
Remove Mastodon deployment

main
Nick Thomas 3 years ago
parent
commit
1111813ef2
Signed by: lupine
GPG Key ID: 1F1A7ECCCFE0B92F
  1. 4
      README.md
  2. 6
      deploy
  3. 4
      inventory
  4. 6
      playbooks/voe_social.yaml
  5. 3
      roles/mastodon/meta/main.yaml
  6. 30
      roles/mastodon/tasks/main.yaml
  7. 81
      roles/mastodon/templates/docker-compose.yml.tmpl
  8. 216
      roles/mastodon/templates/env.production.tmpl
  9. 17
      secrets/main.yaml.example
  10. 1
      site.yaml
  11. 45
      templates/caddy/voe.social.Caddyfile.tmpl

4
README.md

@ -8,8 +8,7 @@ services for myself:
* CalDAV / CardDAV
* Common setup to all hosts
* DNS (master and slaves)
* E-mail
* Mastodon server (dockerified)
* E-mail (kinda, needs simplification)
* Database (PostgreSQL)
* VPN (server)
* Website (Caddy)
@ -20,6 +19,7 @@ services for myself:
* Code hosting (wow self-referential)
* File sharing
* Photo albums
* Fedi (pleroma?)
* SIP
* VPN (client)
* XMPP

6
deploy

@ -4,7 +4,6 @@ ROOT="$(dirname $0)"
VENDOR="${ROOT}/vendor"
CADDY="${VENDOR}/caddy"
HUGO="${VENDOR}/hugo"
COMPOSE="${VENDOR}/docker-compose"
if [ ! -e "$CADDY" ]; then
curl -L "https://caddyserver.com/download/linux/amd64?plugins=dns,hook.service,http.awslambda,http.cgi,http.cors,http.expires,http.filemanager,http.filter,http.git,http.hugo,http.ipfilter,http.jwt,http.mailout,http.minify,http.prometheus,http.proxyprotocol,http.ratelimit,http.realip,http.upload,net,tls.dns.rfc2136" \
@ -19,10 +18,5 @@ if [ ! -e "$HUGO" ]; then
chmod a+x "$HUGO"
fi
if [ ! -e "$COMPOSE" ]; then
curl -L "https://github.com/docker/compose/releases/download/1.21.0/docker-compose-Linux-x86_64" > $COMPOSE
chmod a+x "$COMPOSE"
fi
export ANSIBLE_CFG="${ROOT}/ansible.cfg"
exec ansible-playbook -i ${ROOT}/inventory --extra-vars @secrets/main.yaml "$@" site.yaml
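Review bot: The playbook invocation at the end of the second hunk resolves `@secrets/main.yaml` and `site.yaml` against the caller's working directory while the inventory is anchored on `$ROOT`, so running `deploy` from any other directory fails to find the secrets file or could pick up an unrelated file of that name. Anchor them the same way and quote the expansions: `exec ansible-playbook -i "${ROOT}/inventory" --extra-vars "@${ROOT}/secrets/main.yaml" "$@" "${ROOT}/site.yaml"`. The caddy download in the first hunk is fetched with `curl -L` and written straight into the vendor directory with no checksum or signature verification; the compose download this commit removes had the same shape, and pinning a known digest for the binaries that remain would close that gap. The script begins before the first hunk and the curl continuation runs past it.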

4
inventory

@ -1,7 +1,6 @@
[backup]
outpost.ur.gs backup_role=server
endgame.ur.gs backup_role=client
voe.social backup_role=client
[database]
ur.gs
@ -13,8 +12,5 @@ endgame.ur.gs dns_role=master
[ur_gs]
ur.gs domain=ur.gs
[voe_social]
voe.social domain=voe.social
[vpn]
endgame.ur.gs vpn_role=server

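--- a/playbooks/voe_social.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- hosts: voe_social
-roles:
-- caddy
-- mastodon
-tags: voe_social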

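--- a/roles/mastodon/meta/main.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
-- { role: docker }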

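--- a/roles/mastodon/tasks/main.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-- name: Create /root/docker-compose/mastodon-{{ domain }}
-file:
-path=/root/docker-compose/mastodon-{{ domain }}
-state=directory
-recurse=yes
-owner=root
-group=root
-mode=0755
-- name: Create docker-compose.yml
-template:
-dest=/root/docker-compose/mastodon-{{ domain }}/docker-compose.yml
-src=docker-compose.yml.tmpl
-owner=root
-group=root
-mode=0644
-- name: Create env.production
-template:
-dest=/root/docker-compose/mastodon-{{ domain }}/env.production
-src=env.production.tmpl
-owner=root
-group=root
-mode=0640
-- name: Compose
-command:
-docker-compose up -d
-chdir=/root/docker-compose/mastodon-{{ domain }}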

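--- a/roles/mastodon/templates/docker-compose.yml.tmpl
+++ /dev/null
@@ -1,81 +0,0 @@
-version: '3.0'
-services:
-db:
-restart: always
-image: postgres:9.6-alpine
-networks:
-- internal_network
-volumes:
-- postgres:/var/lib/postgresql/data
-redis:
-restart: always
-image: redis:4.0-alpine
-networks:
-- internal_network
-volumes:
-- redis:/data
-web:
-image: tootsuite/mastodon:v2.3.3
-restart: always
-env_file: env.production
-command: bundle exec rails s -p 3000 -b '0.0.0.0'
-networks:
-- external_network
-- internal_network
-ports:
-- "127.0.0.1:3000:3000"
-depends_on:
-- db
-- redis
-volumes:
-- /var/lib/caddy/{{ domain }}/public/assets:/mastodon/public/assets
-- /var/lib/caddy/{{ domain }}/public/packs:/mastodon/public/packs
-- /var/lib/caddy/{{ domain }}/public/system:/mastodon/public/system
-streaming:
-image: tootsuite/mastodon:v2.3.3
-restart: always
-env_file: env.production
-command: yarn start
-networks:
-- external_network
-- internal_network
-ports:
-- "127.0.0.1:4000:4000"
-depends_on:
-- db
-- redis
-volumes:
-- /var/lib/caddy/{{ domain }}/public/assets:/mastodon/public/assets
-- /var/lib/caddy/{{ domain }}/public/packs:/mastodon/public/packs
-- /var/lib/caddy/{{ domain }}/public/system:/mastodon/public/system
-sidekiq:
-image: tootsuite/mastodon:v2.3.3
-restart: always
-env_file: env.production
-command: bundle exec sidekiq -q default -q mailers -q pull -q push
-networks:
-- external_network
-- internal_network
-depends_on:
-- db
-- redis
-volumes:
-- /var/lib/caddy/{{ domain }}/public/assets:/mastodon/public/assets
-- /var/lib/caddy/{{ domain }}/public/packs:/mastodon/public/packs
-- /var/lib/caddy/{{ domain }}/public/system:/mastodon/public/system
-volumes:
-postgres:
-driver: local
-redis:
-driver: local
-networks:
-external_network:
-internal_network:
-internal: true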

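--- a/roles/mastodon/templates/env.production.tmpl
+++ /dev/null
@@ -1,216 +0,0 @@
-# Service dependencies
-REDIS_HOST=redis
-REDIS_PORT=6379
-# REDIS_DB=0
-DB_HOST=db
-DB_USER=postgres
-DB_NAME=postgres
-DB_PASS=
-DB_PORT=5432
-# Optional ElasticSearch configuration
-# ES_ENABLED=true
-# ES_HOST=es
-# ES_PORT=9200
-# Federation
-LOCAL_DOMAIN={{ domain }}
-# Use this only if you need to run mastodon on a different domain than the one used for federation.
-# Do not use this unless you know exactly what you are doing.
-# WEB_DOMAIN=
-# Application secrets
-# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
-PAPERCLIP_SECRET={{ mastodon[domain].paperclip_secret }}
-SECRET_KEY_BASE={{ mastodon[domain].secret_key_base }}
-OTP_SECRET={{ mastodon[domain].otp_secret }}
-# VAPID keys (used for push notifications
-# You can generate the keys using the following command (first is the private key, second is the public one)
-# You should only generate this once per instance. If you later decide to change it, all push subscription will
-# be invalidated, requiring the users to access the website again to resubscribe.
-#
-# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
-#
-# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
-VAPID_PRIVATE_KEY={{ mastodon[domain].vapid_private_key }}
-VAPID_PUBLIC_KEY={{ mastodon[domain].vapid_public_key }}
-# Registrations
-{% if mastodon[domain].single_user_mode | default(False) %}
-# Single user mode will disable registrations and redirect frontpage to the first profile
-SINGLE_USER_MODE=true
-{% endif %}
-{% if mastodon[domain].email_domain_blacklist is defined %}
-# Prevent registrations with following e-mail domains
-EMAIL_DOMAIN_BLACKLIST={{ mastodon[domain].email_domain_blacklist }}
-{% endif %}
-{% if mastodon[domain].email_domain_whitelist is defined %}
-# Only allow registrations with the following e-mail domains
-EMAIL_DOMAIN_WHITELIST={{ mastodon[domain].email_domain_whitelist }}
-{% endif %}
-# Optionally change default language
-DEFAULT_LOCALE=en
-# E-mail configuration
-# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
-# If you want to use an SMTP server without authentication (e.g local Postfix relay)
-# then set SMTP_AUTH_METHOD to 'none' and *comment* SMTP_LOGIN and SMTP_PASSWORD.
-# Leaving them blank is not enough for authentication method 'none'.
-SMTP_SERVER={{ mastodon[domain].smtp.server }}
-SMTP_PORT=587
-SMTP_LOGIN={{ mastodon[domain].smtp.login }}
-SMTP_PASSWORD={{ mastodon[domain].smtp.password }}
-SMTP_FROM_ADDRESS={{ mastodon[domain].smtp.from }}
-#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
-#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
-#SMTP_AUTH_METHOD=plain
-#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
-#SMTP_OPENSSL_VERIFY_MODE=peer
-#SMTP_ENABLE_STARTTLS_AUTO=true
-# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
-# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
-# PAPERCLIP_ROOT_URL=/system
-# Optional asset host for multi-server setups
-# CDN_HOST=assets.example.com
-# S3 (optional)
-# S3_ENABLED=true
-# S3_BUCKET=
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=http
-# S3_HOSTNAME=192.168.1.123:9000
-# S3 (Minio Config (optional) Please check Minio instance for details)
-# S3_ENABLED=true
-# S3_BUCKET=
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=https
-# S3_HOSTNAME=
-# S3_ENDPOINT=
-# S3_SIGNATURE_VERSION=
-# Swift (optional)
-# SWIFT_ENABLED=true
-# SWIFT_USERNAME=
-# For Keystone V3, the value for SWIFT_TENANT should be the project name
-# SWIFT_TENANT=
-# SWIFT_PASSWORD=
-# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
-# issues with token rate-limiting during high load.
-# SWIFT_AUTH_URL=
-# SWIFT_CONTAINER=
-# SWIFT_OBJECT_URL=
-# SWIFT_REGION=
-# Defaults to 'default'
-# SWIFT_DOMAIN_NAME=
-# Defaults to 60 seconds. Set to 0 to disable
-# SWIFT_CACHE_TTL=
-# Optional alias for S3 if you want to use Cloudfront or Cloudflare in front
-# S3_CLOUDFRONT_HOST=
-# Streaming API integration
-# STREAMING_API_BASE_URL=
-# Advanced settings
-# If you need to use pgBouncer, you need to disable prepared statements:
-# PREPARED_STATEMENTS=false
-# Cluster number setting for streaming API server.
-# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
-STREAMING_CLUSTER_NUM=1
-# Docker mastodon user
-# If you use Docker, you may want to assign UID/GID manually.
-# UID=1000
-# GID=1000
-# LDAP authentication (optional)
-# LDAP_ENABLED=true
-# LDAP_HOST=localhost
-# LDAP_PORT=389
-# LDAP_METHOD=simple_tls
-# LDAP_BASE=
-# LDAP_BIND_DN=
-# LDAP_PASSWORD=
-# LDAP_UID=cn
-# PAM authentication (optional)
-# PAM authentication uses for the email generation the "email" pam variable
-# and optional as fallback PAM_DEFAULT_SUFFIX
-# The pam environment variable "email" is provided by:
-# https://github.com/devkral/pam_email_extractor
-# PAM_ENABLED=true
-# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
-# PAM_EMAIL_DOMAIN=example.com
-# Name of the pam service (pam "auth" section is evaluated)
-# PAM_DEFAULT_SERVICE=rpam
-# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
-# PAM_CONTROLLED_SERVICE=rpam
-# Global OAuth settings (optional) :
-# If you have only one strategy, you may want to enable this
-# OAUTH_REDIRECT_AT_SIGN_IN=true
-# Optional CAS authentication (cf. omniauth-cas) :
-# CAS_ENABLED=true
-# CAS_URL=https://sso.myserver.com/
-# CAS_HOST=sso.myserver.com/
-# CAS_PORT=443
-# CAS_SSL=true
-# CAS_VALIDATE_URL=
-# CAS_CALLBACK_URL=
-# CAS_LOGOUT_URL=
-# CAS_LOGIN_URL=
-# CAS_UID_FIELD='user'
-# CAS_CA_PATH=
-# CAS_DISABLE_SSL_VERIFICATION=false
-# CAS_UID_KEY='user'
-# CAS_NAME_KEY='name'
-# CAS_EMAIL_KEY='email'
-# CAS_NICKNAME_KEY='nickname'
-# CAS_FIRST_NAME_KEY='firstname'
-# CAS_LAST_NAME_KEY='lastname'
-# CAS_LOCATION_KEY='location'
-# CAS_IMAGE_KEY='image'
-# CAS_PHONE_KEY='phone'
-# Optional SAML authentication (cf. omniauth-saml)
-# SAML_ENABLED=true
-# SAML_ACS_URL=
-# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback
-# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
-# SAML_IDP_CERT=
-# SAML_IDP_CERT_FINGERPRINT=
-# SAML_NAME_IDENTIFIER_FORMAT=
-# SAML_CERT=
-# SAML_PRIVATE_KEY=
-# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
-# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
-# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
-# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
-# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
-# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
-# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
-# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
-# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
-# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
-# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
-# Use HTTP proxy for outgoing request (optional)
-# http_proxy=http://gateway.local:8118
-# Access control for hidden service.
-# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
-# If you use transparent proxy to access to hidden service, uncomment following for skipping private address check.
-# HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY=true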

17
secrets/main.yaml.example

@ -21,20 +21,3 @@ mail:
me:
password_hash: "{SHA512-CRYPT}$6$aaaaaa"
wildcard: me@ur.gs
mastodon:
voe.social:
paperclip_secret:
secret_key_base:
otp_secret:
vapid_private_key:
vapid_public_key:
# single_user_mode: false
# email_domain_whitelist: 1.example.com|2.example.com
# email_domain_blacklist: 2.example.com|1.example.com
smtp:
from:
server:
login:
password:

1
site.yaml

@ -4,5 +4,4 @@
- include: playbooks/database.yaml
- include: playbooks/dns.yaml
- include: playbooks/ur_gs.yaml
- include: playbooks/voe_social.yaml
- include: playbooks/vpn.yaml

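--- a/templates/caddy/voe.social.Caddyfile.tmpl
+++ /dev/null
@@ -1,45 +0,0 @@
-{{ domain }} {
-log stderr
-root /var/lib/caddy/{{ domain }}/public
-gzip
-header / {
-Strict-Transport-Security "max-age=31536000;"
-Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://{{ domain }}; upgrade-insecure-requests"
-}
-header /emoji Cache-Control "public, max-age=31536000, immutable"
-header /packs Cache-Control "public, max-age=31536000, immutable"
-header /system/accounts/avatars Cache-Control "public, max-age=31536000, immutable"
-header /system/media_attachments/files Cache-Control "public, max-age=31536000, immutable"
-errors {
-* 500.html
-}
-rewrite {
-if {path} is /
-to /proxy{path}
-}
-rewrite {
-if {path} not_has /api/v1/streaming
-to {path} /proxy{path}
-}
-proxy /proxy localhost:3000 {
-without /proxy
-transparent
-websocket
-}
-proxy /api/v1/streaming localhost:4000 {
-transparent
-websocket
-}
-tls me@ur.gs {
-protocols tls1.2
-}
-}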