Initial commit with previous code

2022-10-11 10:19:16 +03:00 · 2022-10-11 10:19:16 +03:00 · 016c6b35ff
commit 016c6b35ff
14 changed files with 461 additions and 0 deletions
--- a/files/nginx/letsencrypt.conf.j2
+++ b/files/nginx/letsencrypt.conf.j2
@ -0,0 +1,8 @@
+# This starts a simple nginx for the letsencrypt acme challenge
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ mastodon_host }};
+  root {{ mastodon_home }}/{{ mastodon_path }}/public;
+  location /.well-known/acme-challenge/ { allow all; }
+}
--- a/files/nginx/mastodon.conf.j2
+++ b/files/nginx/mastodon.conf.j2
@ -0,0 +1,102 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ mastodon_host }};
+
+  # Useful for Let's Encrypt
+  location /.well-known/acme-challenge/ { 
+    alias {{ mastodon_home }}/{{ mastodon_path }}/public/.well-known/acme-challenge/;
+  }
+  location / { return 301 https://$host$request_uri; }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{ mastodon_host }};
+
+  ssl_protocols TLSv1.2;
+  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+
+{% if disable_letsencrypt != "true" %}
+  ssl_certificate     /etc/letsencrypt/live/{{ mastodon_host }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ mastodon_host }}/privkey.pem;
+{% endif %}
+
+  keepalive_timeout    70;
+  sendfile             on;
+  client_max_body_size 8m;
+
+  root {{ mastodon_home }}/{{ mastodon_path }}/public;
+
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+{% if disable_hsts == "true" %}
+  add_header Strict-Transport-Security "max-age=31536000";
+{% endif %}
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    try_files $uri @proxy;
+  }
+  
+  location /sw.js {
+    add_header Cache-Control "public, max-age=0";
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+    proxy_pass_header Server;
+
+    proxy_pass http://127.0.0.1:3000;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  location /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+
+    proxy_pass http://127.0.0.1:4000;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  error_page 500 501 502 503 504 /500.html;
+}
--- a/files/systemd/mastodon-sidekiq.service.j2
+++ b/files/systemd/mastodon-sidekiq.service.j2
@ -0,0 +1,16 @@
+[Unit]
+Description=mastodon-sidekiq
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/{{ mastodon_path }}
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=5"
+ExecStart={{ mastodon_home }}/.rbenv/shims/bundle exec sidekiq -c 5 -q default -q push -q mailers -q pull
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- a/files/systemd/mastodon-streaming.service.j2
+++ b/files/systemd/mastodon-streaming.service.j2
@ -0,0 +1,16 @@
+[Unit]
+Description=mastodon-streaming
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/{{ mastodon_path }}
+Environment="NODE_ENV=production"
+Environment="PORT=4000"
+ExecStart=/usr/bin/npm run start
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- a/files/systemd/mastodon-web.service.j2
+++ b/files/systemd/mastodon-web.service.j2
@ -0,0 +1,17 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/{{ mastodon_path }}
+Environment="RAILS_ENV=production"
+Environment="PORT=3000"
+ExecStart={{ mastodon_home }}/.rbenv/shims/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- a/tasks/letsencrypt.yml
+++ b/tasks/letsencrypt.yml
@ -0,0 +1,31 @@
+---
+- stat: path=/etc/letsencrypt/live/{{ mastodon_host }}/fullchain.pem
+  register: letsencrypt_cert
+
+- name: Copy letsencrypt nginx config
+  template: 
+    src: ../files/nginx/letsencrypt.conf.j2
+    dest: /etc/nginx/sites-available/mastodon.conf
+  when: not letsencrypt_cert.stat.exists
+  
+- name: Symlink enabled site
+  file:
+    src: "/etc/nginx/sites-available/mastodon.conf"
+    dest: "/etc/nginx/sites-enabled/mastodon.conf"
+    state: link
+  when: not letsencrypt_cert.stat.exists
+
+- name: Reload nginx
+  command: "systemctl reload nginx"
+
+- name: Install letsencrypt cert
+  command: letsencrypt certonly -n --webroot -d {{ mastodon_host }} -w {{ mastodon_home }}/{{ mastodon_path }}/public/ --email "webmaster@{{ mastodon_host }}" --agree-tos && systemctl reload nginx
