Bläddra i källkod

Added Mastodon role

Thomas Buck 5 år sedan
förälder
incheckning
14dd6202ef

+ 2
- 0
README.md Visa fil

@@ -25,6 +25,7 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
25 25
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
26 26
 -   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
27 27
 -   [Matrix](https://matrix.org/) via [Riot.im](https://about.riot.im).
28
+-   The [Mastodon](https://mastodon.social/about) social network.
28 29
 -   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
29 30
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [NextCloud](http://nextcloud.com/).
30 31
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
@@ -121,6 +122,7 @@ Create `A` or `CNAME` records which point to your server's IP address:
121 122
 * `git.example.com` (for gitea)
122 123
 * `status.example.com` (for monit)
123 124
 * `matrix.example.com` (for riot)
125
+* `social.example.com` (for mastodon)
124 126
 
125 127
 ### 6. Run the Ansible Playbooks
126 128
 

+ 1
- 1
roles/common/files/letsencrypt-gencert Visa fil

@@ -17,7 +17,7 @@ for domain in "$@"; do
17 17
   fi
18 18
 
19 19
   # subdomains - www.foo.com mail.foo.com ...
20
-  for sub in www mail autoconfig fathom news cloud git matrix status; do
20
+  for sub in www mail autoconfig fathom news cloud git matrix status social; do
21 21
     # only add if the DNS entry for the subdomain does actually exist
22 22
     if (getent hosts $sub.$domain > /dev/null); then
23 23
       if [ -z "$d" ]; then

+ 21
- 0
roles/mastodon/defaults/main.yml Visa fil

@@ -0,0 +1,21 @@
1
+mastodon_subdomain: "social"
2
+mastodon_domain: "{{ mastodon_subdomain }}.{{ domain }}"
3
+
4
+ruby_version: 2.6.0
5
+rbenv_version: v1.1.1
6
+ruby_build_version: v20181225
7
+
8
+secret_root: '{{ inventory_dir | realpath }}'
9
+secret_name: 'secret'
10
+secret: '{{ secret_root + "/" + secret_name }}'
11
+
12
+mastodon_db_username: mastodonuser
13
+mastodon_db_password: "{{ lookup('password', secret + '/' + 'mastodon_db_password length=32') }}"
14
+mastodon_db_database: mastodon
15
+
16
+mastodon_secret_key_base: "{{ lookup('password', secret + '/' + 'mastodon_secret_key_base length=128 chars=hexdigits') }}"
17
+mastodon_otp_secret: "{{ lookup('password', secret + '/' + 'mastodon_otp_secret length=128 chars=hexdigits') }}"
18
+
19
+# must match values in roles/common
20
+db_admin_username: 'postgres'
21
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"

+ 16
- 0
roles/mastodon/files/etc_systemd_system_mastodon-sidekiq.service Visa fil

@@ -0,0 +1,16 @@
1
+[Unit]
2
+Description=mastodon-sidekiq
3
+After=network.target
4
+
5
+[Service]
6
+Type=simple
7
+User=mastodon
8
+WorkingDirectory=/home/mastodon/mastodon
9
+Environment="RAILS_ENV=production"
10
+Environment="DB_POOL=5"
11
+ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 5 -q default -q push -q mailers -q pull
12
+TimeoutSec=15
13
+Restart=always
14
+
15
+[Install]
16
+WantedBy=multi-user.target

+ 16
- 0
roles/mastodon/files/etc_systemd_system_mastodon-streaming.service Visa fil

@@ -0,0 +1,16 @@
1
+[Unit]
2
+Description=mastodon-streaming
3
+After=network.target
4
+
5
+[Service]
6
+Type=simple
7
+User=mastodon
8
+WorkingDirectory=/home/mastodon/mastodon
9
+Environment="NODE_ENV=production"
10
+Environment="PORT=4210"
11
+ExecStart=/usr/bin/npm run start
12
+TimeoutSec=15
13
+Restart=always
14
+
15
+[Install]
16
+WantedBy=multi-user.target

