Added Mastodon role

README.md

@@ -25,6 +25,7 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
 -   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
 -   [Matrix](https://matrix.org/) via [Riot.im](https://about.riot.im).
+-   The [Mastodon](https://mastodon.social/about) social network.
 -   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [NextCloud](http://nextcloud.com/).
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
@@ -121,6 +122,7 @@ Create `A` or `CNAME` records which point to your server's IP address:
 * `git.example.com` (for gitea)
 * `status.example.com` (for monit)
 * `matrix.example.com` (for riot)
+* `social.example.com` (for mastodon)
 
 ### 6. Run the Ansible Playbooks
 

roles/common/files/letsencrypt-gencert

@@ -17,7 +17,7 @@ for domain in "$@"; do
   fi
 
   # subdomains - www.foo.com mail.foo.com ...
-  for sub in www mail autoconfig fathom news cloud git matrix status; do
+  for sub in www mail autoconfig fathom news cloud git matrix status social; do
     # only add if the DNS entry for the subdomain does actually exist
     if (getent hosts $sub.$domain > /dev/null); then
       if [ -z "$d" ]; then

roles/mastodon/defaults/main.yml

@@ -0,0 +1,21 @@
+mastodon_subdomain: "social"
+mastodon_domain: "{{ mastodon_subdomain }}.{{ domain }}"
+
+ruby_version: 2.6.0
+rbenv_version: v1.1.1
+ruby_build_version: v20181225
+
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+mastodon_db_username: mastodonuser
+mastodon_db_password: "{{ lookup('password', secret + '/' + 'mastodon_db_password length=32') }}"
+mastodon_db_database: mastodon
+
+mastodon_secret_key_base: "{{ lookup('password', secret + '/' + 'mastodon_secret_key_base length=128 chars=hexdigits') }}"
+mastodon_otp_secret: "{{ lookup('password', secret + '/' + 'mastodon_otp_secret length=128 chars=hexdigits') }}"
+
+# must match values in roles/common
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"

roles/mastodon/files/etc_systemd_system_mastodon-sidekiq.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=mastodon-sidekiq
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory=/home/mastodon/mastodon
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=5"
+ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 5 -q default -q push -q mailers -q pull
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/mastodon/files/etc_systemd_system_mastodon-streaming.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=mastodon-streaming
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory=/home/mastodon/mastodon
+Environment="NODE_ENV=production"
+Environment="PORT=4210"
+ExecStart=/usr/bin/npm run start
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/mastodon/files/etc_systemd_system_mastodon-web.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory=/home/mastodon/mastodon
+Environment="RAILS_ENV=production"
+Environment="PORT=4220"
+ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/mastodon/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: restart apache
+  service: name=apache2 state=restarted
+
+- name: restart mastodon
+  service: name={{ item }} state=restarted
+  with_items:
+    - mastodon-web
+    - mastodon-streaming
+    - mastodon-sidekiq

