adelgado/ansible-role-mastodon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ansible-role-mastodon/tasks/bare/nginx.yml

188 lines
5.2 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
#We need to enable the service first or we will not have the appropriate folders generated.
- name: "Start and enable NGINX service"
become: true
#Workaround for "Interactive authentication required" issue
become_user: root
service: "name={{ item }} state=started enabled=yes"
with_items:
- nginx
- name: "Set NGINX to run under {{ mastodon_user }} to avoid permission issues"
become: true
lineinfile:
dest: "/etc/nginx/nginx.conf"
regexp: "ˆuser"
line: "user mastodon;"
state: present
- name: "Ensure that NGINX doesn't run under the user nginx"
become: true
lineinfile:
dest: "/etc/nginx/nginx.conf"
regexp: "user.nginx;"
line: "user nginx;"
state: absent
when:
- ansible_os_family == "RedHat"
- name: "Ensure that NGINX doesn't run under the user www-data"
become: true
lineinfile:
dest: "/etc/nginx/nginx.conf"
regexp: "user.www-data;"
line: "user www-data;"
state: absent
when:
- ansible_os_family == "Debian"
- name: Copy nginx config
template:
src: ../files/nginx/mastodon.conf.j2
dest: /etc/nginx/sites-available/mastodon.conf
when:
- ansible_os_family == "Debian"
- mastodon_host is defined
- name: Symlink enabled site
file:
src: "/etc/nginx/sites-available/mastodon.conf"
dest: "/etc/nginx/sites-enabled/mastodon.conf"
state: link
when:
- ansible_os_family == "Debian"
- mastodon_host is defined
- name: Copy nginx config with RHEL folder stucture
template:
src: ../files/nginx/mastodon.conf.j2
dest: /etc/nginx/conf.d/mastodon.conf
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
- name: Create folder structure for Mastodon public folder
file:
path: "{{ mastodon_nginx_symlink }}"
state: directory
owner: "{{ mastodon_user }}"
group: "nginx"
recurse: true
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
- name: Create folder structure for Mastodon public folder
file:
path: "{{ mastodon_nginx_symlink }}"
state: directory
owner: "{{ mastodon_user }}"
group: "www-data"
recurse: true
when:
- ansible_os_family == "Debian"
- mastodon_host is defined
- name: Create a symbolic link of Mastodon public folder to comply with SELinux policy
become: true
file:
src: "{{ mastodon_home }}/{{ mastodon_path }}/public"
dest: "{{ mastodon_nginx_symlink }}"
state: link
owner: "{{ mastodon_user }}"
group: "nginx"
force: true
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
- name: Create a symbolic link of Mastodon public folder
become: true
file:
src: "{{ mastodon_home }}/{{ mastodon_path }}/public"
dest: "{{ mastodon_nginx_symlink }}"
state: link
owner: "{{ mastodon_user }}"
group: "www-data"
force: true
when:
- ansible_os_family == "Debian"
- mastodon_host is defined
- name: Permit NGINX SELinux permission to access filesystem
become: true
shell: "setsebool -P httpd_read_user_content 1"
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
- name: Permit SELinux permission to allow NGINX to make proxy connections with httpd_can_network_connect
become: true
shell: "setsebool -P httpd_can_network_connect 1"
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
- name: Permit SELinux permission to allow NGINX to make proxy connections with httpd_can_network_relay
become: true
shell: "setsebool -P httpd_can_network_relay 1"
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
#Reading and writing into users home directories as a web server or executing any binary as systemd service is
#really pretty anomalous behaviour. SELinux is completely right to flag this as it looks like we're an attacker.
#Potential security issue?
- name: Permit SELinux permission to allow NGINX to read contents of home folders (Required for Mastodon)
become: true
shell: "setsebool -P httpd_enable_homedirs on"
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
- name: Change SELinux properties of Mastodon symlink
become: true
shell: "chcon -Rt httpd_sys_content_t {{ mastodon_nginx_symlink }}"
when:
- ansible_os_family == "RedHat"
- mastodon_host is defined
- name: "Ensure that we have correct file permissions for /var/lib/nginx/ as we are not running NGINX under default user"
become: true
become_user: root
file:
path: "/var/lib/nginx/"
owner: "{{ mastodon_user }}"
group: "nginx"
recurse: true
when:
- ansible_os_family == "RedHat"
- name: "Ensure that we have correct file permissions for /var/lib/nginx/ as we are not running NGINX under default user"
become: true
become_user: root
file:
path: "/var/lib/nginx/"
owner: "{{ mastodon_user }}"
group: "www-data"
recurse: true
when:
- ansible_os_family == "Debian"
- name: Restart nginx
become: true
#Workaround for "Interactive authentication required" issue
become_user: root
service: name=nginx state=restarted
tags:
- systemd
- name: Check if Mastodon instance is up and running
uri:
url: 'https://{{ mastodon_host }}/about'
validate_certs: no
register: result
until: 'result.status == 200'
retries: 5
delay: 5
Reference in a new issue View git blame Copy permalink