11 changed files with 2 additions and 411 deletions
@ -1,6 +0,0 @@
|
||||
--- |
||||
- hosts: voe_social |
||||
roles: |
||||
- caddy |
||||
- mastodon |
||||
tags: voe_social |
@ -1,3 +0,0 @@
|
||||
--- |
||||
dependencies: |
||||
- { role: docker } |
@ -1,30 +0,0 @@
|
||||
--- |
||||
- name: Create /root/docker-compose/mastodon-{{ domain }} |
||||
file: |
||||
path=/root/docker-compose/mastodon-{{ domain }} |
||||
state=directory |
||||
recurse=yes |
||||
owner=root |
||||
group=root |
||||
mode=0755 |
||||
|
||||
- name: Create docker-compose.yml |
||||
template: |
||||
dest=/root/docker-compose/mastodon-{{ domain }}/docker-compose.yml |
||||
src=docker-compose.yml.tmpl |
||||
owner=root |
||||
group=root |
||||
mode=0644 |
||||
|
||||
- name: Create env.production |
||||
template: |
||||
dest=/root/docker-compose/mastodon-{{ domain }}/env.production |
||||
src=env.production.tmpl |
||||
owner=root |
||||
group=root |
||||
mode=0640 |
||||
|
||||
- name: Compose |
||||
command: |
||||
docker-compose up -d |
||||
chdir=/root/docker-compose/mastodon-{{ domain }} |
@ -1,81 +0,0 @@
|
||||
version: '3.0' |
||||
services: |
||||
|
||||
db: |
||||
restart: always |
||||
image: postgres:9.6-alpine |
||||
networks: |
||||
- internal_network |
||||
volumes: |
||||
- postgres:/var/lib/postgresql/data |
||||
|
||||
redis: |
||||
restart: always |
||||
image: redis:4.0-alpine |
||||
networks: |
||||
- internal_network |
||||
volumes: |
||||
- redis:/data |
||||
|
||||
web: |
||||
image: tootsuite/mastodon:v2.3.3 |
||||
restart: always |
||||
env_file: env.production |
||||
command: bundle exec rails s -p 3000 -b '0.0.0.0' |
||||
networks: |
||||
- external_network |
||||
- internal_network |
||||
ports: |
||||
- "127.0.0.1:3000:3000" |
||||
depends_on: |
||||
- db |
||||
- redis |
||||
volumes: |
||||
- /var/lib/caddy/{{ domain }}/public/assets:/mastodon/public/assets |
||||
- /var/lib/caddy/{{ domain }}/public/packs:/mastodon/public/packs |
||||
- /var/lib/caddy/{{ domain }}/public/system:/mastodon/public/system |
||||
|
||||
streaming: |
||||
image: tootsuite/mastodon:v2.3.3 |
||||
restart: always |
||||
env_file: env.production |
||||
command: yarn start |
||||
networks: |
||||
- external_network |
||||
- internal_network |
||||
ports: |
||||
- "127.0.0.1:4000:4000" |
||||
depends_on: |
||||
- db |
||||
- redis |
||||
volumes: |
||||
- /var/lib/caddy/{{ domain }}/public/assets:/mastodon/public/assets |
||||
- /var/lib/caddy/{{ domain }}/public/packs:/mastodon/public/packs |
||||
- /var/lib/caddy/{{ domain }}/public/system:/mastodon/public/system |
||||
|
||||
sidekiq: |
||||
image: tootsuite/mastodon:v2.3.3 |
||||
restart: always |
||||
env_file: env.production |
||||
command: bundle exec sidekiq -q default -q mailers -q pull -q push |
||||
networks: |
||||
- external_network |
||||
- internal_network |
||||
depends_on: |
||||
- db |
||||
- redis |
||||
volumes: |
||||
- /var/lib/caddy/{{ domain }}/public/assets:/mastodon/public/assets |
||||
- /var/lib/caddy/{{ domain }}/public/packs:/mastodon/public/packs |
||||
- /var/lib/caddy/{{ domain }}/public/system:/mastodon/public/system |
||||
|
||||
volumes: |
||||
postgres: |
||||
driver: local |
||||
redis: |
||||
driver: local |
||||
|
||||
networks: |
||||