+  when: not letsencrypt_cert.stat.exists
+
+- name: Letsencrypt Job
+  cron:
+    name: "letsencrypt renew"
+    minute: "15"
+    hour: "0"
+    job: "letsencrypt renew && service nginx reload"
+
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,24 @@
+---
+- include_tasks: repositories.yml
+  when: os_family == "debian"
+
+- include_tasks: packages.yml
+  become: true
+- include_tasks: ufw.yml
+  become: true
+  tags:
+    - firewall
+- include_tasks: user.yml
+  become: true
+- include_tasks: ruby.yml
+  become: true
+  become_user: mastodon
+- include_tasks: mastodon.yml
+  become: true
+  become_user: mastodon
+- include_tasks: letsencrypt.yml
+  become: true
+  tags:
+    - letsencrypt 
+- include_tasks: nginx.yml
+  become: true
--- a/tasks/mastodon.yml
+++ b/tasks/mastodon.yml
@ -0,0 +1,101 @@
+- name: Clone mastodon
+  git:
+    repo: "https://github.com/mastodon/mastodon.git"
+    dest: "{{ mastodon_home }}/{{mastodon_path}}"
+    clone: true
+
+# - name: Update to latest version
+#   shell: "git fetch; git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)"
+#   args:
+#     chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+
+- name: Bundle install
+  shell: "
+~/.rbenv/shims/bundle config set --local deployment 'true' && \
+~/.rbenv/shims/bundle config set --local without 'test' && \
+~/.rbenv/shims/bundle config set --local with 'development' && \
+~/.rbenv/shims/bundle install -j$(getconf _NPROCESSORS_ONLN)
+"
+  args:
+    chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+
+- name: Yarn install
+  command: yarn install --pure-lockfile
+  args:
+    chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+
+- name: Install systemd sidekiq Service Files
+  template:
+    src: ../files/systemd/mastodon-sidekiq.service.j2
+    dest: /etc/systemd/system/mastodon-sidekiq.service
+  become: true
+  become_user: root
+
+- name: Install systemd web Service Files
+  template:
+    src: ../files/systemd/mastodon-web.service.j2
+    dest: /etc/systemd/system/mastodon-web.service
+  become: true
+  become_user: root
+
+- name: Install systemd streaming Service Files
+  template:
+    src: ../files/systemd/mastodon-streaming.service.j2
+    dest: /etc/systemd/system/mastodon-streaming.service
+  become: true
+  become_user: root
+
+- name: Media cleanup cronjob
+  cron:
+    name: "media cleanup"
+    minute: "15"
+    hour: "1"
+    job: '/bin/bash -c ''export PATH="$HOME/.rbenv/bin:$PATH"; eval "$(rbenv init -)"; cd {{ mastodon_home }}/{{ mastodon_path }} && RAILS_ENV=production ./bin/tootctl media remove'''
+
+- stat: path={{ mastodon_home }}/{{ mastodon_path }}/.env.production
+  register: production_config
+
+- name: Migrate database
+  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails db:migrate"
+  args:
+    chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+  when: production_config.stat.exists
+
+- name: Precompile assets
+  shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails assets:precompile"
+  args:
+    chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+  when: production_config.stat.exists
+
+- name: Enable mastodon-web
+  command: systemctl enable mastodon-web.service
+  become: true
+  become_user: root
+
+- name: Enable mastodon-streaming
+  command: systemctl enable mastodon-streaming.service
+  become: true
+  become_user: root
+
+- name: Enable mastodon-sidekiq
+  command: systemctl enable mastodon-sidekiq.service
+  become: true
+  become_user: root
+
+- name: Restart mastodon-web
+  command: systemctl restart mastodon-web.service
+  when: production_config.stat.exists
+  become: true
+  become_user: root
+
+- name: Restart mastodon-streaming
+  command: systemctl restart mastodon-streaming.service
+  when: production_config.stat.exists
+  become: true
+  become_user: root
+
+- name: Restart mastodon-sidekiq
+  command: systemctl restart mastodon-sidekiq.service
+  when: production_config.stat.exists
+  become: true
+  become_user: root
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@ -0,0 +1,21 @@