+ 17
- 0
roles/mastodon/files/etc_systemd_system_mastodon-web.service Visa fil

@@ -0,0 +1,17 @@
1
+[Unit]
2
+Description=mastodon-web
3
+After=network.target
4
+
5
+[Service]
6
+Type=simple
7
+User=mastodon
8
+WorkingDirectory=/home/mastodon/mastodon
9
+Environment="RAILS_ENV=production"
10
+Environment="PORT=4220"
11
+ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
12
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
13
+TimeoutSec=15
14
+Restart=always
15
+
16
+[Install]
17
+WantedBy=multi-user.target

+ 9
- 0
roles/mastodon/handlers/main.yml Visa fil

@@ -0,0 +1,9 @@
1
+- name: restart apache
2
+  service: name=apache2 state=restarted
3
+
4
+- name: restart mastodon
5
+  service: name={{ item }} state=restarted
6
+  with_items:
7
+    - mastodon-web
8
+    - mastodon-streaming
9
+    - mastodon-sidekiq

+ 1
- 0
roles/mastodon/tasks/main.yml Visa fil

@@ -0,0 +1 @@
1
+- include: mastodon.yml tags=mastodon

+ 329
- 0
roles/mastodon/tasks/mastodon.yml Visa fil

@@ -0,0 +1,329 @@
1
+- name: Install Mastodon dependency repository keys
2
+  apt_key: url={{ item }} state=present
3
+  with_items:
4
+    - "https://dl.yarnpkg.com/debian/pubkey.gpg"
5
+    - "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
6
+  tags:
7
+    - dependencies
8
+
9
+- name: Install Mastodon dependency repositories
10
+  apt_repository: repo={{ item }} state=present
11
+  become: yes
12
+  with_items:
13
+    - "deb https://dl.yarnpkg.com/debian/ stable main"
14
+    - "deb https://deb.nodesource.com/node_8.x {{ ansible_distribution_release }} main"
15
+  tags:
16
+    - dependencies
17
+
18
+- name: Install Mastodon dependencies from official repositories
19
+  apt:
20
+    name: "{{ packages }}"
21
+    state: present
22
+    update_cache: yes
23
+  vars:
24
+    packages:
25
+    - autoconf
26
+    - bison
27
+    - build-essential
28
+    - curl
29
+    - cron
30
+    - ffmpeg
31
+    - file
32
+    - g++
33
+    - gcc
34
+    - git
35
+    - python
36
+    - imagemagick
37
+    - libffi-dev
38
+    - libgdbm-dev
39
+    - libicu-dev
40
+    - libidn11-dev
41
+    - libncurses5-dev
42
+    - libpq-dev
43
+    - libprotobuf-dev
44
+    - libreadline-dev
45
+    - libssl-dev
46
+    - libxml2-dev
47
+    - libxslt1-dev
48
+    - libyaml-dev
49
+    - nodejs
50
+    - pkg-config
51
+    - protobuf-compiler
52
+    - yarn
53
+    - zlib1g-dev
54
+    - python-psycopg2
55
+    - redis-server
56
+    - redis-tools
57
+  tags:
58
+    - dependencies
59
+
60
+- name: nodejs alternative
61
+  alternatives:
62
+    name: node
63
+    link: /usr/bin/node
64
+    path: /usr/bin/nodejs
65
+  tags:
66
+    - dependencies
67
+
68
+- name: Create Mastodon user
69
+  user:
70
+    name: mastodon
71
+    createhome: true
72
+    shell: /bin/bash
73
+    home: /home/mastodon
74
+
75
+- name: Stop old mastodon services
76
+  service: name={{ item }} state=stopped
77
+  with_items:
78
+    - mastodon-web
79
+    - mastodon-streaming
80
+    - mastodon-sidekiq
81
+  ignore_errors: True
82
+
83
+- name: Clone rbenv
84
+  git:
85
+    repo: "https://github.com/rbenv/rbenv.git"
86
+    dest: "~/.rbenv"
87
+    clone: true
88
+    version: "{{ rbenv_version }}"
89
+  become: true
90
+  become_user: mastodon
91
+
92
+- name: Clone ruby-build
93
+  git:
94
+    repo: "https://github.com/rbenv/ruby-build.git"
95
+    dest: "~/.rbenv/plugins/ruby-build"
96
+    clone: true
97
+    version: "{{ ruby_build_version }}"
98
+  register: ruby_build
99
+  become: true
100
+  become_user: mastodon
101
+
102
+- name: Configure rbenv
103
+  command: ./configure
104
+  args:
105
+    chdir: "~/.rbenv/src"
106
+  register: rbenv_configure
107
+  become: true
108
+  become_user: mastodon
109
+
110
+- name: Build rbenv
111
+  command: make