roles/mastodon/tasks/main.yml

@@ -0,0 +1 @@
+- include: mastodon.yml tags=mastodon

roles/mastodon/tasks/mastodon.yml

@@ -0,0 +1,329 @@
+- name: Install Mastodon dependency repository keys
+  apt_key: url={{ item }} state=present
+  with_items:
+    - "https://dl.yarnpkg.com/debian/pubkey.gpg"
+    - "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
+  tags:
+    - dependencies
+
+- name: Install Mastodon dependency repositories
+  apt_repository: repo={{ item }} state=present
+  become: yes
+  with_items:
+    - "deb https://dl.yarnpkg.com/debian/ stable main"
+    - "deb https://deb.nodesource.com/node_8.x {{ ansible_distribution_release }} main"
+  tags:
+    - dependencies
+
+- name: Install Mastodon dependencies from official repositories
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - autoconf
+    - bison
+    - build-essential
+    - curl
+    - cron
+    - ffmpeg
+    - file
+    - g++
+    - gcc
+    - git
+    - python
+    - imagemagick
+    - libffi-dev
+    - libgdbm-dev
+    - libicu-dev
+    - libidn11-dev
+    - libncurses5-dev
+    - libpq-dev
+    - libprotobuf-dev
+    - libreadline-dev
+    - libssl-dev
+    - libxml2-dev
+    - libxslt1-dev
+    - libyaml-dev
+    - nodejs
+    - pkg-config
+    - protobuf-compiler
+    - yarn
+    - zlib1g-dev
+    - python-psycopg2
+    - redis-server
+    - redis-tools
+  tags:
+    - dependencies
+
+- name: nodejs alternative
+  alternatives:
+    name: node
+    link: /usr/bin/node
+    path: /usr/bin/nodejs
+  tags:
+    - dependencies
+
+- name: Create Mastodon user
+  user:
+    name: mastodon
+    createhome: true
+    shell: /bin/bash
+    home: /home/mastodon
+
+- name: Stop old mastodon services
+  service: name={{ item }} state=stopped
+  with_items:
+    - mastodon-web
+    - mastodon-streaming
+    - mastodon-sidekiq
+  ignore_errors: True
+
+- name: Clone rbenv
+  git:
+    repo: "https://github.com/rbenv/rbenv.git"
+    dest: "~/.rbenv"
+    clone: true
+    version: "{{ rbenv_version }}"
+  become: true
+  become_user: mastodon
+
+- name: Clone ruby-build
+  git:
+    repo: "https://github.com/rbenv/ruby-build.git"
+    dest: "~/.rbenv/plugins/ruby-build"
+    clone: true
+    version: "{{ ruby_build_version }}"
+  register: ruby_build
+  become: true
+  become_user: mastodon
+
+- name: Configure rbenv
+  command: ./configure
+  args:
+    chdir: "~/.rbenv/src"
+  register: rbenv_configure
+  become: true
+  become_user: mastodon
+
+- name: Build rbenv
+  command: make
+  args:
+    chdir: "~/.rbenv/src"
+  when: rbenv_configure is succeeded
+  become: true
+  become_user: mastodon
+
+- name: Update profile settings
+  copy:
+    dest: "~/.bashrc"
+    content: |
+      export PATH="~/.rbenv/bin:${PATH}"
+      eval "$(rbenv init -)"
+  become: true
+  become_user: mastodon
+
+- name: Check if the Ruby version is already installed
+  shell: "~/.rbenv/bin/rbenv versions | grep -q {{ ruby_version }}"
+  register: ruby_installed
+  ignore_errors: yes
+  check_mode: no
+  become: true
+  become_user: mastodon
+
+- name: Install Ruby {{ ruby_version }}
+  shell: "~/.rbenv/bin/rbenv install {{ ruby_version }}"
+  args:
+    executable: /bin/bash
+  when: ruby_installed is failed
+  become: true
+  become_user: mastodon
+
+- name: Set the default Ruby version to {{ ruby_version }}
+  shell: "~/.rbenv/bin/rbenv global {{ ruby_version }}"
+  args:
+    executable: /bin/bash
+  register: default_ruby_version
+  become: true
+  become_user: mastodon
+
+- name: Install bundler
+  shell: 'export PATH="$HOME/.rbenv/bin:$PATH"; eval "$(rbenv init -)"; gem install bundler'
+  args:
+    executable: /bin/bash
+  when: default_ruby_version is succeeded
+  become: true
+  become_user: mastodon
+
+- name: Clone mastodon
+  git:
+    repo: "https://github.com/tootsuite/mastodon.git"
+    dest: "/home/mastodon/mastodon"
+    clone: true
+  become: true
+  become_user: mastodon
+
+- name: Update to latest version
+  shell: "git fetch; git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)"
+  args:
+    chdir: "/home/mastodon/mastodon"
+  become: true
+  become_user: mastodon
+
+- name: Bundle install
+  shell: "~/.rbenv/shims/bundle install -j$(getconf _NPROCESSORS_ONLN) --deployment --with development --without test"
+  args:
+    chdir: "/home/mastodon/mastodon"
+  become: true
+  become_user: mastodon
+
+- name: Yarn install
+  command: yarn install --pure-lockfile
+  args:
+    chdir: "/home/mastodon/mastodon"
+  become: true