+---
+
+- name: Copy nginx config
+  template: 
+    src: ../files/nginx/mastodon.conf.j2
+    dest: /etc/nginx/sites-available/mastodon.conf
+  when:
+    - mastodon_host is defined
+  
+- name: Symlink enabled site
+  file:
+    src: "/etc/nginx/sites-available/mastodon.conf"
+    dest: "/etc/nginx/sites-enabled/mastodon.conf"
+    state: link
+  when:
+    - mastodon_host is defined
+
+- name: Reload nginx
+  command: "systemctl reload nginx"
+  tags:
+    - systemd
--- a/tasks/packages.yml
+++ b/tasks/packages.yml
@ -0,0 +1,16 @@
+---
+
+- name: Install packages
+  package:
+    name: "{{ item.package }}"
+    update_cache: yes
+    cache_valid_time: 3600
+    state: latest
+    install_recommends: no
+  with_items: "{{ packages }}"
+
+- name: nodejs alternative
+  alternatives:
+    name: node
+    link: /usr/bin/node
+    path: /usr/lib/nodejs
--- a/tasks/repositories.yml
+++ b/tasks/repositories.yml
@ -0,0 +1,22 @@
+---
+
+- name: Install required packages for HTTPS repositories
+  apt: name={{ item.package }} state=present update_cache=yes cache_valid_time=3600
+  become: yes
+  with_items:
+    - package: apt-transport-https
+    - package: ca-certificates
+
+- name: Install APT repository keys
+  apt_key: id={{ item.id }} url={{ item.url }} state=present
+  become: yes
+  with_items:
+    - { id: "72ECF46A56B4AD39C907BBB71646B01B86E50310", url: "https://dl.yarnpkg.com/debian/pubkey.gpg" }
+    - { id: "9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280", url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" }
+
+- name: Install APT repositories
+  apt_repository: repo={{ item.repo }} state=present
+  become: yes
+  with_items:
+    - repo: "deb https://dl.yarnpkg.com/debian/ stable main"
+    - repo: "deb https://deb.nodesource.com/node_{{ node_major_version }}.x {{ ubuntu_codename }} main"
--- a/tasks/ruby.yml
+++ b/tasks/ruby.yml
@ -0,0 +1,58 @@
+---
+- name: Clone rbenv
+  git:
+    repo: "https://github.com/rbenv/rbenv.git"
+    dest: "~/.rbenv"
+    clone: true
+    version: "{{ rbenv_version }}"
+
+- name: Clone ruby-build
+  git:
+    repo: "https://github.com/rbenv/ruby-build.git"
+    dest: "~/.rbenv/plugins/ruby-build"
+    clone: true
+    version: "{{ ruby_build_version }}"
+  register: ruby_build
+
+- name: Configure rbenv
+  command: ./configure
+  args:
+    chdir: "~/.rbenv/src"
+  register: rbenv_configure
+
+- name: Build rbenv
+  command: make
+  args:
+    chdir: "~/.rbenv/src"
+  when: rbenv_configure is succeeded
+
+- name: Update profile settings
+  copy:
+    dest: "~/.bashrc"
+    content: |
+      export PATH="~/.rbenv/bin:${PATH}"
+      eval "$(rbenv init -)"
+
+- name: Check if the Ruby version is already installed
+  shell: "~/.rbenv/bin/rbenv versions | grep -q {{ ruby_version }}"
+  register: ruby_installed
+  ignore_errors: yes
+  check_mode: no
+
+- name: Install Ruby {{ ruby_version }}
+  shell: "~/.rbenv/bin/rbenv install {{ ruby_version }}"
+  args:
+    executable: /bin/bash
+  when: ruby_installed is failed
+
+- name: Set the default Ruby version to {{ ruby_version }}
+  shell: "~/.rbenv/bin/rbenv global {{ ruby_version }}"
+  args:
+    executable: /bin/bash
+  register: default_ruby_version
+
+- name: Install bundler
+  shell: 'export PATH="$HOME/.rbenv/bin:$PATH"; eval "$(rbenv init -)"; gem install bundler:{{ bundler_version }}'
+  args:
+    executable: /bin/bash
+  when: default_ruby_version is succeeded
--- a/tasks/ufw.yml
+++ b/tasks/ufw.yml
@ -0,0 +1,22 @@
+---
+
+- name: Allow ssh through firewall
+  ufw:
+    proto: tcp
+    port: "22"
+    rule: allow
+- name: Set ufw policy
+  ufw: 
+    state: enabled 
+    direction: incoming 
+    policy: deny
+- name: Allow nginx firewall
+  ufw: 
+    proto: tcp
+    port: "80"
+    rule: allow
+- name: Allow nginx ssl firewall
+  ufw: 
+    proto: tcp
+    port: "443"
+    rule: allow
--- a/tasks/user.yml
+++ b/tasks/user.yml
@ -0,0 +1,7 @@
+- name: Create Mastodon user
+  user:
+    name: "{{ mastodon_user }}"
+    createhome: true
+    shell: /bin/bash
+    home: "{{ mastodon_home }}"
+