112
+  args:
113
+    chdir: "~/.rbenv/src"
114
+  when: rbenv_configure is succeeded
115
+  become: true
116
+  become_user: mastodon
117
+
118
+- name: Update profile settings
119
+  copy:
120
+    dest: "~/.bashrc"
121
+    content: |
122
+      export PATH="~/.rbenv/bin:${PATH}"
123
+      eval "$(rbenv init -)"
124
+  become: true
125
+  become_user: mastodon
126
+
127
+- name: Check if the Ruby version is already installed
128
+  shell: "~/.rbenv/bin/rbenv versions | grep -q {{ ruby_version }}"
129
+  register: ruby_installed
130
+  ignore_errors: yes
131
+  check_mode: no
132
+  become: true
133
+  become_user: mastodon
134
+
135
+- name: Install Ruby {{ ruby_version }}
136
+  shell: "~/.rbenv/bin/rbenv install {{ ruby_version }}"
137
+  args:
138
+    executable: /bin/bash
139
+  when: ruby_installed is failed
140
+  become: true
141
+  become_user: mastodon
142
+
143
+- name: Set the default Ruby version to {{ ruby_version }}
144
+  shell: "~/.rbenv/bin/rbenv global {{ ruby_version }}"
145
+  args:
146
+    executable: /bin/bash
147
+  register: default_ruby_version
148
+  become: true
149
+  become_user: mastodon
150
+
151
+- name: Install bundler
152
+  shell: 'export PATH="$HOME/.rbenv/bin:$PATH"; eval "$(rbenv init -)"; gem install bundler'
153
+  args:
154
+    executable: /bin/bash
155
+  when: default_ruby_version is succeeded
156
+  become: true
157
+  become_user: mastodon
158
+
159
+- name: Clone mastodon
160
+  git:
161
+    repo: "https://github.com/tootsuite/mastodon.git"
162
+    dest: "/home/mastodon/mastodon"
163
+    clone: true
164
+  become: true
165
+  become_user: mastodon
166
+
167
+- name: Update to latest version
168
+  shell: "git fetch; git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)"
169
+  args:
170
+    chdir: "/home/mastodon/mastodon"
171
+  become: true
172
+  become_user: mastodon
173
+
174
+- name: Bundle install
175
+  shell: "~/.rbenv/shims/bundle install -j$(getconf _NPROCESSORS_ONLN) --deployment --with development --without test"
176
+  args:
177
+    chdir: "/home/mastodon/mastodon"
178
+  become: true
179
+  become_user: mastodon
180
+
181
+- name: Yarn install
182
+  command: yarn install --pure-lockfile
183
+  args:
184
+    chdir: "/home/mastodon/mastodon"
185
+  become: true
186
+  become_user: mastodon
187
+
188
+- name: Install systemd sidekiq Service Files
189
+  copy:
190
+    src: etc_systemd_system_mastodon-sidekiq.service
191
+    dest: /etc/systemd/system/mastodon-sidekiq.service
192
+    owner: root
193
+    group: root
194
+
195
+- name: Install systemd web Service Files
196
+  copy:
197
+    src: etc_systemd_system_mastodon-web.service
198
+    dest: /etc/systemd/system/mastodon-web.service
199
+    owner: root
200
+    group: root
201
+
202
+- name: Install systemd streaming Service Files
203
+  copy:
204
+    src: etc_systemd_system_mastodon-streaming.service
205
+    dest: /etc/systemd/system/mastodon-streaming.service
206
+    owner: root
207
+    group: root
208
+
209
+- name: Media cleanup cronjob
210
+  cron:
211
+    name: "media cleanup"
212
+    minute: "15"
213
+    hour: "1"
214
+    job: '/bin/bash -c ''export PATH="$HOME/.rbenv/bin:$PATH"; eval "$(rbenv init -)"; cd /home/mastodon/mastodon && RAILS_ENV=production ./bin/tootctl media remove'''
215
+  become: true
216
+  become_user: mastodon
217
+
218
+- name: Add mastodon postgres user
219
+  postgresql_user:
220
+    login_host=localhost
221
+    login_user={{ db_admin_username }}
222
+    login_password="{{ db_admin_password }}"
223
+    name={{ mastodon_db_username }}
224
+    password="{{ mastodon_db_password }}"
225
+    role_attr_flags=CREATEDB
226
+    encrypted=yes
227
+    state=present
228
+
229
+- name: Create mastodon database