external_network: |
||||
internal_network: |
||||
internal: true |
@ -1,216 +0,0 @@
|
||||
# Service dependencies |
||||
REDIS_HOST=redis |
||||
REDIS_PORT=6379 |
||||
# REDIS_DB=0 |
||||
|
||||
DB_HOST=db |
||||
DB_USER=postgres |
||||
DB_NAME=postgres |
||||
DB_PASS= |
||||
DB_PORT=5432 |
||||
|
||||
# Optional ElasticSearch configuration |
||||
# ES_ENABLED=true |
||||
# ES_HOST=es |
||||
# ES_PORT=9200 |
||||
|
||||
# Federation |
||||
LOCAL_DOMAIN={{ domain }} |
||||
|
||||
# Use this only if you need to run mastodon on a different domain than the one used for federation. |
||||
# Do not use this unless you know exactly what you are doing. |
||||
# WEB_DOMAIN= |
||||
|
||||
# Application secrets |
||||
# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose) |
||||
PAPERCLIP_SECRET={{ mastodon[domain].paperclip_secret }} |
||||
SECRET_KEY_BASE={{ mastodon[domain].secret_key_base }} |
||||
OTP_SECRET={{ mastodon[domain].otp_secret }} |
||||
|
||||
# VAPID keys (used for push notifications |
||||
# You can generate the keys using the following command (first is the private key, second is the public one) |
||||
# You should only generate this once per instance. If you later decide to change it, all push subscription will |
||||
# be invalidated, requiring the users to access the website again to resubscribe. |
||||
# |
||||
# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose) |
||||
# |
||||
# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html |
||||
VAPID_PRIVATE_KEY={{ mastodon[domain].vapid_private_key }} |
||||
VAPID_PUBLIC_KEY={{ mastodon[domain].vapid_public_key }} |
||||
|
||||
# Registrations |
||||
{% if mastodon[domain].single_user_mode | default(False) %} |
||||
# Single user mode will disable registrations and redirect frontpage to the first profile |
||||
SINGLE_USER_MODE=true |
||||
{% endif %} |
||||
{% if mastodon[domain].email_domain_blacklist is defined %} |
||||
# Prevent registrations with following e-mail domains |
||||
EMAIL_DOMAIN_BLACKLIST={{ mastodon[domain].email_domain_blacklist }} |
||||
{% endif %} |
||||
{% if mastodon[domain].email_domain_whitelist is defined %} |
||||
# Only allow registrations with the following e-mail domains |
||||
EMAIL_DOMAIN_WHITELIST={{ mastodon[domain].email_domain_whitelist }} |
||||
{% endif %} |
||||
|
||||
# Optionally change default language |
||||
DEFAULT_LOCALE=en |
||||
|
||||
# E-mail configuration |
||||
# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers |
||||
# If you want to use an SMTP server without authentication (e.g local Postfix relay) |
||||
# then set SMTP_AUTH_METHOD to 'none' and *comment* SMTP_LOGIN and SMTP_PASSWORD. |
||||
# Leaving them blank is not enough for authentication method 'none'. |
||||
SMTP_SERVER={{ mastodon[domain].smtp.server }} |
||||
SMTP_PORT=587 |
||||
SMTP_LOGIN={{ mastodon[domain].smtp.login }} |
||||
SMTP_PASSWORD={{ mastodon[domain].smtp.password }} |
||||
SMTP_FROM_ADDRESS={{ mastodon[domain].smtp.from }} |
||||
#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN |
||||
#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail |
||||
#SMTP_AUTH_METHOD=plain |
||||
#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt |
||||
#SMTP_OPENSSL_VERIFY_MODE=peer |
||||
