Add Pleroma

GOD THAT SUCKED
FUCK
GOD I HATE ELIXR

inventory/group_vars/cowfee.moe.yml

@@ -0,0 +1,84 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+
+## BACKEND
+# ACME
+acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
+#acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint
+acme_version: 2
+acme_webroot: "/var/www/acme"
+# AWS Backups
+aws_backup_bucket: "9iron-backups-general"
+# AWS SES
+aws_ses_user: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          33643766376336316266373239386466373639633765333332353031373132383061346564633036
+          3337396261333264363562363364336235633831353133380a613164666161313265396261616634
+          38353531306238613735623433663138643231663139363735373537393337636362636534656166
+          3063373930343039320a663063663535633932323739653461336164643035633036663362666161
+          38316564326537303236333266303432326164393435663665363963326363306237
+aws_ses_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          39306665653635383832623438656364616633643032663365643033316236333939363732363034
+          3566663361653862646636396339343963626561613839620a663731313337613734356261326437
+          31653763346663656165343632336366343562333836396232636431323635333965336137316237
+          3662393364636631310a643935313539353338333233356362623835363631383035666536343634
+          65663937643165613337373837633737653765303764303536386530616363343361326536633935
+          3565626161343562396663353538653136376138373334336435
+# Pleroma
+pleroma_instance_desc: owo
+pleroma_instance_email: rehashedsalt@cock.li
+pleroma_instance_name: Cowfee
+pleroma_instance_notify_email: noreply@cowfee.moe
+pleroma_openreg: true
+pleroma_db_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          34343838386134656236313462653531663839363030333630383332386535356431326436633137
+          3261323632653635383930333131333235373437653733300a363562666264616138623832666137
+          61333039646332343838346633363035343434303036643465353062353062303961383138643564
+          3338393765393733340a626436653666363236643938613466643530326665653764333933393437
+          37613033653864643965323162373366306233626235663461326266376662663634353066386139
+          37636162313364623933396232366239633338363539626637373163333130373665373038363566
+          65646633636638653335356536323334646632366164633532636634376632356166306139393766
+          38633934623639366263
+pleroma_secret_key_base: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36333934336635613533333137636532363937613764353933636566663031316262333837323064
+          6534653062626461633462636335346132353564653038330a326330326235623530393337333063
+          37666666386637633839633737376465366439356461653363396665636137353264363762346461
+          3765616634653234630a623061393834373964653939626564363263383435666366356339663136
+          64613330656434653538363734393831353133316666326338366335383064356165333537383837
+          31633939353565303661626233623064653838636435376239376361663362636164653962383561
+          33366335623038653232613731333730363836653532363834663663343963303763323534343038
+          61666238346239636634
+pleroma_signing_salt: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31306137646362333433313630363538333234643339353530333038393061663132633161356231
+          3662386234633933633762363334333031306564353132380a633339323364633137396636616363
+          64393536353362386336323662316262333763326138616364333237353262323232636335353436
+          3563396435643363620a646337346561393863366361643536356363626334343264343861663131
+          3466
+# snmpd
+snmp_location: "us-east-2"
+snmp_contact: "Salt <rehashedsalt@cock.li>"
+snmp_auth_user_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36373662333533616331623933343364663532326261653636363732323138633836356633623934
+          6561333833343432353561366438313165383163366131630a653163666463356462633966666330
+          38323965303639356635613565633030373836643132336332373730303137376165616163646538
+          3162616233366236350a626130643230323264343938373134653034636232303130623134393531
+          61366330316330646137336161623166343835316432363433373333323232383166
+snmp_priv_user_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          61316538316630333662633665646364356138613730633334653761626636633836363335383965
+          6332303265323236383130383366336662626331613866340a636139366135313134303538613833
+          61383662306163663634333538343733663836633834373462616265366365626533366334383031
+          6265643764656461320a313137326430386532653538346462323463386538303966303830343037
+          63333632656534333334383666666138353435383938623934663766623735656533
+snmp_int_user_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31616561323762653439346630653231646137626638383930346437323139666163316131333534
+          6463313537316230363735346236323033386562373032330a326261393039663539353738643465
+          36666136663930663463373731663534316232643637623732346331383737643233626235613439
+          3733366462613133620a386336303434303130313636356339633939623638366236346234376566
+          65386530663137393830636134653632623366333837616364396161666464613166

