From 54a8e4aa2d8db52b4330bf0e3a47af779a22985b Mon Sep 17 00:00:00 2001 From: Salt Date: Tue, 28 Jul 2020 10:41:07 -0500 Subject: [PATCH] Add Pleroma GOD THAT SUCKED FUCK GOD I HATE ELIXR --- inventory/group_vars/cowfee.moe.yml | 84 ++++++++++ playbooks/webservers.yml | 4 + roles/pleroma/defaults/main.yml | 6 + roles/pleroma/handlers/main.yml | 8 + roles/pleroma/meta/main.yml | 6 + roles/pleroma/tasks/main.yml | 143 ++++++++++++++++++ .../pleroma/templates/apache2-vhost-ssl.conf | 35 +++++ roles/pleroma/templates/config.exs | 38 +++++ roles/pleroma/templates/pleroma.service | 26 ++++ 9 files changed, 350 insertions(+) create mode 100644 inventory/group_vars/cowfee.moe.yml create mode 100644 roles/pleroma/defaults/main.yml create mode 100644 roles/pleroma/handlers/main.yml create mode 100644 roles/pleroma/meta/main.yml create mode 100644 roles/pleroma/tasks/main.yml create mode 100644 roles/pleroma/templates/apache2-vhost-ssl.conf create mode 100644 roles/pleroma/templates/config.exs create mode 100644 roles/pleroma/templates/pleroma.service diff --git a/inventory/group_vars/cowfee.moe.yml b/inventory/group_vars/cowfee.moe.yml new file mode 100644 index 0000000..a315f55 --- /dev/null +++ b/inventory/group_vars/cowfee.moe.yml 
@@ -0,0 +1,84 @@ +#!/usr/bin/ansible-playbook +# vim:ft=ansible: + +## BACKEND +# ACME +acme_directory: "https://acme-v02.api.letsencrypt.org/directory" +#acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint +acme_version: 2 +acme_webroot: "/var/www/acme" +# AWS Backups +aws_backup_bucket: "9iron-backups-general" +# AWS SES +aws_ses_user: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 33643766376336316266373239386466373639633765333332353031373132383061346564633036 + 3337396261333264363562363364336235633831353133380a613164666161313265396261616634 + 38353531306238613735623433663138643231663139363735373537393337636362636534656166 + 3063373930343039320a663063663535633932323739653461336164643035633036663362666161 + 38316564326537303236333266303432326164393435663665363963326363306237 +aws_ses_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 39306665653635383832623438656364616633643032663365643033316236333939363732363034 + 3566663361653862646636396339343963626561613839620a663731313337613734356261326437 + 31653763346663656165343632336366343562333836396232636431323635333965336137316237 + 3662393364636631310a643935313539353338333233356362623835363631383035666536343634 + 65663937643165613337373837633737653765303764303536386530616363343361326536633935 + 3565626161343562396663353538653136376138373334336435 +# Pleroma +pleroma_instance_desc: owo +pleroma_instance_email: rehashedsalt@cock.li +pleroma_instance_name: Cowfee +pleroma_instance_notify_email: noreply@cowfee.moe +pleroma_openreg: true +pleroma_db_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34343838386134656236313462653531663839363030333630383332386535356431326436633137 + 3261323632653635383930333131333235373437653733300a363562666264616138623832666137 + 61333039646332343838346633363035343434303036643465353062353062303961383138643564 + 3338393765393733340a626436653666363236643938613466643530326665653764333933393437 + 
37613033653864643965323162373366306233626235663461326266376662663634353066386139 + 37636162313364623933396232366239633338363539626637373163333130373665373038363566 + 65646633636638653335356536323334646632366164633532636634376632356166306139393766 + 38633934623639366263 +pleroma_secret_key_base: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36333934336635613533333137636532363937613764353933636566663031316262333837323064 + 6534653062626461633462636335346132353564653038330a326330326235623530393337333063 + 37666666386637633839633737376465366439356461653363396665636137353264363762346461 + 3765616634653234630a623061393834373964653939626564363263383435666366356339663136 + 64613330656434653538363734393831353133316666326338366335383064356165333537383837 + 31633939353565303661626233623064653838636435376239376361663362636164653962383561 + 33366335623038653232613731333730363836653532363834663663343963303763323534343038 + 61666238346239636634 +pleroma_signing_salt: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 31306137646362333433313630363538333234643339353530333038393061663132633161356231 + 3662386234633933633762363334333031306564353132380a633339323364633137396636616363 + 64393536353362386336323662316262333763326138616364333237353262323232636335353436 + 3563396435643363620a646337346561393863366361643536356363626334343264343861663131 + 3466 +# snmpd +snmp_location: "us-east-2" +snmp_contact: "Salt " +snmp_auth_user_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36373662333533616331623933343364663532326261653636363732323138633836356633623934 + 6561333833343432353561366438313165383163366131630a653163666463356462633966666330 + 38323965303639356635613565633030373836643132336332373730303137376165616163646538 + 3162616233366236350a626130643230323264343938373134653034636232303130623134393531 + 61366330316330646137336161623166343835316432363433373333323232383166 +snmp_priv_user_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61316538316630333662633665646364356138613730633334653761626636633836363335383965 
+ 6332303265323236383130383366336662626331613866340a636139366135313134303538613833
+ 61383662306163663634333538343733663836633834373462616265366365626533366334383031
+ 6265643764656461320a313137326430386532653538346462323463386538303966303830343037
+ 63333632656534333334383666666138353435383938623934663766623735656533
+snmp_int_user_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31616561323762653439346630653231646137626638383930346437323139666163316131333534
+ 6463313537316230363735346236323033386562373032330a326261393039663539353738643465
+ 36666136663930663463373731663534316232643637623732346331383737643233626235613439
+ 3733366462613133620a386336303434303130313636356339633939623638366236346234376566
+ 65386530663137393830636134653632623366333837616364396161666464613166
diff --git a/playbooks/webservers.yml b/playbooks/webservers.yml
index d37ab53..b4d36af 100644
--- a/playbooks/webservers.yml
+++ b/playbooks/webservers.yml
@@ -53,3 +53,7 @@
 33306532343963383331623663616161626533633261383238646164663362396261633736636362
 373764613833343634346333613639626535
 tags: [ discord, adam ]
+ - role: pleroma
+ vars:
+ pleroma_url: cowfee.moe
+ tags: [ web, pleroma ]
diff --git a/roles/pleroma/defaults/main.yml b/roles/pleroma/defaults/main.yml
new file mode 100644
index 0000000..c1bd569
--- /dev/null
+++ b/roles/pleroma/defaults/main.yml
@@ -0,0 +1,6 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+pleroma_arch: amd64
+pleroma_char_limit: 65535
+pleroma_openreg: false
+pleroma_webroot: /var/www/pleroma
diff --git a/roles/pleroma/handlers/main.yml b/roles/pleroma/handlers/main.yml
new file mode 100644
index 0000000..1d752f1
--- /dev/null
+++ b/roles/pleroma/handlers/main.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: restart pleroma
+ systemd:
+ name: pleroma
+ state: restarted
+ become: yes
diff --git a/roles/pleroma/meta/main.yml b/roles/pleroma/meta/main.yml
new file mode 100644
index 0000000..8fdd1a5
--- /dev/null
+++ b/roles/pleroma/meta/main.yml
@@ -0,0 +1,6 @@
+---
+allow_duplicates: no
+dependencies:
+ - role: apache-php
+ - role: postgresql
+ - role: redis
diff --git a/roles/pleroma/tasks/main.yml b/roles/pleroma/tasks/main.yml
new file mode 100644
index 0000000..25e331f
--- /dev/null
+++ b/roles/pleroma/tasks/main.yml
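Review bot: The role depends on `apache-php`, yet nothing in this patch serves PHP — the vhost proxies every request to the Elixir backend on 127.0.0.1:4000. If that role pulls in `libapache2-mod-php` or similar, this host ends up with a PHP runtime it never executes, which is avoidable attack surface; a plain Apache dependency would fit better. The `redis` dependency is likewise not referenced by `config.exs` or any task; if Pleroma does not need it here, drop it or add a comment saying what requires it.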
@@ -0,0 +1,143 @@ +#!/usr/bin/ansible-playbook +# vim:ft=ansible: +--- +- name: Install Pleroma + block: + - name: Set up system + block: + - name: Install packages + apt: + name: + - curl + - unzip + #- ncurses # Comes installed by default on buntu + - name: Create pleroma user + user: + name: pleroma + password: "!" + home: /opt/pleroma + shell: /usr/sbin/nologin + - name: Set up PostgreSQL + block: + - name: Create DB user + postgresql_user: + name: pleroma + password: "{{ pleroma_db_password }}" + - name: Create DB + postgresql_db: + name: pleroma + owner: pleroma + - name: Create extensions + postgresql_ext: + db: pleroma + name: "{{ item }}" + loop: + - citext + - pg_trgm + - uuid-ossp + become: yes + become_user: postgres + - name: Set up Apache + block: + - name: Enable modules + command: + cmd: a2enmod "{{ item }}" + creates: "/etc/apache2/mods-enabled/{{ item }}.load" + loop: + - proxy + - proxy_http + notify: restart apache + - name: Template out vhost + template: + src: "apache2-vhost-ssl.conf" + dest: "/etc/apache2/sites-available/{{ pleroma_url }}.conf" + notify: restart apache + - name: Create webroot + file: + state: directory + path: "{{ pleroma_webroot }}" + - name: Enable site + command: + cmd: "a2ensite {{ pleroma_url }}.conf" + creates: "/etc/apache2/sites-enabled/{{ pleroma_url }}.conf" + notify: restart apache + - name: Generate certificate + include_role: + name: https + vars: + website_url: "{{ pleroma_url }}" + - name: Install Pleroma + block: + - name: Get latest release zip + get_url: + url: "https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{ pleroma_arch }}" + dest: "/opt/pleroma/release.zip" + register: r + - name: Install Pleroma + block: + - name: Unzip release + unarchive: + src: "/opt/pleroma/release.zip" + remote_src: yes + dest: "/opt/pleroma" + - name: Remove old release + file: + path: "/opt/pleroma/{{ item }}" + state: absent + loop: + - bin + - lib + - releases + - installation + - 
erts-10.3.5.2 # Don't give me shit for hardcoding this version string in + - name: Move release out of folder + shell: mv -f /opt/pleroma/release/* /opt/pleroma/ + - name: Clean up + file: + path: /opt/pleroma/release + state: absent + - name: Assign ownership + file: + path: /opt/pleroma + owner: pleroma + group: pleroma + recurse: yes + when: r is changed + - name: Create directory structure + file: + path: "{{ item }}" + state: directory + owner: pleroma + group: pleroma + mode: "0750" + loop: + - /etc/pleroma + - /opt/pleroma + - /var/lib/pleroma + - /var/lib/pleroma/uploads + - /var/lib/pleroma/static + - name: Template out configs + template: + src: config.exs + dest: /etc/pleroma/config.exs + owner: pleroma + group: pleroma + notify: restart pleroma + - name: Migrate DB + command: /opt/pleroma/bin/pleroma_ctl migrate + args: + chdir: /opt/pleroma + changed_when: false + - name: Template out service + template: + src: "pleroma.service" + dest: "/etc/systemd/system/pleroma.service" + notify: restart pleroma + - name: Start and enable service + systemd: + daemon_reload: yes + name: pleroma.service + state: started + enabled: yes + # TODO: BACKUPS BACKUPS BACKUPS + become: yes diff --git a/roles/pleroma/templates/apache2-vhost-ssl.conf b/roles/pleroma/templates/apache2-vhost-ssl.conf new file mode 100644 index 0000000..640a218 --- /dev/null +++ b/roles/pleroma/templates/apache2-vhost-ssl.conf 
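Review bot: `Assign ownership` chowns all of /opt/pleroma recursively to the service user, so the release's own `bin/` and `lib/` become writable by the account that executes them, and a compromised Pleroma process could rewrite its own code and persist across restarts; keep the release root-owned and group-readable (`owner: root`, `group: pleroma` on that task and on the `/opt/pleroma` entry of `Create directory structure`) and give the service user write access only under `/var/lib/pleroma`. `Template out configs` sets no `mode:` on `/etc/pleroma/config.exs`, which carries the DB password, `secret_key_base` and `signing_salt`; the 0750 parent directory limits exposure, but the file itself should get `mode: "0640"` rather than whatever the umask yields. `Migrate DB` runs under the block-level `become: yes`, i.e. as root, and may leave root-owned files under /opt/pleroma; `become_user: pleroma` on that task matches the identity the service runs with. Finally, `Get latest release zip` passes neither `checksum:` nor `force:`, so the artifact is installed unverified and, once `release.zip` exists, is never re-downloaded — the `when: r is changed` block only runs on the first deployment.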
@@ -0,0 +1,35 @@ +# Configuration for {{ pleroma_url }} +# vim:ft=apache: + +# Accept connections from non-SNI clients +SSLStrictSNIVHostCheck off +# Need this for SSL proxying, apparently +SSLProxyEngine on + +# Website configuration + + ServerName {{ pleroma_url }} + Redirect permanent / https://{{ pleroma_url }} + + + SSLEngine on + SSLCertificateFile /etc/pki/cert/crt/{{ pleroma_url }}.crt + SSLCertificateKeyFile /etc/pki/cert/private/{{ pleroma_url }}.key + SSLCertificateChainFile /etc/pki/cert/crt/{{ pleroma_url }}-fullchain.crt + SSLProtocol {{ ssl_protocol }} + SSLCipherSuite {{ ssl_cipher_suite }} + ServerName {{ pleroma_url }} + DocumentRoot {{ pleroma_webroot }} + + Require all granted + AllowOverride All + Options MultiViews FollowSymlinks + + ProxyPreserveHost On + ProxyRequests Off + ProxyPass / http://127.0.0.1:4000/ nocanon retry=1 + ProxyPassReverse / https://127.0.0.1:4000/ + + RequestHeader set X_FORWARDED_PROTO 'https' + RequestHeader set X-Forwarded-Ssl on + diff --git a/roles/pleroma/templates/config.exs b/roles/pleroma/templates/config.exs new file mode 100644 index 0000000..c96a613 --- /dev/null +++ b/roles/pleroma/templates/config.exs 
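Review bot: `ProxyPassReverse / https://127.0.0.1:4000/` does not match the `ProxyPass / http://127.0.0.1:4000/` line above it, so Location and Content-Location headers the backend emits with its http:// origin are never rewritten; it should read `ProxyPassReverse / http://127.0.0.1:4000/`. The forwarded-scheme header is set as `X_FORWARDED_PROTO`, while the name a Plug/Phoenix backend conventionally reads is `X-Forwarded-Proto`; unless Pleroma is known to accept the underscore form, rename it (`config.exs` pins `scheme: "https"`, which presumably covers URL generation, but the header is what tells the app the original scheme). Because the :80 vhost redirects everything and the :443 vhost proxies `/` wholesale, the `acme_webroot` from group_vars is not reachable through this site; if the `https` role validates via an HTTP-01 webroot, an exclusion such as `ProxyPass /.well-known/acme-challenge !` plus a matching `Alias` is needed — worth confirming against that role. `SSLStrictSNIVHostCheck off` is a server-wide setting placed in a per-site file; a comment noting that it applies globally would stop it being lost when the site is later edited. The `<VirtualHost>` tags are not visible in this rendering, so the block boundaries are inferred.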
@@ -0,0 +1,38 @@
+# WARNING: THIS FILE CONTAINS SENSITIVE INFORMATION
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+ url: [host: "{{ pleroma_url }}", scheme: "https", port: 443],
+ http: [ip: {127, 0, 0, 1}, port: 4000],
+ secret_key_base: "{{ pleroma_secret_key_base }}",
+ signing_salt: "{{ pleroma_signing_salt }}"
+
+config :pleroma, :instance,
+ name: "{{ pleroma_instance_name }}",
+ desc: "{{ pleroma_instance_desc }}",
+ email: "{{ pleroma_instance_email }}",
+ notify_email: "{{ pleroma_instance_notify_email }}",
+ limit: "{{ pleroma_char_limit }}",
+ registrations_open: "{{ pleroma_openreg }}",
+ static_dir: "/var/lib/pleroma/static"
+
+config :pleroma, Pleroma.Upload,
+ uploader: Pleroma.Uploaders.Local,
+ filters: [Pleroma.Upload.Filter.Dedupe]
+
+config :pleroma, Pleroma.Uploaders.Local,
+ uploads: "/var/lib/pleroma/uploads"
+
+config :pleroma, :media_proxy,
+ enabled: false,
+ redirect_on_failure: true
+
+config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ username: "pleroma",
+ password: "{{ pleroma_db_password }}",
+ database: "pleroma",
+ hostname: "localhost",
+ pool_size: 10
+
+config :pleroma, :database, rum_enabled: false
diff --git a/roles/pleroma/templates/pleroma.service b/roles/pleroma/templates/pleroma.service
new file mode 100644
index 0000000..c5a7b6d
--- /dev/null
+++ b/roles/pleroma/templates/pleroma.service
@@ -0,0 +1,26 @@
+# vim:ft=systemd
+[Unit]
+Description=Pleroma social network
+After=network.target postgresql.service
+
+[Service]
+User=pleroma
+Environment="HOME=/opt/pleroma"
+WorkingDirectory=/opt/pleroma
+
+KillMode=process
+Restart=on-failure
+
+ExecStart=/opt/pleroma/bin/pleroma start
+ExecStop=/opt/pleroma/bin/pleroma stop
+
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+PrivateDevice=false
+NoNewPrivileges=true
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
+[Install]
+WantedBy=multi-user.target
+
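Review bot: `registrations_open: "{{ pleroma_openreg }}"` renders the Ansible boolean as the string `"True"` or `"False"`, and in Elixir every value other than `false` and `nil` is truthy, so the role default `pleroma_openreg: false` would still read as open registration wherever the app tests this key with `if` or `||`. Render a bare atom instead: `registrations_open: {{ pleroma_openreg | lower }},`. The same quoting makes `limit` the string `"65535"` rather than an integer; under Elixir's term ordering a number compares as less than any binary, so a length check against it would likely never trigger — use `limit: {{ pleroma_char_limit }},`.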
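Review bot: `PrivateDevice=false` is not a systemd directive — the setting is `PrivateDevices=` (plural) — so systemd will warn about an unknown key and ignore the line. Because `false` is the default the effect is nil today, but the typo hides that the unit intentionally keeps device access; change it to `PrivateDevices=false`, or to `true` if the host needs no physical devices. `ProtectSystem=full` still leaves /opt and /var writable to the service; `ProtectSystem=strict` with `ReadWritePaths=/var/lib/pleroma` (plus whatever scratch directory the release needs at runtime — confirm) would confine writes to the data paths.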