230
+  postgresql_db:
231
+    login_host=localhost
232
+    login_user={{ db_admin_username }}
233
+    login_password="{{ db_admin_password }}"
234
+    name={{ mastodon_db_database }}
235
+    state=present
236
+    owner={{ mastodon_db_username }}
237
+
238
+- name: Create mastodon data directory
239
+  file: state=directory path=/data/{{ item }} owner=mastodon group=www-data
240
+  with_items:
241
+    - mastodon
242
+    - mastodon/public-system
243
+
244
+- name: Generate VAPID keys
245
+  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rake mastodon:webpush:generate_vapid_key > /home/mastodon/vapid_keys_generated"
246
+  args:
247
+    chdir: /home/mastodon/mastodon
248
+    creates: /home/mastodon/vapid_keys_generated
249
+  become: true
250
+  become_user: mastodon
251
+
252
+- name: Remove previous mastodon config
253
+  file: state=absent path=/home/mastodon/mastodon/.env.production
254
+
255
+- name: Install mastodon config
256
+  template:
257
+    src: home_mastodon_mastodon_env.j2
258
+    dest: /home/mastodon/mastodon/.env.production
259
+    owner: mastodon
260
+    group: mastodon
261
+  notify: restart mastodon
262
+
263
+- name: Append VAPID keys to new config
264
+  shell: "cat /home/mastodon/vapid_keys_generated >> /home/mastodon/mastodon/.env.production"
265
+  become: true
266
+  become_user: mastodon
267
+
268
+- name: Set mastodon ownership
269
+  action: file owner=mastodon group=www-data path=/home/mastodon/mastodon recurse=yes state=directory
270
+
271
+# This is a no-op in case nothing has to be upgraded
272
+- name: Migrate database
273
+  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails db:migrate"
274
+  args:
275
+    chdir: "/home/mastodon/mastodon"
276
+  become: true
277
+  become_user: mastodon
278
+
279
+# MAY be needed on upgrades, but takes a long time, so commented out for now. See:
280
+# https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Updating-Mastodon-Guide.md#pre-compiling-updated-assets
281
+#- name: Precompile assets
282
+#  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails assets:precompile"
283
+#  args:
284
+#    chdir: "/home/mastodon/mastodon"
285
+#  become: true
286
+#  become_user: mastodon
287
+
288
+- name: Register new Mastodon services
289
+  systemd: name={{ item }} daemon_reload=yes enabled=yes
290
+  with_items:
291
+    - mastodon-web
292
+    - mastodon-streaming
293
+    - mastodon-sidekiq
294
+
295
+- name: Start new Mastodon services
296
+  service: name={{ item }} state=restarted
297
+  with_items:
298
+    - mastodon-web
299
+    - mastodon-streaming
300
+    - mastodon-sidekiq
301
+
302
+- name: Add redirect to well-known
303
+  template:
304
+    src=var_www_well-known_host-meta.j2
305
+    dest=/var/www/well-known/host-meta
306
+    owner=www-data
307
+    group=www-data
308
+
309
+- name: Enable Apache websockets proxy module
310
+  command: a2enmod proxy_wstunnel creates=/etc/apache2/mods-enabled/proxy_wstunnel.load
311
+  notify: restart apache
312
+
313
+- name: Enable Apache alias module
314
+  command: a2enmod alias creates=/etc/apache2/mods-enabled/alias.load
315
+  notify: restart apache
316
+
317
+- name: Create the Apache Matrix sites config files
318
+  template:
319
+    src=etc_apache2_sites-available_mastodon.j2
320
+    dest=/etc/apache2/sites-available/mastodon_{{ item.name }}.conf
321
+    owner=root
322
+    group=root
323
+  with_items: "{{ virtual_domains }}"
324
+  notify: restart apache
325
+
326
+- name: Enable Apache sites (creates new sites-enabled symlinks)
327
+  command: a2ensite mastodon_{{ item }}.conf creates=/etc/apache2/sites-enabled/mastodon_{{ item }}.conf
328
+  notify: restart apache
329
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"