playbooks/webservers.yml

@@ -53,3 +53,7 @@
                   33306532343963383331623663616161626533633261383238646164663362396261633736636362
                   373764613833343634346333613639626535
       tags: [ discord, adam ]
+    - role: pleroma
+      vars:
+        pleroma_url: cowfee.moe
+      tags: [ web, pleroma ]

roles/pleroma/defaults/main.yml

@@ -0,0 +1,6 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+pleroma_arch: amd64
+pleroma_char_limit: 65535
+pleroma_openreg: false
+pleroma_webroot: /var/www/pleroma

roles/pleroma/handlers/main.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: restart pleroma
+  systemd:
+    name: pleroma
+    state: restarted
+  become: yes

roles/pleroma/meta/main.yml

@@ -0,0 +1,6 @@
+---
+allow_duplicates: no
+dependencies:
+  - role: apache-php
+  - role: postgresql
+  - role: redis

roles/pleroma/tasks/main.yml

@@ -0,0 +1,143 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Install Pleroma
+  block:
+    - name: Set up system
+      block:
+        - name: Install packages
+          apt:
+            name:
+              - curl
+              - unzip
+              #- ncurses # Comes installed by default on buntu
+        - name: Create pleroma user
+          user:
+            name: pleroma
+            password: "!"
+            home: /opt/pleroma
+            shell: /usr/sbin/nologin
+    - name: Set up PostgreSQL
+      block:
+        - name: Create DB user
+          postgresql_user:
+            name: pleroma
+            password: "{{ pleroma_db_password }}"
+        - name: Create DB
+          postgresql_db:
+            name: pleroma
+            owner: pleroma
+        - name: Create extensions
+          postgresql_ext:
+            db: pleroma
+            name: "{{ item }}"
+          loop:
+            - citext
+            - pg_trgm
+            - uuid-ossp
+      become: yes
+      become_user: postgres
+    - name: Set up Apache
+      block:
+        - name: Enable modules
+          command:
+            cmd: a2enmod "{{ item }}"
+            creates: "/etc/apache2/mods-enabled/{{ item }}.load"
+          loop:
+            - proxy
+            - proxy_http
+          notify: restart apache
+        - name: Template out vhost
+          template:
+            src: "apache2-vhost-ssl.conf"
+            dest: "/etc/apache2/sites-available/{{ pleroma_url }}.conf"
+          notify: restart apache
+        - name: Create webroot
+          file:
+            state: directory
+            path: "{{ pleroma_webroot }}"
+        - name: Enable site
+          command:
+            cmd: "a2ensite {{ pleroma_url }}.conf"
+            creates: "/etc/apache2/sites-enabled/{{ pleroma_url }}.conf"
+          notify: restart apache
+        - name: Generate certificate
+          include_role:
+            name: https
+          vars:
+            website_url: "{{ pleroma_url }}"
+    - name: Install Pleroma
+      block:
+        - name: Get latest release zip
+          get_url:
+            url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{ pleroma_arch }}"
+            dest: "/opt/pleroma/release.zip"
+          register: r
+        - name: Install Pleroma
+          block:
+            - name: Unzip release
+              unarchive:
+                src: "/opt/pleroma/release.zip"
+                remote_src: yes
+                dest: "/opt/pleroma"
+            - name: Remove old release
+              file:
+                path: "/opt/pleroma/{{ item }}"
+                state: absent
+              loop:
+                - bin
+                - lib
+                - releases
+                - installation
+                - erts-10.3.5.2 # Don't give me shit for hardcoding this version string in
+            - name: Move release out of folder
+              shell: mv -f /opt/pleroma/release/* /opt/pleroma/
+            - name: Clean up
+              file:
+                path: /opt/pleroma/release
+                state: absent
+            - name: Assign ownership
+              file:
+                path: /opt/pleroma
+                owner: pleroma
+                group: pleroma
+                recurse: yes
+          when: r is changed
+        - name: Create directory structure
+          file:
+            path: "{{ item }}"
+            state: directory
+            owner: pleroma
+            group: pleroma
+            mode: "0750"
+          loop:
+            - /etc/pleroma
+            - /opt/pleroma
+            - /var/lib/pleroma
+            - /var/lib/pleroma/uploads
+            - /var/lib/pleroma/static
+        - name: Template out configs
+          template:
+            src: config.exs
+            dest: /etc/pleroma/config.exs
+            owner: pleroma
+            group: pleroma
+          notify: restart pleroma
+        - name: Migrate DB
+          command: /opt/pleroma/bin/pleroma_ctl migrate
+          args:
+            chdir: /opt/pleroma
+          changed_when: false
+        - name: Template out service
+          template:
+            src: "pleroma.service"
+            dest: "/etc/systemd/system/pleroma.service"
+          notify: restart pleroma
+        - name: Start and enable service
+          systemd:
+            daemon_reload: yes
+            name: pleroma.service
+            state: started
+            enabled: yes
+        # TODO: BACKUPS BACKUPS BACKUPS
+  become: yes

