \c {{pleroma_user}}; --Extensions made by ecto.migrate that need superuser access CREATE EXTENSION IF NOT EXISTS citext; -- cgit v1.2.3 From bef0a0a3a662a83273d459d3c39eac3e1ee7b404 Mon Sep 17 00:00:00 2001 
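Review bot: `PGPASSWORD: "{{pleroma_db_superpass}}"` places the database superuser password in the task's environment without `no_log: true`, so it shows up in verbose output and in any callback or log that records task arguments; add `no_log: true` to the task. Connecting with `psql ... -h {{pleroma_db_host}}` sets no `PGSSLMODE`, so against an external host the superuser password and the `CREATE USER` statement carrying the application password travel in clear text unless the server happens to force TLS; add `PGSSLMODE: "verify-full"` (or at least `require`) to the same `environment:` block. `become_user: "{{pleroma_db_superuser}}"` also conflates the database role with a local OS account: it works while the default `postgres` OS user exists on the box, but a managed database with a differently named superuser makes the task fail on `become`, and with `PGUSER` already set the `become_user` is unnecessary.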
From: Luke Hoersten Date: Tue, 1 Jan 2019 21:57:11 -0600 Subject: Split out nginx sites. --- main.yaml | 32 +++++++++++++++++++--- roles/nginx/base/defaults/main.yaml | 3 +++ roles/nginx/base/handlers/main.yaml | 5 ++++ roles/nginx/base/tasks/certbot.yaml | 12 +++++++++ roles/nginx/base/tasks/main.yaml | 17 ++++++++++++ roles/nginx/defaults/main.yaml | 6 ----- roles/nginx/handlers/main.yaml | 5 ---- roles/nginx/site/defaults/main.yaml | 7 +++++ roles/nginx/site/handlers/main.yaml | 5 ++++ roles/nginx/site/meta/main.yaml | 4 +++ roles/nginx/site/tasks/main.yaml | 20 ++++++++++++++ roles/nginx/tasks/certbot.yaml | 17 ------------ roles/nginx/tasks/main.yaml | 38 --------------------------- roles/pleroma/defaults/main.yaml | 5 ++-- roles/pleroma/handlers/main.yaml | 2 +- roles/pleroma/meta/main.yaml | 4 +++ roles/pleroma/tasks/main.yaml | 4 +-- roles/pleroma/templates/pleroma.nginx.conf.j2 | 4 +-- roles/pleroma/templates/pleroma.service.j2 | 2 ++ 19 files changed, 116 insertions(+), 76 deletions(-) create mode 100644 roles/nginx/base/defaults/main.yaml create mode 100644 roles/nginx/base/handlers/main.yaml create mode 100644 roles/nginx/base/tasks/certbot.yaml create mode 100644 roles/nginx/base/tasks/main.yaml delete mode 100644 roles/nginx/defaults/main.yaml delete mode 100644 roles/nginx/handlers/main.yaml create mode 100644 roles/nginx/site/defaults/main.yaml create mode 100644 roles/nginx/site/handlers/main.yaml create mode 100644 roles/nginx/site/meta/main.yaml create mode 100644 roles/nginx/site/tasks/main.yaml delete mode 100644 roles/nginx/tasks/certbot.yaml delete mode 100644 roles/nginx/tasks/main.yaml create mode 100644 roles/pleroma/meta/main.yaml diff --git a/main.yaml b/main.yaml index 64b514b..b32b167 100644 --- a/main.yaml +++ b/main.yaml 
@@ -8,7 +8,33 @@ become: yes raw: "apt-get install python -y" -- hosts: all + - name: set hostname in OS + become: yes + hostname: name="{{inventory_hostname}}" + + - name: change timezone to UTC + become: yes + timezone: name="UTC" + +- hosts: pleroma-01 roles: - - nginx - - pleroma + - role: pleroma + pleroma_host: "haskell.social" + pleroma_user: "pleroma_haskell_social" + pleroma_port: 4000 + + - role: pleroma + pleroma_host: "nth.io" + pleroma_user: "pleroma_nth_io" + pleroma_port: 4001 + + +# - hosts: haskell.social +# roles: +# - nginx +# - pleroma + +# - hosts: nth.io +# roles: +# - nginx +# - pleroma diff --git a/roles/nginx/base/defaults/main.yaml b/roles/nginx/base/defaults/main.yaml new file mode 100644 index 0000000..44b37f8 --- /dev/null +++ b/roles/nginx/base/defaults/main.yaml @@ -0,0 +1,3 @@ +--- + +nginx_enable_ssl: No diff --git a/roles/nginx/base/handlers/main.yaml b/roles/nginx/base/handlers/main.yaml new file mode 100644 index 0000000..1feca07 --- /dev/null +++ b/roles/nginx/base/handlers/main.yaml @@ -0,0 +1,5 @@ +--- + +- name: restart nginx + become: yes + systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/base/tasks/certbot.yaml b/roles/nginx/base/tasks/certbot.yaml new file mode 100644 index 0000000..194f5c9 --- /dev/null +++ b/roles/nginx/base/tasks/certbot.yaml @@ -0,0 +1,12 @@ +--- + +# https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx + +- name: add certbot (letsencrypt) repo + become: yes + apt_repository: repo="ppa:certbot/certbot" + +- name: install nginx packages + become: yes + apt: name="python-certbot-nginx" + notify: restart nginx diff --git a/roles/nginx/base/tasks/main.yaml b/roles/nginx/base/tasks/main.yaml new file mode 100644 index 0000000..ee66773 --- /dev/null +++ b/roles/nginx/base/tasks/main.yaml 
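Review bot: Applying the `pleroma` role twice on `pleroma-01` with `pleroma_port: 4000` and `4001` does not give the two instances distinct listeners, as far as the templates show: `pleroma_port` is used only in the endpoint's `url: [host: ..., scheme: ..., port: ...]`, which is the public URL Phoenix advertises, not the port it binds, so both `mix phx.server` processes would contend for the same default listener while the second instance's links carry a `:4001` suffix. The secret template needs a separate `http: [port: ...]` entry fed by its own variable (say `pleroma_http_port`), with `pleroma_port` left at 443 for the public URL. Both applications also write `/lib/systemd/system/pleroma.service` and notify the same `restart pleroma` handler, neither parametrised by `pleroma_user` in the role as shown here, so the second application overwrites the first's unit unless the pleroma task and service changes later in this commit (outside this excerpt) address that.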
@@ -0,0 +1,17 @@ +--- + +- name: install nginx packages + become: yes + apt: name="nginx" + +- name: disable default site + become: yes + file: path="/etc/nginx/sites-enabled/default" state="absent" + notify: restart nginx + +- import_tasks: certbot.yaml + when: nginx_enable_ssl + +- name: enable nginx service + become: yes + systemd: name="nginx" enabled="yes" state="started" diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml deleted file mode 100644 index 895ce1d..0000000 --- a/roles/nginx/defaults/main.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -nginx_enable_ssl: No -nginx_port: 80 -nginx_ssl_port: 443 -nginx_server_name: "{{ansible_host}}" diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml deleted file mode 100644 index 1feca07..0000000 --- a/roles/nginx/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: restart nginx - become: yes - systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/site/defaults/main.yaml b/roles/nginx/site/defaults/main.yaml new file mode 100644 index 0000000..0092918 --- /dev/null +++ b/roles/nginx/site/defaults/main.yaml @@ -0,0 +1,7 @@ +--- + +nginx_port: 80 +nginx_ssl_port: 443 +nginx_server_name: "{{ansible_host}}" +nginx_conf_dst: "{{nginx_server_name}}.nginx.conf" +nginx_admin_email: "admin@{{nginx_server_name}}" diff --git a/roles/nginx/site/handlers/main.yaml b/roles/nginx/site/handlers/main.yaml new file mode 100644 index 0000000..1feca07 --- /dev/null +++ b/roles/nginx/site/handlers/main.yaml @@ -0,0 +1,5 @@ +--- + +- name: restart nginx + become: yes + systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/site/meta/main.yaml b/roles/nginx/site/meta/main.yaml new file mode 100644 index 0000000..af2cf0f --- /dev/null +++ b/roles/nginx/site/meta/main.yaml @@ -0,0 +1,4 @@ +--- + +dependencies: + - nginx/base 
diff --git a/roles/nginx/site/tasks/main.yaml b/roles/nginx/site/tasks/main.yaml new file mode 100644 index 0000000..9b51013 --- /dev/null +++ b/roles/nginx/site/tasks/main.yaml @@ -0,0 +1,20 @@ +--- + +- name: install site + become: yes + template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" + notify: restart nginx + +- name: install certbot in nginx + become: yes + command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" + notify: restart nginx + when: nginx_enable_ssl + +- name: enable site + become: yes + file: + src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" + dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" + state: "link" + notify: restart nginx diff --git a/roles/nginx/tasks/certbot.yaml b/roles/nginx/tasks/certbot.yaml deleted file mode 100644 index b7fbe8d..0000000 --- a/roles/nginx/tasks/certbot.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -# https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx - -- name: add certbot (letsencrypt) repo - become: yes - apt_repository: repo="ppa:certbot/certbot" - -- name: install nginx packages - become: yes - apt: name="python-certbot-nginx" - notify: restart nginx - -- name: install certbot in nginx - become: yes - command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" - notify: restart nginx diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml deleted file mode 100644 index 77448ff..0000000 --- a/roles/nginx/tasks/main.yaml +++ /dev/null 
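Review bot: `install certbot in nginx` runs `certbot certonly` on every play because a `command` task has no change detection, so each run re-requests a certificate and counts against the Let's Encrypt issuance limits; `creates: "/etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem"` on the task makes it run only until the certificate exists. It also runs before `enable site` links the config into sites-enabled and before any handler has reloaded nginx, so on a first run the nginx plugin probably finds no server block for `{{nginx_server_name}}`; `meta: flush_handlers` after the symlink, then the certbot task, is the usual ordering. Note that the pleroma nginx template later in this series references `/etc/letsencrypt/live/…` directly, so a reload before the certificate exists would fail — a plain-HTTP server block until issuance, or `--webroot`, breaks that cycle. The same points apply to the roles/nginx/tasks/main.yaml hunk in "Lots of updates".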
@@ -1,38 +0,0 @@ ---- - -- name: set hostname in OS - become: yes - hostname: name="{{inventory_hostname}}" - -- name: change timezone to UTC - become: yes - timezone: name="UTC" - -- name: install nginx packages - become: yes - apt: name="nginx" - -- name: disable default site - become: yes - file: path="/etc/nginx/sites-enabled/default" state="absent" - notify: restart nginx - -- name: install site - become: yes - template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" - notify: restart nginx - -- import_tasks: certbot.yaml - when: nginx_enable_ssl - -- name: enable site - become: yes - file: - src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" - dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" - state: "link" - notify: restart nginx - -- name: enable nginx service - become: yes - systemd: name="nginx" enabled="yes" state="started" diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 94c39a1..c9cbf1d 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -4,8 +4,9 @@ pleroma_user: "pleroma" pleroma_instance_name: "{{pleroma_host}}" pleroma_desc: "A Pleroma fediverse instance." pleroma_host: "localhost" -pleroma_scheme: "https" -pleroma_port: 443 +pleroma_scheme: "http" +pleroma_port: 4000 +pleroma_url: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}" pleroma_admin_email: "admin@{{pleroma_host}}" pleroma_char_limit: 5000 pleroma_signup_open: "true" diff --git a/roles/pleroma/handlers/main.yaml b/roles/pleroma/handlers/main.yaml index 452811a..b935f8d 100644 --- a/roles/pleroma/handlers/main.yaml +++ b/roles/pleroma/handlers/main.yaml @@ -2,4 +2,4 @@ - name: restart pleroma become: yes - systemd: name="pleroma" state="restarted" daemon_reload="yes" + systemd: name="{{pleroma_user}}" state="restarted" daemon_reload="yes" diff --git a/roles/pleroma/meta/main.yaml b/roles/pleroma/meta/main.yaml new file mode 100644 index 0000000..efae8cd --- /dev/null 
+++ b/roles/pleroma/meta/main.yaml @@ -0,0 +1,4 @@ +--- + +dependencies: + - nginx/site diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index 9d1a746..0d4ed29 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -75,12 +75,12 @@ - name: install pleroma systemd service template: src: "pleroma.service.j2" - dest: "/lib/systemd/system/pleroma.service" + dest: "/lib/systemd/system/{{pleroma_user}}.service" owner: "{{pleroma_user}}" group: "{{pleroma_user}}" mode: "0770" become: yes - name: enable pleroma systemd service - systemd: name="pleroma" enabled="yes" state="started" + systemd: name="{{pleroma_user}}" enabled="yes" state="started" become: yes diff --git a/roles/pleroma/templates/pleroma.nginx.conf.j2 b/roles/pleroma/templates/pleroma.nginx.conf.j2 index df35be6..34cec8a 100644 --- a/roles/pleroma/templates/pleroma.nginx.conf.j2 +++ b/roles/pleroma/templates/pleroma.nginx.conf.j2 @@ -81,7 +81,7 @@ server { proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; - proxy_pass {{nginx_proxy}}; + proxy_pass {{pleroma_url}}; client_max_body_size 16m; } @@ -90,6 +90,6 @@ server { proxy_cache pleroma_media_cache; proxy_cache_lock on; proxy_ignore_client_abort on; - proxy_pass {{nginx_proxy}}; + proxy_pass {{pleroma_url}}; } } diff --git a/roles/pleroma/templates/pleroma.service.j2 b/roles/pleroma/templates/pleroma.service.j2 index e1cfd57..15a0879 100644 --- a/roles/pleroma/templates/pleroma.service.j2 +++ b/roles/pleroma/templates/pleroma.service.j2 @@ -1,3 +1,5 @@ +# {{ansible_managed}} + [Unit] Description=Pleroma social network After=network.target postgresql.service -- cgit v1.2.3 From d8e1d8bc284bfbe34b60ee5a40d5b5df0b25dc96 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Wed, 2 Jan 2019 23:24:27 -0600 Subject: Fixed port placement of multiple instances. --- main.yaml | 6 +++--- roles/pleroma/templates/prod.secret.exs.j2 | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) 
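Review bot: The unit file written by `install pleroma systemd service` is owned by `{{pleroma_user}}` with `mode: "0770"`, so the unprivileged account the service runs as can rewrite a file that root later loads via the `daemon_reload` handler — that account could change what root executes on the next reload or restart. Unit files should be root-owned and read-only for everyone else: `owner: "root"`, `group: "root"`, `mode: "0644"`. Those three lines are context in this hunk, but templating `dest` on `{{pleroma_user}}` is the moment to fix them; the task's `template:` header is outside the hunk.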
diff --git a/main.yaml b/main.yaml index b32b167..96c2cd4 100644 --- a/main.yaml +++ b/main.yaml @@ -16,17 +16,17 @@ become: yes timezone: name="UTC" -- hosts: pleroma-01 +- hosts: pleroma roles: - role: pleroma pleroma_host: "haskell.social" pleroma_user: "pleroma_haskell_social" - pleroma_port: 4000 + pleroma_port: 4001 - role: pleroma pleroma_host: "nth.io" pleroma_user: "pleroma_nth_io" - pleroma_port: 4001 + pleroma_port: 4000 # - hosts: haskell.social diff --git a/roles/pleroma/templates/prod.secret.exs.j2 b/roles/pleroma/templates/prod.secret.exs.j2 index effedd7..d39f57d 100644 --- a/roles/pleroma/templates/prod.secret.exs.j2 +++ b/roles/pleroma/templates/prod.secret.exs.j2 @@ -1,7 +1,8 @@ use Mix.Config config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_host}}", scheme: "{{pleroma_scheme}}", port: {{pleroma_port}}], + url: [host: "{{pleroma_host}}", scheme: "{{pleroma_scheme}}", port: 443], + http: [port: {{pleroma_port}}], secret_key_base: "{{pleroma_secret_key}}" config :pleroma, :instance, -- cgit v1.2.3 From c5ba641b1cb66e19c23691995bcd0661fbf4d027 Mon Sep 17 00:00:00 2001 
From: Luke Hoersten Date: Thu, 3 Jan 2019 20:46:13 -0600 Subject: Lots of updates. --- main.yaml | 23 ++++++-------- roles/nginx/base/defaults/main.yaml | 3 -- roles/nginx/base/handlers/main.yaml | 5 --- roles/nginx/base/tasks/certbot.yaml | 12 ------- roles/nginx/base/tasks/main.yaml | 17 ---------- roles/nginx/defaults/main.yaml | 8 +++++ roles/nginx/handlers/main.yaml | 5 +++ roles/nginx/site/defaults/main.yaml | 7 ----- roles/nginx/site/handlers/main.yaml | 5 --- roles/nginx/site/meta/main.yaml | 4 --- roles/nginx/site/tasks/main.yaml | 20 ------------ roles/nginx/tasks/main.yaml | 45 +++++++++++++++++++++++++++ roles/pleroma/defaults/main.yaml | 15 ++++++--- roles/pleroma/meta/main.yaml | 2 +- roles/pleroma/tasks/main.yaml | 2 +- roles/pleroma/templates/pleroma.nginx.conf.j2 | 12 +++---- roles/pleroma/templates/pleroma.service.j2 | 1 + roles/pleroma/templates/prod.secret.exs.j2 | 8 +++-- 18 files changed, 93 insertions(+), 101 deletions(-) delete mode 100644 roles/nginx/base/defaults/main.yaml delete mode 100644 roles/nginx/base/handlers/main.yaml delete mode 100644 roles/nginx/base/tasks/certbot.yaml delete mode 100644 roles/nginx/base/tasks/main.yaml create mode 100644 roles/nginx/defaults/main.yaml create mode 100644 roles/nginx/handlers/main.yaml delete mode 100644 roles/nginx/site/defaults/main.yaml delete mode 100644 roles/nginx/site/handlers/main.yaml delete mode 100644 roles/nginx/site/meta/main.yaml delete mode 100644 roles/nginx/site/tasks/main.yaml create mode 100644 roles/nginx/tasks/main.yaml diff --git a/main.yaml b/main.yaml index 96c2cd4..81108fd 100644 --- a/main.yaml +++ b/main.yaml 
@@ -16,25 +16,22 @@ become: yes timezone: name="UTC" + - name: authorize ssh keys + authorized_key: + user: "ubuntu" + key: "https://github.com/LukeHoersten.keys" + - hosts: pleroma roles: - role: pleroma - pleroma_host: "haskell.social" pleroma_user: "pleroma_haskell_social" + pleroma_link_host: "haskell.social" pleroma_port: 4001 +- hosts: pleroma + roles: - role: pleroma - pleroma_host: "nth.io" pleroma_user: "pleroma_nth_io" + pleroma_link_host: "nth.io" pleroma_port: 4000 - - -# - hosts: haskell.social -# roles: -# - nginx -# - pleroma - -# - hosts: nth.io -# roles: -# - nginx -# - pleroma + pleroma_signup_open: "false" diff --git a/roles/nginx/base/defaults/main.yaml b/roles/nginx/base/defaults/main.yaml deleted file mode 100644 index 44b37f8..0000000 --- a/roles/nginx/base/defaults/main.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -nginx_enable_ssl: No diff --git a/roles/nginx/base/handlers/main.yaml b/roles/nginx/base/handlers/main.yaml deleted file mode 100644 index 1feca07..0000000 --- a/roles/nginx/base/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: restart nginx - become: yes - systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/base/tasks/certbot.yaml b/roles/nginx/base/tasks/certbot.yaml deleted file mode 100644 index 194f5c9..0000000 --- a/roles/nginx/base/tasks/certbot.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- - -# https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx - -- name: add certbot (letsencrypt) repo - become: yes - apt_repository: repo="ppa:certbot/certbot" - -- name: install nginx packages - become: yes - apt: name="python-certbot-nginx" - notify: restart nginx diff --git a/roles/nginx/base/tasks/main.yaml b/roles/nginx/base/tasks/main.yaml deleted file mode 100644 index ee66773..0000000 --- a/roles/nginx/base/tasks/main.yaml +++ /dev/null 
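Review bot: `authorize ssh keys` fetches the key set for `ubuntu` from `https://github.com/LukeHoersten.keys` at run time, so which keys can log in is decided by whatever that URL returns when the play runs rather than by anything reviewed in this repository, and a change to the account or an unreachable endpoint changes or breaks access silently. Supplying the public key material inline from a variable (e.g. `key: "{{ssh_authorized_keys}}"`, a name chosen here for illustration) keeps the trusted set pinned and reviewable. If the URL source stays, decide explicitly whether `exclusive: yes` is wanted so that keys removed upstream are also removed on the host.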
@@ -1,17 +0,0 @@ ---- - -- name: install nginx packages - become: yes - apt: name="nginx" - -- name: disable default site - become: yes - file: path="/etc/nginx/sites-enabled/default" state="absent" - notify: restart nginx - -- import_tasks: certbot.yaml - when: nginx_enable_ssl - -- name: enable nginx service - become: yes - systemd: name="nginx" enabled="yes" state="started" diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml new file mode 100644 index 0000000..8d65d55 --- /dev/null +++ b/roles/nginx/defaults/main.yaml @@ -0,0 +1,8 @@ +--- + +nginx_port: 80 +nginx_ssl_port: 443 +nginx_enable_ssl: No +nginx_server_name: "{{ansible_host}}" +nginx_conf_dst: "{{nginx_server_name}}.nginx.conf" +nginx_admin_email: "admin@{{nginx_server_name}}" diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml new file mode 100644 index 0000000..1feca07 --- /dev/null +++ b/roles/nginx/handlers/main.yaml @@ -0,0 +1,5 @@ +--- + +- name: restart nginx + become: yes + systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/site/defaults/main.yaml b/roles/nginx/site/defaults/main.yaml deleted file mode 100644 index 0092918..0000000 --- a/roles/nginx/site/defaults/main.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -nginx_port: 80 -nginx_ssl_port: 443 -nginx_server_name: "{{ansible_host}}" -nginx_conf_dst: "{{nginx_server_name}}.nginx.conf" -nginx_admin_email: "admin@{{nginx_server_name}}" diff --git a/roles/nginx/site/handlers/main.yaml b/roles/nginx/site/handlers/main.yaml deleted file mode 100644 index 1feca07..0000000 --- a/roles/nginx/site/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: restart nginx - become: yes - systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/site/meta/main.yaml b/roles/nginx/site/meta/main.yaml deleted file mode 100644 index af2cf0f..0000000 --- a/roles/nginx/site/meta/main.yaml +++ /dev/null 
@@ -1,4 +0,0 @@ ---- - -dependencies: - - nginx/base diff --git a/roles/nginx/site/tasks/main.yaml b/roles/nginx/site/tasks/main.yaml deleted file mode 100644 index 9b51013..0000000 --- a/roles/nginx/site/tasks/main.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: install site - become: yes - template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" - notify: restart nginx - -- name: install certbot in nginx - become: yes - command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" - notify: restart nginx - when: nginx_enable_ssl - -- name: enable site - become: yes - file: - src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" - dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" - state: "link" - notify: restart nginx diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml new file mode 100644 index 0000000..7a0589f --- /dev/null +++ b/roles/nginx/tasks/main.yaml 
@@ -0,0 +1,45 @@ +--- + +- name: install nginx packages + become: yes + apt: name="nginx" + +- name: install site + become: yes + template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" + notify: restart nginx + +# https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx +- name: add certbot (letsencrypt) repo + become: yes + apt_repository: repo="ppa:certbot/certbot" + when: nginx_enable_ssl + +- name: install nginx packages + become: yes + apt: name="python-certbot-nginx" + notify: restart nginx + when: nginx_enable_ssl + +- name: install certbot in nginx + become: yes + command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" + notify: restart nginx + when: nginx_enable_ssl + +- name: disable default site + become: yes + file: path="/etc/nginx/sites-enabled/default" state="absent" + notify: restart nginx + +- name: enable site + become: yes + file: + src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" + dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" + state: "link" + notify: restart nginx + +- name: enable nginx service + become: yes + systemd: name="nginx" enabled="yes" state="started" diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index c9cbf1d..5d2569f 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml 
@@ -1,12 +1,19 @@ --- pleroma_user: "pleroma" -pleroma_instance_name: "{{pleroma_host}}" -pleroma_desc: "A Pleroma fediverse instance." + pleroma_host: "localhost" -pleroma_scheme: "http" pleroma_port: 4000 -pleroma_url: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}" +pleroma_scheme: "http" + +pleroma_proxy_pass: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}" + +pleroma_link_host: "localhost" +pleroma_link_port: "443" +pleroma_link_scheme: "https" + +pleroma_instance_name: "{{pleroma_link_host}}" +pleroma_desc: "A Pleroma fediverse instance." pleroma_admin_email: "admin@{{pleroma_host}}" pleroma_char_limit: 5000 pleroma_signup_open: "true" diff --git a/roles/pleroma/meta/main.yaml b/roles/pleroma/meta/main.yaml index efae8cd..d7aa38d 100644 --- a/roles/pleroma/meta/main.yaml +++ b/roles/pleroma/meta/main.yaml @@ -1,4 +1,4 @@ --- dependencies: - - nginx/site + - nginx diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index 0d4ed29..f34952b 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -67,7 +67,7 @@ - "mix local.hex --force" - "mix local.rebar --force" - "mix deps.get" - - "mix ecto.migrate" + # - "mix ecto.migrate" notify: restart pleroma environment: MIX_ENV: "prod" diff --git a/roles/pleroma/templates/pleroma.nginx.conf.j2 b/roles/pleroma/templates/pleroma.nginx.conf.j2 index 34cec8a..b760a44 100644 --- a/roles/pleroma/templates/pleroma.nginx.conf.j2 +++ b/roles/pleroma/templates/pleroma.nginx.conf.j2 
@@ -6,12 +6,12 @@ # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. -proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g +proxy_cache_path /tmp/{{pleroma_user}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_user}}-pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off; server { listen {{nginx_port}}; - listen [::]:{{nginx_port}}; + # listen [::]:{{nginx_port}}; server_name {{nginx_server_name}}; return 301 https://$server_name$request_uri; @@ -30,7 +30,7 @@ ssl_session_cache shared:ssl_session_cache:10m; server { listen {{nginx_ssl_port}} ssl http2; - listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; server_name {{nginx_server_name}}; ssl_certificate /etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem; @@ -81,15 +81,15 @@ server { proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; - proxy_pass {{pleroma_url}}; + proxy_pass {{pleroma_proxy_pass}}; client_max_body_size 16m; } location /proxy { - proxy_cache pleroma_media_cache; + proxy_cache {{pleroma_user}}-pleroma_media_cache; proxy_cache_lock on; proxy_ignore_client_abort on; - proxy_pass {{pleroma_url}}; + proxy_pass {{pleroma_proxy_pass}}; } } diff --git a/roles/pleroma/templates/pleroma.service.j2 b/roles/pleroma/templates/pleroma.service.j2 index 15a0879..e024200 100644 --- a/roles/pleroma/templates/pleroma.service.j2 +++ b/roles/pleroma/templates/pleroma.service.j2 @@ -9,6 +9,7 @@ User={{pleroma_user}} WorkingDirectory=/home/{{pleroma_user}}/pleroma Environment="HOME=/home/{{pleroma_user}}" Environment="MIX_ENV=prod" +Environment="PLUG_TMPDIR=/tmp/{{pleroma_user}}" ExecStart=/usr/local/bin/mix phx.server ExecReload=/bin/kill $MAINPID KillMode=process 
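Review bot: `proxy_cache_path /tmp/{{pleroma_user}}-pleroma-media-cache` puts the nginx media cache under the world-writable `/tmp`, where another local account can pre-create the path and systemd-tmpfiles or a reboot can remove it; `/var/cache/nginx/{{pleroma_user}}-media`, owned by the nginx user, is the conventional location. The `Environment="PLUG_TMPDIR=/tmp/{{pleroma_user}}"` line added to pleroma.service.j2 on this same line has the same problem, and nothing in the role creates that directory. A `RuntimeDirectory={{pleroma_user}}` directive in the unit (giving the service `/run/{{pleroma_user}}`, owned by it) or a `file` task with `owner`/`mode` would provide a private directory instead. This assumes a shared /tmp; the template shown has no `PrivateTmp=yes`, which would at least isolate the service side.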
diff --git a/roles/pleroma/templates/prod.secret.exs.j2 b/roles/pleroma/templates/prod.secret.exs.j2 index d39f57d..2c4d9f2 100644 --- a/roles/pleroma/templates/prod.secret.exs.j2 +++ b/roles/pleroma/templates/prod.secret.exs.j2 @@ -1,7 +1,7 @@ use Mix.Config config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_host}}", scheme: "{{pleroma_scheme}}", port: 443], + url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], http: [port: {{pleroma_port}}], secret_key_base: "{{pleroma_secret_key}}" @@ -10,8 +10,10 @@ config :pleroma, :instance, description: "{{pleroma_desc}}", email: "{{pleroma_admin_email}}", limit: {{pleroma_char_limit}}, - registrations_open: {{pleroma_signup_open}}, - dedupe_media: true + registrations_open: {{pleroma_signup_open}} + +config :pleroma, Pleroma.Upload, + filters: [Pleroma.Upload.Filter.Dedupe] config :pleroma, :media_proxy, enabled: false, -- cgit v1.2.3 From d13ab2a9b8b0794f018d5f52f486f36dddf63682 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sat, 19 Jan 2019 11:48:07 -0600 Subject: Added readme. --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..903ff8c --- /dev/null +++ b/README.md 
@@ -0,0 +1,43 @@ +# Pleroma Ansible Roles + +This project is a collection of [Ansible](http://ansible.com) roles designed to install one or +more [Pleroma](https://pleroma.social) instances behind an [Nginx](http://nginx.org) reverse proxy. + +## Example Playbook + +The following example configures two Pleroma instances on one host and uses an Nginx reverse proxy to route based on +domain name. The second site is optional. + +```yaml +- hosts: pleroma + roles: + - role: pleroma + pleroma_user: "pleroma_example" + pleroma_link_host: "example.social" + pleroma_port: 4000 + pleroma_signup_open: "true" + +- hosts: pleroma + roles: + - role: pleroma + pleroma_user: "pleroma_test" + pleroma_link_host: "test.social" + pleroma_port: 4001 + pleroma_signup_open: "true" +``` + +## Example Ansible Vars + +The following variables would go into Ansible `group_vars`, for example, and connects to an AWS RDS PostgreSQL database. + +```yaml +nginx_conf_src: "roles/pleroma/templates/pleroma.nginx.conf.j2" +nginx_enable_ssl: Yes +nginx_server_name: "{{pleroma_link_host}}" + +pleroma_link_scheme: "https" +pleroma_db_host: "pleroma.123123.us-east-1.rds.amazonaws.com" +pleroma_db_passwd: "pleDbPass123" +pleroma_db_superpass: "dbpass123" +pleroma_secret_key: "secret123" +``` -- cgit v1.2.3 From 4e5135743f1a8b9a387d57998e808bd09e0c6b1f Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sat, 19 Jan 2019 11:52:11 -0600 Subject: Removed my project-specific main.yaml. --- main.yaml | 37 ------------------------------------- 1 file changed, 37 deletions(-) delete mode 100644 main.yaml diff --git a/main.yaml b/main.yaml deleted file mode 100644 index 81108fd..0000000 --- a/main.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- - -- name: setup python2 - hosts: all - gather_facts: no - tasks: - - name: install python2 - become: yes - raw: "apt-get install python -y" - - - name: set hostname in OS - become: yes - hostname: name="{{inventory_hostname}}" - - - name: change timezone to UTC - become: yes - timezone: name="UTC" - - - name: authorize ssh keys - authorized_key: - user: "ubuntu" - key: "https://github.com/LukeHoersten.keys" - -- hosts: pleroma - roles: - - role: pleroma - pleroma_user: "pleroma_haskell_social" - pleroma_link_host: "haskell.social" - pleroma_port: 4001 - -- hosts: pleroma - roles: - - role: pleroma - pleroma_user: "pleroma_nth_io" - pleroma_link_host: "nth.io" - pleroma_port: 4000 - pleroma_signup_open: "false" -- cgit v1.2.3 From 02e2dca550bae1d23a3b37af98f8c568f11da989 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sat, 19 Jan 2019 13:00:49 -0600 Subject: Removed my specific ansible config. --- ansible.cfg | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 ansible.cfg diff --git a/ansible.cfg b/ansible.cfg deleted file mode 100644 index d4b0897..0000000 --- a/ansible.cfg +++ /dev/null @@ -1,19 +0,0 @@ -[defaults] -inventory = ./inventory - -#remote_tmp = ~/.ansible/tmp - -retry_files_enabled = false -roles_path = ./roles -#become_flags = -H -S -n -E -#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper -#merge_multiple_cli_flags = true - -# SSH -#timeout = 10 -#executable = /bin/bash -host_key_checking = False -#remote_port = 22 - -[ssh_connection] -pipelining = true -- cgit v1.2.3 From f1ffd7d86f472ada8933ac412fd6b0c84f77719c Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sat, 19 Jan 2019 13:32:43 -0600 Subject: Fixed deprecated ansible syntax. --- roles/pleroma/defaults/main.yaml | 7 +++++++ roles/pleroma/tasks/main.yaml | 10 ++-------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 5d2569f..94ff9e4 100644 
--- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -19,3 +19,10 @@ pleroma_char_limit: 5000 pleroma_signup_open: "true" pleroma_db_host: "localhost" pleroma_db_superuser: "postgres" + +pleroma_apt_packages: + - "postgresql" + - "esl-erlang" + - "elixir" + - "build-essential" + - "git" diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index f34952b..b045b51 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -12,15 +12,9 @@ become: yes apt: upgrade="dist" update_cache="yes" cache_valid_time="3600" -- name: install extra apt packages +- name: install pleroma apt packages become: yes - apt: name="{{item}}" - with_items: - - "postgresql" - - "esl-erlang" - - "elixir" - - "build-essential" - - "git" + apt: name="{{pleroma_apt_packages}}" - name: add users become: yes -- cgit v1.2.3 From 93e5f20e2173a066b7b7b8e29bb8963a1e42ed1e Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sat, 19 Jan 2019 13:45:58 -0600 Subject: Location of mix changed. --- roles/pleroma/tasks/main.yaml | 2 +- roles/pleroma/templates/pleroma.service.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index b045b51..dfc9b0c 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -61,7 +61,7 @@ - "mix local.hex --force" - "mix local.rebar --force" - "mix deps.get" - # - "mix ecto.migrate" + - "mix ecto.migrate" notify: restart pleroma environment: MIX_ENV: "prod" diff --git a/roles/pleroma/templates/pleroma.service.j2 b/roles/pleroma/templates/pleroma.service.j2 index e024200..f34a641 100644 --- a/roles/pleroma/templates/pleroma.service.j2 +++ b/roles/pleroma/templates/pleroma.service.j2 
@@ -10,7 +10,7 @@ WorkingDirectory=/home/{{pleroma_user}}/pleroma Environment="HOME=/home/{{pleroma_user}}" Environment="MIX_ENV=prod" Environment="PLUG_TMPDIR=/tmp/{{pleroma_user}}" -ExecStart=/usr/local/bin/mix phx.server +ExecStart=/usr/bin/mix phx.server ExecReload=/bin/kill $MAINPID KillMode=process Restart=on-failure -- cgit v1.2.3 From 08f54aca198c4acbeed0b1336cd5fc0a7afaae48 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 17 Nov 2019 08:14:06 -0600 Subject: Pleroma role updates. Added Postgresql role. --- roles/nginx/tasks/main.yaml | 6 ----- roles/pleroma/defaults/main.yaml | 14 ++++++++--- roles/pleroma/meta/main.yaml | 4 ---- roles/pleroma/tasks/main.yaml | 37 ++++++++++++++++++++++++------ roles/pleroma/templates/prod.secret.exs.j2 | 4 +++- roles/pleroma/templates/setup_db.psql.j2 | 3 +-- roles/postgresql/defaults/main.yaml | 10 ++++++++ roles/postgresql/handlers/main.yaml | 5 ++++ roles/postgresql/tasks/main.yaml | 27 ++++++++++++++++++++++ 9 files changed, 87 insertions(+), 23 deletions(-) delete mode 100644 roles/pleroma/meta/main.yaml create mode 100644 roles/postgresql/defaults/main.yaml create mode 100644 roles/postgresql/handlers/main.yaml create mode 100644 roles/postgresql/tasks/main.yaml diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 7a0589f..e255410 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -9,12 +9,6 @@ template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" notify: restart nginx -# https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx -- name: add certbot (letsencrypt) repo - become: yes - apt_repository: repo="ppa:certbot/certbot" - when: nginx_enable_ssl - - name: install nginx packages become: yes apt: name="python-certbot-nginx" diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 94ff9e4..1002817 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml 
@@ -20,9 +20,17 @@ pleroma_signup_open: "true" pleroma_db_host: "localhost" pleroma_db_superuser: "postgres" +pleroma_version: "v1.0.6" + pleroma_apt_packages: - - "postgresql" - - "esl-erlang" - "elixir" - - "build-essential" - "git" + - "build-essential" + + # - "erlang-dev" + # - "erlang-tools" + # - "erlang-parsetools" + # - "erlang-ssh" + # - "erlang-ssl" + # - "erlang-inets" + # - "erlang-xmerl" diff --git a/roles/pleroma/meta/main.yaml b/roles/pleroma/meta/main.yaml deleted file mode 100644 index d7aa38d..0000000 --- a/roles/pleroma/meta/main.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -dependencies: - - nginx diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index dfc9b0c..8cd1cb5 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml @@ -2,11 +2,11 @@ - name: add erland solutions key become: yes - apt_key: "url=http://packages.erlang-solutions.com/debian/erlang_solutions.asc" + apt_key: url="http://packages.erlang-solutions.com/debian/erlang_solutions.asc" - name: install erland solutions repo become: yes - apt_repository: repo="deb http://binaries.erlang-solutions.com/debian bionic contrib" + apt_repository: repo="deb http://binaries.erlang-solutions.com/debian buster contrib" - name: update apt package cache become: yes @@ -26,6 +26,7 @@ git: repo: "https://git.pleroma.social/pleroma/pleroma.git" dest: "~{{pleroma_user}}/pleroma" + version: "{{pleroma_version}}" force: yes - name: install pleroma config files @@ -36,7 +37,6 @@ group: "{{pleroma_user}}" mode: "0775" become: yes - become_user: "{{pleroma_user}}" with_items: - "setup_db.psql" - "prod.secret.exs" 
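Review bot: `apt_key: url="http://packages.erlang-solutions.com/debian/erlang_solutions.asc"` fetches the repository signing key over plain HTTP, so the key that anchors trust for every package from that repository is obtained over an unauthenticated channel; this hunk only changed the argument syntax. Using `https://` for the URL and pinning the expected key with the module's `id:` parameter verifies what was downloaded. The `apt_repository` line moving to `buster` is fine on its own, since apt checks the metadata signature — but only against whatever key the previous task installed.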
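Review bot: `install pleroma config files` writes `setup_db.psql` and `prod.secret.exs` with `mode: "0775"`, leaving files that carry the database password — and, for prod.secret.exs, `secret_key_base` per the template later in this series — readable by every local account; `mode: "0640"` (or `0600`) with the existing `owner: "{{pleroma_user}}"` is enough for the service to read them. Dropping `become_user` here is right, since `become: yes` plus `owner`/`group` already places the files under the service user. The task's `template:` header is outside the hunk.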
@@ -45,11 +45,18 @@ - name: install pleroma psql become: yes become_user: "{{pleroma_db_superuser}}" - command: "psql -f ~{{pleroma_user}}/pleroma/config/setup_db.psql -h {{pleroma_db_host}}" + command: "psql -f ~{{pleroma_user}}/pleroma/config/setup_db.psql" notify: restart pleroma - environment: - PGUSER: "{{pleroma_db_superuser}}" - PGPASSWORD: "{{pleroma_db_superpass}}" + +# - name: restore +# postgresql_db: +# state: "restore" +# db: "{{pleroma_user}}" +# target: "/tmp/{{pleroma_user}}-backup.sql" +# login_user: "{{pleroma_user}}" +# login_password: "{{pleroma_db_passwd}}" +# login_host: "{{pleroma_db_host}}" +# when: "{{pleroma_restore_db}}" - name: migrate db become: yes @@ -78,3 +85,19 @@ - name: enable pleroma systemd service systemd: name="{{pleroma_user}}" enabled="yes" state="started" become: yes + + +# - name: backup db +# postgresql_db: +# state: "dump" +# db: "{{pleroma_user}}" +# target: "/tmp/{{pleroma_user}}-backup.sql" +# login_user: "{{pleroma_user}}" +# login_password: "{{pleroma_db_passwd}}" +# login_host: "{{pleroma_db_host}}" + + + + + +# pg_dump -U pleroma_nth_io -h pleroma.ctzpnw3lfkwz.us-east-1.rds.amazonaws.com pleroma_nth_io -f pleroma_nth_io_dump.sql diff --git a/roles/pleroma/templates/prod.secret.exs.j2 b/roles/pleroma/templates/prod.secret.exs.j2 index 2c4d9f2..85b0bbb 100644 --- a/roles/pleroma/templates/prod.secret.exs.j2 +++ b/roles/pleroma/templates/prod.secret.exs.j2 @@ -27,4 +27,6 @@ config :pleroma, Pleroma.Repo, password: "{{pleroma_db_passwd}}", database: "{{pleroma_user}}", hostname: "{{pleroma_db_host}}", - pool_size: 10 + pool_size: 10, + timeout: 60000, + pool_timeout: 60000 diff --git a/roles/pleroma/templates/setup_db.psql.j2 b/roles/pleroma/templates/setup_db.psql.j2 index 459bec8..9a4af30 100644 --- a/roles/pleroma/templates/setup_db.psql.j2 +++ b/roles/pleroma/templates/setup_db.psql.j2 
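Review bot: `install pleroma psql` runs `psql -f …/setup_db.psql` on every play, and the script's `CREATE USER`/`CREATE DATABASE` statements fail on the second run; `psql -f` still exits 0 on statement errors unless `-v ON_ERROR_STOP=1` is passed, so the failure is hidden while the task reports changed and restarts pleroma each time. Passing `-v ON_ERROR_STOP=1` surfaces the errors, and guarding the task with a `register`ed existence check (or creating the role and database with the `postgresql_user`/`postgresql_db` modules, as the commented-out `restore` task already does for its part) makes it idempotent. If the commented-out task is revived, `when: "{{pleroma_restore_db}}"` is the bare-template form Ansible warns about; `when: pleroma_restore_db` is the accepted form.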
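Review bot: The trailing comment `# pg_dump -U pleroma_nth_io -h pleroma.ctzpnw3lfkwz.us-east-1.rds.amazonaws.com …` commits one deployment's real database endpoint and role name into a role file that the README presents as reusable; that is private inventory, not role documentation. Keep the example generic, `pg_dump -U {{pleroma_user}} -h {{pleroma_db_host}} {{pleroma_user}} -f {{pleroma_user}}_dump.sql`, and keep the real hostname in private group_vars. The commented-out `backup db` task above it is the natural home for this once it is enabled.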
@@ -1,6 +1,5 @@ CREATE USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'; -CREATE DATABASE {{pleroma_user}}; -ALTER DATABASE {{pleroma_user}} OWNER TO {{pleroma_user}}; +CREATE DATABASE {{pleroma_user}} WITH OWNER {{pleroma_user}}; \c {{pleroma_user}}; --Extensions made by ecto.migrate that need superuser access CREATE EXTENSION IF NOT EXISTS citext; diff --git a/roles/postgresql/defaults/main.yaml b/roles/postgresql/defaults/main.yaml new file mode 100644 index 0000000..ff230a9 --- /dev/null +++ b/roles/postgresql/defaults/main.yaml @@ -0,0 +1,10 @@ +--- + +postgresql_version: "11" +postgresql_config_path: "/etc/postgresql/{{postgresql_version}}/main/postgresql.conf" +postgresql_data_dir: "/var/lib/postgresql/{{postgresql_version}}/main" +postgresql_apt_packages: + - "postgresql-{{postgresql_version}}" + - "pgcli" + - "postgresql-client" + - "postgresql-common" diff --git a/roles/postgresql/handlers/main.yaml b/roles/postgresql/handlers/main.yaml new file mode 100644 index 0000000..d2eb688 --- /dev/null +++ b/roles/postgresql/handlers/main.yaml @@ -0,0 +1,5 @@ +--- + +- name: restart postgres + become: yes + systemd: name="postgresql" state="restarted" daemon_reload="yes" diff --git a/roles/postgresql/tasks/main.yaml b/roles/postgresql/tasks/main.yaml new file mode 100644 index 0000000..6195840 --- /dev/null +++ b/roles/postgresql/tasks/main.yaml 
@@ -0,0 +1,27 @@ +--- + +- name: install postgresql + become: yes + apt: name="{{postgresql_apt_packages}}" + +- name: configure postgresql data dir + become: yes + lineinfile: + path: "{{postgresql_config_path}}" + regexp: "^data_directory = " + line: "data_directory = '{{postgresql_data_dir}}'" + notify: restart postgres + +- name: create postgresql data dir + become: yes + file: + path: "{{postgresql_data_dir}}" + state: "directory" + mode: "0700" + owner: "postgres" + group: "postgres" + notify: restart postgres + +- name: ensure postgresql is started + become: yes + systemd: name="postgresql" enabled="yes" state="started" -- cgit v1.2.3 From 70cac415f331139506ee4de79a26de80153637c6 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 17 Nov 2019 08:23:59 -0600 Subject: Removed unused packages. --- roles/pleroma/defaults/main.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 1002817..28a2730 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -26,11 +26,3 @@ pleroma_apt_packages: - "elixir" - "git" - "build-essential" - - # - "erlang-dev" - # - "erlang-tools" - # - "erlang-parsetools" - # - "erlang-ssh" - # - "erlang-ssl" - # - "erlang-inets" - # - "erlang-xmerl" -- cgit v1.2.3 From 525128f23817b7417f9ed005f8d722e6deac4ad0 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 17 Nov 2019 08:51:19 -0600 Subject: Updated pleroma version from 1.0.6 to 1.1.5. --- roles/pleroma/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 28a2730..4039271 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -20,7 +20,7 @@ pleroma_signup_open: "true" pleroma_db_host: "localhost" pleroma_db_superuser: "postgres" -pleroma_version: "v1.0.6" +pleroma_version: "v1.1.5" pleroma_apt_packages: - "elixir" -- cgit v1.2.3 
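Review bot: `configure postgresql data dir` rewrites `data_directory` before `create postgresql data dir` makes the directory, and nothing initialises a cluster there, so if `postgresql_data_dir` is ever pointed away from the package default the `restart postgres` handler brings the server up against an empty directory. Either state the assumption, `# assumes postgresql_data_dir is the cluster the package created; no initdb/move is performed`, or add an `initdb`/`pg_ctlcluster` step guarded by `creates: "{{postgresql_data_dir}}/PG_VERSION"` before the config change. `mode: "0700"` with `postgres:postgres` is the right ownership for that directory.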
From 27b263eb5c72bf4cca0123a48faef5359c3bed97 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 17 Nov 2019 09:33:48 -0600 Subject: Added hardening settings. --- roles/pleroma/templates/pleroma.service.j2 | 16 ++++++++++++++++ roles/pleroma/templates/prod.secret.exs.j2 | 10 ++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/roles/pleroma/templates/pleroma.service.j2 b/roles/pleroma/templates/pleroma.service.j2 index f34a641..0effbf1 100644 --- a/roles/pleroma/templates/pleroma.service.j2 +++ b/roles/pleroma/templates/pleroma.service.j2 @@ -7,13 +7,29 @@ After=network.target postgresql.service [Service] User={{pleroma_user}} WorkingDirectory=/home/{{pleroma_user}}/pleroma + Environment="HOME=/home/{{pleroma_user}}" Environment="MIX_ENV=prod" Environment="PLUG_TMPDIR=/tmp/{{pleroma_user}}" + ExecStart=/usr/bin/mix phx.server ExecReload=/bin/kill $MAINPID KillMode=process Restart=on-failure +; Some security directives. +; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. +PrivateTmp=true +; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. +ProtectHome=false +; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. +ProtectSystem=full +; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. +PrivateDevices=false +; Ensures that the service process and all its children can never gain new privileges through execve(). +NoNewPrivileges=true +; Drops the sysadmin capability from the daemon. +CapabilityBoundingSet=~CAP_SYS_ADMIN + [Install] WantedBy=multi-user.target 
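Review bot: `ProtectHome=false` cancels much of the hardening added here, since the checkout under `/home/{{pleroma_user}}/pleroma` (which also holds `prod.secret.exs`) stays writable to the service together with everything else in `/home`. If the working directory has to remain there, `ProtectHome=read-only` plus `ReadWritePaths=/home/{{pleroma_user}}/pleroma` should limit the service to the tree it needs (verify on the target systemd that `ReadWritePaths=` re-opens paths under `ProtectHome=read-only`). `PrivateDevices=false` is likewise worth flipping to `true` unless the Raspberry Pi caveat in the copied comment actually applies to this host.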
diff --git a/roles/pleroma/templates/prod.secret.exs.j2 b/roles/pleroma/templates/prod.secret.exs.j2 index 85b0bbb..c9b292d 100644 --- a/roles/pleroma/templates/prod.secret.exs.j2 +++ b/roles/pleroma/templates/prod.secret.exs.j2 @@ -2,8 +2,14 @@ use Mix.Config config :pleroma, Pleroma.Web.Endpoint, url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], - http: [port: {{pleroma_port}}], - secret_key_base: "{{pleroma_secret_key}}" + http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], + secret_key_base: "{{pleroma_secret_key}}", + secure_cookie_flag: true, + http_security: true + +config :pleroma, :http_security, + sts: true, + referrer_policy: "same-origin" config :pleroma, :instance, name: "{{pleroma_instance_name}}", -- cgit v1.2.3 From bf6a0bbecc2727fce62c3d80c5f9077ff9e65bc9 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 17 Nov 2019 13:06:07 -0600 Subject: Minor udpates. --- roles/pleroma/templates/prod.secret.exs.j2 | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/pleroma/templates/prod.secret.exs.j2 b/roles/pleroma/templates/prod.secret.exs.j2 index c9b292d..d1504c3 100644 --- a/roles/pleroma/templates/prod.secret.exs.j2 +++ b/roles/pleroma/templates/prod.secret.exs.j2 @@ -1,13 +1,13 @@ use Mix.Config config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], - http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], - secret_key_base: "{{pleroma_secret_key}}", - secure_cookie_flag: true, - http_security: true + url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], + http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], + secret_key_base: "{{pleroma_secret_key}}", + secure_cookie_flag: true config :pleroma, :http_security, + enabled: true, sts: true, referrer_policy: "same-origin" 
@@ -16,7 +16,8 @@ config :pleroma, :instance, description: "{{pleroma_desc}}", email: "{{pleroma_admin_email}}", limit: {{pleroma_char_limit}}, - registrations_open: {{pleroma_signup_open}} + registrations_open: {{pleroma_signup_open}}, + invites_enabled: {{pleroma_invites_enabled}} config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Dedupe] -- cgit v1.2.3 From 0f1c6a7f72437897b8474dfb71773a2a55e2fc81 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Tue, 26 Nov 2019 19:20:28 -0600 Subject: Updated pleroma to 1.1.6. --- roles/pleroma/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 4039271..08b0d88 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -20,7 +20,7 @@ pleroma_signup_open: "true" pleroma_db_host: "localhost" pleroma_db_superuser: "postgres" -pleroma_version: "v1.1.5" +pleroma_version: "v1.1.6" pleroma_apt_packages: - "elixir" -- cgit v1.2.3 From 94e7b91298aa0c3c981b7dd06adbff85bf420a15 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Tue, 26 Nov 2019 19:44:11 -0600 Subject: Fixed pgsql permissions. --- roles/pleroma/tasks/main.yaml | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml index 8cd1cb5..4b844d6 100644 --- a/roles/pleroma/tasks/main.yaml +++ b/roles/pleroma/tasks/main.yaml 
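Review bot: `invites_enabled: {{pleroma_invites_enabled}}` references a variable this commit does not add to `roles/pleroma/defaults/main.yaml`, so the template renders only if the inventory defines it and otherwise the play fails on an undefined variable. Add a default next to `pleroma_signup_open`, e.g. `pleroma_invites_enabled: "false"`, so the role is self-contained. The `config :pleroma, :instance` block starts before this hunk.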
@@ -29,23 +29,29 @@ version: "{{pleroma_version}}" force: yes -- name: install pleroma config files +- name: install pleroma config template: - src: "{{item}}.j2" - dest: "~{{pleroma_user}}/pleroma/config/{{item}}" + src: "prod.secret.exs.j2" + dest: "~{{pleroma_user}}/pleroma/config/prod.secret.exs" owner: "{{pleroma_user}}" group: "{{pleroma_user}}" - mode: "0775" + mode: "0700" become: yes - with_items: - - "setup_db.psql" - - "prod.secret.exs" notify: restart pleroma +- name: install pleroma db schema file + template: + src: "setup_db.psql.j2" + dest: "/tmp/setup_db.psql" + owner: "{{pleroma_db_superuser}}" + group: "{{pleroma_db_superuser}}" + mode: "0700" + become: yes + - name: install pleroma psql become: yes become_user: "{{pleroma_db_superuser}}" - command: "psql -f ~{{pleroma_user}}/pleroma/config/setup_db.psql" + command: "psql -f /tmp/setup_db.psql" notify: restart pleroma # - name: restore -- cgit v1.2.3 From 0a2ef74497a42a11244c468cf9b2c8099857ecb0 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 8 Dec 2019 14:56:04 -0600 Subject: Added certbot and cloudflare support. --- roles/nginx/defaults/main.yaml | 4 +- roles/nginx/tasks/main.yaml | 4 +- .../templates/pleroma.cloudflare.nginx.conf.j2 | 74 ++++++++++++++++++++++ roles/pleroma/templates/pleroma.nginx.conf.j2 | 4 +- 4 files changed, 81 insertions(+), 5 deletions(-) create mode 100644 roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2 diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml index 8d65d55..c0db79d 100644 --- a/roles/nginx/defaults/main.yaml +++ b/roles/nginx/defaults/main.yaml 
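Review bot: `dest: "/tmp/setup_db.psql"` writes a rendered file containing `{{pleroma_db_passwd}}` to a fixed, predictable path in the shared `/tmp`, and no task removes it afterwards, so the DB password stays on disk after the play. Render it into a root-owned private directory created with the `tempfile` module (or feed the SQL to `psql` through the `command` module's `stdin`), and add a follow-up `file: path="/tmp/setup_db.psql" state="absent"` task; the `install pleroma psql` task in the same hunk needs the matching path. `mode: "0700"` on `prod.secret.exs` is an improvement over the previous `0775`, and `0600` is sufficient since the file is not executable.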
@@ -2,7 +2,9 @@ nginx_port: 80 nginx_ssl_port: 443 -nginx_enable_ssl: No +nginx_ssl_cert: "/etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem" +nginx_ssl_privkey: "/etc/letsencrypt/live/{{nginx_server_name}}/privkey.pem" +nginx_enable_certbot: No nginx_server_name: "{{ansible_host}}" nginx_conf_dst: "{{nginx_server_name}}.nginx.conf" nginx_admin_email: "admin@{{nginx_server_name}}" diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index e255410..74c6d7e 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -13,13 +13,13 @@ become: yes apt: name="python-certbot-nginx" notify: restart nginx - when: nginx_enable_ssl + when: nginx_enable_certbot - name: install certbot in nginx become: yes command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" notify: restart nginx - when: nginx_enable_ssl + when: nginx_enable_certbot - name: disable default site become: yes diff --git a/roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2 b/roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2 new file mode 100644 index 0000000..284d280 --- /dev/null +++ b/roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2 
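Review bot: `command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}"` has no `creates:` guard, so it is executed and reported as changed on every play even after a certificate exists, and repeated issuance attempts risk the CA's rate limits. Since `nginx_ssl_cert` already names the fullchain path, add `args: creates: "{{nginx_ssl_cert}}"` to this task and leave renewals to certbot's own timer. The rename from `nginx_enable_ssl` to `nginx_enable_certbot` silently disables issuance for any inventory still setting the old name; a comment in `defaults/main.yaml` noting the rename would catch that.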
@@ -0,0 +1,74 @@ +# default nginx site config for Pleroma +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it +# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. + +proxy_cache_path /tmp/{{pleroma_user}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_user}}-pleroma_media_cache:10m max_size=10g + inactive=720m use_temp_path=off; + +server { + listen {{nginx_port}}; + # listen [::]:{{nginx_port}}; + server_name _; + return 301 https://$host$request_uri; +} + +# Enable SSL session caching for improved performance +ssl_session_cache shared:ssl_session_cache:10m; + +server { + listen {{nginx_ssl_port}} ssl http2; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + server_name _; + + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; + include /etc/letsencrypt/options-ssl-nginx.conf; + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; + ssl_stapling on; + ssl_stapling_verify on; + + add_header Strict-Transport-Security "max-age=31536000" always; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; + + # the nginx default is 1m, not enough for large media uploads + client_max_body_size 16m; + + location / { + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + add_header Strict-Transport-Security 
"max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{pleroma_proxy_pass}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache {{pleroma_user}}-pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{pleroma_proxy_pass}}; + } +} diff --git a/roles/pleroma/templates/pleroma.nginx.conf.j2 b/roles/pleroma/templates/pleroma.nginx.conf.j2 index b760a44..1d5fb9d 100644 --- a/roles/pleroma/templates/pleroma.nginx.conf.j2 +++ b/roles/pleroma/templates/pleroma.nginx.conf.j2 @@ -33,8 +33,8 @@ server { # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; server_name {{nginx_server_name}}; - ssl_certificate /etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{nginx_server_name}}/privkey.pem; + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; -- cgit v1.2.3 From 9f784f33470fc8b70936c2980f53182ff21481a1 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 19 Jan 2020 13:40:16 -0600 Subject: Fixed admin email. --- roles/pleroma/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml index 08b0d88..dd15bd7 100644 --- a/roles/pleroma/defaults/main.yaml +++ b/roles/pleroma/defaults/main.yaml @@ -14,7 +14,7 @@ pleroma_link_scheme: "https" pleroma_instance_name: "{{pleroma_link_host}}" pleroma_desc: "A Pleroma fediverse instance." -pleroma_admin_email: "admin@{{pleroma_host}}" +pleroma_admin_email: "admin@{{pleroma_link_host}}" pleroma_char_limit: 5000 pleroma_signup_open: "true" pleroma_db_host: "localhost" -- cgit v1.2.3 From 36c11d8d18deec8dbc5a0e2483d9bfb6c73faae0 Mon Sep 17 00:00:00 2001 
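Review bot: The `add_header` set inside `location /` replaces, rather than extends, the server-level `add_header Strict-Transport-Security "max-age=31536000" always;` — nginx inherits `add_header` from the enclosing level only when the location defines none — and the location-level headers lack `always`, so proxied 4xx/5xx responses from this location carry no HSTS or framing headers at all. Add `always` to the location-level headers or define the whole set once in the `server` block, keeping a single HSTS value. For a Cloudflare-fronted origin the template also has no `set_real_ip_from`/`real_ip_header CF-Connecting-IP` and no restriction of the TLS listener to Cloudflare's ranges, so logs and any rate limiting see proxy addresses and the origin remains reachable directly; and `include /etc/letsencrypt/options-ssl-nginx.conf` presumes certbot's file exists even when `nginx_enable_certbot` is off. The same header layout recurs in the `roles/pleroma-otp` copies of `pleroma.cloudflare.nginx.conf.j2` and `pleroma.nginx.conf.j2` later on this page.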
From: Luke Hoersten Date: Sun, 19 Jan 2020 13:41:08 -0600 Subject: Added WIP pleroma OTP role. --- roles/pleroma-otp/defaults/main.yaml | 30 ++++++ roles/pleroma-otp/files/pleroma@.service | 33 ++++++ roles/pleroma-otp/handlers/main.yaml | 5 + roles/pleroma-otp/tasks/main.yaml | 113 +++++++++++++++++++++ roles/pleroma-otp/templates/config.exs.j2 | 43 ++++++++ .../templates/pleroma.cloudflare.nginx.conf.j2 | 74 ++++++++++++++ roles/pleroma-otp/templates/pleroma.nginx.conf.j2 | 95 +++++++++++++++++ roles/pleroma-otp/templates/setup_db.psql.j2 | 7 ++ 8 files changed, 400 insertions(+) create mode 100644 roles/pleroma-otp/defaults/main.yaml create mode 100644 roles/pleroma-otp/files/pleroma@.service create mode 100644 roles/pleroma-otp/handlers/main.yaml create mode 100644 roles/pleroma-otp/tasks/main.yaml create mode 100644 roles/pleroma-otp/templates/config.exs.j2 create mode 100644 roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 create mode 100644 roles/pleroma-otp/templates/pleroma.nginx.conf.j2 create mode 100644 roles/pleroma-otp/templates/setup_db.psql.j2 diff --git a/roles/pleroma-otp/defaults/main.yaml b/roles/pleroma-otp/defaults/main.yaml new file mode 100644 index 0000000..13b31e5 --- /dev/null +++ b/roles/pleroma-otp/defaults/main.yaml 
@@ -0,0 +1,30 @@
+---
+
+pleroma_host: "localhost"
+pleroma_port: 4000
+pleroma_scheme: "http"
+
+pleroma_proxy_pass: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}"
+
+pleroma_link_host: "localhost"
+pleroma_link_port: "443"
+pleroma_link_scheme: "https"
+
+pleroma_instance_name: "{{pleroma_link_host}}"
+pleroma_desc: "A Pleroma fediverse instance."
+pleroma_admin_email: "admin@{{pleroma_link_host}}"
+pleroma_char_limit: 5000
+pleroma_signup_open: "true"
+pleroma_db_host: "localhost"
+pleroma_db_superuser: "postgres"
+
+pleroma_apt_packages:
+ - "curl"
+ - "unzip"
+
+pleroma_branch: "stable"
+pleroma_flavor: "arm"
+
+pleroma_db: "{{pleroma_instance}}"
+pleroma_db_user: "{{pleroma_instance}}"
+pleroma_data_dir: "/var/lib/pleroma/instance_data"
diff --git a/roles/pleroma-otp/files/pleroma@.service b/roles/pleroma-otp/files/pleroma@.service
new file mode 100644
index 0000000..935b368
--- /dev/null
+++ b/roles/pleroma-otp/files/pleroma@.service
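Review bot: `pleroma_signup_open: "true"` makes open registration the role default for a freshly provisioned public instance, and `pleroma_flavor: "arm"` selects an ARM build by default; both are surprising defaults for a generic role, so consider `pleroma_signup_open: "false"` and requiring `pleroma_flavor` to be set explicitly. `pleroma_db` and `pleroma_db_user` are derived from `pleroma_instance`, which has no default here and is presumably expected from the play; a one-line comment, `# pleroma_instance must be set by the caller; it names the systemd instance, DB and data directory`, would make that contract visible.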
@@ -0,0 +1,33 @@
+[Unit]
+Description=Pleroma social network instance %I
+After=network.target postgresql.service
+
+[Service]
+User=pleroma
+WorkingDirectory=/opt/pleroma
+
+Environment="HOME=/opt/pleroma"
+Environment="PLEROMA_CONFIG_PATH=/etc/pleroma/%i.config.exs"
+Environment="PLUG_TMPDIR=/tmp/%i"
+
+ExecStart=/opt/pleroma/bin/pleroma daemon
+ExecReload=/opt/pleroma/bin/pleroma stop
+KillMode=process
+Restart=on-failure
+
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
+ProtectHome=false
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pleroma-otp/handlers/main.yaml b/roles/pleroma-otp/handlers/main.yaml
new file mode 100644
index 0000000..f3f7461
--- /dev/null
+++ b/roles/pleroma-otp/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+
+- name: "restart pleroma {{pleroma_instance}} instance"
+ become: yes
+ systemd: name="pleroma@{{pleroma_instance}}" state="restarted" daemon_reload="yes"
diff --git a/roles/pleroma-otp/tasks/main.yaml b/roles/pleroma-otp/tasks/main.yaml
new file mode 100644
index 0000000..65c524b
--- /dev/null
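Review bot: `ExecReload=/opt/pleroma/bin/pleroma stop` stops the daemon instead of reloading it, and with `Restart=on-failure` a clean stop presumably leaves the unit down until the next explicit start; either drop `ExecReload` or point it at a real reload command. `ProtectSystem=full` leaves `/opt` and `/var/lib` writable, so with the release installed under `/opt/pleroma` the service can rewrite its own code; `ProtectSystem=strict` with `ReadWritePaths=/var/lib/pleroma/instance_data/%i` would confine writes to the instance data (confirm that the `PrivateTmp` mount used for `PLUG_TMPDIR=/tmp/%i` stays writable under `strict`).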
+++ b/roles/pleroma-otp/tasks/main.yaml 
@@ -0,0 +1,113 @@ +--- + +- name: install pleroma apt packages + become: yes + apt: name="{{pleroma_apt_packages}}" + +- name: add users + become: yes + user: name="pleroma" shell="/bin/false" home="/opt/pleroma" system="yes" + +- name: create config and data directory + become: yes + file: + path: "{{item}}" + state: "directory" + mode: "0755" + with_items: + - "{{pleroma_data_dir}}" + - "/etc/pleroma" + +- name: install pleroma config + template: + src: "config.exs.j2" + dest: "/etc/pleroma/{{pleroma_instance}}.config.exs" + mode: "0700" + become: yes + notify: "restart pleroma {{pleroma_instance}} instance" + +- name: create instance data directory + become: yes + file: + path: "{{item}}" + state: "directory" + owner: "pleroma" + group: "pleroma" + mode: "0755" + with_items: + - "{{pleroma_data_dir}}/{{pleroma_instance}}" + - "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads" + - "{{pleroma_data_dir}}/{{pleroma_instance}}/static" + - "{{pleroma_data_dir}}/{{pleroma_instance}}/static/emoji" + +# Set config path in systemd: PLEROMA_CONFIG_PATH + +# - name: install pleroma db schema file +# template: +# src: "setup_db.psql.j2" +# dest: "/tmp/setup_db.psql" +# owner: "{{pleroma_db_superuser}}" +# group: "{{pleroma_db_superuser}}" +# mode: "0700" +# become: yes + +# - name: install pleroma psql +# become: yes +# become_user: "{{pleroma_db_superuser}}" +# command: "psql -f /tmp/setup_db.psql" +# notify: restart pleroma + + + + + +# MIGERATION +# mv ~pleroma/uploads/* /var/lib/pleroma/uploads +# mv ~pleroma/instance/static /var/lib/pleroma/static +# mv ~pleroma/priv/static/emoji /var/lib/pleroma/static/emoji +# mv ~pleroma/config/prod.secret.exs /etc/pleroma/config.exs +# Change `use Mix.Config` at the top to `import Config` +# rm -r ~pleroma/* + + +- name: download and unarchive pleroma release + become: yes + unarchive: + src: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/{{pleroma_branch}}/download?job={{pleroma_flavor}}" + dest: "/tmp/" + 
remote_src: yes + creates: "/tmp/release" + notify: "restart pleroma {{pleroma_instance}} instance" + +- name: install pleroma release + become: yes + copy: remote_src="True" src="/tmp/release/" dest="/opt/pleroma/" + +# - name: Remove old files foo +# file: path="/path/to/foo" state="absent" + +# *** +# mv /tmp/release/* ~pleroma/ + + +# Copy the service into a proper directory +# cp ~pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service + +# - name: "configure pleroma systemd service" +# become: yes +# copy: +# src: "pleroma@.service" +# dest: "/lib/systemd/system/pleroma@.service" +# notify: "restart pleroma {{pleroma_instance}} instance" + +# - name: "ensure pleroma {{pleroma_instance}} instance is enabled and started" +# become: yes +# systemd: name="pleroma@{{pleroma_instance}}" enabled="yes" state="started" + +# - name: migrate db +# become: yes +# become_user: "pleroma" +# command: "/opt/pleroma/bin/pleroma_ctl migrate" +# args: +# chdir: "/opt/pleroma/" +# notify: restart pleroma diff --git a/roles/pleroma-otp/templates/config.exs.j2 b/roles/pleroma-otp/templates/config.exs.j2 new file mode 100644 index 0000000..06d1fb8 --- /dev/null +++ b/roles/pleroma-otp/templates/config.exs.j2 
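Review bot: `creates: "/tmp/release"` on `download and unarchive pleroma release` means whatever already sits at that predictable path in the shared `/tmp` is what `install pleroma release` then copies into `/opt/pleroma` as root, and the artifact itself — a moving build of `{{pleroma_branch}}` fetched from the GitLab jobs API — is installed with no checksum or signature check. Download into a root-owned directory from the `tempfile` module and verify a digest with `get_url`'s `checksum:` before unarchiving, keying idempotence on the installed release rather than on `/tmp`; the later hunk of this role (`@@ -40,74 +43,59 @@`) keeps the same `creates`. In the sketch below `pleroma_release_sha256` is a placeholder name for the operator-supplied expected digest.
```yaml
- name: create private download directory
  become: yes
  tempfile: state="directory" suffix="-pleroma"
  register: pleroma_download_dir

- name: download pleroma release
  become: yes
  get_url:
    url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/{{pleroma_branch}}/download?job={{pleroma_flavor}}"
    dest: "{{pleroma_download_dir.path}}/release.zip"
    checksum: "sha256:{{pleroma_release_sha256}}"
    mode: "0600"

- name: unarchive pleroma release
  become: yes
  unarchive:
    src: "{{pleroma_download_dir.path}}/release.zip"
    dest: "{{pleroma_download_dir.path}}/"
    remote_src: yes
  notify: "restart pleroma {{pleroma_instance}} instance"

# … unchanged: install pleroma release (copy), with src pointing at "{{pleroma_download_dir.path}}/release/" …
```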
@@ -0,0 +1,43 @@
+use Mix.Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+ url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}],
+ http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}],
+ secret_key_base: "{{pleroma_secret_key}}",
+ secure_cookie_flag: true
+
+config :pleroma, :http_security,
+ enabled: true,
+ sts: true,
+ referrer_policy: "same-origin"
+
+config :pleroma, :instance,
+ name: "{{pleroma_instance_name}}",
+ description: "{{pleroma_desc}}",
+ email: "{{pleroma_admin_email}}",
+ limit: {{pleroma_char_limit}},
+ registrations_open: {{pleroma_signup_open}},
+ invites_enabled: {{pleroma_invites_enabled}}
+
+config :pleroma, Pleroma.Upload,
+ uploader: Pleroma.Uploaders.Local,
+ filters: [Pleroma.Upload.Filter.Dedupe]
+
+config :pleroma, Pleroma.Uploaders.Local,
+ uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/"
+
+config :pleroma, :media_proxy,
+ enabled: false,
+ redirect_on_failure: true
+ #base_url: "https://cache.pleroma.social"
+
+# Configure your database
+config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ username: "{{pleroma_db_user}}",
+ password: "{{pleroma_db_passwd}}",
+ database: "{{pleroma_db}}",
+ hostname: "{{pleroma_db_host}}",
+ pool_size: 10,
+ timeout: 60000,
+ pool_timeout: 60000
diff --git a/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
new file mode 100644
index 0000000..4363b88
--- /dev/null
+++ b/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
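Review bot: `uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/"` points the local uploader at the instance root, while the tasks file creates a dedicated `{{pleroma_data_dir}}/{{pleroma_instance}}/uploads` directory, so user uploads land beside `static/` instead of in the directory prepared for them. Use `uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads"`. `invites_enabled: {{pleroma_invites_enabled}}` again has no default in this role's `defaults/main.yaml`, the same gap as in the `roles/pleroma` template.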
@@ -0,0 +1,74 @@ +# default nginx site config for Pleroma +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it +# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. + +proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g + inactive=720m use_temp_path=off; + +server { + listen {{nginx_port}}; + # listen [::]:{{nginx_port}}; + server_name _; + return 301 https://$host$request_uri; +} + +# Enable SSL session caching for improved performance +ssl_session_cache shared:ssl_session_cache:10m; + +server { + listen {{nginx_ssl_port}} ssl http2; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + server_name _; + + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; + include /etc/letsencrypt/options-ssl-nginx.conf; + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; + ssl_stapling on; + ssl_stapling_verify on; + + add_header Strict-Transport-Security "max-age=31536000" always; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; + + # the nginx default is 1m, not enough for large media uploads + client_max_body_size 16m; + + location / { + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + add_header Strict-Transport-Security 
"max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{pleroma_proxy_pass}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache {{pleroma_instance}}-pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{pleroma_proxy_pass}}; + } +} diff --git a/roles/pleroma-otp/templates/pleroma.nginx.conf.j2 b/roles/pleroma-otp/templates/pleroma.nginx.conf.j2 new file mode 100644 index 0000000..27c9165 --- /dev/null +++ b/roles/pleroma-otp/templates/pleroma.nginx.conf.j2 
@@ -0,0 +1,95 @@ +# default nginx site config for Pleroma +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it +# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. + +proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g + inactive=720m use_temp_path=off; + +server { + listen {{nginx_port}}; + # listen [::]:{{nginx_port}}; + server_name {{nginx_server_name}}; + return 301 https://$server_name$request_uri; + + # Uncomment this if you need to use the 'webroot' method with certbot. Make sure + # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and + # that is is accessible by the webserver. You may need to load this file with the ssl + # server block commented out, run certbot to get the certificate, and then uncomment it. 
+ # + # location ~ /\.well-known/acme-challenge { + # root /pleroma/priv/static/; + # } +} + +# Enable SSL session caching for improved performance +ssl_session_cache shared:ssl_session_cache:10m; + +server { + listen {{nginx_ssl_port}} ssl http2; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + server_name {{nginx_server_name}}; + + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; + ssl_stapling on; + ssl_stapling_verify on; + + add_header Strict-Transport-Security "max-age=31536000" always; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; + + # the nginx default is 1m, not enough for large media uploads + client_max_body_size 16m; + + location / { + # if you do not want remote frontends to be able to access your Pleroma backend + # server, remove these lines. + # add_header 'Access-Control-Allow-Origin' '*' always; + # add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + # add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + # add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + # if ($request_method = OPTIONS) { + # return 204; + # } + # stop removing lines here. 
+ + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + # Uncomment this only after you get HTTPS working. + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{pleroma_proxy_pass}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache {{pleroma_instance}}-pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{pleroma_proxy_pass}}; + } +} diff --git a/roles/pleroma-otp/templates/setup_db.psql.j2 b/roles/pleroma-otp/templates/setup_db.psql.j2 new file mode 100644 index 0000000..1b27174 --- /dev/null +++ b/roles/pleroma-otp/templates/setup_db.psql.j2 @@ -0,0 +1,7 @@ +CREATE USER {{pleroma_db_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'; +CREATE DATABASE {{pleroma_db}} WITH OWNER {{pleroma_db_user}}; +\c {{pleroma_db}}; +--Extensions made by ecto.migrate that need superuser access +CREATE EXTENSION IF NOT EXISTS citext; +CREATE EXTENSION IF NOT EXISTS pg_trgm; +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; -- cgit v1.2.3 From 63e8c1b3f3bc5b7382c8d36f262f250d59600c76 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 19 Jan 2020 15:33:08 -0600 Subject: Completed pleroma-otp role. --- roles/pleroma-otp/defaults/main.yaml | 6 +- roles/pleroma-otp/files/pleroma@.service | 7 +- roles/pleroma-otp/handlers/main.yaml | 4 +- roles/pleroma-otp/tasks/main.yaml | 104 +++++++++++++----------------- roles/pleroma-otp/templates/config.exs.j2 | 7 +- 5 files changed, 59 insertions(+), 69 deletions(-) diff --git a/roles/pleroma-otp/defaults/main.yaml b/roles/pleroma-otp/defaults/main.yaml index 13b31e5..bb3d043 100644 
--- a/roles/pleroma-otp/defaults/main.yaml +++ b/roles/pleroma-otp/defaults/main.yaml @@ -23,8 +23,8 @@ pleroma_apt_packages: - "unzip" pleroma_branch: "stable" -pleroma_flavor: "arm" +pleroma_download_url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/{{pleroma_branch}}/download?job={{pleroma_flavor}}" -pleroma_db: "{{pleroma_instance}}" -pleroma_db_user: "{{pleroma_instance}}" +pleroma_db: "pleroma_{{pleroma_instance}}" +pleroma_db_user: "pleroma_{{pleroma_instance}}" pleroma_data_dir: "/var/lib/pleroma/instance_data" diff --git a/roles/pleroma-otp/files/pleroma@.service b/roles/pleroma-otp/files/pleroma@.service index 935b368..9de1f79 100644 --- a/roles/pleroma-otp/files/pleroma@.service +++ b/roles/pleroma-otp/files/pleroma@.service @@ -1,6 +1,6 @@ [Unit] -Description=Pleroma social network instance %I -After=network.target postgresql.service +Description=Pleroma social network instance "%I" +After=network.target postgresql.service nginx.service [Service] User=pleroma @@ -12,6 +12,7 @@ Environment="PLUG_TMPDIR=/tmp/%i" ExecStart=/opt/pleroma/bin/pleroma daemon ExecReload=/opt/pleroma/bin/pleroma stop + KillMode=process Restart=on-failure @@ -19,7 +20,7 @@ Restart=on-failure ; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. PrivateTmp=true ; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. -ProtectHome=false +ProtectHome=true ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. ProtectSystem=full ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. 
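Review bot: `pleroma_download_url` still expands `{{pleroma_flavor}}`, but this hunk deletes the only default for `pleroma_flavor`, so the URL renders only when the inventory sets it. If requiring an explicit flavour is intended, say so next to the URL, `# pleroma_flavor (the CI job name, e.g. arm) must be set by the caller; there is no safe default`, otherwise keep a default. Prefixing the DB and role names with `pleroma_` is a sensible change, and the `ProtectHome=true` flip in the service hunk below is consistent with `HOME=/opt/pleroma`.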
diff --git a/roles/pleroma-otp/handlers/main.yaml b/roles/pleroma-otp/handlers/main.yaml index f3f7461..60fdb61 100644 --- a/roles/pleroma-otp/handlers/main.yaml +++ b/roles/pleroma-otp/handlers/main.yaml @@ -1,5 +1,5 @@ --- -- name: "restart pleroma {{pleroma_instance}} instance" +- name: restart pleroma instance become: yes - systemd: name="pleroma@{{pleroma_instance}}" state="restarted" daemon_reload="yes" + systemd: name="pleroma@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes" diff --git a/roles/pleroma-otp/tasks/main.yaml b/roles/pleroma-otp/tasks/main.yaml index 65c524b..d2020b1 100644 --- a/roles/pleroma-otp/tasks/main.yaml +++ b/roles/pleroma-otp/tasks/main.yaml @@ -17,14 +17,17 @@ with_items: - "{{pleroma_data_dir}}" - "/etc/pleroma" + - "/opt/pleroma" - name: install pleroma config template: src: "config.exs.j2" dest: "/etc/pleroma/{{pleroma_instance}}.config.exs" - mode: "0700" + owner: "pleroma" + group: "pleroma" + mode: "0600" become: yes - notify: "restart pleroma {{pleroma_instance}} instance" + notify: restart pleroma instance - name: create instance data directory become: yes 
@@ -40,74 +43,59 @@
- "{{pleroma_data_dir}}/{{pleroma_instance}}/static"
- "{{pleroma_data_dir}}/{{pleroma_instance}}/static/emoji"
-# Set config path in systemd: PLEROMA_CONFIG_PATH
-
-# - name: install pleroma db schema file
-# template:
-# src: "setup_db.psql.j2"
-# dest: "/tmp/setup_db.psql"
-# owner: "{{pleroma_db_superuser}}"
-# group: "{{pleroma_db_superuser}}"
-# mode: "0700"
-# become: yes
-
-# - name: install pleroma psql
-# become: yes
-# become_user: "{{pleroma_db_superuser}}"
-# command: "psql -f /tmp/setup_db.psql"
-# notify: restart pleroma
-
-
-
-
-
-# MIGERATION
-# mv ~pleroma/uploads/* /var/lib/pleroma/uploads
-# mv ~pleroma/instance/static /var/lib/pleroma/static
-# mv ~pleroma/priv/static/emoji /var/lib/pleroma/static/emoji
-# mv ~pleroma/config/prod.secret.exs /etc/pleroma/config.exs
-# Change `use Mix.Config` at the top to `import Config`
-# rm -r ~pleroma/*
+- name: install pleroma db schema file
+ template:
+ src: "setup_db.psql.j2"
+ dest: "/tmp/setup_db.psql"
+ owner: "{{pleroma_db_superuser}}"
+ group: "{{pleroma_db_superuser}}"
+ mode: "0600"
+ become: yes
+- name: install pleroma psql
+ become: yes
+ become_user: "{{pleroma_db_superuser}}"
+ command: "psql -f /tmp/setup_db.psql"
+ notify: restart pleroma instance
- name: download and unarchive pleroma release
become: yes
unarchive:
- src: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/{{pleroma_branch}}/download?job={{pleroma_flavor}}"
+ src: "{{pleroma_download_url}}"
dest: "/tmp/"
remote_src: yes
creates: "/tmp/release"
- notify: "restart pleroma {{pleroma_instance}} instance"
+ notify: restart pleroma instance
- name: install pleroma release
become: yes
- copy: remote_src="True" src="/tmp/release/" dest="/opt/pleroma/"
-
-# - name: Remove old files foo
-# file: path="/path/to/foo" state="absent"
-
-# ***
-# mv /tmp/release/* ~pleroma/
-
-
-# Copy the service into a proper directory
-# cp ~pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
+ copy:
remote_src="True" src="/tmp/release/" dest="/opt/pleroma/" owner="pleroma" group="pleroma"
+ notify: restart pleroma instance
-# - name: "configure pleroma systemd service"
+# - name: remove tmp release folder
# become: yes
-# copy:
-# src: "pleroma@.service"
-# dest: "/lib/systemd/system/pleroma@.service"
-# notify: "restart pleroma {{pleroma_instance}} instance"
+# file: path="{{item}}" state="absent"
+# with_items:
+# - "/tmp/setup_db.psql"
+# - "/tmp/release/"
-# - name: "ensure pleroma {{pleroma_instance}} instance is enabled and started"
-# become: yes
-# systemd: name="pleroma@{{pleroma_instance}}" enabled="yes" state="started"
+- name: "configure pleroma systemd service"
+ become: yes
+ copy:
+ src: "pleroma@.service"
+ dest: "/lib/systemd/system/pleroma@.service"
+ notify: restart pleroma instance
-# - name: migrate db
-# become: yes
-# become_user: "pleroma"
-# command: "/opt/pleroma/bin/pleroma_ctl migrate"
-# args:
-# chdir: "/opt/pleroma/"
-# notify: restart pleroma
+- name: "ensure pleroma {{pleroma_instance}} instance is enabled and started"
+ become: yes
+ systemd: name="pleroma@{{pleroma_instance}}.service" enabled="yes" state="started"
+
+- name: migrate db
+ become: yes
+ become_user: "pleroma"
+ command: "/opt/pleroma/bin/pleroma_ctl migrate"
+ args:
+ chdir: "/opt/pleroma/"
+ environment:
+ PLEROMA_CONFIG_PATH: "/etc/pleroma/{{pleroma_instance}}.config.exs"
+ notify: restart pleroma instance
diff --git a/roles/pleroma-otp/templates/config.exs.j2 b/roles/pleroma-otp/templates/config.exs.j2
index 06d1fb8..d94be00 100644
--- a/roles/pleroma-otp/templates/config.exs.j2
+++ b/roles/pleroma-otp/templates/config.exs.j2
@@ -1,4 +1,4 @@
-use Mix.Config
+import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}],
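Review bot: The release install chain in this hunk has no integrity check and stages through world-writable /tmp: `unarchive` fetches `{{pleroma_download_url}}` (a CI artifact, not a pinned tag) with no checksum, `creates: "/tmp/release"` means any pre-existing /tmp/release directory, stale or not, skips the download entirely, and the `copy` task then installs whatever is there into /opt/pleroma with `owner="pleroma"`, so the service account can modify the code it runs (the unit's `ProtectSystem=full` does not cover /opt). I'd fetch with `get_url` plus `checksum: "sha256:<EXPECTED_SHA256>"` into a root-owned staging directory (e.g. under /var/lib/pleroma, which this role already creates), unarchive from there, and copy with `owner="root" group="root"`, granting the `pleroma` user write access only where the release genuinely needs it. The new `install pleroma psql` task also leaves `/tmp/setup_db.psql` behind (the cleanup task stays commented out) and `psql -f` exits 0 on SQL errors unless run with `-v ON_ERROR_STOP=1`, so a failed role/database creation goes unnoticed. The task list continues outside this hunk.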
@@ -17,14 +17,15 @@ config :pleroma, :instance,
email: "{{pleroma_admin_email}}",
limit: {{pleroma_char_limit}},
registrations_open: {{pleroma_signup_open}},
- invites_enabled: {{pleroma_invites_enabled}}
+ invites_enabled: {{pleroma_invites_enabled}},
+ static_dir: "{{pleroma_data_dir}}/{{pleroma_instance}}/static/"
config :pleroma, Pleroma.Upload,
uploader: Pleroma.Uploaders.Local,
filters: [Pleroma.Upload.Filter.Dedupe]
config :pleroma, Pleroma.Uploaders.Local,
- uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/"
+ uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads/"
config :pleroma, :media_proxy,
enabled: false,
-- cgit v1.2.3
From 41a43640aa1a26656c5a749fba95ec8fa3a3a868 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 19 Jan 2020 16:57:51 -0600
Subject: Removed cruft from file.
---
roles/pleroma/tasks/main.yaml | 32 +++-----------------------------
1 file changed, 3 insertions(+), 29 deletions(-)
diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml
index 4b844d6..7b8dba5 100644
--- a/roles/pleroma/tasks/main.yaml
+++ b/roles/pleroma/tasks/main.yaml
@@ -35,7 +35,7 @@
dest: "~{{pleroma_user}}/pleroma/config/prod.secret.exs"
owner: "{{pleroma_user}}"
group: "{{pleroma_user}}"
- mode: "0700"
+ mode: "0600"
become: yes
notify: restart pleroma
@@ -45,7 +45,7 @@
dest: "/tmp/setup_db.psql"
owner: "{{pleroma_db_superuser}}"
group: "{{pleroma_db_superuser}}"
- mode: "0700"
+ mode: "0600"
become: yes
- name: install pleroma psql
@@ -54,16 +54,6 @@
command: "psql -f /tmp/setup_db.psql"
notify: restart pleroma
-# - name: restore
-# postgresql_db:
-# state: "restore"
-# db: "{{pleroma_user}}"
-# target: "/tmp/{{pleroma_user}}-backup.sql"
-# login_user: "{{pleroma_user}}"
-# login_password: "{{pleroma_db_passwd}}"
-# login_host: "{{pleroma_db_host}}"
-# when: "{{pleroma_restore_db}}"
-
- name: migrate db
become: yes
become_user: "{{pleroma_user}}"
@@ -85,25 +75,9 @@
dest: "/lib/systemd/system/{{pleroma_user}}.service"
owner: "{{pleroma_user}}"
group: "{{pleroma_user}}"
- mode: "0770"
+ mode: "0660"
become: yes
- name: enable pleroma systemd service
systemd: name="{{pleroma_user}}" enabled="yes" state="started"
become: yes
-
-
-# - name: backup db
-# postgresql_db:
-# state: "dump"
-# db: "{{pleroma_user}}"
-# target: "/tmp/{{pleroma_user}}-backup.sql"
-# login_user: "{{pleroma_user}}"
-# login_password: "{{pleroma_db_passwd}}"
-# login_host: "{{pleroma_db_host}}"
-
-
-
-
-
-# pg_dump -U pleroma_nth_io -h pleroma.ctzpnw3lfkwz.us-east-1.rds.amazonaws.com pleroma_nth_io -f pleroma_nth_io_dump.sql
-- cgit v1.2.3
From 9eb223531a017cca2c11a152ede197c8798b5684 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 19 Jan 2020 21:51:10 -0600
Subject: Got pleroma otp multi-instance working.
---
roles/pleroma-otp/files/pleroma@.service | 3 ++-
roles/pleroma-otp/tasks/main.yaml | 4 ++--
roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 | 4 ++--
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/roles/pleroma-otp/files/pleroma@.service b/roles/pleroma-otp/files/pleroma@.service
index 9de1f79..4967c63 100644
--- a/roles/pleroma-otp/files/pleroma@.service
+++ b/roles/pleroma-otp/files/pleroma@.service
@@ -9,8 +9,9 @@ WorkingDirectory=/opt/pleroma
Environment="HOME=/opt/pleroma"
Environment="PLEROMA_CONFIG_PATH=/etc/pleroma/%i.config.exs"
Environment="PLUG_TMPDIR=/tmp/%i"
+Environment="RELEASE_NODE=%i@127.0.0.1"
-ExecStart=/opt/pleroma/bin/pleroma daemon
+ExecStart=/opt/pleroma/bin/pleroma start
ExecReload=/opt/pleroma/bin/pleroma stop
KillMode=process
diff --git a/roles/pleroma-otp/tasks/main.yaml b/roles/pleroma-otp/tasks/main.yaml
index d2020b1..a78cf79 100644
--- a/roles/pleroma-otp/tasks/main.yaml
+++ b/roles/pleroma-otp/tasks/main.yaml
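Review bot: Dropping the unit file mode from 0770 to 0660 still leaves `/lib/systemd/system/{{pleroma_user}}.service` owned and writable by the service account (`owner`/`group` are `{{pleroma_user}}` in the context lines), while systemd reads it as root; whoever controls that account can then change what the unit executes and which `User=` it runs as. Unit files should be root-owned and world-readable: `owner: "root"`, `group: "root"`, `mode: "0644"`. The task's `template:` key and its `src:` are outside this hunk.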
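Review bot: `RELEASE_NODE=%i@127.0.0.1` only names the node; it does not by itself bind the Erlang distribution listener to loopback, and a named node opens a distribution port plus epmd (4369) on all interfaces by default. If the rpc-based `pleroma_ctl` subcommands are not needed, `RELEASE_DISTRIBUTION=none` turns distribution off entirely; otherwise restrict the listener with `-kernel inet_dist_use_interface {127,0,0,1}` in the release's vm.args and make sure the host firewall covers epmd and the distribution port range. The context line `ExecReload=/opt/pleroma/bin/pleroma stop` also predates this hunk but still means a `systemctl reload` stops the instance rather than reloading it. The `[Service]` header is outside the hunk.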
@@ -79,14 +79,14 @@
# - "/tmp/setup_db.psql"
# - "/tmp/release/"
-- name: "configure pleroma systemd service"
+- name: configure pleroma systemd service
become: yes
copy:
src: "pleroma@.service"
dest: "/lib/systemd/system/pleroma@.service"
notify: restart pleroma instance
-- name: "ensure pleroma {{pleroma_instance}} instance is enabled and started"
+- name: ensure pleroma instance is enabled and started
become: yes
systemd: name="pleroma@{{pleroma_instance}}.service" enabled="yes" state="started"
diff --git a/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
index 4363b88..db4b255 100644
--- a/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
+++ b/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
@@ -12,7 +12,7 @@ proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_z
server {
listen {{nginx_port}};
# listen [::]:{{nginx_port}};
- server_name _;
+ server_name {{nginx_server_name}};
return 301 https://$host$request_uri;
}
@@ -22,7 +22,7 @@ ssl_session_cache shared: ssl_session_cache:10m;
server {
listen {{nginx_ssl_port}} ssl http2;
# listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
- server_name _;
+ server_name {{nginx_server_name}};
ssl_certificate {{nginx_ssl_cert}};
ssl_certificate_key {{nginx_ssl_privkey}};
-- cgit v1.2.3
From 1ed732d2f7c8de86e5c290bd38aaa63761654ac5 Mon Sep 17 00:00:00 2001
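Review bot: The HTTP-to-HTTPS redirect on the context line `return 301 https://$host$request_uri;` still builds the Location from the client-supplied Host header even though this hunk now gives the block an explicit `server_name`; the role's other nginx template (the `pleroma.nginx.conf.j2` deleted later in this series) uses `$server_name` here, which is the safer form. Change it to `return 301 https://$server_name$request_uri;` so the redirect target cannot be steered by a crafted Host, and note that without `default_server` on the `listen` line nginx still routes unmatched Hosts to the first matching block. The @@ -22 hunk in the same file only changes `server_name` and needs nothing further.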
From: Luke Hoersten
Date: Mon, 20 Jan 2020 13:18:18 -0600
Subject: Added pleroma instance backup to s3.
---
roles/pleroma-otp/defaults/main.yaml | 10 ++++-----
roles/pleroma-otp/files/pleroma-s3-backup.sh | 26 ++++++++++++++++++++++
roles/pleroma-otp/files/pleroma-s3-backup@.service | 9 ++++++++
roles/pleroma-otp/handlers/main.yaml | 4 ++++
roles/pleroma-otp/tasks/main.yaml | 20 ++++++++---------
roles/pleroma-otp/tasks/s3-backup.yaml | 20 +++++++++++++++++
6 files changed, 73 insertions(+), 16 deletions(-)
create mode 100644 roles/pleroma-otp/files/pleroma-s3-backup.sh
create mode 100644 roles/pleroma-otp/files/pleroma-s3-backup@.service
create mode 100644 roles/pleroma-otp/tasks/s3-backup.yaml
diff --git a/roles/pleroma-otp/defaults/main.yaml b/roles/pleroma-otp/defaults/main.yaml
index bb3d043..1726861 100644
--- a/roles/pleroma-otp/defaults/main.yaml
+++ b/roles/pleroma-otp/defaults/main.yaml
@@ -18,13 +18,11 @@ pleroma_signup_open: "true"
pleroma_db_host: "localhost"
pleroma_db_superuser: "postgres"
-pleroma_apt_packages:
- - "curl"
- - "unzip"
-
-pleroma_branch: "stable"
-pleroma_download_url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/{{pleroma_branch}}/download?job={{pleroma_flavor}}"
+pleroma_download_url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{pleroma_flavor}}"
pleroma_db: "pleroma_{{pleroma_instance}}"
pleroma_db_user: "pleroma_{{pleroma_instance}}"
pleroma_data_dir: "/var/lib/pleroma/instance_data"
+
+pleroma_s3_backup_enabled: true
+pleroma_cleanup_tmp: false
diff --git a/roles/pleroma-otp/files/pleroma-s3-backup.sh b/roles/pleroma-otp/files/pleroma-s3-backup.sh
new file mode 100644
index 0000000..7c1d6d3
--- /dev/null
+++ b/roles/pleroma-otp/files/pleroma-s3-backup.sh
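Review bot: `pleroma_cleanup_tmp: false` makes the unsafe behaviour the default: the rendered `/tmp/setup_db.psql` (which, if the OTP role's template matches the `setup_db.psql.j2` removed later in this series, carries the database password) and the extracted `/tmp/release` stay on disk after every run unless an inventory opts in; I'd default it to `true` and let users opt out. Removing `pleroma_apt_packages` (`curl`, `unzip`) also removes the only place this role guaranteed `unzip` on the host, which `unarchive` with `remote_src` needs to extract a zip artifact, so unless another role installs it the download task will start failing on fresh hosts.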
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+INSTANCE=$1
+DATE=`date --iso-8601`
+
+BUCKET="pleroma-${INSTANCE//_/-}-backup"
+BACKUP_DIR="/tmp/s3-backup/$BUCKET"
+BACKUP_TAR="/tmp/s3-backup/$BUCKET-$DATE.tgz"
+
+DB_NAME="pleroma_$INSTANCE"
+CONFIG="/etc/pleroma/$INSTANCE.config.exs"
+
+UPLOADS_DIR=`grep uploads $CONFIG | cut -d '"' -f 2`
+STATIC_DIR=`grep static $CONFIG | cut -d '"' -f 2`
+
+mkdir -m 775 -p "$BACKUP_DIR/"
+chown root:postgres "$BACKUP_DIR/"
+
+su postgres -c "pg_dump -d $DB_NAME --format=custom -f $BACKUP_DIR/$DB_NAME.pgdump"
+cp $CONFIG "$BACKUP_DIR/"
+cp -r $UPLOADS_DIR "$BACKUP_DIR/"
+cp -r $STATIC_DIR "$BACKUP_DIR/"
+
+tar -zc -f $BACKUP_TAR $BACKUP_DIR
+aws s3 mb "s3://$BUCKET/"
+aws s3 cp $BACKUP_TAR "s3://$BUCKET/"
diff --git a/roles/pleroma-otp/files/pleroma-s3-backup@.service b/roles/pleroma-otp/files/pleroma-s3-backup@.service
new file mode 100644
index 0000000..7459f02
--- /dev/null
+++ b/roles/pleroma-otp/files/pleroma-s3-backup@.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Pleroma s3 backup for instance "%I"
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/pleroma-prepare-backup.sh %i
+
+[Install]
+WantedBy=aws-s3-backup.target
diff --git a/roles/pleroma-otp/handlers/main.yaml b/roles/pleroma-otp/handlers/main.yaml
index 60fdb61..382fb67 100644
--- a/roles/pleroma-otp/handlers/main.yaml
+++ b/roles/pleroma-otp/handlers/main.yaml
@@ -3,3 +3,7 @@
- name: restart pleroma instance
become: yes
systemd: name="pleroma@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes"
+
+- name: restart pleroma instance s3 backup
+ become: yes
+ systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes"
diff --git a/roles/pleroma-otp/tasks/main.yaml b/roles/pleroma-otp/tasks/main.yaml
index a78cf79..d3e4f23 100644
--- a/roles/pleroma-otp/tasks/main.yaml
+++ b/roles/pleroma-otp/tasks/main.yaml
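Review bot: `pleroma-s3-backup.sh` stages secrets with permissive modes and no error handling: `mkdir -m 775` makes the staging directory group-writable, the config copy (which holds the instance's database credentials, per the `CONFIG` line) and the tarball inherit root's umask and so are typically world-readable, nothing is deleted after the upload so every run leaves a full copy of the database and config under /tmp, and without `set -e` a failed `pg_dump` still ships a truncated archive. The `UPLOADS_DIR`/`STATIC_DIR` lines grep the config for bare substrings, so any other line mentioning `uploads` or `static` breaks them, and the unquoted `$UPLOADS_DIR`, `$STATIC_DIR` and `$BACKUP_TAR` expansions break on whitespace. `aws s3 mb` on every run is not idempotent either (outside us-east-1 an existing bucket makes it fail), so bucket creation belongs in provisioning. The rewrite below fails fast, tightens permissions, anchors the greps, quotes expansions and cleans up on exit; since the unit in the next hunk runs this as root, a dedicated AWS principal with put-only rights on the backup bucket would also limit what a compromised host can do with those credentials.
```shell
#!/bin/bash
set -euo pipefail
umask 077   # the dump, the config copy and the tarball all contain secrets

INSTANCE=$1
# … unchanged: DATE, BUCKET, BACKUP_DIR, BACKUP_TAR, DB_NAME, CONFIG …

# anchor on the exact config keys; a bare substring grep matches any line mentioning uploads/static
UPLOADS_DIR=$(grep -E '^\s*uploads:' "$CONFIG" | cut -d '"' -f 2)
STATIC_DIR=$(grep -E '^\s*static_dir:' "$CONFIG" | cut -d '"' -f 2)

mkdir -m 700 -p "$BACKUP_DIR/"
trap 'rm -rf "$BACKUP_DIR" "$BACKUP_TAR"' EXIT   # never leave a plaintext copy under /tmp

# redirect as root so the staging dir need not be writable by postgres
su postgres -c "pg_dump -d '$DB_NAME' --format=custom" > "$BACKUP_DIR/$DB_NAME.pgdump"
cp "$CONFIG" "$BACKUP_DIR/"
cp -r "$UPLOADS_DIR" "$BACKUP_DIR/"
cp -r "$STATIC_DIR" "$BACKUP_DIR/"

tar -zc -f "$BACKUP_TAR" "$BACKUP_DIR"
aws s3 cp "$BACKUP_TAR" "s3://$BUCKET/"   # bucket is created once during provisioning, not here
```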
@@ -1,9 +1,5 @@
---
-- name: install pleroma apt packages
- become: yes
- apt: name="{{pleroma_apt_packages}}"
-
- name: add users
become: yes
user: name="pleroma" shell="/bin/false" home="/opt/pleroma" system="yes"
@@ -72,12 +68,16 @@
copy: remote_src="True" src="/tmp/release/" dest="/opt/pleroma/" owner="pleroma" group="pleroma"
notify: restart pleroma instance
-# - name: remove tmp release folder
-# become: yes
-# file: path="{{item}}" state="absent"
-# with_items:
-# - "/tmp/setup_db.psql"
-# - "/tmp/release/"
+- name: remove tmp release folder
+ become: yes
+ file: path="{{item}}" state="absent"
+ with_items:
+ - "/tmp/setup_db.psql"
+ - "/tmp/release/"
+ when: pleroma_cleanup_tmp
+
+- import_tasks: s3-backup.yml
+ when: pleroma_s3_backup_enabled
- name: configure pleroma systemd service
become: yes
diff --git a/roles/pleroma-otp/tasks/s3-backup.yaml b/roles/pleroma-otp/tasks/s3-backup.yaml
new file mode 100644
index 0000000..e00cacc
--- /dev/null
+++ b/roles/pleroma-otp/tasks/s3-backup.yaml
@@ -0,0 +1,20 @@
+---
+
+- name: create s3 backup shell script
+ become: yes
+ copy:
+ src: "pleroma-s3-backup.sh"
+ dest: "/usr/local/bin/pleroma-s3-backup.sh"
+ mode: "0755"
+
+- name: configure s3 backup systemd service
+ become: yes
+ copy:
+ src: "pleroma-s3-backup@.service"
+ dest: "/lib/systemd/system/pleroma-s3-backup@.service"
+ mode: "0755"
+ notify: restart pleroma instance s3 backup
+
+- name: ensure s3 backup is enabled
+ become: yes
+ systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" state="started"
-- cgit v1.2.3
From e03a74821c63ab23ffcea118c05df188a687298d Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Mon, 20 Jan 2020 13:54:14 -0600
Subject: Fixed systemd timer states.
---
roles/pleroma-otp/files/pleroma-s3-backup@.service | 2 +-
roles/pleroma-otp/handlers/main.yaml | 2 +-
roles/pleroma-otp/tasks/main.yaml | 2 +-
roles/pleroma-otp/tasks/s3-backup.yaml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/pleroma-otp/files/pleroma-s3-backup@.service b/roles/pleroma-otp/files/pleroma-s3-backup@.service
index 7459f02..a64cae3 100644
--- a/roles/pleroma-otp/files/pleroma-s3-backup@.service
+++ b/roles/pleroma-otp/files/pleroma-s3-backup@.service
@@ -3,7 +3,7 @@ Description=Pleroma s3 backup for instance "%I"
[Service]
Type=oneshot
-ExecStart=/usr/local/bin/pleroma-prepare-backup.sh %i
+ExecStart=/usr/local/bin/pleroma-s3-backup.sh %i
[Install]
WantedBy=aws-s3-backup.target
diff --git a/roles/pleroma-otp/handlers/main.yaml b/roles/pleroma-otp/handlers/main.yaml
index 382fb67..0fad634 100644
--- a/roles/pleroma-otp/handlers/main.yaml
+++ b/roles/pleroma-otp/handlers/main.yaml
@@ -6,4 +6,4 @@
- name: restart pleroma instance s3 backup
become: yes
- systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes"
+ systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" daemon_reload="yes"
diff --git a/roles/pleroma-otp/tasks/main.yaml b/roles/pleroma-otp/tasks/main.yaml
index d3e4f23..5276935 100644
--- a/roles/pleroma-otp/tasks/main.yaml
+++ b/roles/pleroma-otp/tasks/main.yaml
@@ -76,7 +76,7 @@
- "/tmp/release/"
when: pleroma_cleanup_tmp
-- import_tasks: s3-backup.yml
+- import_tasks: s3-backup.yaml
when: pleroma_s3_backup_enabled
- name: configure pleroma systemd service
diff --git a/roles/pleroma-otp/tasks/s3-backup.yaml b/roles/pleroma-otp/tasks/s3-backup.yaml
index e00cacc..72baa3c 100644
--- a/roles/pleroma-otp/tasks/s3-backup.yaml
+++ b/roles/pleroma-otp/tasks/s3-backup.yaml
@@ -17,4 +17,4 @@
- name: ensure s3 backup is enabled
become: yes
- systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" state="started"
+ systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes"
-- cgit v1.2.3
From 05623c696acbe7b830b9222165578be4b0bf83f4 Mon Sep 17 00:00:00 2001
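Review bot: The handler is still called `restart pleroma instance s3 backup` but after this hunk it only sets `enabled="yes"` with no `state`, so a notify from the unit-file copy neither restarts nor runs anything; rename it, e.g. `- name: enable pleroma instance s3 backup`, and update the matching `notify:` in s3-backup.yaml. More importantly, enabling the oneshot unit only drops a wants-symlink for `aws-s3-backup.target` (the `WantedBy=` context line in this commit's first hunk), and nothing on this page defines that target or a timer that pulls it in, so unless another role provides it the backup is never triggered. A `pleroma-s3-backup@.timer` with an `OnCalendar=` schedule, enabled and started on the timer unit, would make the schedule explicit and checkable with `systemctl list-timers`.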
From: Luke Hoersten
Date: Mon, 20 Jan 2020 14:17:24 -0600
Subject: Fixed file perms on backup service.
---
roles/pleroma-otp/tasks/s3-backup.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/pleroma-otp/tasks/s3-backup.yaml b/roles/pleroma-otp/tasks/s3-backup.yaml
index 72baa3c..12eaded 100644
--- a/roles/pleroma-otp/tasks/s3-backup.yaml
+++ b/roles/pleroma-otp/tasks/s3-backup.yaml
@@ -12,7 +12,7 @@
copy:
src: "pleroma-s3-backup@.service"
dest: "/lib/systemd/system/pleroma-s3-backup@.service"
- mode: "0755"
+ mode: "0644"
notify: restart pleroma instance s3 backup
- name: ensure s3 backup is enabled
-- cgit v1.2.3
From e5a66971edd1a41323576915d9a8c47dc200c95d Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Mon, 20 Jan 2020 14:19:05 -0600
Subject: Removed pleroma src based install.
---
roles/pleroma/defaults/main.yaml | 28 -------
roles/pleroma/handlers/main.yaml | 5 --
roles/pleroma/tasks/main.yaml | 83 -------------------
.../templates/pleroma.cloudflare.nginx.conf.j2 | 74 -----------------
roles/pleroma/templates/pleroma.nginx.conf.j2 | 95 ----------------------
roles/pleroma/templates/pleroma.service.j2 | 35 --------
roles/pleroma/templates/prod.secret.exs.j2 | 39 ---------
roles/pleroma/templates/setup_db.psql.j2 | 7 --
8 files changed, 366 deletions(-)
delete mode 100644 roles/pleroma/defaults/main.yaml
delete mode 100644 roles/pleroma/handlers/main.yaml
delete mode 100644 roles/pleroma/tasks/main.yaml
delete mode 100644 roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2
delete mode 100644 roles/pleroma/templates/pleroma.nginx.conf.j2
delete mode 100644 roles/pleroma/templates/pleroma.service.j2
delete mode 100644 roles/pleroma/templates/prod.secret.exs.j2
delete mode 100644 roles/pleroma/templates/setup_db.psql.j2
diff --git a/roles/pleroma/defaults/main.yaml b/roles/pleroma/defaults/main.yaml
deleted file mode 100644
index dd15bd7..0000000
--- a/roles/pleroma/defaults/main.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-
-pleroma_user: "pleroma"
-
-pleroma_host: "localhost"
-pleroma_port: 4000
-pleroma_scheme: "http"
-
-pleroma_proxy_pass: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}"
-
-pleroma_link_host: "localhost"
-pleroma_link_port: "443"
-pleroma_link_scheme: "https"
-
-pleroma_instance_name: "{{pleroma_link_host}}"
-pleroma_desc: "A Pleroma fediverse instance."
-pleroma_admin_email: "admin@{{pleroma_link_host}}"
-pleroma_char_limit: 5000
-pleroma_signup_open: "true"
-pleroma_db_host: "localhost"
-pleroma_db_superuser: "postgres"
-
-pleroma_version: "v1.1.6"
-
-pleroma_apt_packages:
- - "elixir"
- - "git"
- - "build-essential"
diff --git a/roles/pleroma/handlers/main.yaml b/roles/pleroma/handlers/main.yaml
deleted file mode 100644
index b935f8d..0000000
--- a/roles/pleroma/handlers/main.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- name: restart pleroma
- become: yes
- systemd: name="{{pleroma_user}}" state="restarted" daemon_reload="yes"
diff --git a/roles/pleroma/tasks/main.yaml b/roles/pleroma/tasks/main.yaml
deleted file mode 100644
index 7b8dba5..0000000
--- a/roles/pleroma/tasks/main.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-
-- name: add erland solutions key
- become: yes
- apt_key: url="http://packages.erlang-solutions.com/debian/erlang_solutions.asc"
-
-- name: install erland solutions repo
- become: yes
- apt_repository: repo="deb http://binaries.erlang-solutions.com/debian buster contrib"
-
-- name: update apt package cache
- become: yes
- apt: upgrade="dist" update_cache="yes" cache_valid_time="3600"
-
-- name: install pleroma apt packages
- become: yes
- apt: name="{{pleroma_apt_packages}}"
-
-- name: add users
- become: yes
- user: name="{{pleroma_user}}" shell="/bin/bash"
-
-- name: checkout plemora
- become: yes
- become_user: "{{pleroma_user}}"
- git:
- repo: "https://git.pleroma.social/pleroma/pleroma.git"
- dest: "~{{pleroma_user}}/pleroma"
- version: "{{pleroma_version}}"
- force: yes
-
-- name: install pleroma config
- template:
- src: "prod.secret.exs.j2"
- dest: "~{{pleroma_user}}/pleroma/config/prod.secret.exs"
- owner: "{{pleroma_user}}"
- group: "{{pleroma_user}}"
- mode: "0600"
- become: yes
- notify: restart pleroma
-
-- name: install pleroma db schema file
- template:
- src: "setup_db.psql.j2"
- dest: "/tmp/setup_db.psql"
- owner: "{{pleroma_db_superuser}}"
- group: "{{pleroma_db_superuser}}"
- mode: "0600"
- become: yes
-
-- name: install pleroma psql
- become: yes
- become_user: "{{pleroma_db_superuser}}"
- command: "psql -f /tmp/setup_db.psql"
- notify: restart pleroma
-
-- name: migrate db
- become: yes
- become_user: "{{pleroma_user}}"
- command: "{{item}}"
- args:
- chdir: "~{{pleroma_user}}/pleroma/"
- with_items:
- - "mix local.hex --force"
- - "mix local.rebar --force"
- - "mix deps.get"
- - "mix ecto.migrate"
- notify: restart pleroma
- environment:
- MIX_ENV: "prod"
-
-- name: install pleroma systemd service
- template:
- src: "pleroma.service.j2"
- dest: "/lib/systemd/system/{{pleroma_user}}.service"
- owner: "{{pleroma_user}}"
- group: "{{pleroma_user}}"
- mode: "0660"
- become: yes
-
-- name: enable pleroma systemd service
-
systemd: name="{{pleroma_user}}" enabled="yes" state="started"
- become: yes
diff --git a/roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2 b/roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2
deleted file mode 100644
index 284d280..0000000
--- a/roles/pleroma/templates/pleroma.cloudflare.nginx.conf.j2
+++ /dev/null
@@ -1,74 +0,0 @@
-# default nginx site config for Pleroma
-#
-# Simple installation instructions:
-# 1. Install your TLS certificate, possibly using Let's Encrypt.
-# 2. Replace 'example.tld' with your instance's domain wherever it appears.
-# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
-# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
-
-proxy_cache_path /tmp/{{pleroma_user}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_user}}-pleroma_media_cache:10m max_size=10g
- inactive=720m use_temp_path=off;
-
-server {
- listen {{nginx_port}};
- # listen [::]:{{nginx_port}};
- server_name _;
- return 301 https://$host$request_uri;
-}
-
-# Enable SSL session caching for improved performance
-ssl_session_cache shared:ssl_session_cache:10m;
-
-server {
- listen {{nginx_ssl_port}} ssl http2;
- # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
- server_name _;
-
- ssl_certificate {{nginx_ssl_cert}};
- ssl_certificate_key {{nginx_ssl_privkey}};
- include /etc/letsencrypt/options-ssl-nginx.conf;
- # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
- ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- add_header Strict-Transport-Security "max-age=31536000" always;
-
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_buffers 16 8k;
- gzip_http_version 1.1;
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
-
- # the nginx default is 1m, not enough for large media uploads
- client_max_body_size 16m;
-
- location / {
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header Referrer-Policy same-origin;
- add_header X-Download-Options noopen;
-
- add_header Strict-Transport-Security
"max-age=31536000; includeSubDomains";
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
-
- proxy_pass {{pleroma_proxy_pass}};
-
- client_max_body_size 16m;
- }
-
- location /proxy {
- proxy_cache {{pleroma_user}}-pleroma_media_cache;
- proxy_cache_lock on;
- proxy_ignore_client_abort on;
- proxy_pass {{pleroma_proxy_pass}};
- }
-}
diff --git a/roles/pleroma/templates/pleroma.nginx.conf.j2 b/roles/pleroma/templates/pleroma.nginx.conf.j2
deleted file mode 100644
index 1d5fb9d..0000000
--- a/roles/pleroma/templates/pleroma.nginx.conf.j2
+++ /dev/null
@@ -1,95 +0,0 @@
-# default nginx site config for Pleroma
-#
-# Simple installation instructions:
-# 1. Install your TLS certificate, possibly using Let's Encrypt.
-# 2. Replace 'example.tld' with your instance's domain wherever it appears.
-# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
-# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
-
-proxy_cache_path /tmp/{{pleroma_user}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_user}}-pleroma_media_cache:10m max_size=10g
- inactive=720m use_temp_path=off;
-
-server {
- listen {{nginx_port}};
- # listen [::]:{{nginx_port}};
- server_name {{nginx_server_name}};
- return 301 https://$server_name$request_uri;
-
- # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
- # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
- # that is is accessible by the webserver. You may need to load this file with the ssl
- # server block commented out, run certbot to get the certificate, and then uncomment it.
- #
- # location ~ /\.well-known/acme-challenge {
- # root /pleroma/priv/static/;
- # }
-}
-
-# Enable SSL session caching for improved performance
-ssl_session_cache shared:ssl_session_cache:10m;
-
-server {
- listen {{nginx_ssl_port}} ssl http2;
- # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
- server_name {{nginx_server_name}};
-
- ssl_certificate {{nginx_ssl_cert}};
- ssl_certificate_key {{nginx_ssl_privkey}};
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
- ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- add_header Strict-Transport-Security "max-age=31536000" always;
-
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_buffers 16 8k;
- gzip_http_version 1.1;
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
-
- # the nginx default is 1m, not enough for large media uploads
- client_max_body_size 16m;
-
- location / {
- # if you do not want remote frontends to be able to access your Pleroma backend
- # server, remove these lines.
- # add_header 'Access-Control-Allow-Origin' '*' always;
- # add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
- # add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
- # add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
- # if ($request_method = OPTIONS) {
- # return 204;
- # }
- # stop removing lines here.
-
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header Referrer-Policy same-origin;
- add_header X-Download-Options noopen;
-
- # Uncomment this only after you get HTTPS working.
- # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
-
- proxy_pass {{pleroma_proxy_pass}};
-
- client_max_body_size 16m;
- }
-
- location /proxy {
- proxy_cache {{pleroma_user}}-pleroma_media_cache;
- proxy_cache_lock on;
- proxy_ignore_client_abort on;
- proxy_pass {{pleroma_proxy_pass}};
- }
-}
diff --git a/roles/pleroma/templates/pleroma.service.j2 b/roles/pleroma/templates/pleroma.service.j2
deleted file mode 100644
index 0effbf1..0000000
--- a/roles/pleroma/templates/pleroma.service.j2
+++ /dev/null
@@ -1,35 +0,0 @@
-# {{ansible_managed}}
-
-[Unit]
-Description=Pleroma social network
-After=network.target postgresql.service
-
-[Service]
-User={{pleroma_user}}
-WorkingDirectory=/home/{{pleroma_user}}/pleroma
-
-Environment="HOME=/home/{{pleroma_user}}"
-Environment="MIX_ENV=prod"
-Environment="PLUG_TMPDIR=/tmp/{{pleroma_user}}"
-
-ExecStart=/usr/bin/mix phx.server
-ExecReload=/bin/kill $MAINPID
-KillMode=process
-Restart=on-failure
-
-; Some security directives.
-; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
-PrivateTmp=true
-; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
-ProtectHome=false
-; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
-ProtectSystem=full
-; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
-PrivateDevices=false
-; Ensures that the service process and all its children can never gain new privileges through execve().
-NoNewPrivileges=true
-; Drops the sysadmin capability from the daemon.
-CapabilityBoundingSet=~CAP_SYS_ADMIN
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/pleroma/templates/prod.secret.exs.j2 b/roles/pleroma/templates/prod.secret.exs.j2
deleted file mode 100644
index d1504c3..0000000
--- a/roles/pleroma/templates/prod.secret.exs.j2
+++ /dev/null
@@ -1,39 +0,0 @@ -use Mix.Config - -config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], - http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], - secret_key_base: "{{pleroma_secret_key}}", - secure_cookie_flag: true - -config :pleroma, :http_security, - enabled: true, - sts: true, - referrer_policy: "same-origin" - -config :pleroma, :instance, - name: "{{pleroma_instance_name}}", - description: "{{pleroma_desc}}", - email: "{{pleroma_admin_email}}", - limit: {{pleroma_char_limit}}, - registrations_open: {{pleroma_signup_open}}, - invites_enabled: {{pleroma_invites_enabled}} - -config :pleroma, Pleroma.Upload, - filters: [Pleroma.Upload.Filter.Dedupe] - -config :pleroma, :media_proxy, - enabled: false, - redirect_on_failure: true - #base_url: "https://cache.pleroma.social" - -# Configure your database -config :pleroma, Pleroma.Repo, - adapter: Ecto.Adapters.Postgres, - username: "{{pleroma_user}}", - password: "{{pleroma_db_passwd}}", - database: "{{pleroma_user}}", - hostname: "{{pleroma_db_host}}", - pool_size: 10, - timeout: 60000, - pool_timeout: 60000 diff --git a/roles/pleroma/templates/setup_db.psql.j2 b/roles/pleroma/templates/setup_db.psql.j2 deleted file mode 100644 index 9a4af30..0000000 --- a/roles/pleroma/templates/setup_db.psql.j2 +++ /dev/null @@ -1,7 +0,0 @@ -CREATE USER {{pleroma_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'; -CREATE DATABASE {{pleroma_user}} WITH OWNER {{pleroma_user}}; -\c {{pleroma_user}}; ---Extensions made by ecto.migrate that need superuser access -CREATE EXTENSION IF NOT EXISTS citext; -CREATE EXTENSION IF NOT EXISTS pg_trgm; -CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; -- cgit v1.2.3 From 11746a2c064018a642486b208b2fdcaeae8ea8e5 Mon Sep 17 00:00:00 2001 
From: Luke Hoersten Date: Mon, 20 Jan 2020 15:26:33 -0600 Subject: Made pleroma roles idempotent. --- roles/nginx/tasks/main.yaml | 2 +- roles/pleroma-otp/tasks/main.yaml | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 74c6d7e..5cace24 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -18,7 +18,7 @@ - name: install certbot in nginx become: yes command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" - notify: restart nginx + changed_when: false when: nginx_enable_certbot - name: disable default site diff --git a/roles/pleroma-otp/tasks/main.yaml b/roles/pleroma-otp/tasks/main.yaml index 5276935..115db24 100644 --- a/roles/pleroma-otp/tasks/main.yaml +++ b/roles/pleroma-otp/tasks/main.yaml @@ -40,19 +40,20 @@ - "{{pleroma_data_dir}}/{{pleroma_instance}}/static/emoji" - name: install pleroma db schema file + become: yes template: src: "setup_db.psql.j2" - dest: "/tmp/setup_db.psql" + dest: "/tmp/setup_db_{{pleroma_instance}}.psql" owner: "{{pleroma_db_superuser}}" group: "{{pleroma_db_superuser}}" mode: "0600" - become: yes + changed_when: false - name: install pleroma psql become: yes become_user: "{{pleroma_db_superuser}}" - command: "psql -f /tmp/setup_db.psql" - notify: restart pleroma instance + command: "psql -f /tmp/setup_db_{{pleroma_instance}}.psql" + changed_when: false - name: download and unarchive pleroma release become: yes @@ -98,4 +99,4 @@ chdir: "/opt/pleroma/" environment: PLEROMA_CONFIG_PATH: "/etc/pleroma/{{pleroma_instance}}.config.exs" - notify: restart pleroma instance + changed_when: false -- cgit v1.2.3 From c17f28aafd1f15a8c26835196956c1c209ec5ff3 Mon Sep 17 00:00:00 2001 
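Review bot: `changed_when: false` on the certbot command masks the run that actually issues a certificate, and with the `notify` dropped nothing in this play reloads nginx afterwards (certbot's nginx plugin may reload on its own, but that is not visible here). A `creates` guard gives real idempotency and lets the notify stay: `args:` / `  creates: "{{nginx_ssl_cert}}"` / `notify: restart nginx` under the `command:` line; `nginx_ssl_cert` is the role default shown in nginx/defaults/main.yaml later on this page. The surrounding task list continues outside the hunk.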
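Review bot: The second hunk keeps running `psql -f` on every play and hides the outcome with `changed_when: false`; on a re-run `CREATE USER` and `CREATE DATABASE` fail, but psql exits 0 on statement errors unless invoked with `-v ON_ERROR_STOP=1`, so a genuinely broken DB setup would also pass silently. The rendered file carries the DB password into /tmp each time and, because the cleanup task's list (visible in the full listing of this file in the next commit) still names `/tmp/setup_db.psql`, the renamed `/tmp/setup_db_{{pleroma_instance}}.psql` is never removed even with `pleroma_cleanup_tmp`. The `postgresql_user`, `postgresql_db` and `postgresql_ext` modules do this idempotently, report change status correctly and keep the secret off disk. The same masking applies to the `pleroma_ctl migrate` hunk at `@@ -98,4 +99,4 @@`, which now runs migrations on every play with neither a restart nor a changed signal; registering the command output and deriving `changed_when` from it would be preferable, though the output format is not shown here.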
From: Luke Hoersten Date: Sun, 9 Feb 2020 12:08:03 -0600 Subject: Moved roles to top level dir. --- Vagrantfile | 25 ----- nginx/defaults/main.yaml | 10 ++ nginx/handlers/main.yaml | 5 + nginx/tasks/main.yaml | 39 ++++++++ pleroma-otp/defaults/main.yaml | 28 ++++++ pleroma-otp/files/pleroma-s3-backup.sh | 26 ++++++ pleroma-otp/files/pleroma-s3-backup@.service | 9 ++ pleroma-otp/files/pleroma@.service | 35 +++++++ pleroma-otp/handlers/main.yaml | 9 ++ pleroma-otp/tasks/main.yaml | 102 +++++++++++++++++++++ pleroma-otp/tasks/s3-backup.yaml | 20 ++++ pleroma-otp/templates/config.exs.j2 | 44 +++++++++ .../templates/pleroma.cloudflare.nginx.conf.j2 | 74 +++++++++++++++ pleroma-otp/templates/pleroma.nginx.conf.j2 | 74 +++++++++++++++ pleroma-otp/templates/setup_db.psql.j2 | 7 ++ postgresql/defaults/main.yaml | 10 ++ postgresql/handlers/main.yaml | 5 + postgresql/tasks/main.yaml | 27 ++++++ roles/nginx/defaults/main.yaml | 10 -- roles/nginx/handlers/main.yaml | 5 - roles/nginx/tasks/main.yaml | 39 -------- roles/pleroma-otp/defaults/main.yaml | 28 ------ roles/pleroma-otp/files/pleroma-s3-backup.sh | 26 ------ roles/pleroma-otp/files/pleroma-s3-backup@.service | 9 -- roles/pleroma-otp/files/pleroma@.service | 35 ------- roles/pleroma-otp/handlers/main.yaml | 9 -- roles/pleroma-otp/tasks/main.yaml | 102 --------------------- roles/pleroma-otp/tasks/s3-backup.yaml | 20 ---- roles/pleroma-otp/templates/config.exs.j2 | 44 --------- .../templates/pleroma.cloudflare.nginx.conf.j2 | 74 --------------- roles/pleroma-otp/templates/pleroma.nginx.conf.j2 | 95 ------------------- roles/pleroma-otp/templates/setup_db.psql.j2 | 7 -- roles/postgresql/defaults/main.yaml | 10 -- roles/postgresql/handlers/main.yaml | 5 - roles/postgresql/tasks/main.yaml | 27 ------ 35 files changed, 524 insertions(+), 570 deletions(-) delete mode 100644 Vagrantfile create mode 100644 nginx/defaults/main.yaml create mode 100644 nginx/handlers/main.yaml create mode 100644 nginx/tasks/main.yaml create mode 
100644 pleroma-otp/defaults/main.yaml create mode 100644 pleroma-otp/files/pleroma-s3-backup.sh create mode 100644 pleroma-otp/files/pleroma-s3-backup@.service create mode 100644 pleroma-otp/files/pleroma@.service create mode 100644 pleroma-otp/handlers/main.yaml create mode 100644 pleroma-otp/tasks/main.yaml create mode 100644 pleroma-otp/tasks/s3-backup.yaml create mode 100644 pleroma-otp/templates/config.exs.j2 create mode 100644 pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 create mode 100644 pleroma-otp/templates/pleroma.nginx.conf.j2 create mode 100644 pleroma-otp/templates/setup_db.psql.j2 create mode 100644 postgresql/defaults/main.yaml create mode 100644 postgresql/handlers/main.yaml create mode 100644 postgresql/tasks/main.yaml delete mode 100644 roles/nginx/defaults/main.yaml delete mode 100644 roles/nginx/handlers/main.yaml delete mode 100644 roles/nginx/tasks/main.yaml delete mode 100644 roles/pleroma-otp/defaults/main.yaml delete mode 100644 roles/pleroma-otp/files/pleroma-s3-backup.sh delete mode 100644 roles/pleroma-otp/files/pleroma-s3-backup@.service delete mode 100644 roles/pleroma-otp/files/pleroma@.service delete mode 100644 roles/pleroma-otp/handlers/main.yaml delete mode 100644 roles/pleroma-otp/tasks/main.yaml delete mode 100644 roles/pleroma-otp/tasks/s3-backup.yaml delete mode 100644 roles/pleroma-otp/templates/config.exs.j2 delete mode 100644 roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 delete mode 100644 roles/pleroma-otp/templates/pleroma.nginx.conf.j2 delete mode 100644 roles/pleroma-otp/templates/setup_db.psql.j2 delete mode 100644 roles/postgresql/defaults/main.yaml delete mode 100644 roles/postgresql/handlers/main.yaml delete mode 100644 roles/postgresql/tasks/main.yaml diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index 25d5b54..0000000 --- a/Vagrantfile +++ /dev/null 
@@ -1,25 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "ubuntu/bionic64" - - config.vm.network "forwarded_port", guest: 4000, host: 4000 - config.vm.network "forwarded_port", guest: 80, host: 8080 - # config.vm.synced_folder "../data", "/vagrant_data" - - # config.vm.provider "virtualbox" do |vb| - # # Display the VirtualBox GUI when booting the machine - # vb.gui = true - # - # # Customize the amount of memory on the VM: - # vb.memory = "1024" - # end - - config.vm.provision "ansible" do |ansible| - ansible.limit = "all,localhost" - # ansible.verbose = "vvv" - ansible.playbook = "main.yaml" - ansible.compatibility_mode = "2.0" - end -end diff --git a/nginx/defaults/main.yaml b/nginx/defaults/main.yaml new file mode 100644 index 0000000..c0db79d --- /dev/null +++ b/nginx/defaults/main.yaml @@ -0,0 +1,10 @@ +--- + +nginx_port: 80 +nginx_ssl_port: 443 +nginx_ssl_cert: "/etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem" +nginx_ssl_privkey: "/etc/letsencrypt/live/{{nginx_server_name}}/privkey.pem" +nginx_enable_certbot: No +nginx_server_name: "{{ansible_host}}" +nginx_conf_dst: "{{nginx_server_name}}.nginx.conf" +nginx_admin_email: "admin@{{nginx_server_name}}" diff --git a/nginx/handlers/main.yaml b/nginx/handlers/main.yaml new file mode 100644 index 0000000..1feca07 --- /dev/null +++ b/nginx/handlers/main.yaml @@ -0,0 +1,5 @@ +--- + +- name: restart nginx + become: yes + systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/nginx/tasks/main.yaml b/nginx/tasks/main.yaml new file mode 100644 index 0000000..5cace24 --- /dev/null +++ b/nginx/tasks/main.yaml 
@@ -0,0 +1,39 @@ +--- + +- name: install nginx packages + become: yes + apt: name="nginx" + +- name: install site + become: yes + template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" + notify: restart nginx + +- name: install nginx packages + become: yes + apt: name="python-certbot-nginx" + notify: restart nginx + when: nginx_enable_certbot + +- name: install certbot in nginx + become: yes + command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" + changed_when: false + when: nginx_enable_certbot + +- name: disable default site + become: yes + file: path="/etc/nginx/sites-enabled/default" state="absent" + notify: restart nginx + +- name: enable site + become: yes + file: + src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" + dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" + state: "link" + notify: restart nginx + +- name: enable nginx service + become: yes + systemd: name="nginx" enabled="yes" state="started" diff --git a/pleroma-otp/defaults/main.yaml b/pleroma-otp/defaults/main.yaml new file mode 100644 index 0000000..1726861 --- /dev/null +++ b/pleroma-otp/defaults/main.yaml 
@@ -0,0 +1,28 @@ +--- + +pleroma_host: "localhost" +pleroma_port: 4000 +pleroma_scheme: "http" + +pleroma_proxy_pass: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}" + +pleroma_link_host: "localhost" +pleroma_link_port: "443" +pleroma_link_scheme: "https" + +pleroma_instance_name: "{{pleroma_link_host}}" +pleroma_desc: "A Pleroma fediverse instance." +pleroma_admin_email: "admin@{{pleroma_link_host}}" +pleroma_char_limit: 5000 +pleroma_signup_open: "true" +pleroma_db_host: "localhost" +pleroma_db_superuser: "postgres" + +pleroma_download_url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{pleroma_flavor}}" + +pleroma_db: "pleroma_{{pleroma_instance}}" +pleroma_db_user: "pleroma_{{pleroma_instance}}" +pleroma_data_dir: "/var/lib/pleroma/instance_data" + +pleroma_s3_backup_enabled: true +pleroma_cleanup_tmp: false diff --git a/pleroma-otp/files/pleroma-s3-backup.sh b/pleroma-otp/files/pleroma-s3-backup.sh new file mode 100644 index 0000000..7c1d6d3 --- /dev/null +++ b/pleroma-otp/files/pleroma-s3-backup.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +INSTANCE=$1 +DATE=`date --iso-8601` + +BUCKET="pleroma-${INSTANCE//_/-}-backup" +BACKUP_DIR="/tmp/s3-backup/$BUCKET" +BACKUP_TAR="/tmp/s3-backup/$BUCKET-$DATE.tgz" + +DB_NAME="pleroma_$INSTANCE" +CONFIG="/etc/pleroma/$INSTANCE.config.exs" + +UPLOADS_DIR=`grep uploads $CONFIG | cut -d '"' -f 2` +STATIC_DIR=`grep static $CONFIG | cut -d '"' -f 2` + +mkdir -m 775 -p "$BACKUP_DIR/" +chown root:postgres "$BACKUP_DIR/" + +su postgres -c "pg_dump -d $DB_NAME --format=custom -f $BACKUP_DIR/$DB_NAME.pgdump" +cp $CONFIG "$BACKUP_DIR/" +cp -r $UPLOADS_DIR "$BACKUP_DIR/" +cp -r $STATIC_DIR "$BACKUP_DIR/" + +tar -zc -f $BACKUP_TAR $BACKUP_DIR +aws s3 mb "s3://$BUCKET/" +aws s3 cp $BACKUP_TAR "s3://$BUCKET/" diff --git a/pleroma-otp/files/pleroma-s3-backup@.service b/pleroma-otp/files/pleroma-s3-backup@.service new file mode 100644 index 0000000..a64cae3 --- /dev/null 
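Review bot: The backup script in pleroma-s3-backup.sh (moved verbatim here) has no `set -euo pipefail`, so a failed `pg_dump` or `cp` still produces and uploads a partial archive, and nothing removes the staging directory, so plaintext dumps plus the instance config (which per config.exs.j2 on this page contains `secret_key_base` and the DB password) accumulate under /tmp with a group-writable 775 directory. The archive is also uploaded without requesting server-side encryption, and `$CONFIG`, `$UPLOADS_DIR`, `$STATIC_DIR` and `$BACKUP_TAR` are unquoted. The `grep uploads`/`grep static` extraction of paths from the config is fragile if those words appear elsewhere in the file; a dedicated variable or `pleroma_ctl` call would be sturdier, though that is a judgement call. Suggested rewrite of the affected lines:

```shell
#!/bin/bash
set -euo pipefail

INSTANCE="$1"
# … unchanged: DATE, BUCKET, BACKUP_DIR, BACKUP_TAR, DB_NAME, CONFIG, UPLOADS_DIR, STATIC_DIR …

# Staging dir holds a plaintext DB dump and the instance config; keep it
# out of reach of other local users and remove it whatever happens.
mkdir -m 770 -p "$BACKUP_DIR/"
chown root:postgres "$BACKUP_DIR/"
trap 'rm -rf "$BACKUP_DIR" "$BACKUP_TAR"' EXIT

su postgres -c "pg_dump -d $DB_NAME --format=custom -f $BACKUP_DIR/$DB_NAME.pgdump"
cp "$CONFIG" "$BACKUP_DIR/"
cp -r "$UPLOADS_DIR" "$BACKUP_DIR/"
cp -r "$STATIC_DIR" "$BACKUP_DIR/"

tar -zc -f "$BACKUP_TAR" "$BACKUP_DIR"
aws s3api head-bucket --bucket "$BUCKET" 2>/dev/null || aws s3 mb "s3://$BUCKET/"
aws s3 cp --sse AES256 "$BACKUP_TAR" "s3://$BUCKET/"
```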
+++ b/pleroma-otp/files/pleroma-s3-backup@.service @@ -0,0 +1,9 @@ +[Unit] +Description=Pleroma s3 backup for instance "%I" + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/pleroma-s3-backup.sh %i + +[Install] +WantedBy=aws-s3-backup.target diff --git a/pleroma-otp/files/pleroma@.service b/pleroma-otp/files/pleroma@.service new file mode 100644 index 0000000..4967c63 --- /dev/null +++ b/pleroma-otp/files/pleroma@.service @@ -0,0 +1,35 @@ +[Unit] +Description=Pleroma social network instance "%I" +After=network.target postgresql.service nginx.service + +[Service] +User=pleroma +WorkingDirectory=/opt/pleroma + +Environment="HOME=/opt/pleroma" +Environment="PLEROMA_CONFIG_PATH=/etc/pleroma/%i.config.exs" +Environment="PLUG_TMPDIR=/tmp/%i" +Environment="RELEASE_NODE=%i@127.0.0.1" + +ExecStart=/opt/pleroma/bin/pleroma start +ExecReload=/opt/pleroma/bin/pleroma stop + +KillMode=process +Restart=on-failure + +; Some security directives. +; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. +PrivateTmp=true +; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. +ProtectHome=true +; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. +ProtectSystem=full +; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. +PrivateDevices=false +; Ensures that the service process and all its children can never gain new privileges through execve(). +NoNewPrivileges=true +; Drops the sysadmin capability from the daemon. +CapabilityBoundingSet=~CAP_SYS_ADMIN + +[Install] +WantedBy=multi-user.target 
diff --git a/pleroma-otp/handlers/main.yaml b/pleroma-otp/handlers/main.yaml new file mode 100644 index 0000000..0fad634 --- /dev/null +++ b/pleroma-otp/handlers/main.yaml @@ -0,0 +1,9 @@ +--- + +- name: restart pleroma instance + become: yes + systemd: name="pleroma@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes" + +- name: restart pleroma instance s3 backup + become: yes + systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" daemon_reload="yes" diff --git a/pleroma-otp/tasks/main.yaml b/pleroma-otp/tasks/main.yaml new file mode 100644 index 0000000..115db24 --- /dev/null +++ b/pleroma-otp/tasks/main.yaml 
@@ -0,0 +1,102 @@ +--- + +- name: add users + become: yes + user: name="pleroma" shell="/bin/false" home="/opt/pleroma" system="yes" + +- name: create config and data directory + become: yes + file: + path: "{{item}}" + state: "directory" + mode: "0755" + with_items: + - "{{pleroma_data_dir}}" + - "/etc/pleroma" + - "/opt/pleroma" + +- name: install pleroma config + template: + src: "config.exs.j2" + dest: "/etc/pleroma/{{pleroma_instance}}.config.exs" + owner: "pleroma" + group: "pleroma" + mode: "0600" + become: yes + notify: restart pleroma instance + +- name: create instance data directory + become: yes + file: + path: "{{item}}" + state: "directory" + owner: "pleroma" + group: "pleroma" + mode: "0755" + with_items: + - "{{pleroma_data_dir}}/{{pleroma_instance}}" + - "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads" + - "{{pleroma_data_dir}}/{{pleroma_instance}}/static" + - "{{pleroma_data_dir}}/{{pleroma_instance}}/static/emoji" + +- name: install pleroma db schema file + become: yes + template: + src: "setup_db.psql.j2" + dest: "/tmp/setup_db_{{pleroma_instance}}.psql" + owner: "{{pleroma_db_superuser}}" + group: "{{pleroma_db_superuser}}" + mode: "0600" + changed_when: false + +- name: install pleroma psql + become: yes + become_user: "{{pleroma_db_superuser}}" + command: "psql -f /tmp/setup_db_{{pleroma_instance}}.psql" + changed_when: false + +- name: download and unarchive pleroma release + become: yes + unarchive: + src: "{{pleroma_download_url}}" + dest: "/tmp/" + remote_src: yes + creates: "/tmp/release" + notify: restart pleroma instance + +- name: install pleroma release + become: yes + copy: remote_src="True" src="/tmp/release/" dest="/opt/pleroma/" owner="pleroma" group="pleroma" + notify: restart pleroma instance + +- name: remove tmp release folder + become: yes + file: path="{{item}}" state="absent" + with_items: + - "/tmp/setup_db.psql" + - "/tmp/release/" + when: pleroma_cleanup_tmp + +- import_tasks: s3-backup.yaml + when: 
pleroma_s3_backup_enabled + +- name: configure pleroma systemd service + become: yes + copy: + src: "pleroma@.service" + dest: "/lib/systemd/system/pleroma@.service" + notify: restart pleroma instance + +- name: ensure pleroma instance is enabled and started + become: yes + systemd: name="pleroma@{{pleroma_instance}}.service" enabled="yes" state="started" + +- name: migrate db + become: yes + become_user: "pleroma" + command: "/opt/pleroma/bin/pleroma_ctl migrate" + args: + chdir: "/opt/pleroma/" + environment: + PLEROMA_CONFIG_PATH: "/etc/pleroma/{{pleroma_instance}}.config.exs" + changed_when: false diff --git a/pleroma-otp/tasks/s3-backup.yaml b/pleroma-otp/tasks/s3-backup.yaml new file mode 100644 index 0000000..12eaded --- /dev/null +++ b/pleroma-otp/tasks/s3-backup.yaml @@ -0,0 +1,20 @@ +--- + +- name: create s3 backup shell script + become: yes + copy: + src: "pleroma-s3-backup.sh" + dest: "/usr/local/bin/pleroma-s3-backup.sh" + mode: "0755" + +- name: configure s3 backup systemd service + become: yes + copy: + src: "pleroma-s3-backup@.service" + dest: "/lib/systemd/system/pleroma-s3-backup@.service" + mode: "0644" + notify: restart pleroma instance s3 backup + +- name: ensure s3 backup is enabled + become: yes + systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" diff --git a/pleroma-otp/templates/config.exs.j2 b/pleroma-otp/templates/config.exs.j2 new file mode 100644 index 0000000..d94be00 --- /dev/null +++ b/pleroma-otp/templates/config.exs.j2 
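Review bot: The "remove tmp release folder" task lists `/tmp/setup_db.psql`, but the schema file is rendered as `/tmp/setup_db_{{pleroma_instance}}.psql`, so the file holding the DB password is never cleaned up even with `pleroma_cleanup_tmp`; the list entry should read `- "/tmp/setup_db_{{pleroma_instance}}.psql"`. The release is unpacked into the shared /tmp with `creates: "/tmp/release"`, which means whatever already sits at that path on the host is what root copies into /opt/pleroma; a root-owned staging directory (for example one created with the `tempfile` module or under /opt) avoids that, and if the download endpoint publishes a digest, fetching with `get_url` and its `checksum:` option before `unarchive` would add integrity checking beyond TLS. The release is then installed with `owner="pleroma"`, so the service user can rewrite its own binaries, which undercuts the `NoNewPrivileges`/`ProtectSystem` hardening in pleroma@.service; installing as root with group `pleroma` and read-only permissions keeps the code immutable to the running service. The task list begins at the previous line of this page.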
@@ -0,0 +1,44 @@ +import Config + +config :pleroma, Pleroma.Web.Endpoint, + url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], + http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], + secret_key_base: "{{pleroma_secret_key}}", + secure_cookie_flag: true + +config :pleroma, :http_security, + enabled: true, + sts: true, + referrer_policy: "same-origin" + +config :pleroma, :instance, + name: "{{pleroma_instance_name}}", + description: "{{pleroma_desc}}", + email: "{{pleroma_admin_email}}", + limit: {{pleroma_char_limit}}, + registrations_open: {{pleroma_signup_open}}, + invites_enabled: {{pleroma_invites_enabled}}, + static_dir: "{{pleroma_data_dir}}/{{pleroma_instance}}/static/" + +config :pleroma, Pleroma.Upload, + uploader: Pleroma.Uploaders.Local, + filters: [Pleroma.Upload.Filter.Dedupe] + +config :pleroma, Pleroma.Uploaders.Local, + uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads/" + +config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + +# Configure your database +config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "{{pleroma_db_user}}", + password: "{{pleroma_db_passwd}}", + database: "{{pleroma_db}}", + hostname: "{{pleroma_db_host}}", + pool_size: 10, + timeout: 60000, + pool_timeout: 60000 diff --git a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 new file mode 100644 index 0000000..db4b255 --- /dev/null +++ b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 
@@ -0,0 +1,74 @@ +# default nginx site config for Pleroma +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it +# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. + +proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g + inactive=720m use_temp_path=off; + +server { + listen {{nginx_port}}; + # listen [::]:{{nginx_port}}; + server_name {{nginx_server_name}}; + return 301 https://$host$request_uri; +} + +# Enable SSL session caching for improved performance +ssl_session_cache shared:ssl_session_cache:10m; + +server { + listen {{nginx_ssl_port}} ssl http2; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + server_name {{nginx_server_name}}; + + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; + include /etc/letsencrypt/options-ssl-nginx.conf; + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; + ssl_stapling on; + ssl_stapling_verify on; + + add_header Strict-Transport-Security "max-age=31536000" always; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; + + # the nginx default is 1m, not enough for large media uploads + client_max_body_size 16m; + + location / { + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{pleroma_proxy_pass}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache {{pleroma_instance}}-pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{pleroma_proxy_pass}}; + } +} diff --git a/pleroma-otp/templates/pleroma.nginx.conf.j2 b/pleroma-otp/templates/pleroma.nginx.conf.j2 new file mode 100644 index 0000000..af066ea --- /dev/null +++ b/pleroma-otp/templates/pleroma.nginx.conf.j2 
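Review bot: nginx inherits `add_header` from the enclosing level only when the current level defines none, so with the header set as written `location /` replaces the server-level HSTS line (losing its `always`, hence no HSTS on error responses there) while `location /proxy` gets only that server-level HSTS and none of `X-Content-Type-Options nosniff`, `X-Frame-Options DENY` and the rest. The media proxy is the location that serves remote, user-controlled content, where those headers matter most. The same layout is in pleroma.nginx.conf.j2 below on this page. The header comment's step 2 ("Replace 'example.tld'") is also stale now that the template takes `{{nginx_server_name}}`. Suggested restructuring (pick whichever HSTS policy, with or without `includeSubDomains`, is intended):

```nginx
    # Hardening headers at server level with `always` so every location
    # (including /proxy) and every status code gets them; the location
    # blocks below must then define no add_header of their own.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy same-origin always;
    add_header X-Download-Options noopen always;

    # … unchanged: gzip settings, client_max_body_size …

    location / {
        proxy_http_version 1.1;
        # … unchanged: proxy_set_header lines, proxy_pass, client_max_body_size …
    }

    # … unchanged: location /proxy …
```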
@@ -0,0 +1,74 @@ +# default nginx site config for Pleroma +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it +# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. + +proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g + inactive=720m use_temp_path=off; + +server { + listen {{nginx_port}}; + # listen [::]:{{nginx_port}}; + server_name {{nginx_server_name}}; + return 301 https://$host$request_uri; +} + +# Enable SSL session caching for improved performance +ssl_session_cache shared:ssl_session_cache:10m; + +server { + listen {{nginx_ssl_port}} ssl http2; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + server_name {{nginx_server_name}}; + + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; + ssl_stapling on; + ssl_stapling_verify on; + + add_header Strict-Transport-Security "max-age=31536000" always; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; + + # the nginx default is 1m, not enough for large media uploads + client_max_body_size 16m; + + location / { + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{pleroma_proxy_pass}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache {{pleroma_instance}}-pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{pleroma_proxy_pass}}; + } +} diff --git a/pleroma-otp/templates/setup_db.psql.j2 b/pleroma-otp/templates/setup_db.psql.j2 new file mode 100644 index 0000000..1b27174 --- /dev/null +++ b/pleroma-otp/templates/setup_db.psql.j2 @@ -0,0 +1,7 @@ +CREATE USER {{pleroma_db_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'; +CREATE DATABASE {{pleroma_db}} WITH OWNER {{pleroma_db_user}}; +\c {{pleroma_db}}; +--Extensions made by ecto.migrate that need superuser access +CREATE EXTENSION IF NOT EXISTS citext; +CREATE EXTENSION IF NOT EXISTS pg_trgm; +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; diff --git a/postgresql/defaults/main.yaml b/postgresql/defaults/main.yaml new file mode 100644 index 0000000..ff230a9 --- /dev/null +++ b/postgresql/defaults/main.yaml @@ -0,0 +1,10 @@ +--- + +postgresql_version: "11" +postgresql_config_path: "/etc/postgresql/{{postgresql_version}}/main/postgresql.conf" +postgresql_data_dir: "/var/lib/postgresql/{{postgresql_version}}/main" +postgresql_apt_packages: + - "postgresql-{{postgresql_version}}" + - "pgcli" + - "postgresql-client" + - "postgresql-common" diff --git a/postgresql/handlers/main.yaml b/postgresql/handlers/main.yaml new file mode 100644 index 0000000..d2eb688 --- /dev/null +++ b/postgresql/handlers/main.yaml @@ -0,0 +1,5 @@ +--- + +- name: restart postgres + become: yes + systemd: name="postgresql" state="restarted" daemon_reload="yes" diff --git a/postgresql/tasks/main.yaml b/postgresql/tasks/main.yaml new file mode 100644 index 0000000..6195840 --- /dev/null 
+++ b/postgresql/tasks/main.yaml @@ -0,0 +1,27 @@ +--- + +- name: install postgresql + become: yes + apt: name="{{postgresql_apt_packages}}" + +- name: configure postgresql data dir + become: yes + lineinfile: + path: "{{postgresql_config_path}}" + regexp: "^data_directory = " + line: "data_directory = '{{postgresql_data_dir}}'" + notify: restart postgres + +- name: create postgresql data dir + become: yes + file: + path: "{{postgresql_data_dir}}" + state: "directory" + mode: "0700" + owner: "postgres" + group: "postgres" + notify: restart postgres + +- name: ensure postgresql is started + become: yes + systemd: name="postgresql" enabled="yes" state="started" diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml deleted file mode 100644 index c0db79d..0000000 --- a/roles/nginx/defaults/main.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -nginx_port: 80 -nginx_ssl_port: 443 -nginx_ssl_cert: "/etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem" -nginx_ssl_privkey: "/etc/letsencrypt/live/{{nginx_server_name}}/privkey.pem" -nginx_enable_certbot: No -nginx_server_name: "{{ansible_host}}" -nginx_conf_dst: "{{nginx_server_name}}.nginx.conf" -nginx_admin_email: "admin@{{nginx_server_name}}" diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml deleted file mode 100644 index 1feca07..0000000 --- a/roles/nginx/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: restart nginx - become: yes - systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml deleted file mode 100644 index 5cace24..0000000 --- a/roles/nginx/tasks/main.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- - -- name: install nginx packages - become: yes - apt: name="nginx" - -- name: install site - become: yes - template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" - notify: restart nginx - -- name: install nginx packages - become: yes - apt: name="python-certbot-nginx" - notify: restart nginx - when: nginx_enable_certbot - -- name: install certbot in nginx - become: yes - command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" - changed_when: false - when: nginx_enable_certbot - -- name: disable default site - become: yes - file: path="/etc/nginx/sites-enabled/default" state="absent" - notify: restart nginx - -- name: enable site - become: yes - file: - src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" - dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" - state: "link" - notify: restart nginx - -- name: enable nginx service - become: yes - systemd: name="nginx" enabled="yes" state="started" diff --git a/roles/pleroma-otp/defaults/main.yaml b/roles/pleroma-otp/defaults/main.yaml deleted file mode 100644 index 1726861..0000000 --- a/roles/pleroma-otp/defaults/main.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- - -pleroma_host: "localhost" -pleroma_port: 4000 -pleroma_scheme: "http" - -pleroma_proxy_pass: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}" - -pleroma_link_host: "localhost" -pleroma_link_port: "443" -pleroma_link_scheme: "https" - -pleroma_instance_name: "{{pleroma_link_host}}" -pleroma_desc: "A Pleroma fediverse instance." -pleroma_admin_email: "admin@{{pleroma_link_host}}" -pleroma_char_limit: 5000 -pleroma_signup_open: "true" -pleroma_db_host: "localhost" -pleroma_db_superuser: "postgres" - -pleroma_download_url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{pleroma_flavor}}" - -pleroma_db: "pleroma_{{pleroma_instance}}" -pleroma_db_user: "pleroma_{{pleroma_instance}}" -pleroma_data_dir: "/var/lib/pleroma/instance_data" - -pleroma_s3_backup_enabled: true -pleroma_cleanup_tmp: false diff --git a/roles/pleroma-otp/files/pleroma-s3-backup.sh b/roles/pleroma-otp/files/pleroma-s3-backup.sh deleted file mode 100644 index 7c1d6d3..0000000 --- a/roles/pleroma-otp/files/pleroma-s3-backup.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash - -INSTANCE=$1 -DATE=`date --iso-8601` - -BUCKET="pleroma-${INSTANCE//_/-}-backup" -BACKUP_DIR="/tmp/s3-backup/$BUCKET" -BACKUP_TAR="/tmp/s3-backup/$BUCKET-$DATE.tgz" - -DB_NAME="pleroma_$INSTANCE" -CONFIG="/etc/pleroma/$INSTANCE.config.exs" - -UPLOADS_DIR=`grep uploads $CONFIG | cut -d '"' -f 2` -STATIC_DIR=`grep static $CONFIG | cut -d '"' -f 2` - -mkdir -m 775 -p "$BACKUP_DIR/" -chown root:postgres "$BACKUP_DIR/" - -su postgres -c "pg_dump -d $DB_NAME --format=custom -f $BACKUP_DIR/$DB_NAME.pgdump" -cp $CONFIG "$BACKUP_DIR/" -cp -r $UPLOADS_DIR "$BACKUP_DIR/" -cp -r $STATIC_DIR "$BACKUP_DIR/" - -tar -zc -f $BACKUP_TAR $BACKUP_DIR -aws s3 mb "s3://$BUCKET/" -aws s3 cp $BACKUP_TAR "s3://$BUCKET/" diff --git a/roles/pleroma-otp/files/pleroma-s3-backup@.service b/roles/pleroma-otp/files/pleroma-s3-backup@.service deleted file mode 100644 index a64cae3..0000000 
--- a/roles/pleroma-otp/files/pleroma-s3-backup@.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Pleroma s3 backup for instance "%I" - -[Service] -Type=oneshot -ExecStart=/usr/local/bin/pleroma-s3-backup.sh %i - -[Install] -WantedBy=aws-s3-backup.target diff --git a/roles/pleroma-otp/files/pleroma@.service b/roles/pleroma-otp/files/pleroma@.service deleted file mode 100644 index 4967c63..0000000 --- a/roles/pleroma-otp/files/pleroma@.service +++ /dev/null @@ -1,35 +0,0 @@ -[Unit] -Description=Pleroma social network instance "%I" -After=network.target postgresql.service nginx.service - -[Service] -User=pleroma -WorkingDirectory=/opt/pleroma - -Environment="HOME=/opt/pleroma" -Environment="PLEROMA_CONFIG_PATH=/etc/pleroma/%i.config.exs" -Environment="PLUG_TMPDIR=/tmp/%i" -Environment="RELEASE_NODE=%i@127.0.0.1" - -ExecStart=/opt/pleroma/bin/pleroma start -ExecReload=/opt/pleroma/bin/pleroma stop - -KillMode=process -Restart=on-failure - -; Some security directives. -; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. -PrivateTmp=true -; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. -ProtectHome=true -; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. -ProtectSystem=full -; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. -PrivateDevices=false -; Ensures that the service process and all its children can never gain new privileges through execve(). -NoNewPrivileges=true -; Drops the sysadmin capability from the daemon. -CapabilityBoundingSet=~CAP_SYS_ADMIN - -[Install] -WantedBy=multi-user.target 
diff --git a/roles/pleroma-otp/handlers/main.yaml b/roles/pleroma-otp/handlers/main.yaml deleted file mode 100644 index 0fad634..0000000 --- a/roles/pleroma-otp/handlers/main.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: restart pleroma instance - become: yes - systemd: name="pleroma@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes" - -- name: restart pleroma instance s3 backup - become: yes - systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" daemon_reload="yes" diff --git a/roles/pleroma-otp/tasks/main.yaml b/roles/pleroma-otp/tasks/main.yaml deleted file mode 100644 index 115db24..0000000 --- a/roles/pleroma-otp/tasks/main.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- - -- name: add users - become: yes - user: name="pleroma" shell="/bin/false" home="/opt/pleroma" system="yes" - -- name: create config and data directory - become: yes - file: - path: "{{item}}" - state: "directory" - mode: "0755" - with_items: - - "{{pleroma_data_dir}}" - - "/etc/pleroma" - - "/opt/pleroma" - -- name: install pleroma config - template: - src: "config.exs.j2" - dest: "/etc/pleroma/{{pleroma_instance}}.config.exs" - owner: "pleroma" - group: "pleroma" - mode: "0600" - become: yes - notify: restart pleroma instance - -- name: create instance data directory - become: yes - file: - path: "{{item}}" - state: "directory" - owner: "pleroma" - group: "pleroma" - mode: "0755" - with_items: - - "{{pleroma_data_dir}}/{{pleroma_instance}}" - - "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads" - - "{{pleroma_data_dir}}/{{pleroma_instance}}/static" - - "{{pleroma_data_dir}}/{{pleroma_instance}}/static/emoji" - -- name: install pleroma db schema file - become: yes - template: - src: "setup_db.psql.j2" - dest: "/tmp/setup_db_{{pleroma_instance}}.psql" - owner: "{{pleroma_db_superuser}}" - group: "{{pleroma_db_superuser}}" - mode: "0600" - changed_when: false - -- name: install pleroma psql - become: yes - become_user: "{{pleroma_db_superuser}}" - command: "psql -f /tmp/setup_db_{{pleroma_instance}}.psql" - changed_when: false - -- name: download and unarchive pleroma release - become: yes - unarchive: - src: "{{pleroma_download_url}}" - dest: "/tmp/" - remote_src: yes - creates: "/tmp/release" - notify: restart pleroma instance - -- name: install pleroma release - become: yes - copy: remote_src="True" src="/tmp/release/" dest="/opt/pleroma/" owner="pleroma" group="pleroma" - notify: restart pleroma instance - -- name: remove tmp release folder - become: yes - file: path="{{item}}" state="absent" - with_items: - - "/tmp/setup_db.psql" - - "/tmp/release/" - when: pleroma_cleanup_tmp - -- import_tasks: s3-backup.yaml - when: 
pleroma_s3_backup_enabled - -- name: configure pleroma systemd service - become: yes - copy: - src: "pleroma@.service" - dest: "/lib/systemd/system/pleroma@.service" - notify: restart pleroma instance - -- name: ensure pleroma instance is enabled and started - become: yes - systemd: name="pleroma@{{pleroma_instance}}.service" enabled="yes" state="started" - -- name: migrate db - become: yes - become_user: "pleroma" - command: "/opt/pleroma/bin/pleroma_ctl migrate" - args: - chdir: "/opt/pleroma/" - environment: - PLEROMA_CONFIG_PATH: "/etc/pleroma/{{pleroma_instance}}.config.exs" - changed_when: false diff --git a/roles/pleroma-otp/tasks/s3-backup.yaml b/roles/pleroma-otp/tasks/s3-backup.yaml deleted file mode 100644 index 12eaded..0000000 --- a/roles/pleroma-otp/tasks/s3-backup.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: create s3 backup shell script - become: yes - copy: - src: "pleroma-s3-backup.sh" - dest: "/usr/local/bin/pleroma-s3-backup.sh" - mode: "0755" - -- name: configure s3 backup systemd service - become: yes - copy: - src: "pleroma-s3-backup@.service" - dest: "/lib/systemd/system/pleroma-s3-backup@.service" - mode: "0644" - notify: restart pleroma instance s3 backup - -- name: ensure s3 backup is enabled - become: yes - systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" diff --git a/roles/pleroma-otp/templates/config.exs.j2 b/roles/pleroma-otp/templates/config.exs.j2 deleted file mode 100644 index d94be00..0000000 --- a/roles/pleroma-otp/templates/config.exs.j2 +++ /dev/null 
@@ -1,44 +0,0 @@ -import Config - -config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], - http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], - secret_key_base: "{{pleroma_secret_key}}", - secure_cookie_flag: true - -config :pleroma, :http_security, - enabled: true, - sts: true, - referrer_policy: "same-origin" - -config :pleroma, :instance, - name: "{{pleroma_instance_name}}", - description: "{{pleroma_desc}}", - email: "{{pleroma_admin_email}}", - limit: {{pleroma_char_limit}}, - registrations_open: {{pleroma_signup_open}}, - invites_enabled: {{pleroma_invites_enabled}}, - static_dir: "{{pleroma_data_dir}}/{{pleroma_instance}}/static/" - -config :pleroma, Pleroma.Upload, - uploader: Pleroma.Uploaders.Local, - filters: [Pleroma.Upload.Filter.Dedupe] - -config :pleroma, Pleroma.Uploaders.Local, - uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads/" - -config :pleroma, :media_proxy, - enabled: false, - redirect_on_failure: true - #base_url: "https://cache.pleroma.social" - -# Configure your database -config :pleroma, Pleroma.Repo, - adapter: Ecto.Adapters.Postgres, - username: "{{pleroma_db_user}}", - password: "{{pleroma_db_passwd}}", - database: "{{pleroma_db}}", - hostname: "{{pleroma_db_host}}", - pool_size: 10, - timeout: 60000, - pool_timeout: 60000 diff --git a/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 deleted file mode 100644 index db4b255..0000000 --- a/roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 +++ /dev/null 
@@ -1,74 +0,0 @@ -# default nginx site config for Pleroma -# -# Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it -# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. - -proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g - inactive=720m use_temp_path=off; - -server { - listen {{nginx_port}}; - # listen [::]:{{nginx_port}}; - server_name {{nginx_server_name}}; - return 301 https://$host$request_uri; -} - -# Enable SSL session caching for improved performance -ssl_session_cache shared:ssl_session_cache:10m; - -server { - listen {{nginx_ssl_port}} ssl http2; - # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; - server_name {{nginx_server_name}}; - - ssl_certificate {{nginx_ssl_cert}}; - ssl_certificate_key {{nginx_ssl_privkey}}; - include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - ssl_stapling on; - ssl_stapling_verify on; - - add_header Strict-Transport-Security "max-age=31536000" always; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - # the nginx default is 1m, not enough for large media uploads - client_max_body_size 16m; - - location / { - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - - 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - - proxy_pass {{pleroma_proxy_pass}}; - - client_max_body_size 16m; - } - - location /proxy { - proxy_cache {{pleroma_instance}}-pleroma_media_cache; - proxy_cache_lock on; - proxy_ignore_client_abort on; - proxy_pass {{pleroma_proxy_pass}}; - } -} diff --git a/roles/pleroma-otp/templates/pleroma.nginx.conf.j2 b/roles/pleroma-otp/templates/pleroma.nginx.conf.j2 deleted file mode 100644 index 27c9165..0000000 --- a/roles/pleroma-otp/templates/pleroma.nginx.conf.j2 +++ /dev/null 
@@ -1,95 +0,0 @@ -# default nginx site config for Pleroma -# -# Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it -# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. - -proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g - inactive=720m use_temp_path=off; - -server { - listen {{nginx_port}}; - # listen [::]:{{nginx_port}}; - server_name {{nginx_server_name}}; - return 301 https://$server_name$request_uri; - - # Uncomment this if you need to use the 'webroot' method with certbot. Make sure - # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and - # that is is accessible by the webserver. You may need to load this file with the ssl - # server block commented out, run certbot to get the certificate, and then uncomment it. 
- # - # location ~ /\.well-known/acme-challenge { - # root /pleroma/priv/static/; - # } -} - -# Enable SSL session caching for improved performance -ssl_session_cache shared:ssl_session_cache:10m; - -server { - listen {{nginx_ssl_port}} ssl http2; - # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; - server_name {{nginx_server_name}}; - - ssl_certificate {{nginx_ssl_cert}}; - ssl_certificate_key {{nginx_ssl_privkey}}; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - ssl_stapling on; - ssl_stapling_verify on; - - add_header Strict-Transport-Security "max-age=31536000" always; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - # the nginx default is 1m, not enough for large media uploads - client_max_body_size 16m; - - location / { - # if you do not want remote frontends to be able to access your Pleroma backend - # server, remove these lines. - # add_header 'Access-Control-Allow-Origin' '*' always; - # add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; - # add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; - # add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; - # if ($request_method = OPTIONS) { - # return 204; - # } - # stop removing lines here. 
- - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - - # Uncomment this only after you get HTTPS working. - # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - - proxy_pass {{pleroma_proxy_pass}}; - - client_max_body_size 16m; - } - - location /proxy { - proxy_cache {{pleroma_instance}}-pleroma_media_cache; - proxy_cache_lock on; - proxy_ignore_client_abort on; - proxy_pass {{pleroma_proxy_pass}}; - } -} diff --git a/roles/pleroma-otp/templates/setup_db.psql.j2 b/roles/pleroma-otp/templates/setup_db.psql.j2 deleted file mode 100644 index 1b27174..0000000 --- a/roles/pleroma-otp/templates/setup_db.psql.j2 +++ /dev/null @@ -1,7 +0,0 @@ -CREATE USER {{pleroma_db_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'; -CREATE DATABASE {{pleroma_db}} WITH OWNER {{pleroma_db_user}}; -\c {{pleroma_db}}; ---Extensions made by ecto.migrate that need superuser access -CREATE EXTENSION IF NOT EXISTS citext; -CREATE EXTENSION IF NOT EXISTS pg_trgm; -CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; diff --git a/roles/postgresql/defaults/main.yaml b/roles/postgresql/defaults/main.yaml deleted file mode 100644 index ff230a9..0000000 --- a/roles/postgresql/defaults/main.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -postgresql_version: "11" -postgresql_config_path: "/etc/postgresql/{{postgresql_version}}/main/postgresql.conf" -postgresql_data_dir: "/var/lib/postgresql/{{postgresql_version}}/main" -postgresql_apt_packages: - - "postgresql-{{postgresql_version}}" - - "pgcli" - - "postgresql-client" - - "postgresql-common" 
diff --git a/roles/postgresql/handlers/main.yaml b/roles/postgresql/handlers/main.yaml deleted file mode 100644 index d2eb688..0000000 --- a/roles/postgresql/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: restart postgres - become: yes - systemd: name="postgresql" state="restarted" daemon_reload="yes" diff --git a/roles/postgresql/tasks/main.yaml b/roles/postgresql/tasks/main.yaml deleted file mode 100644 index 6195840..0000000 --- a/roles/postgresql/tasks/main.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: install postgresql - become: yes - apt: name="{{postgresql_apt_packages}}" - -- name: configure postgresql data dir - become: yes - lineinfile: - path: "{{postgresql_config_path}}" - regexp: "^data_directory = " - line: "data_directory = '{{postgresql_data_dir}}'" - notify: restart postgres - -- name: create postgresql data dir - become: yes - file: - path: "{{postgresql_data_dir}}" - state: "directory" - mode: "0700" - owner: "postgres" - group: "postgres" - notify: restart postgres - -- name: ensure postgresql is started - become: yes - systemd: name="postgresql" enabled="yes" state="started" -- cgit v1.2.3 From 61d5e897096e1fafe9cf51353f58624dfd9121f3 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sun, 26 Apr 2020 14:14:18 -0500 Subject: Remove openssl configs. --- pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 index db4b255..d8f538d 100644 --- a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 +++ b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 
@@ -26,7 +26,7 @@ server {
 
 ssl_certificate {{nginx_ssl_cert}};
 ssl_certificate_key {{nginx_ssl_privkey}};
- include /etc/letsencrypt/options-ssl-nginx.conf;
+ # include /etc/letsencrypt/options-ssl-nginx.conf;
 # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
 ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
-- cgit v1.2.3
From 62e5f815084c978783f9a1789da9a7506d96d6f5 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sat, 2 May 2020 18:37:45 -0500
Subject: Added pleroma web root.
---
 .../pleroma.cloudflare.index.nginx.conf.j2 | 79 ++++++++++++++++++++++
 .../templates/pleroma.cloudflare.nginx.conf.j2 | 15 ++--
 .../templates/pleroma.letsencrypt.nginx.conf.j2 | 74 ++++++++++++++++++++
 pleroma-otp/templates/pleroma.nginx.conf.j2 | 74 --------------------
 4 files changed, 163 insertions(+), 79 deletions(-)
 create mode 100644 pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
 create mode 100644 pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2
 delete mode 100644 pleroma-otp/templates/pleroma.nginx.conf.j2
diff --git a/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
new file mode 100644
index 0000000..dd32eae
--- /dev/null
+++ b/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
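Review bot: With `include /etc/letsencrypt/options-ssl-nginx.conf;` commented out, this server block no longer carries any `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers` directive, so the TLS policy between Cloudflare and the origin falls back to whatever the installed nginx build defaults to. The surviving `ssl_ecdh_curve` line restricts curves only and says nothing about protocol versions. If dropping the certbot-managed file is intended, pin the policy explicitly in its place, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;`. The enclosing `server` block starts and ends outside the hunk.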
@@ -0,0 +1,79 @@ +# default nginx site config for Pleroma +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it +# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. + +proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g + inactive=720m use_temp_path=off; + +server { + listen {{nginx_port}}; + # listen [::]:{{nginx_port}}; + server_name {{nginx_server_name}}; + return 301 https://$host$request_uri; +} + +# Enable SSL session caching for improved performance +ssl_session_cache shared:ssl_session_cache:10m; + +server { + listen {{nginx_ssl_port}} ssl http2; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + server_name {{nginx_server_name}}; + + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; + ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; + + # the nginx default is 1m, not enough for large media uploads + client_max_body_size 16m; + + root {{nginx_html_root}}; + + location = / { + index index.html; + } + + location / { + try_files $uri @pleroma; + } + + location @pleroma { + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + add_header 
Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{pleroma_proxy_pass}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache {{pleroma_instance}}-pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{pleroma_proxy_pass}}; + } +} diff --git a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 index d8f538d..dd32eae 100644 --- a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 +++ b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 @@ -26,12 +26,7 @@ server { ssl_certificate {{nginx_ssl_cert}}; ssl_certificate_key {{nginx_ssl_privkey}}; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - ssl_stapling on; - ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=31536000" always; @@ -45,7 +40,17 @@ server { # the nginx default is 1m, not enough for large media uploads client_max_body_size 16m; + root {{nginx_html_root}}; + + location = / { + index index.html; + } + location / { + try_files $uri @pleroma; + } + + location @pleroma { add_header X-XSS-Protection "1; mode=block"; add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options DENY; diff --git a/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 b/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 new file mode 100644 index 0000000..af066ea --- /dev/null +++ b/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 
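Review bot: Inside `location @pleroma` the `add_header` directives replace rather than extend the server-level set, so the server-level `Strict-Transport-Security "max-age=31536000" always` does not apply to proxied responses, and the location-level `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";` is only emitted on 2xx/3xx responses because it lacks `always` — error responses from the backend go out without HSTS. Change it to `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (and consider `always` on the other security headers if error pages should carry them too). The same pattern appears in `location /` of the new pleroma.letsencrypt.nginx.conf.j2 added in this commit. Separately, `location /proxy` defines no `add_header` of its own, so it inherits only the server-level header and none of the X-Frame-Options/nosniff set — presumably acceptable for media, but worth confirming.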
@@ -0,0 +1,74 @@ +# default nginx site config for Pleroma +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it +# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. + +proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g + inactive=720m use_temp_path=off; + +server { + listen {{nginx_port}}; + # listen [::]:{{nginx_port}}; + server_name {{nginx_server_name}}; + return 301 https://$host$request_uri; +} + +# Enable SSL session caching for improved performance +ssl_session_cache shared:ssl_session_cache:10m; + +server { + listen {{nginx_ssl_port}} ssl http2; + # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; + server_name {{nginx_server_name}}; + + ssl_certificate {{nginx_ssl_cert}}; + ssl_certificate_key {{nginx_ssl_privkey}}; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; + ssl_stapling on; + ssl_stapling_verify on; + + add_header Strict-Transport-Security "max-age=31536000" always; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; + + # the nginx default is 1m, not enough for large media uploads + client_max_body_size 16m; + + location / { + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_pass {{pleroma_proxy_pass}}; + + client_max_body_size 16m; + } + + location /proxy { + proxy_cache {{pleroma_instance}}-pleroma_media_cache; + proxy_cache_lock on; + proxy_ignore_client_abort on; + proxy_pass {{pleroma_proxy_pass}}; + } +} diff --git a/pleroma-otp/templates/pleroma.nginx.conf.j2 b/pleroma-otp/templates/pleroma.nginx.conf.j2 deleted file mode 100644 index af066ea..0000000 --- a/pleroma-otp/templates/pleroma.nginx.conf.j2 +++ /dev/null 
@@ -1,74 +0,0 @@ -# default nginx site config for Pleroma -# -# Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it -# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. - -proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g - inactive=720m use_temp_path=off; - -server { - listen {{nginx_port}}; - # listen [::]:{{nginx_port}}; - server_name {{nginx_server_name}}; - return 301 https://$host$request_uri; -} - -# Enable SSL session caching for improved performance -ssl_session_cache shared:ssl_session_cache:10m; - -server { - listen {{nginx_ssl_port}} ssl http2; - # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on; - server_name {{nginx_server_name}}; - - ssl_certificate {{nginx_ssl_cert}}; - ssl_certificate_key {{nginx_ssl_privkey}}; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - ssl_stapling on; - ssl_stapling_verify on; - - add_header Strict-Transport-Security "max-age=31536000" always; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - # the nginx default is 1m, not enough for large media uploads - client_max_body_size 16m; - - location / { - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - - 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - - proxy_pass {{pleroma_proxy_pass}}; - - client_max_body_size 16m; - } - - location /proxy { - proxy_cache {{pleroma_instance}}-pleroma_media_cache; - proxy_cache_lock on; - proxy_ignore_client_abort on; - proxy_pass {{pleroma_proxy_pass}}; - } -} -- cgit v1.2.3 From df97a42c72803b02fd768c8279185ddf911f4c2b Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Mon, 4 May 2020 17:47:21 -0500 Subject: Removed static hosting from cf nginx. --- pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 index dd32eae..5c69a5c 100644 --- a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 +++ b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 @@ -40,17 +40,7 @@ server { # the nginx default is 1m, not enough for large media uploads client_max_body_size 16m; - root {{nginx_html_root}}; - - location = / { - index index.html; - } - location / { - try_files $uri @pleroma; - } - - location @pleroma { add_header X-XSS-Protection "1; mode=block"; add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options DENY; -- cgit v1.2.3 From 7d94eaf442cd713d1e9a5c8467c552b736c4d907 Mon Sep 17 00:00:00 2001 From: Luke Hoersten Date: Sat, 16 May 2020 10:23:19 -0500 Subject: Minor style change. --- pleroma-otp/tasks/main.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pleroma-otp/tasks/main.yaml b/pleroma-otp/tasks/main.yaml index 115db24..68bc1c8 100644 --- a/pleroma-otp/tasks/main.yaml +++ b/pleroma-otp/tasks/main.yaml 
@@ -66,7 +66,12 @@
 
 - name: install pleroma release
 become: yes
- copy: remote_src="True" src="/tmp/release/" dest="/opt/pleroma/" owner="pleroma" group="pleroma"
+ copy:
+ remote_src: true
+ src: "/tmp/release/"
+ dest: "/opt/pleroma/"
+ owner: "pleroma"
+ group: "pleroma"
 notify: restart pleroma instance
 
 - name: remove tmp release folder
-- cgit v1.2.3
From d8965efa679aad0ee0db05459b4bff158a8c5f19 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sat, 16 May 2020 12:57:37 -0500
Subject: Made pleroma role idempotent.
---
 pleroma-otp/tasks/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pleroma-otp/tasks/main.yaml b/pleroma-otp/tasks/main.yaml
index 68bc1c8..66fe10f 100644
--- a/pleroma-otp/tasks/main.yaml
+++ b/pleroma-otp/tasks/main.yaml
@@ -72,7 +72,7 @@
 dest: "/opt/pleroma/"
 owner: "pleroma"
 group: "pleroma"
- notify: restart pleroma instance
+ changed_when: false
 
 - name: remove tmp release folder
 become: yes
-- cgit v1.2.3
From ec4bb6bcf789d0312e35ddfa96780931c3b446ea Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Mon, 8 Jun 2020 17:18:28 -0500
Subject: Changed index to www redirect.
---
 pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
index dd32eae..0594f81 100644
--- a/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
+++ b/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
@@ -40,10 +40,8 @@ server {
 # the nginx default is 1m, not enough for large media uploads
 client_max_body_size 16m;
 
- root {{nginx_html_root}};
-
 location = / {
- index index.html;
+ return 301 http://www.$host$request_uri;
 }
 
 location / {
-- cgit v1.2.3
From 123969bbffd4979597826634cef2dcd2cf364456 Mon Sep 17 00:00:00 2001
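Review bot: Replacing `notify: restart pleroma instance` with `changed_when: false` on the release copy task (hunk `@@ -72,7 +72,7 @@`) hides a real change: when `/tmp/release/` holds a new build, `/opt/pleroma/` is overwritten but the task reports ok and no handler is queued from here. A restart now depends entirely on the earlier unarchive task's notify, which lies outside this hunk and only fires while its `creates` path is absent, so an interrupted run can leave new files on disk with the old release still running. If the motivation is that a directory copy with `remote_src` reports changed on every run, a more accurate fix is to gate the copy on the download result while keeping the notify: `register: pleroma_release` on the unarchive task, then `when: pleroma_release.changed` and `notify: restart pleroma instance` here. The task's `name:` and `copy:` lines are outside the hunk.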
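Review bot: The new `return 301 http://www.$host$request_uri;` in `location = /` (hunk `@@ -40,10 +40,8 @@`) lives in the TLS server block but sends the client to a plain-http URL, so a visitor who arrived over HTTPS is bounced through cleartext before the port-80 block (outside this hunk) redirects back to https. The server-level HSTS header in this file is `max-age=31536000` without `includeSubDomains`, and `www.$host` is a different host, so unless www carries its own policy the browser really does make that cleartext request. Use `return 301 https://www.$host$request_uri;` so the redirect stays on TLS.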
From: Luke Hoersten Date: Tue, 9 Jun 2020 19:21:58 -0500 Subject: Moved postgres and nginx roles to ansible-roles. --- nginx/defaults/main.yaml | 10 ---------- nginx/handlers/main.yaml | 5 ----- nginx/tasks/main.yaml | 39 --------------------------------------- postgresql/defaults/main.yaml | 10 ---------- postgresql/handlers/main.yaml | 5 ----- postgresql/tasks/main.yaml | 27 --------------------------- 6 files changed, 96 deletions(-) delete mode 100644 nginx/defaults/main.yaml delete mode 100644 nginx/handlers/main.yaml delete mode 100644 nginx/tasks/main.yaml delete mode 100644 postgresql/defaults/main.yaml delete mode 100644 postgresql/handlers/main.yaml delete mode 100644 postgresql/tasks/main.yaml diff --git a/nginx/defaults/main.yaml b/nginx/defaults/main.yaml deleted file mode 100644 index c0db79d..0000000 --- a/nginx/defaults/main.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -nginx_port: 80 -nginx_ssl_port: 443 -nginx_ssl_cert: "/etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem" -nginx_ssl_privkey: "/etc/letsencrypt/live/{{nginx_server_name}}/privkey.pem" -nginx_enable_certbot: No -nginx_server_name: "{{ansible_host}}" -nginx_conf_dst: "{{nginx_server_name}}.nginx.conf" -nginx_admin_email: "admin@{{nginx_server_name}}" diff --git a/nginx/handlers/main.yaml b/nginx/handlers/main.yaml deleted file mode 100644 index 1feca07..0000000 --- a/nginx/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: restart nginx - become: yes - systemd: name="nginx" state="restarted" daemon_reload="yes" diff --git a/nginx/tasks/main.yaml b/nginx/tasks/main.yaml deleted file mode 100644 index 5cace24..0000000 --- a/nginx/tasks/main.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- - -- name: install nginx packages - become: yes - apt: name="nginx" - -- name: install site - become: yes - template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}" - notify: restart nginx - -- name: install nginx packages - become: yes - apt: name="python-certbot-nginx" - notify: restart nginx - when: nginx_enable_certbot - -- name: install certbot in nginx - become: yes - command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}" - changed_when: false - when: nginx_enable_certbot - -- name: disable default site - become: yes - file: path="/etc/nginx/sites-enabled/default" state="absent" - notify: restart nginx - -- name: enable site - become: yes - file: - src: "/etc/nginx/sites-available/{{nginx_conf_dst}}" - dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}" - state: "link" - notify: restart nginx - -- name: enable nginx service - become: yes - systemd: name="nginx" enabled="yes" state="started" diff --git a/postgresql/defaults/main.yaml b/postgresql/defaults/main.yaml deleted file mode 100644 index ff230a9..0000000 --- a/postgresql/defaults/main.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -postgresql_version: "11" -postgresql_config_path: "/etc/postgresql/{{postgresql_version}}/main/postgresql.conf" -postgresql_data_dir: "/var/lib/postgresql/{{postgresql_version}}/main" -postgresql_apt_packages: - - "postgresql-{{postgresql_version}}" - - "pgcli" - - "postgresql-client" - - "postgresql-common" diff --git a/postgresql/handlers/main.yaml b/postgresql/handlers/main.yaml deleted file mode 100644 index d2eb688..0000000 --- a/postgresql/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: restart postgres - become: yes - systemd: name="postgresql" state="restarted" daemon_reload="yes" diff --git a/postgresql/tasks/main.yaml b/postgresql/tasks/main.yaml deleted file mode 100644 index 6195840..0000000 --- a/postgresql/tasks/main.yaml +++ /dev/null 
@@ -1,27 +0,0 @@
----
-
-- name: install postgresql
- become: yes
- apt: name="{{postgresql_apt_packages}}"
-
-- name: configure postgresql data dir
- become: yes
- lineinfile:
- path: "{{postgresql_config_path}}"
- regexp: "^data_directory = "
- line: "data_directory = '{{postgresql_data_dir}}'"
- notify: restart postgres
-
-- name: create postgresql data dir
- become: yes
- file:
- path: "{{postgresql_data_dir}}"
- state: "directory"
- mode: "0700"
- owner: "postgres"
- group: "postgres"
- notify: restart postgres
-
-- name: ensure postgresql is started
- become: yes
- systemd: name="postgresql" enabled="yes" state="started"
-- cgit v1.2.3
From 69d81dc21078452b46e79b9c93882f98b9bf28d6 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 14 Jun 2020 09:36:33 -0500
Subject: Added dep for ubuntu
---
 pleroma-otp/tasks/main.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pleroma-otp/tasks/main.yaml b/pleroma-otp/tasks/main.yaml
index 66fe10f..8a1e032 100644
--- a/pleroma-otp/tasks/main.yaml
+++ b/pleroma-otp/tasks/main.yaml
@@ -4,6 +4,10 @@
 become: yes
 user: name="pleroma" shell="/bin/false" home="/opt/pleroma" system="yes"
+- name: apt install pleroma dependencies
+ become: yes
+ apt: name="libtinfo5"
+
 - name: create config and data directory
 become: yes
 file:
-- cgit v1.2.3
From 3d9e1d8d39686d3ccffb90ff52bcda399e68bc7c Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Tue, 16 Jun 2020 10:54:59 -0500
Subject: Updated for better nginx usage.
---
 pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 | 6 ++----
 pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 | 6 ++----
 pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 | 6 ++----
 3 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
index 0594f81..20ccc78 100644
--- a/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
+++ b/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2
@@ -10,8 +10,7 @@ proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_z
 inactive=720m use_temp_path=off;
 server {
- listen {{nginx_port}};
- # listen [::]:{{nginx_port}};
+ listen 80;
 server_name {{nginx_server_name}};
 return 301 https://$host$request_uri;
 }
@@ -20,8 +19,7 @@ server {
 ssl_session_cache shared:ssl_session_cache:10m;
 server {
- listen {{nginx_ssl_port}} ssl http2;
- # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
+ listen 443 ssl http2;
 server_name {{nginx_server_name}};
 ssl_certificate {{nginx_ssl_cert}};
diff --git a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
index 5c69a5c..e64b00c 100644
--- a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
+++ b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
@@ -10,8 +10,7 @@ proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_z
 inactive=720m use_temp_path=off;
 server {
- listen {{nginx_port}};
- # listen [::]:{{nginx_port}};
+ listen 80;
 server_name {{nginx_server_name}};
 return 301 https://$host$request_uri;
 }
@@ -20,8 +19,7 @@ server {
 ssl_session_cache shared:ssl_session_cache:10m;
 server {
- listen {{nginx_ssl_port}} ssl http2;
- # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
+ listen 443 ssl http2;
 server_name {{nginx_server_name}};
 ssl_certificate {{nginx_ssl_cert}};
diff --git a/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 b/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2
index af066ea..5a43748 100644
--- a/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2
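Review bot: Replacing `listen {{nginx_port}};` and `listen {{nginx_ssl_port}} ssl http2;` with fixed ports also deletes the only `listen [::]:…` lines the templates had, so neither the redirect block nor the TLS block will ever bind IPv6 and a dual-stack host answers only on v4. Add the v6 listener next to each fixed one, `listen [::]:80;` in the redirect block and `listen [::]:443 ssl http2;` in the TLS block (the `ipv6only=on` from the removed comment is nginx's default and can be left out). Hard-coding the ports is consistent with the nginx role defaults that defined `nginx_port`/`nginx_ssl_port` having been removed earlier on this page, so nothing else needs to change. The same four-line edit is repeated in the cloudflare.nginx.conf.j2 hunks on this line and in the letsencrypt template below.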
@@ -10,8 +10,7 @@ proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_z
 inactive=720m use_temp_path=off;
 server {
- listen {{nginx_port}};
- # listen [::]:{{nginx_port}};
+ listen 80;
 server_name {{nginx_server_name}};
 return 301 https://$host$request_uri;
 }
@@ -20,8 +19,7 @@ server {
 ssl_session_cache shared:ssl_session_cache:10m;
 server {
- listen {{nginx_ssl_port}} ssl http2;
- # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
+ listen 443 ssl http2;
 server_name {{nginx_server_name}};
 ssl_certificate {{nginx_ssl_cert}};
-- cgit v1.2.3
From d5a690b1e03a998510d48d2f39d1a224c64d82ff Mon Sep 17 00:00:00 2001
From: Luke Hoersten Date: Wed, 1 Jul 2020 12:16:48 -0500 Subject: Split out aws s3 and otp roles. --- pleroma-otp/defaults/main.yaml | 28 ------ pleroma-otp/files/pleroma-s3-backup.sh | 26 ----- pleroma-otp/files/pleroma-s3-backup@.service | 9 -- pleroma-otp/files/pleroma@.service | 35 ------- pleroma-otp/handlers/main.yaml | 9 -- pleroma-otp/tasks/main.yaml | 111 --------------------- pleroma-otp/tasks/s3-backup.yaml | 20 ---- pleroma-otp/templates/config.exs.j2 | 44 -------- .../pleroma.cloudflare.index.nginx.conf.j2 | 75 -------------- .../templates/pleroma.cloudflare.nginx.conf.j2 | 67 ------------- .../templates/pleroma.letsencrypt.nginx.conf.j2 | 72 ------------- pleroma-otp/templates/setup_db.psql.j2 | 7 -- pleroma/aws-s3-backup/files/pleroma-s3-backup.sh | 26 +++++ .../aws-s3-backup/files/pleroma-s3-backup@.service | 9 ++ pleroma/aws-s3-backup/meta/main.yaml | 4 + pleroma/aws-s3-backup/tasks/main.yaml | 20 ++++ pleroma/otp/defaults/main.yaml | 27 +++++ pleroma/otp/files/pleroma@.service | 35 +++++++ pleroma/otp/handlers/main.yaml | 9 ++ pleroma/otp/tasks/main.yaml | 108 ++++++++++++++++++++ pleroma/otp/templates/config.exs.j2 | 44 ++++++++ .../pleroma.cloudflare.index.nginx.conf.j2 | 75 ++++++++++++++ .../otp/templates/pleroma.cloudflare.nginx.conf.j2 | 67 +++++++++++++ .../templates/pleroma.letsencrypt.nginx.conf.j2 | 72 +++++++++++++ pleroma/otp/templates/setup_db.psql.j2 | 7 ++ 25 files changed, 503 insertions(+), 503 deletions(-) delete mode 100644 pleroma-otp/defaults/main.yaml delete mode 100644 pleroma-otp/files/pleroma-s3-backup.sh delete mode 100644 pleroma-otp/files/pleroma-s3-backup@.service delete mode 100644 pleroma-otp/files/pleroma@.service delete mode 100644 pleroma-otp/handlers/main.yaml delete mode 100644 pleroma-otp/tasks/main.yaml delete mode 100644 pleroma-otp/tasks/s3-backup.yaml delete mode 100644 pleroma-otp/templates/config.exs.j2 delete mode 100644 pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 delete mode 100644 
pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 delete mode 100644 pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 delete mode 100644 pleroma-otp/templates/setup_db.psql.j2 create mode 100644 pleroma/aws-s3-backup/files/pleroma-s3-backup.sh create mode 100644 pleroma/aws-s3-backup/files/pleroma-s3-backup@.service create mode 100644 pleroma/aws-s3-backup/meta/main.yaml create mode 100644 pleroma/aws-s3-backup/tasks/main.yaml create mode 100644 pleroma/otp/defaults/main.yaml create mode 100644 pleroma/otp/files/pleroma@.service create mode 100644 pleroma/otp/handlers/main.yaml create mode 100644 pleroma/otp/tasks/main.yaml create mode 100644 pleroma/otp/templates/config.exs.j2 create mode 100644 pleroma/otp/templates/pleroma.cloudflare.index.nginx.conf.j2 create mode 100644 pleroma/otp/templates/pleroma.cloudflare.nginx.conf.j2 create mode 100644 pleroma/otp/templates/pleroma.letsencrypt.nginx.conf.j2 create mode 100644 pleroma/otp/templates/setup_db.psql.j2 diff --git a/pleroma-otp/defaults/main.yaml b/pleroma-otp/defaults/main.yaml deleted file mode 100644 index 1726861..0000000 --- a/pleroma-otp/defaults/main.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- - -pleroma_host: "localhost" -pleroma_port: 4000 -pleroma_scheme: "http" - -pleroma_proxy_pass: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}" - -pleroma_link_host: "localhost" -pleroma_link_port: "443" -pleroma_link_scheme: "https" - -pleroma_instance_name: "{{pleroma_link_host}}" -pleroma_desc: "A Pleroma fediverse instance." -pleroma_admin_email: "admin@{{pleroma_link_host}}" -pleroma_char_limit: 5000 -pleroma_signup_open: "true" -pleroma_db_host: "localhost" -pleroma_db_superuser: "postgres" - -pleroma_download_url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{pleroma_flavor}}" - -pleroma_db: "pleroma_{{pleroma_instance}}" -pleroma_db_user: "pleroma_{{pleroma_instance}}" -pleroma_data_dir: "/var/lib/pleroma/instance_data" - -pleroma_s3_backup_enabled: true -pleroma_cleanup_tmp: false diff --git a/pleroma-otp/files/pleroma-s3-backup.sh b/pleroma-otp/files/pleroma-s3-backup.sh deleted file mode 100644 index 7c1d6d3..0000000 --- a/pleroma-otp/files/pleroma-s3-backup.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash - -INSTANCE=$1 -DATE=`date --iso-8601` - -BUCKET="pleroma-${INSTANCE//_/-}-backup" -BACKUP_DIR="/tmp/s3-backup/$BUCKET" -BACKUP_TAR="/tmp/s3-backup/$BUCKET-$DATE.tgz" - -DB_NAME="pleroma_$INSTANCE" -CONFIG="/etc/pleroma/$INSTANCE.config.exs" - -UPLOADS_DIR=`grep uploads $CONFIG | cut -d '"' -f 2` -STATIC_DIR=`grep static $CONFIG | cut -d '"' -f 2` - -mkdir -m 775 -p "$BACKUP_DIR/" -chown root:postgres "$BACKUP_DIR/" - -su postgres -c "pg_dump -d $DB_NAME --format=custom -f $BACKUP_DIR/$DB_NAME.pgdump" -cp $CONFIG "$BACKUP_DIR/" -cp -r $UPLOADS_DIR "$BACKUP_DIR/" -cp -r $STATIC_DIR "$BACKUP_DIR/" - -tar -zc -f $BACKUP_TAR $BACKUP_DIR -aws s3 mb "s3://$BUCKET/" -aws s3 cp $BACKUP_TAR "s3://$BUCKET/" diff --git a/pleroma-otp/files/pleroma-s3-backup@.service b/pleroma-otp/files/pleroma-s3-backup@.service deleted file mode 100644 index a64cae3..0000000 
--- a/pleroma-otp/files/pleroma-s3-backup@.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Pleroma s3 backup for instance "%I" - -[Service] -Type=oneshot -ExecStart=/usr/local/bin/pleroma-s3-backup.sh %i - -[Install] -WantedBy=aws-s3-backup.target diff --git a/pleroma-otp/files/pleroma@.service b/pleroma-otp/files/pleroma@.service deleted file mode 100644 index 4967c63..0000000 --- a/pleroma-otp/files/pleroma@.service +++ /dev/null @@ -1,35 +0,0 @@ -[Unit] -Description=Pleroma social network instance "%I" -After=network.target postgresql.service nginx.service - -[Service] -User=pleroma -WorkingDirectory=/opt/pleroma - -Environment="HOME=/opt/pleroma" -Environment="PLEROMA_CONFIG_PATH=/etc/pleroma/%i.config.exs" -Environment="PLUG_TMPDIR=/tmp/%i" -Environment="RELEASE_NODE=%i@127.0.0.1" - -ExecStart=/opt/pleroma/bin/pleroma start -ExecReload=/opt/pleroma/bin/pleroma stop - -KillMode=process -Restart=on-failure - -; Some security directives. -; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. -PrivateTmp=true -; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. -ProtectHome=true -; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. -ProtectSystem=full -; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. -PrivateDevices=false -; Ensures that the service process and all its children can never gain new privileges through execve(). -NoNewPrivileges=true -; Drops the sysadmin capability from the daemon. -CapabilityBoundingSet=~CAP_SYS_ADMIN - -[Install] -WantedBy=multi-user.target 
diff --git a/pleroma-otp/handlers/main.yaml b/pleroma-otp/handlers/main.yaml deleted file mode 100644 index 0fad634..0000000 --- a/pleroma-otp/handlers/main.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: restart pleroma instance - become: yes - systemd: name="pleroma@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes" - -- name: restart pleroma instance s3 backup - become: yes - systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" daemon_reload="yes" diff --git a/pleroma-otp/tasks/main.yaml b/pleroma-otp/tasks/main.yaml deleted file mode 100644 index 8a1e032..0000000 --- a/pleroma-otp/tasks/main.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ ---- - -- name: add users - become: yes - user: name="pleroma" shell="/bin/false" home="/opt/pleroma" system="yes" - -- name: apt install pleroma dependencies - become: yes - apt: name="libtinfo5" - -- name: create config and data directory - become: yes - file: - path: "{{item}}" - state: "directory" - mode: "0755" - with_items: - - "{{pleroma_data_dir}}" - - "/etc/pleroma" - - "/opt/pleroma" - -- name: install pleroma config - template: - src: "config.exs.j2" - dest: "/etc/pleroma/{{pleroma_instance}}.config.exs" - owner: "pleroma" - group: "pleroma" - mode: "0600" - become: yes - notify: restart pleroma instance - -- name: create instance data directory - become: yes - file: - path: "{{item}}" - state: "directory" - owner: "pleroma" - group: "pleroma" - mode: "0755" - with_items: - - "{{pleroma_data_dir}}/{{pleroma_instance}}" - - "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads" - - "{{pleroma_data_dir}}/{{pleroma_instance}}/static" - - "{{pleroma_data_dir}}/{{pleroma_instance}}/static/emoji" - -- name: install pleroma db schema file - become: yes - template: - src: "setup_db.psql.j2" - dest: "/tmp/setup_db_{{pleroma_instance}}.psql" - owner: "{{pleroma_db_superuser}}" - group: "{{pleroma_db_superuser}}" - mode: "0600" - changed_when: false - -- name: install pleroma psql - become: yes - become_user: "{{pleroma_db_superuser}}" - command: "psql -f /tmp/setup_db_{{pleroma_instance}}.psql" - changed_when: false - -- name: download and unarchive pleroma release - become: yes - unarchive: - src: "{{pleroma_download_url}}" - dest: "/tmp/" - remote_src: yes - creates: "/tmp/release" - notify: restart pleroma instance - -- name: install pleroma release - become: yes - copy: - remote_src: true - src: "/tmp/release/" - dest: "/opt/pleroma/" - owner: "pleroma" - group: "pleroma" - changed_when: false - -- name: remove tmp release folder - become: yes - file: path="{{item}}" state="absent" - with_items: - - "/tmp/setup_db.psql" - - "/tmp/release/" - 
when: pleroma_cleanup_tmp - -- import_tasks: s3-backup.yaml - when: pleroma_s3_backup_enabled - -- name: configure pleroma systemd service - become: yes - copy: - src: "pleroma@.service" - dest: "/lib/systemd/system/pleroma@.service" - notify: restart pleroma instance - -- name: ensure pleroma instance is enabled and started - become: yes - systemd: name="pleroma@{{pleroma_instance}}.service" enabled="yes" state="started" - -- name: migrate db - become: yes - become_user: "pleroma" - command: "/opt/pleroma/bin/pleroma_ctl migrate" - args: - chdir: "/opt/pleroma/" - environment: - PLEROMA_CONFIG_PATH: "/etc/pleroma/{{pleroma_instance}}.config.exs" - changed_when: false diff --git a/pleroma-otp/tasks/s3-backup.yaml b/pleroma-otp/tasks/s3-backup.yaml deleted file mode 100644 index 12eaded..0000000 --- a/pleroma-otp/tasks/s3-backup.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: create s3 backup shell script - become: yes - copy: - src: "pleroma-s3-backup.sh" - dest: "/usr/local/bin/pleroma-s3-backup.sh" - mode: "0755" - -- name: configure s3 backup systemd service - become: yes - copy: - src: "pleroma-s3-backup@.service" - dest: "/lib/systemd/system/pleroma-s3-backup@.service" - mode: "0644" - notify: restart pleroma instance s3 backup - -- name: ensure s3 backup is enabled - become: yes - systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" diff --git a/pleroma-otp/templates/config.exs.j2 b/pleroma-otp/templates/config.exs.j2 deleted file mode 100644 index d94be00..0000000 --- a/pleroma-otp/templates/config.exs.j2 +++ /dev/null 
@@ -1,44 +0,0 @@ -import Config - -config :pleroma, Pleroma.Web.Endpoint, - url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], - http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], - secret_key_base: "{{pleroma_secret_key}}", - secure_cookie_flag: true - -config :pleroma, :http_security, - enabled: true, - sts: true, - referrer_policy: "same-origin" - -config :pleroma, :instance, - name: "{{pleroma_instance_name}}", - description: "{{pleroma_desc}}", - email: "{{pleroma_admin_email}}", - limit: {{pleroma_char_limit}}, - registrations_open: {{pleroma_signup_open}}, - invites_enabled: {{pleroma_invites_enabled}}, - static_dir: "{{pleroma_data_dir}}/{{pleroma_instance}}/static/" - -config :pleroma, Pleroma.Upload, - uploader: Pleroma.Uploaders.Local, - filters: [Pleroma.Upload.Filter.Dedupe] - -config :pleroma, Pleroma.Uploaders.Local, - uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads/" - -config :pleroma, :media_proxy, - enabled: false, - redirect_on_failure: true - #base_url: "https://cache.pleroma.social" - -# Configure your database -config :pleroma, Pleroma.Repo, - adapter: Ecto.Adapters.Postgres, - username: "{{pleroma_db_user}}", - password: "{{pleroma_db_passwd}}", - database: "{{pleroma_db}}", - hostname: "{{pleroma_db_host}}", - pool_size: 10, - timeout: 60000, - pool_timeout: 60000 diff --git a/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 deleted file mode 100644 index 20ccc78..0000000 --- a/pleroma-otp/templates/pleroma.cloudflare.index.nginx.conf.j2 +++ /dev/null 
@@ -1,75 +0,0 @@ -# default nginx site config for Pleroma -# -# Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it -# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. - -proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g - inactive=720m use_temp_path=off; - -server { - listen 80; - server_name {{nginx_server_name}}; - return 301 https://$host$request_uri; -} - -# Enable SSL session caching for improved performance -ssl_session_cache shared:ssl_session_cache:10m; - -server { - listen 443 ssl http2; - server_name {{nginx_server_name}}; - - ssl_certificate {{nginx_ssl_cert}}; - ssl_certificate_key {{nginx_ssl_privkey}}; - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - - add_header Strict-Transport-Security "max-age=31536000" always; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - # the nginx default is 1m, not enough for large media uploads - client_max_body_size 16m; - - location = / { - return 301 http://www.$host$request_uri; - } - - location / { - try_files $uri @pleroma; - } - - location @pleroma { - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - - proxy_http_version 1.1; - proxy_set_header Upgrade 
$http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - - proxy_pass {{pleroma_proxy_pass}}; - - client_max_body_size 16m; - } - - location /proxy { - proxy_cache {{pleroma_instance}}-pleroma_media_cache; - proxy_cache_lock on; - proxy_ignore_client_abort on; - proxy_pass {{pleroma_proxy_pass}}; - } -} diff --git a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 b/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 deleted file mode 100644 index e64b00c..0000000 --- a/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2 +++ /dev/null 
@@ -1,67 +0,0 @@ -# default nginx site config for Pleroma -# -# Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it -# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. - -proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g - inactive=720m use_temp_path=off; - -server { - listen 80; - server_name {{nginx_server_name}}; - return 301 https://$host$request_uri; -} - -# Enable SSL session caching for improved performance -ssl_session_cache shared:ssl_session_cache:10m; - -server { - listen 443 ssl http2; - server_name {{nginx_server_name}}; - - ssl_certificate {{nginx_ssl_cert}}; - ssl_certificate_key {{nginx_ssl_privkey}}; - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - - add_header Strict-Transport-Security "max-age=31536000" always; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - # the nginx default is 1m, not enough for large media uploads - client_max_body_size 16m; - - location / { - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - - proxy_pass {{pleroma_proxy_pass}}; - 
- client_max_body_size 16m; - } - - location /proxy { - proxy_cache {{pleroma_instance}}-pleroma_media_cache; - proxy_cache_lock on; - proxy_ignore_client_abort on; - proxy_pass {{pleroma_proxy_pass}}; - } -} diff --git a/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 b/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 deleted file mode 100644 index 5a43748..0000000 --- a/pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2 +++ /dev/null 
@@ -1,72 +0,0 @@ -# default nginx site config for Pleroma -# -# Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it -# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. - -proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g - inactive=720m use_temp_path=off; - -server { - listen 80; - server_name {{nginx_server_name}}; - return 301 https://$host$request_uri; -} - -# Enable SSL session caching for improved performance -ssl_session_cache shared:ssl_session_cache:10m; - -server { - listen 443 ssl http2; - server_name {{nginx_server_name}}; - - ssl_certificate {{nginx_ssl_cert}}; - ssl_certificate_key {{nginx_ssl_privkey}}; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - ssl_stapling on; - ssl_stapling_verify on; - - add_header Strict-Transport-Security "max-age=31536000" always; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - # the nginx default is 1m, not enough for large media uploads - client_max_body_size 16m; - - location / { - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - - proxy_http_version 1.1; - 
proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
-
- proxy_pass {{pleroma_proxy_pass}};
-
- client_max_body_size 16m;
- }
-
- location /proxy {
- proxy_cache {{pleroma_instance}}-pleroma_media_cache;
- proxy_cache_lock on;
- proxy_ignore_client_abort on;
- proxy_pass {{pleroma_proxy_pass}};
- }
-}
diff --git a/pleroma-otp/templates/setup_db.psql.j2 b/pleroma-otp/templates/setup_db.psql.j2
deleted file mode 100644
index 1b27174..0000000
--- a/pleroma-otp/templates/setup_db.psql.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-CREATE USER {{pleroma_db_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}';
-CREATE DATABASE {{pleroma_db}} WITH OWNER {{pleroma_db_user}};
-\c {{pleroma_db}};
---Extensions made by ecto.migrate that need superuser access
-CREATE EXTENSION IF NOT EXISTS citext;
-CREATE EXTENSION IF NOT EXISTS pg_trgm;
-CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
diff --git a/pleroma/aws-s3-backup/files/pleroma-s3-backup.sh b/pleroma/aws-s3-backup/files/pleroma-s3-backup.sh
new file mode 100644
index 0000000..7c1d6d3
--- /dev/null
+++ b/pleroma/aws-s3-backup/files/pleroma-s3-backup.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+INSTANCE=$1
+DATE=`date --iso-8601`
+
+BUCKET="pleroma-${INSTANCE//_/-}-backup"
+BACKUP_DIR="/tmp/s3-backup/$BUCKET"
+BACKUP_TAR="/tmp/s3-backup/$BUCKET-$DATE.tgz"
+
+DB_NAME="pleroma_$INSTANCE"
+CONFIG="/etc/pleroma/$INSTANCE.config.exs"
+
+UPLOADS_DIR=`grep uploads $CONFIG | cut -d '"' -f 2`
+STATIC_DIR=`grep static $CONFIG | cut -d '"' -f 2`
+
+mkdir -m 775 -p "$BACKUP_DIR/"
+chown root:postgres "$BACKUP_DIR/"
+
+su postgres -c "pg_dump -d $DB_NAME --format=custom -f $BACKUP_DIR/$DB_NAME.pgdump"
+cp $CONFIG "$BACKUP_DIR/"
+cp -r $UPLOADS_DIR "$BACKUP_DIR/"
+cp -r $STATIC_DIR "$BACKUP_DIR/"
+
+tar -zc -f $BACKUP_TAR $BACKUP_DIR
+aws s3 mb "s3://$BUCKET/"
+aws s3 cp $BACKUP_TAR "s3://$BUCKET/"
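Review bot: The archive this script uploads contains `$CONFIG`, which per the config template on this page carries `secret_key_base` and the database password, plus a full pg_dump, yet `$BACKUP_TAR` is written under the default umask into the shared, predictable `/tmp/s3-backup/` path (the staging directory itself is `775`) and is left behind after the upload, so any local user can read the whole backup; and without `set -e` a failed `pg_dump` or `cp` still produces and uploads a partial archive. Every `$CONFIG`, `$UPLOADS_DIR`, `$STATIC_DIR` and `$BACKUP_TAR` expansion is also unquoted, so a path containing whitespace or a glob character is split. The rewrite below fails fast, stages in a private `mktemp -d` directory that is removed on exit, quotes the expansions and asks S3 for server-side encryption; `aws s3 mb` is allowed to fail because the bucket already exists on every run after the first. Note that archive entries become `<bucket>/…` rather than `tmp/s3-backup/<bucket>/…`, so adjust any restore procedure that relies on the old prefix.
```bash
#!/bin/bash
set -euo pipefail
umask 077

INSTANCE="$1"
# … unchanged: DATE, BUCKET, DB_NAME, CONFIG, UPLOADS_DIR, STATIC_DIR …

# private staging area, removed even when a step fails
BACKUP_ROOT="$(mktemp -d /tmp/s3-backup.XXXXXX)"
BACKUP_DIR="$BACKUP_ROOT/$BUCKET"
BACKUP_TAR="$BACKUP_ROOT/$BUCKET-$DATE.tgz"
trap 'rm -rf "$BACKUP_ROOT"' EXIT

# postgres must be able to traverse the mktemp dir to write the dump
chgrp postgres "$BACKUP_ROOT" && chmod 750 "$BACKUP_ROOT"
mkdir -m 770 "$BACKUP_DIR/"
chown root:postgres "$BACKUP_DIR/"

su postgres -c "pg_dump -d '$DB_NAME' --format=custom -f '$BACKUP_DIR/$DB_NAME.pgdump'"
cp "$CONFIG" "$BACKUP_DIR/"
cp -r "$UPLOADS_DIR" "$BACKUP_DIR/"
cp -r "$STATIC_DIR" "$BACKUP_DIR/"

# entries are <bucket>/..., not tmp/s3-backup/<bucket>/...
tar -zc -f "$BACKUP_TAR" -C "$BACKUP_ROOT" "$BUCKET"
aws s3 mb "s3://$BUCKET/" || true   # already exists after the first run
aws s3 cp --sse AES256 "$BACKUP_TAR" "s3://$BUCKET/"
```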
diff --git a/pleroma/aws-s3-backup/files/pleroma-s3-backup@.service b/pleroma/aws-s3-backup/files/pleroma-s3-backup@.service
new file mode 100644
index 0000000..a64cae3
--- /dev/null
+++ b/pleroma/aws-s3-backup/files/pleroma-s3-backup@.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Pleroma s3 backup for instance "%I"
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/pleroma-s3-backup.sh %i
+
+[Install]
+WantedBy=aws-s3-backup.target
diff --git a/pleroma/aws-s3-backup/meta/main.yaml b/pleroma/aws-s3-backup/meta/main.yaml
new file mode 100644
index 0000000..f9c6f63
--- /dev/null
+++ b/pleroma/aws-s3-backup/meta/main.yaml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+ - aws-s3-backup
diff --git a/pleroma/aws-s3-backup/tasks/main.yaml b/pleroma/aws-s3-backup/tasks/main.yaml
new file mode 100644
index 0000000..12eaded
--- /dev/null
+++ b/pleroma/aws-s3-backup/tasks/main.yaml
@@ -0,0 +1,20 @@
+---
+
+- name: create s3 backup shell script
+ become: yes
+ copy:
+ src: "pleroma-s3-backup.sh"
+ dest: "/usr/local/bin/pleroma-s3-backup.sh"
+ mode: "0755"
+
+- name: configure s3 backup systemd service
+ become: yes
+ copy:
+ src: "pleroma-s3-backup@.service"
+ dest: "/lib/systemd/system/pleroma-s3-backup@.service"
+ mode: "0644"
+ notify: restart pleroma instance s3 backup
+
+- name: ensure s3 backup is enabled
+ become: yes
+ systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes"
diff --git a/pleroma/otp/defaults/main.yaml b/pleroma/otp/defaults/main.yaml
new file mode 100644
index 0000000..464c829
--- /dev/null
+++ b/pleroma/otp/defaults/main.yaml
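Review bot: `notify: restart pleroma instance s3 backup` in tasks/main.yaml names a handler this role does not define — it is added in pleroma/otp/handlers/main.yaml further down this commit — and meta/main.yaml declares only `aws-s3-backup` as a dependency, so a play that applies pleroma/aws-s3-backup without also loading pleroma/otp will, if I read Ansible's handler scoping correctly, fail on that task with an unknown-handler error the first time the unit file changes. Move the handler into `pleroma/aws-s3-backup/handlers/main.yaml` next to the tasks that notify it. The unit's `WantedBy=aws-s3-backup.target` also presumes the dependency role installs that target, which nothing on this page shows; a one-line comment in the unit, `; aws-s3-backup.target is provided by the aws-s3-backup role`, would save the next reader the search.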
@@ -0,0 +1,27 @@
+---
+
+pleroma_host: "localhost"
+pleroma_port: 4000
+pleroma_scheme: "http"
+
+pleroma_proxy_pass: "{{pleroma_scheme}}://{{pleroma_host}}:{{pleroma_port}}"
+
+pleroma_link_host: "localhost"
+pleroma_link_port: "443"
+pleroma_link_scheme: "https"
+
+pleroma_instance_name: "{{pleroma_link_host}}"
+pleroma_desc: "A Pleroma fediverse instance."
+pleroma_admin_email: "admin@{{pleroma_link_host}}"
+pleroma_char_limit: 5000
+pleroma_signup_open: "true"
+pleroma_db_host: "localhost"
+pleroma_db_superuser: "postgres"
+
+pleroma_download_url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{pleroma_flavor}}"
+
+pleroma_db: "pleroma_{{pleroma_instance}}"
+pleroma_db_user: "pleroma_{{pleroma_instance}}"
+pleroma_data_dir: "/var/lib/pleroma/instance_data"
+
+pleroma_cleanup_tmp: false
diff --git a/pleroma/otp/files/pleroma@.service b/pleroma/otp/files/pleroma@.service
new file mode 100644
index 0000000..4967c63
--- /dev/null
+++ b/pleroma/otp/files/pleroma@.service
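Review bot: `pleroma_signup_open: "true"` makes open registration the default for every instance this role builds, which on a federated server is the setting most likely to attract spam accounts; `pleroma_signup_open: "false"` is the safer default and an operator can opt in per instance in inventory. The config.exs.j2 this role renders (the deleted copy above carries the same blob id) also reads `pleroma_invites_enabled`, `pleroma_secret_key`, `pleroma_db_passwd`, `pleroma_instance` and `pleroma_flavor`, none of which have a default here; the secrets and the instance name are rightly left to inventory, but `pleroma_invites_enabled` is an ordinary knob and should get a default such as `pleroma_invites_enabled: "true"` so the template does not fail on an undefined variable. Both values are strings substituted verbatim into Elixir, and a YAML boolean would presumably render as `True` there, so a comment `# quoted on purpose: rendered verbatim into config.exs` would stop someone "fixing" them.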
@@ -0,0 +1,35 @@
+[Unit]
+Description=Pleroma social network instance "%I"
+After=network.target postgresql.service nginx.service
+
+[Service]
+User=pleroma
+WorkingDirectory=/opt/pleroma
+
+Environment="HOME=/opt/pleroma"
+Environment="PLEROMA_CONFIG_PATH=/etc/pleroma/%i.config.exs"
+Environment="PLUG_TMPDIR=/tmp/%i"
+Environment="RELEASE_NODE=%i@127.0.0.1"
+
+ExecStart=/opt/pleroma/bin/pleroma start
+ExecReload=/opt/pleroma/bin/pleroma stop
+
+KillMode=process
+Restart=on-failure
+
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
+ProtectHome=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pleroma/otp/handlers/main.yaml b/pleroma/otp/handlers/main.yaml
new file mode 100644
index 0000000..0fad634
--- /dev/null
+++ b/pleroma/otp/handlers/main.yaml
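Review bot: `ExecReload=/opt/pleroma/bin/pleroma stop` turns `systemctl reload pleroma@x` into a shutdown, and because that stop is clean `Restart=on-failure` will not bring the instance back; unless the release offers a real reload command, drop the `ExecReload` line so systemd rejects reload as unsupported instead of silently taking the node down. The hardening block is a good start, but `ProtectSystem=full` still leaves /var and /opt writable; since the data lives under /var/lib/pleroma and the release under /opt/pleroma, `ProtectSystem=strict` with `ReadWritePaths=/var/lib/pleroma` (add /opt/pleroma only if the release writes there) would confine writes to the paths it actually needs — worth testing against the migrate step. `KillMode=process` also leaves any child processes of the release alive after stop; if there is no specific reason for it, the default `control-group` is the safer choice, and the reason should be stated in the comment block if there is one.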
@@ -0,0 +1,9 @@
+---
+
+- name: restart pleroma instance
+ become: yes
+ systemd: name="pleroma@{{pleroma_instance}}.service" state="restarted" daemon_reload="yes"
+
+- name: restart pleroma instance s3 backup
+ become: yes
+ systemd: name="pleroma-s3-backup@{{pleroma_instance}}.service" enabled="yes" daemon_reload="yes"
diff --git a/pleroma/otp/tasks/main.yaml b/pleroma/otp/tasks/main.yaml
new file mode 100644
index 0000000..c031666
--- /dev/null
+++ b/pleroma/otp/tasks/main.yaml
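Review bot: The handler named `restart pleroma instance s3 backup` never restarts or starts anything — it only sets `enabled="yes"` and runs a daemon-reload — so the name promises more than it does; for a `Type=oneshot` backup unit a real restart would kick off a backup on every config change, which is presumably why it was written this way. Either rename it (`reload pleroma instance s3 backup unit`) or keep the name and say why above it: `# oneshot unit pulled in by aws-s3-backup.target: only reload systemd so the new unit file is seen, never run a backup from a handler`. The neighbouring `restart pleroma instance` handler is fine as is.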
@@ -0,0 +1,108 @@
+---
+
+- name: add users
+ become: yes
+ user: name="pleroma" shell="/bin/false" home="/opt/pleroma" system="yes"
+
+- name: apt install pleroma dependencies
+ become: yes
+ apt: name="libtinfo5"
+
+- name: create config and data directory
+ become: yes
+ file:
+ path: "{{item}}"
+ state: "directory"
+ mode: "0755"
+ with_items:
+ - "{{pleroma_data_dir}}"
+ - "/etc/pleroma"
+ - "/opt/pleroma"
+
+- name: install pleroma config
+ template:
+ src: "config.exs.j2"
+ dest: "/etc/pleroma/{{pleroma_instance}}.config.exs"
+ owner: "pleroma"
+ group: "pleroma"
+ mode: "0600"
+ become: yes
+ notify: restart pleroma instance
+
+- name: create instance data directory
+ become: yes
+ file:
+ path: "{{item}}"
+ state: "directory"
+ owner: "pleroma"
+ group: "pleroma"
+ mode: "0755"
+ with_items:
+ - "{{pleroma_data_dir}}/{{pleroma_instance}}"
+ - "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads"
+ - "{{pleroma_data_dir}}/{{pleroma_instance}}/static"
+ - "{{pleroma_data_dir}}/{{pleroma_instance}}/static/emoji"
+
+- name: install pleroma db schema file
+ become: yes
+ template:
+ src: "setup_db.psql.j2"
+ dest: "/tmp/setup_db_{{pleroma_instance}}.psql"
+ owner: "{{pleroma_db_superuser}}"
+ group: "{{pleroma_db_superuser}}"
+ mode: "0600"
+ changed_when: false
+
+- name: install pleroma psql
+ become: yes
+ become_user: "{{pleroma_db_superuser}}"
+ command: "psql -f /tmp/setup_db_{{pleroma_instance}}.psql"
+ changed_when: false
+
+- name: download and unarchive pleroma release
+ become: yes
+ unarchive:
+ src: "{{pleroma_download_url}}"
+ dest: "/tmp/"
+ remote_src: yes
+ creates: "/tmp/release"
+ notify: restart pleroma instance
+
+- name: install pleroma release
+ become: yes
+ copy:
+ remote_src: true
+ src: "/tmp/release/"
+ dest: "/opt/pleroma/"
+ owner: "pleroma"
+ group: "pleroma"
+ changed_when: false
+
+- name: remove tmp release folder
+ become: yes
+ file: path="{{item}}" state="absent"
+ with_items:
+ - "/tmp/setup_db.psql"
+ - "/tmp/release/"
+ 
when: pleroma_cleanup_tmp
+
+- name: configure pleroma systemd service
+ become: yes
+ copy:
+ src: "pleroma@.service"
+ dest: "/lib/systemd/system/pleroma@.service"
+ notify: restart pleroma instance
+
+- name: ensure pleroma instance is enabled and started
+ become: yes
+ systemd: name="pleroma@{{pleroma_instance}}.service" enabled="yes" state="started"
+
+- name: migrate db
+ become: yes
+ become_user: "pleroma"
+ command: "/opt/pleroma/bin/pleroma_ctl migrate"
+ args:
+ chdir: "/opt/pleroma/"
+ environment:
+ PLEROMA_CONFIG_PATH: "/etc/pleroma/{{pleroma_instance}}.config.exs"
+ changed_when: false
diff --git a/pleroma/otp/templates/config.exs.j2 b/pleroma/otp/templates/config.exs.j2
new file mode 100644
index 0000000..d94be00
--- /dev/null
+++ b/pleroma/otp/templates/config.exs.j2
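Review bot: The cleanup task removes `/tmp/setup_db.psql`, but the file rendered earlier in this hunk is `/tmp/setup_db_{{pleroma_instance}}.psql`, so the SQL file carrying the database password is never deleted; the list entry should read `- "/tmp/setup_db_{{pleroma_instance}}.psql"`, and removal of that file should not be gated on `pleroma_cleanup_tmp`. The release is fetched from `{{pleroma_download_url}}` by `unarchive` with no integrity check, and `creates: "/tmp/release"` means any pre-existing directory at that predictable world-writable path is trusted and copied into `/opt/pleroma/` as-is; fetching with `get_url` and its `checksum` parameter into a root-owned private directory, then unarchiving from there, would close both gaps. The `copy` task also hands the whole release to `owner: "pleroma"`, the same user the unit runs as, so the service can rewrite its own code; keeping the release root-owned and granting the `pleroma` user write access only to the data directories created in this hunk is the least-privilege layout. The `when: pleroma_cleanup_tmp` at the top of this physical line belongs to the cleanup task that begins on the previous one.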
@@ -0,0 +1,44 @@
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+ url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}],
+ http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}],
+ secret_key_base: "{{pleroma_secret_key}}",
+ secure_cookie_flag: true
+
+config :pleroma, :http_security,
+ enabled: true,
+ sts: true,
+ referrer_policy: "same-origin"
+
+config :pleroma, :instance,
+ name: "{{pleroma_instance_name}}",
+ description: "{{pleroma_desc}}",
+ email: "{{pleroma_admin_email}}",
+ limit: {{pleroma_char_limit}},
+ registrations_open: {{pleroma_signup_open}},
+ invites_enabled: {{pleroma_invites_enabled}},
+ static_dir: "{{pleroma_data_dir}}/{{pleroma_instance}}/static/"
+
+config :pleroma, Pleroma.Upload,
+ uploader: Pleroma.Uploaders.Local,
+ filters: [Pleroma.Upload.Filter.Dedupe]
+
+config :pleroma, Pleroma.Uploaders.Local,
+ uploads: "{{pleroma_data_dir}}/{{pleroma_instance}}/uploads/"
+
+config :pleroma, :media_proxy,
+ enabled: false,
+ redirect_on_failure: true
+ #base_url: "https://cache.pleroma.social"
+
+# Configure your database
+config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ username: "{{pleroma_db_user}}",
+ password: "{{pleroma_db_passwd}}",
+ database: "{{pleroma_db}}",
+ hostname: "{{pleroma_db_host}}",
+ pool_size: 10,
+ timeout: 60000,
+ pool_timeout: 60000
diff --git a/pleroma/otp/templates/pleroma.cloudflare.index.nginx.conf.j2 b/pleroma/otp/templates/pleroma.cloudflare.index.nginx.conf.j2
new file mode 100644
index 0000000..20ccc78
--- /dev/null
+++ b/pleroma/otp/templates/pleroma.cloudflare.index.nginx.conf.j2
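Review bot: `registrations_open: {{pleroma_signup_open}}` and `invites_enabled: {{pleroma_invites_enabled}}` are rendered with no filter, so if those Ansible variables are YAML booleans Jinja emits `True`/`False`, which Elixir parses as the aliases `True`/`False` (truthy atoms), not the booleans `true`/`false` — a `pleroma_signup_open: false` would then not reliably close registrations. Rendering them as `{{pleroma_signup_open | to_json}}` and `{{pleroma_invites_enabled | to_json}}` yields lowercase `true`/`false` regardless of how the variable is typed. The `secret_key_base` and `password` values are interpolated into double-quoted Elixir strings without escaping, so a secret containing `"`, `\` or `#{` would break or silently alter the config; either constrain the character set of the generated secrets or escape them in the template.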
@@ -0,0 +1,75 @@
+# default nginx site config for Pleroma
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
+# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
+
+proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
+ inactive=720m use_temp_path=off;
+
+server {
+ listen 80;
+ server_name {{nginx_server_name}};
+ return 301 https://$host$request_uri;
+}
+
+# Enable SSL session caching for improved performance
+ssl_session_cache shared:ssl_session_cache:10m;
+
+server {
+ listen 443 ssl http2;
+ server_name {{nginx_server_name}};
+
+ ssl_certificate {{nginx_ssl_cert}};
+ ssl_certificate_key {{nginx_ssl_privkey}};
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+
+ location = / {
+ return 301 http://www.$host$request_uri;
+ }
+
+ location / {
+ try_files $uri @pleroma;
+ }
+
+ location @pleroma {
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy same-origin;
+ add_header X-Download-Options noopen;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade 
$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+
+ proxy_pass {{pleroma_proxy_pass}};
+
+ client_max_body_size 16m;
+ }
+
+ location /proxy {
+ proxy_cache {{pleroma_instance}}-pleroma_media_cache;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+ proxy_pass {{pleroma_proxy_pass}};
+ }
+}
diff --git a/pleroma/otp/templates/pleroma.cloudflare.nginx.conf.j2 b/pleroma/otp/templates/pleroma.cloudflare.nginx.conf.j2
new file mode 100644
index 0000000..e64b00c
--- /dev/null
+++ b/pleroma/otp/templates/pleroma.cloudflare.nginx.conf.j2
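Review bot: `location = / { return 301 http://www.$host$request_uri; }` sits inside the TLS server block yet redirects to plain `http://`, downgrading the root page and contradicting the HSTS header set a few lines above; it should be `return 301 https://www.$host$request_uri;`. In `location @pleroma` the `add_header Strict-Transport-Security` without `always` replaces the server-level `add_header ... always` — nginx inherits `add_header` from the enclosing level only when the location defines none — so error responses proxied back from Pleroma go out without HSTS; the same pattern is in `location /` of the other two nginx templates in this commit (pleroma.cloudflare.nginx.conf.j2 and pleroma.letsencrypt.nginx.conf.j2). None of the `proxy_set_header` lines forward `X-Forwarded-For` or `X-Forwarded-Proto` (or Cloudflare's `CF-Connecting-IP`), so Pleroma presumably sees every client as the proxy address for rate limiting and logs — confirm what the upstream expects. The `proxy_cache_path` is under `/tmp`, a shared world-writable location; a dedicated root-owned directory (e.g. under `/var/cache/nginx`) avoids the path being pre-created by another local user.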
@@ -0,0 +1,67 @@
+# default nginx site config for Pleroma
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
+# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
+
+proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
+ inactive=720m use_temp_path=off;
+
+server {
+ listen 80;
+ server_name {{nginx_server_name}};
+ return 301 https://$host$request_uri;
+}
+
+# Enable SSL session caching for improved performance
+ssl_session_cache shared:ssl_session_cache:10m;
+
+server {
+ listen 443 ssl http2;
+ server_name {{nginx_server_name}};
+
+ ssl_certificate {{nginx_ssl_cert}};
+ ssl_certificate_key {{nginx_ssl_privkey}};
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+
+ location / {
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy same-origin;
+ add_header X-Download-Options noopen;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+
+ proxy_pass {{pleroma_proxy_pass}};
+ 
+ client_max_body_size 16m;
+ }
+
+ location /proxy {
+ proxy_cache {{pleroma_instance}}-pleroma_media_cache;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+ proxy_pass {{pleroma_proxy_pass}};
+ }
+}
diff --git a/pleroma/otp/templates/pleroma.letsencrypt.nginx.conf.j2 b/pleroma/otp/templates/pleroma.letsencrypt.nginx.conf.j2
new file mode 100644
index 0000000..5a43748
--- /dev/null
+++ b/pleroma/otp/templates/pleroma.letsencrypt.nginx.conf.j2
@@ -0,0 +1,72 @@
+# default nginx site config for Pleroma
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
+# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
+
+proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
+ inactive=720m use_temp_path=off;
+
+server {
+ listen 80;
+ server_name {{nginx_server_name}};
+ return 301 https://$host$request_uri;
+}
+
+# Enable SSL session caching for improved performance
+ssl_session_cache shared:ssl_session_cache:10m;
+
+server {
+ listen 443 ssl http2;
+ server_name {{nginx_server_name}};
+
+ ssl_certificate {{nginx_ssl_cert}};
+ ssl_certificate_key {{nginx_ssl_privkey}};
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+
+ location / {
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy same-origin;
+ add_header X-Download-Options noopen;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+ proxy_http_version 1.1;
+ 
proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+
+ proxy_pass {{pleroma_proxy_pass}};
+
+ client_max_body_size 16m;
+ }
+
+ location /proxy {
+ proxy_cache {{pleroma_instance}}-pleroma_media_cache;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+ proxy_pass {{pleroma_proxy_pass}};
+ }
+}
diff --git a/pleroma/otp/templates/setup_db.psql.j2 b/pleroma/otp/templates/setup_db.psql.j2
new file mode 100644
index 0000000..1b27174
--- /dev/null
+++ b/pleroma/otp/templates/setup_db.psql.j2
@@ -0,0 +1,7 @@
+CREATE USER {{pleroma_db_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}';
+CREATE DATABASE {{pleroma_db}} WITH OWNER {{pleroma_db_user}};
+\c {{pleroma_db}};
+--Extensions made by ecto.migrate that need superuser access
+CREATE EXTENSION IF NOT EXISTS citext;
+CREATE EXTENSION IF NOT EXISTS pg_trgm;
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-- cgit v1.2.3
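Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` are added without a `resolver` directive or `ssl_trusted_certificate`, and nginx needs a resolver to look up the OCSP responder host; without one stapling silently degrades to sending no staple, so the directives give a false sense of coverage. Add `resolver <DNS-IP-placeholder> valid=300s;` and an `ssl_trusted_certificate` pointing at the issuer chain certbot writes alongside the certificate, and confirm with an OCSP-capable TLS check that a staple is actually returned.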
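Review bot: `CREATE USER {{pleroma_db_user}} WITH ENCRYPTED PASSWORD '{{pleroma_db_passwd}}'` splices the password straight into a single-quoted SQL literal, so a password containing `'` breaks the statement or changes its meaning, and neither `CREATE USER` nor `CREATE DATABASE` has an existence check, so every re-run of the role fails on these lines while `psql -f` continues past the error and exits 0 — which the caller's `changed_when: false` then hides entirely. Running the script with `psql -v ON_ERROR_STOP=1 -f ...` would at least surface the failure, but the cleaner fix is to replace this file with the `postgresql_user`, `postgresql_db` and `postgresql_ext` modules, which are idempotent and quote the password themselves. The tasks file in this commit also renders this script, password included, into `/tmp`, so the longer it survives there the wider its exposure.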