+ 45
- 0
roles/mastodon/templates/etc_apache2_sites-available_mastodon.j2 Visa fil

@@ -0,0 +1,45 @@
1
+<VirtualHost *:80>
2
+    ServerName {{ mastodon_subdomain }}.{{ item.name }}
3
+
4
+    Redirect temp / https://{{ mastodon_subdomain }}.{{ item.name }}/
5
+</VirtualHost>
6
+
7
+<VirtualHost *:443>
8
+    ServerName {{ mastodon_subdomain }}.{{ item.name }}
9
+
10
+    SSLEngine               On
11
+    DocumentRoot            "/home/mastodon/mastodon/public"
12
+    Alias                   "/system" "/data/mastodon/public-system"
13
+
14
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
15
+    Header always set Strict-Transport-Security "max-age=31536000"
16
+
17
+    <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
18
+        Header always set Cache-Control "public, max-age=31536000, immutable"
19
+        Require all granted
20
+    </LocationMatch>
21
+
22
+    ProxyPreserveHost On
23
+    RequestHeader set X-Forwarded-Proto "https"
24
+
25
+    ProxyPass /500.html !
26
+    ProxyPass /sw.js !
27
+    ProxyPass /robots.txt !
28
+    ProxyPass /manifest.json !
29
+    ProxyPass /browserconfig.xml !
30
+    ProxyPass /mask-icon.svg !
31
+    ProxyPassMatch ^(/.*\.(png|ico)$) !
32
+    ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
33
+
34
+    ProxyPass /api/v1/streaming/ ws://localhost:4210/
35
+    ProxyPassReverse /api/v1/streaming/ ws://localhost:4210/
36
+
37
+    ProxyPass / http://localhost:4220/
38
+    ProxyPassReverse / http://localhost:4220/
39
+
40
+    ErrorDocument 500 /500.html
41
+    ErrorDocument 501 /500.html
42
+    ErrorDocument 502 /500.html
43
+    ErrorDocument 503 /500.html
44
+    ErrorDocument 504 /500.html
45
+</VirtualHost>