+  become_user: mastodon
+
+- name: Install systemd sidekiq Service Files
+  copy:
+    src: etc_systemd_system_mastodon-sidekiq.service
+    dest: /etc/systemd/system/mastodon-sidekiq.service
+    owner: root
+    group: root
+
+- name: Install systemd web Service Files
+  copy:
+    src: etc_systemd_system_mastodon-web.service
+    dest: /etc/systemd/system/mastodon-web.service
+    owner: root
+    group: root
+
+- name: Install systemd streaming Service Files
+  copy:
+    src: etc_systemd_system_mastodon-streaming.service
+    dest: /etc/systemd/system/mastodon-streaming.service
+    owner: root
+    group: root
+
+- name: Media cleanup cronjob
+  cron:
+    name: "media cleanup"
+    minute: "15"
+    hour: "1"
+    job: '/bin/bash -c ''export PATH="$HOME/.rbenv/bin:$PATH"; eval "$(rbenv init -)"; cd /home/mastodon/mastodon && RAILS_ENV=production ./bin/tootctl media remove'''
+  become: true
+  become_user: mastodon
+
+- name: Add mastodon postgres user
+  postgresql_user:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ mastodon_db_username }}
+    password="{{ mastodon_db_password }}"
+    role_attr_flags=CREATEDB
+    encrypted=yes
+    state=present
+
+- name: Create mastodon database
+  postgresql_db:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ mastodon_db_database }}
+    state=present
+    owner={{ mastodon_db_username }}
+
+- name: Create mastodon data directory
+  file: state=directory path=/data/{{ item }} owner=mastodon group=www-data
+  with_items:
+    - mastodon
+    - mastodon/public-system
+
+- name: Generate VAPID keys
+  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rake mastodon:webpush:generate_vapid_key > /home/mastodon/vapid_keys_generated"
+  args:
+    chdir: /home/mastodon/mastodon
+    creates: /home/mastodon/vapid_keys_generated
+  become: true
+  become_user: mastodon
+
+- name: Remove previous mastodon config
+  file: state=absent path=/home/mastodon/mastodon/.env.production
+
+- name: Install mastodon config
+  template:
+    src: home_mastodon_mastodon_env.j2
+    dest: /home/mastodon/mastodon/.env.production
+    owner: mastodon
+    group: mastodon
+  notify: restart mastodon
+
+- name: Append VAPID keys to new config
+  shell: "cat /home/mastodon/vapid_keys_generated >> /home/mastodon/mastodon/.env.production"
+  become: true
+  become_user: mastodon
+
+- name: Set mastodon ownership
+  action: file owner=mastodon group=www-data path=/home/mastodon/mastodon recurse=yes state=directory
+
+# This is a no-op in case nothing has to be upgraded
+- name: Migrate database
+  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails db:migrate"
+  args:
+    chdir: "/home/mastodon/mastodon"
+  become: true
+  become_user: mastodon
+
+# MAY be needed on upgrades, but takes a long time, so commented out for now. See:
+# https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Updating-Mastodon-Guide.md#pre-compiling-updated-assets
+#- name: Precompile assets
+#  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails assets:precompile"
+#  args:
+#    chdir: "/home/mastodon/mastodon"
+#  become: true
+#  become_user: mastodon
+
+- name: Register new Mastodon services
+  systemd: name={{ item }} daemon_reload=yes enabled=yes
+  with_items:
+    - mastodon-web
+    - mastodon-streaming
+    - mastodon-sidekiq
+
+- name: Start new Mastodon services
+  service: name={{ item }} state=restarted
+  with_items:
+    - mastodon-web
+    - mastodon-streaming
+    - mastodon-sidekiq
+
+- name: Add redirect to well-known
+  template:
+    src=var_www_well-known_host-meta.j2
+    dest=/var/www/well-known/host-meta
+    owner=www-data
+    group=www-data
+
+- name: Enable Apache websockets proxy module
+  command: a2enmod proxy_wstunnel creates=/etc/apache2/mods-enabled/proxy_wstunnel.load
+  notify: restart apache
+
+- name: Enable Apache alias module
+  command: a2enmod alias creates=/etc/apache2/mods-enabled/alias.load
+  notify: restart apache
+
+- name: Create the Apache Matrix sites config files
+  template:
+    src=etc_apache2_sites-available_mastodon.j2
+    dest=/etc/apache2/sites-available/mastodon_{{ item.name }}.conf
+    owner=root
+    group=root
+  with_items: "{{ virtual_domains }}"
+  notify: restart apache
+
+- name: Enable Apache sites (creates new sites-enabled symlinks)
+  command: a2ensite mastodon_{{ item }}.conf creates=/etc/apache2/sites-enabled/mastodon_{{ item }}.conf
+  notify: restart apache
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"