roles/pleroma/templates/apache2-vhost-ssl.conf

@@ -0,0 +1,35 @@
+# Configuration for {{ pleroma_url }}
+# vim:ft=apache:
+
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+# Need this for SSL proxying, apparently
+SSLProxyEngine on
+
+# Website configuration
+<VirtualHost *:80>
+	ServerName {{ pleroma_url }}
+	Redirect permanent / https://{{ pleroma_url }}
+</VirtualHost>
+<VirtualHost *:443>
+	SSLEngine on
+	SSLCertificateFile /etc/pki/cert/crt/{{ pleroma_url }}.crt
+	SSLCertificateKeyFile /etc/pki/cert/private/{{ pleroma_url }}.key
+	SSLCertificateChainFile /etc/pki/cert/crt/{{ pleroma_url }}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
+	SSLCipherSuite {{ ssl_cipher_suite }}
+	ServerName {{ pleroma_url }}
+	DocumentRoot {{ pleroma_webroot }}
+	<Directory "{{ pleroma_webroot }}">
+		Require all granted
+		AllowOverride All
+		Options MultiViews FollowSymlinks
+	</Directory>
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyPass / http://127.0.0.1:4000/ nocanon retry=1
+	ProxyPassReverse / https://127.0.0.1:4000/
+
+	RequestHeader set X_FORWARDED_PROTO 'https'
+	RequestHeader set X-Forwarded-Ssl on
+</VirtualHost>

roles/pleroma/templates/config.exs

@@ -0,0 +1,38 @@
+# WARNING: THIS FILE CONTAINS SENSITIVE INFORMATION
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+	url: [host: "{{ pleroma_url }}", scheme: "https", port: 443],
+	http: [ip: {127, 0, 0, 1}, port: 4000],
+	secret_key_base: "{{ pleroma_secret_key_base }}",
+	signing_salt: "{{ pleroma_signing_salt }}"
+
+config :pleroma, :instance,
+	name: "{{ pleroma_instance_name }}",
+	desc: "{{ pleroma_instance_desc }}",
+	email: "{{ pleroma_instance_email }}",
+	notify_email: "{{ pleroma_instance_notify_email }}",
+	limit: "{{ pleroma_char_limit }}",
+	registrations_open: "{{ pleroma_openreg }}",
+	static_dir: "/var/lib/pleroma/static"
+
+config :pleroma, Pleroma.Upload,
+	uploader: Pleroma.Uploaders.Local,
+	filters: [Pleroma.Upload.Filter.Dedupe]
+
+config :pleroma, Pleroma.Uploaders.Local,
+	uploads: "/var/lib/pleroma/uploads"
+
+config :pleroma, :media_proxy,
+	enabled: false,
+	redirect_on_failure: true
+
+config :pleroma, Pleroma.Repo,
+	adapter: Ecto.Adapters.Postgres,
+	username: "pleroma",
+	password: "{{ pleroma_db_password }}",
+	database: "pleroma",
+	hostname: "localhost",
+	pool_size: 10
+
+config :pleroma, :database, rum_enabled: false

roles/pleroma/templates/pleroma.service

@@ -0,0 +1,26 @@
+# vim:ft=systemd
+[Unit]
+Description=Pleroma social network
+After=network.target postgresql.service
+
+[Service]
+User=pleroma
+Environment="HOME=/opt/pleroma"
+WorkingDirectory=/opt/pleroma
+
+KillMode=process
+Restart=on-failure
+
+ExecStart=/opt/pleroma/bin/pleroma start
+ExecStop=/opt/pleroma/bin/pleroma stop
+
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+PrivateDevice=false
+NoNewPrivileges=true
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
+[Install]
+WantedBy=multi-user.target
+