+ 228
- 0
roles/mastodon/templates/home_mastodon_mastodon_env.j2 Visa fil

@@ -0,0 +1,228 @@
1
+REDIS_HOST=localhost
2
+REDIS_PORT=6379
3
+
4
+DB_HOST=localhost
5
+DB_USER={{ mastodon_db_username }}
6
+DB_NAME={{ mastodon_db_database }}
7
+DB_PASS={{ mastodon_db_password }}
8
+DB_PORT=5432
9
+
10
+# Federation
11
+# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
12
+# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
13
+LOCAL_DOMAIN={{ domain }}
14
+
15
+# Use this only if you need to run mastodon on a different domain than the one used for federation.
16
+# You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
17
+# DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
18
+WEB_DOMAIN={{ mastodon_domain }}
19
+
20
+# Use this if you want to have several aliases handler@example1.com
21
+# handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
22
+# be added. Comma separated values
23
+ALTERNATE_DOMAINS={{ virtual_domains | json_query('[?name != `' + domain + '`].name') | join(',') }}
24
+
25
+# Application secrets
26
+# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
27
+SECRET_KEY_BASE={{ mastodon_secret_key_base }}
28
+OTP_SECRET={{ mastodon_otp_secret }}
29
+
30
+# VAPID keys (used for push notifications)
31
+# You can generate the keys using the following command (first is the private key, second is the public one)
32
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
33
+# be invalidated, requiring the users to access the website again to resubscribe.
34
+#
35
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
36
+#
37
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
38
+#VAPID_PRIVATE_KEY=
39
+#VAPID_PUBLIC_KEY=
40
+# These values have been generated and appended to the end of this file by ansible!
41
+
42
+# Registrations
43
+# Single user mode will disable registrations and redirect frontpage to the first profile
44
+# SINGLE_USER_MODE=true
45
+# Prevent registrations with following e-mail domains
46
+# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
47
+# Only allow registrations with the following e-mail domains
48
+EMAIL_DOMAIN_WHITELIST={{ virtual_domains | json_query('[*].name') | join('|') }}
49
+
50
+# Optionally change default language
51
+# DEFAULT_LOCALE=de
52
+
53
+# E-mail configuration
54
+# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
55
+# If you want to use an SMTP server without authentication (e.g local Postfix relay)
56
+# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
57
+# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
58
+SMTP_SERVER=localhost
59
+SMTP_PORT=25
60
+#SMTP_LOGIN=
61
+#SMTP_PASSWORD=
62
+SMTP_FROM_ADDRESS=mastodon@{{ domain }}
63
+#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
64
+#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
65
+SMTP_AUTH_METHOD=none
66
+#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
67
+SMTP_OPENSSL_VERIFY_MODE=none
68
+#SMTP_ENABLE_STARTTLS_AUTO=true
69
+#SMTP_TLS=true
70
+
71
+# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
72
+PAPERCLIP_ROOT_PATH=/data/mastodon/public-system
73
+PAPERCLIP_ROOT_URL=/system
74
+
75
+# Optional asset host for multi-server setups
76
+# The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
77
+# if WEB_DOMAIN is not set. For example, the server may have the
78
+# following header field:
79
+# Access-Control-Allow-Origin: https://example.com/
80
+# CDN_HOST=https://assets.example.com
81
+
82
+# S3 (optional)
83
+# The attachment host must allow cross origin request from WEB_DOMAIN or
84
+# LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
85
+# following header field:
86
+# Access-Control-Allow-Origin: https://192.168.1.123:9000/
87
+# S3_ENABLED=true
88
+# S3_BUCKET=
89
+# AWS_ACCESS_KEY_ID=
90
+# AWS_SECRET_ACCESS_KEY=
91
+# S3_REGION=
92
+# S3_PROTOCOL=http
93
+# S3_HOSTNAME=192.168.1.123:9000
94
+
95
+# S3 (Minio Config (optional) Please check Minio instance for details)
96
+# The attachment host must allow cross origin request - see the description
97
+# above.
98
+# S3_ENABLED=true
99
+# S3_BUCKET=
100
+# AWS_ACCESS_KEY_ID=
101
+# AWS_SECRET_ACCESS_KEY=
102
+# S3_REGION=
103
+# S3_PROTOCOL=https
104
+# S3_HOSTNAME=
105
+# S3_ENDPOINT=
106
+# S3_SIGNATURE_VERSION=
107
+
108
+# Swift (optional)
109