roles/mastodon/templates/etc_apache2_sites-available_mastodon.j2

@@ -0,0 +1,45 @@
+<VirtualHost *:80>
+    ServerName {{ mastodon_subdomain }}.{{ item.name }}
+
+    Redirect temp / https://{{ mastodon_subdomain }}.{{ item.name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ mastodon_subdomain }}.{{ item.name }}
+
+    SSLEngine               On
+    DocumentRoot            "/home/mastodon/mastodon/public"
+    Alias                   "/system" "/data/mastodon/public-system"
+
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    Header always set Strict-Transport-Security "max-age=31536000"
+
+    <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
+        Header always set Cache-Control "public, max-age=31536000, immutable"
+        Require all granted
+    </LocationMatch>
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ProxyPass /500.html !
+    ProxyPass /sw.js !
+    ProxyPass /robots.txt !
+    ProxyPass /manifest.json !
+    ProxyPass /browserconfig.xml !
+    ProxyPass /mask-icon.svg !
+    ProxyPassMatch ^(/.*\.(png|ico)$) !
+    ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
+
+    ProxyPass /api/v1/streaming/ ws://localhost:4210/
+    ProxyPassReverse /api/v1/streaming/ ws://localhost:4210/
+
+    ProxyPass / http://localhost:4220/
+    ProxyPassReverse / http://localhost:4220/
+
+    ErrorDocument 500 /500.html
+    ErrorDocument 501 /500.html
+    ErrorDocument 502 /500.html
+    ErrorDocument 503 /500.html
+    ErrorDocument 504 /500.html
+</VirtualHost>

