diff --git a/manifests/init.pp b/manifests/init.pp
index 3fe3e8e..d5ed94b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -338,7 +338,7 @@ class mastodon (
 ],
 custom_fragment => '
 ServerSignature Off
-
+
 ProxyPass /api/v1/streaming ws://localhost:4000
 ProxyPassReverse /api/v1/streaming ws://localhost:4000
 ProxyPass / http://localhost:3000/
@@ -402,7 +402,29 @@ class mastodon (
 redirect_dest => "https://${hostname}/",
 custom_fragment => 'ServerSignature Off',
 }
+ systemd::unit_file { 'mastodon-sidekiq.service':
+ ensure => present,
+ content => template('mastodon/mastodon-sidekiq.service.erb'),
+ active => true,
+ enable => true,
+ }
+ systemd::unit_file { 'mastodon-streaming.service':
+ ensure => present,
+ content => template('mastodon/mastodon-streaming.service.erb'),
+ active => true,
+ enable => true,
+ }
+ systemd::unit_file { 'mastodon-streaming@.service':
+ ensure => present,
+ content => template('mastodon/mastodon-streaming@.service.erb'),
+# active => true,
+ enable => true,
+ }
+ systemd::unit_file { 'mastodon-web.service':
+ ensure => present,
+ content => template('mastodon/mastodon-web.service.erb'),
+ active => true,
+ enable => true,
+ }
- # systemd units
- # systemctl enable --now mastodon-web mastodon-sidekiq mastodon-streaming
 }
diff --git a/templates/mastodon-sidekiq.service.erb b/templates/mastodon-sidekiq.service.erb
new file mode 100644
index 0000000..cab8a4b
--- /dev/null
+++ b/templates/mastodon-sidekiq.service.erb
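Review bot: `enable => true` on the `mastodon-streaming@.service` resource (with its `active` line commented out) enables a bare template unit, which systemd only accepts when the template's `[Install]` section carries `DefaultInstance=`; the template added later in this commit has none, so this is likely to fail or do nothing, while the `mastodon-streaming@4000.service` instance is already pulled in by `Wants=` from mastodon-streaming.service. Drop the `# active => true,` leftover and the `enable => true,` line for that resource, replacing them with a comment such as `# template unit: instances are started via mastodon-streaming.service; nothing to enable or activate here`, or add `DefaultInstance=4000` to the template if enabling the template itself is the intent. The removed `# systemctl enable --now ...` comment was the only hint at how the units fit together; a one-line comment above the four resources describing the wrapper/template arrangement would keep that in the manifest. The enclosing `class mastodon (` body starts outside the hunk.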
@@ -0,0 +1,53 @@
+[Unit]
+Description=mastodon-sidekiq
+After=network.target
+
+[Service]
+Type=simple
+User=<%= @mastodon_user %>
+WorkingDirectory=<%= @mastodon_home %>/live
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=25"
+Environment="MALLOC_ARENA_MAX=2"
+Environment="LD_PRELOAD=libjemalloc.so"
+ExecStart=<%= @mastodon_home %>/.rbenv/shims/bundle exec sidekiq -c 25
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths=<%= @mastodon_home %>/live
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/mastodon-streaming.service.erb b/templates/mastodon-streaming.service.erb
new file mode 100644
index 0000000..66cc347
--- /dev/null
+++ b/templates/mastodon-streaming.service.erb
@@ -0,0 +1,12 @@
+[Unit]
+Description=mastodon-streaming
+After=network.target
+Wants=mastodon-streaming@4000.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/echo "mastodon-streaming exists only to collectively start and stop mastodon-streaming@ instances, shimming over the migration to templated mastodon-streaming systemd unit"
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
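Review bot: `ReadWritePaths=<%= @mastodon_home %>/live` grants the sandboxed worker write access to the entire checkout — application code, `config/`, `Gemfile` — which gives back much of what `ProtectSystem=strict` and `NoNewPrivileges=true` buy, since a compromised worker could then alter the application itself and have the change survive restarts. Narrowing this to the directories Mastodon actually writes (presumably `public/system`, `tmp` and `log` — confirm against the deployment) would keep the code read-only, e.g. `ReadWritePaths=<%= @mastodon_home %>/live/public/system` / `ReadWritePaths=<%= @mastodon_home %>/live/tmp` / `ReadWritePaths=<%= @mastodon_home %>/live/log`. The same line appears in mastodon-web.service.erb and mastodon-streaming@.service.erb in this commit. `DB_POOL=25` and `sidekiq -c 25` are hard-coded and are expected to match; a template variable for the concurrency plus a comment such as `# DB_POOL must be at least the sidekiq -c concurrency` would prevent the two from drifting apart.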
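Review bot: `Wants=mastodon-streaming@4000.service` is a weak dependency, so this oneshot wrapper reports active (exited) even when the @4000 instance has crashed or never started; anything that checks `systemctl is-active mastodon-streaming` will see a healthy service while the websocket endpoint is down. If that is intended (the echo text says the unit exists only for collective start/stop), a comment such as `# Wants= on purpose: the wrapper stays active even if an instance fails; monitor mastodon-streaming@4000 directly` would stop the next reader from "fixing" it. Port 4000 is also hard-coded both here and in the `ProxyPass /api/v1/streaming ws://localhost:4000` fragment in init.pp; deriving both from one class parameter would keep them in sync.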
diff --git a/templates/mastodon-streaming@.service.erb b/templates/mastodon-streaming@.service.erb
new file mode 100644
index 0000000..6100024
--- /dev/null
+++ b/templates/mastodon-streaming@.service.erb
@@ -0,0 +1,54 @@
+[Unit]
+Description=mastodon-streaming on port %I
+After=network.target
+# handles using `systemctl restart mastodon-streaming`
+PartOf=mastodon-streaming.service
+ReloadPropagatedFrom=mastodon-streaming.service
+
+[Service]
+Type=simple
+User=<%= @mastodon_user %>
+WorkingDirectory=<%= @mastodon_home %>/live
+Environment="NODE_ENV=production"
+Environment="PORT=%i"
+ExecStart=/usr/bin/node ./streaming
+TimeoutSec=15
+Restart=always
+LimitNOFILE=65536
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths=<%= @mastodon_home %>/live
+
+[Install]
+WantedBy=multi-user.target mastodon-streaming.service
diff --git a/templates/mastodon-web.service.erb b/templates/mastodon-web.service.erb
new file mode 100644
index 0000000..695965c
--- /dev/null
+++ b/templates/mastodon-web.service.erb
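Review bot: `ReloadPropagatedFrom=mastodon-streaming.service` has nothing to propagate: neither this template nor mastodon-streaming.service defines `ExecReload=`, so `systemctl reload mastodon-streaming` is rejected as not applicable to the oneshot wrapper and no reload ever reaches an instance. Either drop the line or, if reload is wanted, give this unit an `ExecReload=` and the wrapper something to reload; the comment above `PartOf=` describes only restart handling, which `PartOf=` already covers, so it should say so. The unit also leaves the listen address to the application and to whatever `.env.production` in the checkout sets; since Apache proxies only to `ws://localhost:4000`, pinning `Environment="BIND=127.0.0.1"` would keep the node listener on loopback regardless of that file — confirm the deployed streaming server honours BIND before relying on it.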
@@ -0,0 +1,53 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User=<%= @mastodon_user %>
+WorkingDirectory=<%= @mastodon_home %>/live
+Environment="RAILS_ENV=production"
+Environment="PORT=3000"
+Environment="LD_PRELOAD=libjemalloc.so"
+ExecStart=<%= @mastodon_home %>/.rbenv/shims/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths=<%= @mastodon_home %>/live
+
+[Install]
+WantedBy=multi-user.target
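Review bot: `ExecReload=/bin/kill -SIGUSR1 $MAINPID` relies on puma's phased restart, which is only available when `config/puma.rb` runs puma in cluster mode (workers > 0); in single mode puma falls back to an ordinary restart, so `systemctl reload mastodon-web` drops in-flight requests instead of being zero-downtime. A comment stating that assumption, `# SIGUSR1 = puma phased restart; only effective in cluster mode (workers > 0 in config/puma.rb)`, would make the dependency explicit — confirm against the puma.rb shipped with the deployment. `PORT=3000` duplicates the `ProxyPass / http://localhost:3000/` fragment in init.pp, and as in the sidekiq unit `ReadWritePaths=<%= @mastodon_home %>/live` leaves the whole checkout writable by the web process; narrowing it to the directories puma writes would keep the application code read-only. `After=network.target` is the only ordering, so the unit presumably starts before the database and redis on boot; `Restart=always` hides that, but it shows up as restart loops in the journal.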