+# The attachment host must allow cross origin request - see the description
110
+# above.
111
+# SWIFT_ENABLED=true
112
+# SWIFT_USERNAME=
113
+# For Keystone V3, the value for SWIFT_TENANT should be the project name
114
+# SWIFT_TENANT=
115
+# SWIFT_PASSWORD=
116
+# Some OpenStack V3 providers require PROJECT_ID (optional)
117
+# SWIFT_PROJECT_ID=
118
+# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
119
+# issues with token rate-limiting during high load.
120
+# SWIFT_AUTH_URL=
121
+# SWIFT_CONTAINER=
122
+# SWIFT_OBJECT_URL=
123
+# SWIFT_REGION=
124
+# Defaults to 'default'
125
+# SWIFT_DOMAIN_NAME=
126
+# Defaults to 60 seconds. Set to 0 to disable
127
+# SWIFT_CACHE_TTL=
128
+
129
+# Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
130
+# S3_ALIAS_HOST=
131
+
132
+# Streaming API integration
133
+# STREAMING_API_BASE_URL=
134
+
135
+# Advanced settings
136
+# If you need to use pgBouncer, you need to disable prepared statements:
137
+# PREPARED_STATEMENTS=false
138
+
139
+# Cluster number setting for streaming API server.
140
+# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
141
+STREAMING_CLUSTER_NUM=1
142
+
143
+# Docker mastodon user
144
+# If you use Docker, you may want to assign UID/GID manually.
145
+# UID=1000
146
+# GID=1000
147
+
148
+# LDAP authentication (optional)
149
+# LDAP_ENABLED=true
150
+# LDAP_HOST=localhost
151
+# LDAP_PORT=389
152
+# LDAP_METHOD=simple_tls
153
+# LDAP_BASE=
154
+# LDAP_BIND_DN=
155
+# LDAP_PASSWORD=
156
+# LDAP_UID=cn
157
+# LDAP_SEARCH_FILTER="%{uid}=%{email}"
158
+
159
+# PAM authentication (optional)
160
+# PAM authentication uses for the email generation the "email" pam variable
161
+# and optional as fallback PAM_DEFAULT_SUFFIX
162
+# The pam environment variable "email" is provided by:
163
+# https://github.com/devkral/pam_email_extractor
164
+# PAM_ENABLED=true
165
+# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
166
+# PAM_EMAIL_DOMAIN=example.com
167
+# Name of the pam service (pam "auth" section is evaluated)
168
+# PAM_DEFAULT_SERVICE=rpam
169
+# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
170
+# PAM_CONTROLLED_SERVICE=rpam
171
+
172
+# Global OAuth settings (optional) :
173
+# If you have only one strategy, you may want to enable this
174
+# OAUTH_REDIRECT_AT_SIGN_IN=true
175
+
176
+# Optional CAS authentication (cf. omniauth-cas) :
177
+# CAS_ENABLED=true
178
+# CAS_URL=https://sso.myserver.com/
179
+# CAS_HOST=sso.myserver.com/
180
+# CAS_PORT=443
181
+# CAS_SSL=true
182
+# CAS_VALIDATE_URL=
183
+# CAS_CALLBACK_URL=
184
+# CAS_LOGOUT_URL=
185
+# CAS_LOGIN_URL=
186
+# CAS_UID_FIELD='user'
187
+# CAS_CA_PATH=
188
+# CAS_DISABLE_SSL_VERIFICATION=false
189
+# CAS_UID_KEY='user'
190
+# CAS_NAME_KEY='name'
191
+# CAS_EMAIL_KEY='email'
192
+# CAS_NICKNAME_KEY='nickname'
193
+# CAS_FIRST_NAME_KEY='firstname'
194
+# CAS_LAST_NAME_KEY='lastname'
195
+# CAS_LOCATION_KEY='location'
196
+# CAS_IMAGE_KEY='image'
197
+# CAS_PHONE_KEY='phone'
198
+
199
+# Optional SAML authentication (cf. omniauth-saml)
200
+# SAML_ENABLED=true
201
+# SAML_ACS_URL=
202
+# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback
203
+# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
204
+# SAML_IDP_CERT=
205
+# SAML_IDP_CERT_FINGERPRINT=
206
+# SAML_NAME_IDENTIFIER_FORMAT=
207
+# SAML_CERT=
208
+# SAML_PRIVATE_KEY=
209
+# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
210
+# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
211
+# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
212
+# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
213
+# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
214
+# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
215
+# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
216
+# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
217
+# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
218
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
219
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
220
+
221
+# Use HTTP proxy for outgoing request (optional)
222
+# http_proxy=http://gateway.local:8118
223
+# Access control for hidden service.
224
+# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
225
+
226
+
227
+# VAPID keys (used for push notifications)
228
+# (added automatically by ansible)