roles/mastodon/templates/home_mastodon_mastodon_env.j2

@@ -0,0 +1,228 @@
+REDIS_HOST=localhost
+REDIS_PORT=6379
+
+DB_HOST=localhost
+DB_USER={{ mastodon_db_username }}
+DB_NAME={{ mastodon_db_database }}
+DB_PASS={{ mastodon_db_password }}
+DB_PORT=5432
+
+# Federation
+# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
+# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
+LOCAL_DOMAIN={{ domain }}
+
+# Use this only if you need to run mastodon on a different domain than the one used for federation.
+# You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
+# DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
+WEB_DOMAIN={{ mastodon_domain }}
+
+# Use this if you want to have several aliases handler@example1.com
+# handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
+# be added. Comma separated values
+ALTERNATE_DOMAINS={{ virtual_domains | json_query('[?name != `' + domain + '`].name') | join(',') }}
+
+# Application secrets
+# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+SECRET_KEY_BASE={{ mastodon_secret_key_base }}
+OTP_SECRET={{ mastodon_otp_secret }}
+
+# VAPID keys (used for push notifications)
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+#VAPID_PRIVATE_KEY=
+#VAPID_PUBLIC_KEY=
+# These values have been generated and appended to the end of this file by ansible!
+
+# Registrations
+# Single user mode will disable registrations and redirect frontpage to the first profile
+# SINGLE_USER_MODE=true
+# Prevent registrations with following e-mail domains
+# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
+# Only allow registrations with the following e-mail domains
+EMAIL_DOMAIN_WHITELIST={{ virtual_domains | json_query('[*].name') | join('|') }}
+
+# Optionally change default language
+# DEFAULT_LOCALE=de
+
+# E-mail configuration
+# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
+# If you want to use an SMTP server without authentication (e.g local Postfix relay)
+# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
+# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
+SMTP_SERVER=localhost
+SMTP_PORT=25
+#SMTP_LOGIN=
+#SMTP_PASSWORD=
+SMTP_FROM_ADDRESS=mastodon@{{ domain }}
+#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
+#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
+SMTP_AUTH_METHOD=none
+#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+SMTP_OPENSSL_VERIFY_MODE=none
+#SMTP_ENABLE_STARTTLS_AUTO=true
+#SMTP_TLS=true
+
+# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
+PAPERCLIP_ROOT_PATH=/data/mastodon/public-system
+PAPERCLIP_ROOT_URL=/system
+
+# Optional asset host for multi-server setups
+# The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
+# if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://example.com/
+# CDN_HOST=https://assets.example.com
+
+# S3 (optional)
+# The attachment host must allow cross origin request from WEB_DOMAIN or
+# LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://192.168.1.123:9000/
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=http
+# S3_HOSTNAME=192.168.1.123:9000
+
+# S3 (Minio Config (optional) Please check Minio instance for details)
+# The attachment host must allow cross origin request - see the description
+# above.
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=https
+# S3_HOSTNAME=
+# S3_ENDPOINT=
+# S3_SIGNATURE_VERSION=
+
+# Swift (optional)
+# The attachment host must allow cross origin request - see the description
+# above.
+# SWIFT_ENABLED=true
+# SWIFT_USERNAME=
+# For Keystone V3, the value for SWIFT_TENANT should be the project name
+# SWIFT_TENANT=
+# SWIFT_PASSWORD=
+# Some OpenStack V3 providers require PROJECT_ID (optional)
+# SWIFT_PROJECT_ID=
+# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
+# issues with token rate-limiting during high load.
+# SWIFT_AUTH_URL=
+# SWIFT_CONTAINER=
+# SWIFT_OBJECT_URL=
+# SWIFT_REGION=
+# Defaults to 'default'
+# SWIFT_DOMAIN_NAME=
+# Defaults to 60 seconds. Set to 0 to disable
+# SWIFT_CACHE_TTL=
+
+# Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
+# S3_ALIAS_HOST=
+
+# Streaming API integration
+# STREAMING_API_BASE_URL=
+
+# Advanced settings
+# If you need to use pgBouncer, you need to disable prepared statements:
+# PREPARED_STATEMENTS=false
+
+# Cluster number setting for streaming API server.
+# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
+STREAMING_CLUSTER_NUM=1
+
+# Docker mastodon user
+# If you use Docker, you may want to assign UID/GID manually.
+# UID=1000
+# GID=1000
+
+# LDAP authentication (optional)
+# LDAP_ENABLED=true
+# LDAP_HOST=localhost
+# LDAP_PORT=389
+# LDAP_METHOD=simple_tls
+# LDAP_BASE=
+# LDAP_BIND_DN=
+# LDAP_PASSWORD=
+# LDAP_UID=cn
+# LDAP_SEARCH_FILTER="%{uid}=%{email}"
+
+# PAM authentication (optional)
+# PAM authentication uses for the email generation the "email" pam variable
+# and optional as fallback PAM_DEFAULT_SUFFIX
+# The pam environment variable "email" is provided by:
+# https://github.com/devkral/pam_email_extractor
+# PAM_ENABLED=true
+# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
+# PAM_EMAIL_DOMAIN=example.com
+# Name of the pam service (pam "auth" section is evaluated)
+# PAM_DEFAULT_SERVICE=rpam
+# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
+# PAM_CONTROLLED_SERVICE=rpam
+
+# Global OAuth settings (optional) :
+# If you have only one strategy, you may want to enable this
+# OAUTH_REDIRECT_AT_SIGN_IN=true
+
+# Optional CAS authentication (cf. omniauth-cas) :
+# CAS_ENABLED=true
+# CAS_URL=https://sso.myserver.com/
+# CAS_HOST=sso.myserver.com/
+# CAS_PORT=443
+# CAS_SSL=true
+# CAS_VALIDATE_URL=
+# CAS_CALLBACK_URL=
+# CAS_LOGOUT_URL=
+# CAS_LOGIN_URL=
+# CAS_UID_FIELD='user'
+# CAS_CA_PATH=
+# CAS_DISABLE_SSL_VERIFICATION=false
+# CAS_UID_KEY='user'
+# CAS_NAME_KEY='name'
+# CAS_EMAIL_KEY='email'
+# CAS_NICKNAME_KEY='nickname'
+# CAS_FIRST_NAME_KEY='firstname'
+# CAS_LAST_NAME_KEY='lastname'
+# CAS_LOCATION_KEY='location'
+# CAS_IMAGE_KEY='image'
+# CAS_PHONE_KEY='phone'
+
+# Optional SAML authentication (cf. omniauth-saml)
+# SAML_ENABLED=true
+# SAML_ACS_URL=
+# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback
+# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
+# SAML_IDP_CERT=
+# SAML_IDP_CERT_FINGERPRINT=
+# SAML_NAME_IDENTIFIER_FORMAT=
+# SAML_CERT=
+# SAML_PRIVATE_KEY=
+# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
+# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
+# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
+# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
+# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
+# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
+
+# Use HTTP proxy for outgoing request (optional)
+# http_proxy=http://gateway.local:8118
+# Access control for hidden service.
+# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
+
+
+# VAPID keys (used for push notifications)
+# (added automatically by ansible)