#SMTP_ENABLE_STARTTLS_AUTO=true |
||||
|
||||
|
||||
# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files. |
||||
# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system |
||||
# PAPERCLIP_ROOT_URL=/system |
||||
|
||||
# Optional asset host for multi-server setups |
||||
# CDN_HOST=assets.example.com |
||||
|
||||
# S3 (optional) |
||||
# S3_ENABLED=true |
||||
# S3_BUCKET= |
||||
# AWS_ACCESS_KEY_ID= |
||||
# AWS_SECRET_ACCESS_KEY= |
||||
# S3_REGION= |
||||
# S3_PROTOCOL=http |
||||
# S3_HOSTNAME=192.168.1.123:9000 |
||||
|
||||
# S3 (Minio Config (optional) Please check Minio instance for details) |
||||
# S3_ENABLED=true |
||||
# S3_BUCKET= |
||||
# AWS_ACCESS_KEY_ID= |
||||
# AWS_SECRET_ACCESS_KEY= |
||||
# S3_REGION= |
||||
# S3_PROTOCOL=https |
||||
# S3_HOSTNAME= |
||||
# S3_ENDPOINT= |
||||
# S3_SIGNATURE_VERSION= |
||||
|
||||
# Swift (optional) |
||||
# SWIFT_ENABLED=true |
||||
# SWIFT_USERNAME= |
||||
# For Keystone V3, the value for SWIFT_TENANT should be the project name |
||||
# SWIFT_TENANT= |
||||
# SWIFT_PASSWORD= |
||||
# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid |
||||
# issues with token rate-limiting during high load. |
||||
# SWIFT_AUTH_URL= |
||||
# SWIFT_CONTAINER= |
||||
# SWIFT_OBJECT_URL= |
||||
# SWIFT_REGION= |
||||
# Defaults to 'default' |
||||
# SWIFT_DOMAIN_NAME= |
||||
# Defaults to 60 seconds. Set to 0 to disable |
||||
# SWIFT_CACHE_TTL= |
||||
|
||||
# Optional alias for S3 if you want to use Cloudfront or Cloudflare in front |
||||
# S3_CLOUDFRONT_HOST= |
||||
|
||||
# Streaming API integration |
||||
# STREAMING_API_BASE_URL= |
||||
|
||||
# Advanced settings |
||||
# If you need to use pgBouncer, you need to disable prepared statements: |
||||
# PREPARED_STATEMENTS=false |
||||
|
||||
# Cluster number setting for streaming API server. |
||||
# If you comment out following line, cluster number will be `numOfCpuCores - 1`. |
||||
STREAMING_CLUSTER_NUM=1 |
||||
|
||||
# Docker mastodon user |
||||
# If you use Docker, you may want to assign UID/GID manually. |
||||
# UID=1000 |
||||
# GID=1000 |
||||
|
||||
# LDAP authentication (optional) |
||||
# LDAP_ENABLED=true |
||||
# LDAP_HOST=localhost |
||||
# LDAP_PORT=389 |
||||
# LDAP_METHOD=simple_tls |
||||
# LDAP_BASE= |
||||
# LDAP_BIND_DN= |
||||
# LDAP_PASSWORD= |
||||
# LDAP_UID=cn |
||||
|
||||
# PAM authentication (optional) |
||||
# PAM authentication uses for the email generation the "email" pam variable |
||||
# and optional as fallback PAM_DEFAULT_SUFFIX |
||||
# The pam environment variable "email" is provided by: |
||||
# https://github.com/devkral/pam_email_extractor |
||||
# PAM_ENABLED=true |
||||
# Fallback email domain for email address generation (LOCAL_DOMAIN by default) |
||||
# PAM_EMAIL_DOMAIN=example.com |
||||
# Name of the pam service (pam "auth" section is evaluated) |
||||
# PAM_DEFAULT_SERVICE=rpam |
||||
# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default) |
||||
# PAM_CONTROLLED_SERVICE=rpam |
||||
|
||||
# Global OAuth settings (optional) : |
||||
# If you have only one strategy, you may want to enable this |
||||
# OAUTH_REDIRECT_AT_SIGN_IN=true |
||||
|
||||
# Optional CAS authentication (cf. omniauth-cas) : |
||||
# CAS_ENABLED=true |
||||
# CAS_URL=https://sso.myserver.com/ |
||||