+ 4
- 0
roles/mastodon/templates/var_www_well-known_host-meta.j2 Visa fil

@@ -0,0 +1,4 @@
1
+<?xml version="1.0" encoding="UTF-8"?>
2
+<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
3
+  <Link rel="lrdd" type="application/xrd+xml" template="https://{{ mastodon_domain }}/.well-known/webfinger?resource={uri}"/>
4
+</XRD>

+ 22
- 0
roles/monitoring/files/etc_monit_conf.d_mastodon Visa fil

@@ -0,0 +1,22 @@
1
+check process mastodon-web matching "puma [0-9.]* \(tcp://0.0.0.0:4220\) \[mastodon\]"
2
+  group social
3
+  start program = "/bin/systemctl start mastodon-web"
4
+  stop program = "/bin/systemctl stop mastodon-web"
5
+  if failed port 4220 type tcp
6
+    with timeout 10 seconds
7
+    then restart
8
+  if 5 restarts within 5 cycles then timeout
9
+
10
+check process mastodon-streaming matching "/home/mastodon/mastodon/streaming/index.js"
11
+  group social
12
+  start program = "/bin/systemctl start mastodon-streaming"
13
+  stop program = "/bin/systemctl stop mastodon-streaming"
14
+  if failed port 4210 type tcp
15
+    with timeout 10 seconds
16
+    then restart
17
+  if 5 restarts within 5 cycles then timeout
18
+
19
+check process mastodon-sidekiq matching "sidekiq [0-9.]* mastodon"
20
+  group social
21
+  start program = "/bin/systemctl start mastodon-sidekiq"
22
+  stop program = "/bin/systemctl stop mastodon-sidekiq"

+ 11
- 0
roles/monitoring/tasks/monit.yml Visa fil

@@ -44,6 +44,10 @@
44 44
   stat: path=/etc/matrix-synapse/homeserver.yaml
45 45
   register: synapse_config_file
46 46
 
47
+- name: Determine if Mastodon is installed
48
+  stat: path=/home/mastodon/mastodon
49
+  register: mastodon_config_file
50
+
47 51
 - name: Copy ZNC monit service config files into place
48 52
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
49 53
   notify: restart monit
@@ -79,6 +83,11 @@
79 83
   notify: restart monit
80 84
   when: synapse_config_file.stat.exists == True
81 85
 
86
+- name: Copy Mastodon monit service config files into place
87
+  copy: src=etc_monit_conf.d_mastodon dest=/etc/monit/conf.d/mastodon
88
+  notify: restart monit
89
+  when: mastodon_config_file.stat.exists == True
90
+
82 91
 - name: Copy monit service config files into place
83 92
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
84 93
   with_items:
@@ -90,6 +99,8 @@
90 99
     - tomcat
91 100
   notify: restart monit
92 101
 
102
+# TODO add to fail2ban when monit_page_public == 1
103
+
93 104
 - name: Create the Apache monit sites config files
94 105
   template:
95 106
     src=etc_apache2_sites-available_monit.j2

+ 1
- 0
site.yml Visa fil

@@ -17,5 +17,6 @@
17 17
     - ircbouncer
18 18
     - xmpp
19 19
     - matrix
20
+    - mastodon
20 21
     - vpn
21 22
     - monitoring  # Monitoring role should be last. See roles/monitoring/README.md

Laddar…
Avbryt
Spara