roles/mastodon/templates/var_www_well-known_host-meta.j2

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
+  <Link rel="lrdd" type="application/xrd+xml" template="https://{{ mastodon_domain }}/.well-known/webfinger?resource={uri}"/>
+</XRD>

roles/monitoring/files/etc_monit_conf.d_mastodon

@@ -0,0 +1,22 @@
+check process mastodon-web matching "puma [0-9.]* \(tcp://0.0.0.0:4220\) \[mastodon\]"
+  group social
+  start program = "/bin/systemctl start mastodon-web"
+  stop program = "/bin/systemctl stop mastodon-web"
+  if failed port 4220 type tcp
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout
+
+check process mastodon-streaming matching "/home/mastodon/mastodon/streaming/index.js"
+  group social
+  start program = "/bin/systemctl start mastodon-streaming"
+  stop program = "/bin/systemctl stop mastodon-streaming"
+  if failed port 4210 type tcp
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout
+
+check process mastodon-sidekiq matching "sidekiq [0-9.]* mastodon"
+  group social
+  start program = "/bin/systemctl start mastodon-sidekiq"
+  stop program = "/bin/systemctl stop mastodon-sidekiq"

roles/monitoring/tasks/monit.yml

@@ -44,6 +44,10 @@
   stat: path=/etc/matrix-synapse/homeserver.yaml
   register: synapse_config_file
 
+- name: Determine if Mastodon is installed
+  stat: path=/home/mastodon/mastodon
+  register: mastodon_config_file
+
 - name: Copy ZNC monit service config files into place
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
   notify: restart monit
@@ -79,6 +83,11 @@
   notify: restart monit
   when: synapse_config_file.stat.exists == True
 
+- name: Copy Mastodon monit service config files into place
+  copy: src=etc_monit_conf.d_mastodon dest=/etc/monit/conf.d/mastodon
+  notify: restart monit
+  when: mastodon_config_file.stat.exists == True
+
 - name: Copy monit service config files into place
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
   with_items:
@@ -90,6 +99,8 @@
     - tomcat
   notify: restart monit
 
+# TODO add to fail2ban when monit_page_public == 1
+
 - name: Create the Apache monit sites config files
   template:
     src=etc_apache2_sites-available_monit.j2

site.yml

@@ -17,5 +17,6 @@
     - ircbouncer
     - xmpp
     - matrix
+    - mastodon
     - vpn
     - monitoring  # Monitoring role should be last. See roles/monitoring/README.md