# CAS_HOST=sso.myserver.com/ |
||||
# CAS_PORT=443 |
||||
# CAS_SSL=true |
||||
# CAS_VALIDATE_URL= |
||||
# CAS_CALLBACK_URL= |
||||
# CAS_LOGOUT_URL= |
||||
# CAS_LOGIN_URL= |
||||
# CAS_UID_FIELD='user' |
||||
# CAS_CA_PATH= |
||||
# CAS_DISABLE_SSL_VERIFICATION=false |
||||
# CAS_UID_KEY='user' |
||||
# CAS_NAME_KEY='name' |
||||
# CAS_EMAIL_KEY='email' |
||||
# CAS_NICKNAME_KEY='nickname' |
||||
# CAS_FIRST_NAME_KEY='firstname' |
||||
# CAS_LAST_NAME_KEY='lastname' |
||||
# CAS_LOCATION_KEY='location' |
||||
# CAS_IMAGE_KEY='image' |
||||
# CAS_PHONE_KEY='phone' |
||||
|
||||
# Optional SAML authentication (cf. omniauth-saml) |
||||
# SAML_ENABLED=true |
||||
# SAML_ACS_URL= |
||||
# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback |
||||
# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO |
||||
# SAML_IDP_CERT= |
||||
# SAML_IDP_CERT_FINGERPRINT= |
||||
# SAML_NAME_IDENTIFIER_FORMAT= |
||||
# SAML_CERT= |
||||
# SAML_PRIVATE_KEY= |
||||
# SAML_SECURITY_WANT_ASSERTION_SIGNED=true |
||||
# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true |
||||
# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true |
||||
# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1" |
||||
# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" |
||||
# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241" |
||||
# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42" |
||||
# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4" |
||||
# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1" |
||||
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED= |
||||
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL= |
||||
|
||||
# Use HTTP proxy for outgoing request (optional) |
||||
# http_proxy=http://gateway.local:8118 |
||||
# Access control for hidden service. |
||||
# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true |
||||
# If you use transparent proxy to access to hidden service, uncomment following for skipping private address check. |
||||
# HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY=true |
@ -1,45 +0,0 @@
|
||||
{{ domain }} { |
||||
log stderr |
||||
root /var/lib/caddy/{{ domain }}/public |
||||
gzip |
||||
|
||||
header / { |
||||
Strict-Transport-Security "max-age=31536000;" |
||||
Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://{{ domain }}; upgrade-insecure-requests" |
||||
} |
||||
|
||||
header /emoji Cache-Control "public, max-age=31536000, immutable" |
||||
header /packs Cache-Control "public, max-age=31536000, immutable" |
||||
header /system/accounts/avatars Cache-Control "public, max-age=31536000, immutable" |
||||
header /system/media_attachments/files Cache-Control "public, max-age=31536000, immutable" |
||||
|
||||
errors { |
||||
* 500.html |
||||
} |
||||
|
||||
rewrite { |
||||
if {path} is / |
||||
to /proxy{path} |
||||
} |
||||
|
||||
rewrite { |
||||
if {path} not_has /api/v1/streaming |
||||
to {path} /proxy{path} |
||||
} |
||||
|
||||
proxy /proxy localhost:3000 { |
||||
without /proxy |
||||
|
||||
transparent |
||||
websocket |
||||
} |
||||
|
||||
proxy /api/v1/streaming localhost:4000 { |
||||
transparent |
||||
websocket |
||||
} |
||||
|
||||
tls me@ur.gs { |
||||
protocols tls1.2 |
||||
} |
||||
} |