archives/pleroma-ansible-playbook
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

initial commit

Browse source
This commit is contained in:
Dan Anglin 2019-10-02 01:31:38 +01:00
commit 684191060c
No known key found for this signature in database
GPG key ID: 7AC2B18EC1D09F27
8 changed files with 340 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md Normal file
View file

@ -0,0 +1,3 @@
# plemora-ansible-role
This role installs and configures Pleroma, PostgreSQL and Nginx on a single instance with Alpine Linux.

11
defaults/main.yml Normal file
View file

@ -0,0 +1,11 @@
---
pleroma_config_email: admin@localhost
pleroma_config_host: pleroma.localhost
pleroma_config_listeningPort: 4000
pleroma_config_instanceName: "New Pleroma Instance"
pleroma_config_characterLimit: 5000
pleroma_config_registrationsOpen: "false"
pleroma_config_dynamicConfiguration: "false"
plerom_db_user: pleroma
plerom_db_name: pleroma_db

27
tasks/main.yml Normal file
View file

@ -0,0 +1,27 @@
---
- name: Installing and configuring PostgreSQL.
include_tasks:
file: postgres.yml
apply:
tags:
- postgres
tags:
- postgres
- name: Installing and configuring Pleroma.
include_tasks:
file: pleroma.yml
apply:
tags:
- pleroma
tags:
- pleroma
- name: Installing and configuring Nginx.
include_tasks:
file: nginx.yml
apply:
tags:
- nginx
tags:
- nginx

55
tasks/nginx.yml Normal file
View file

@ -0,0 +1,55 @@
---
# py-cryptography is needed for self-signed certificates
# we could probably do away with certbot.
- name: Nginx -- Ensuring Nginx dependencies are installed.
apk:
name: nginx, certbot, py-cryptography
state: present
- name: Nginx -- Ensuring that the ssl folder exists
file:
name: "{{ pleroma_ssl_folder }}"
state: directory
mode: '0700'
owner: root
group: root
- name: Nginx -- Ensuring that the ssl private key is generated.
openssl_privatekey:
mode: '0400'
group: root
owner: root
path: "{{ pleroma_ssl_privateKeyPath }}"
size: 4096
state: present
type: RSA
- name: Nginx -- Ensuring that the certificate signing request is generated.
openssl_csr:
mode: '0400'
group: root
owner: root
path: "{{ pleroma_ssl_csrPath }}"
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
common_name: "{{ pleroma_config_host }}"
- name: Nginx -- Ensuring the self-signed certificate is generated.
openssl_certificate:
path: "{{ pleroma_ssl_selfSignedCertPath }}"
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
csr_path: "{{ pleroma_ssl_csrPath }}"
provider: selfsigned
- name: Nginx -- Ensuring the Nginx configuration is present.
template:
src: etc_ngnix_confd_pleroma.conf.j2
dest: /etc/nginx/conf.d/pleroma.conf
owner: root
group: root
mode: '0400'
- name: Nginx -- Ensuring that Nginx is enabled and started.
service:
name: nginx
enabled: yes
state: started

99
tasks/pleroma.yml Normal file
View file

@ -0,0 +1,99 @@
---
- name: Ensure Pleroma dependencies are installed.
apk:
name: unzip, ncurses
state: present
- name: Ensure group 'pleroma' exists.
group:
gid: 1200
name: pleroma
state: present
system: yes
- name: Ensure user 'pleroma' exists.
user:
group: pleroma
home: /opt/pleroma
name: pleroma
shell: /bin/false
state: present
system: yes
uid: 1200
# Directories
- name: Ensure the Pleroma data and config directories exists.
file:
name: "{{ item }}"
state: directory
mode: '0700'
owner: pleroma
group: pleroma
loop:
- /etc/pleroma
- /var/lib/pleroma
- /var/lib/pleroma/uploads
- /var/lib/pleroma/static
- name: Ensuring that the release build of pleroma is downloaded.
get_url:
url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/master/download?job=amd64-musl
dest: /tmp/pleroma.zip
- name: Unzipping the release build of pleroma.
unarchive:
remote_src: yes
src: /tmp/pleroma.zip
dest: /tmp
owner: pleroma
group: pleroma
- name: Ensuring that Pleroma is installed.
shell: |
find /tmp/release/ -mindepth 1 -maxdepth 1 | xargs -I dir mv dir /opt/pleroma/
args:
creates: /opt/pleroma/bin/pleroma
- name: Ensuring the configuration file is set.
template:
src: etc_pleroma_config.exs.j2
dest: /etc/pleroma/config.exs
owner: pleroma
group: pleroma
mode: '0400'
- name: Running database migrations.
command:
argv:
- pleroma_ctl
- migrate
environment:
PATH: "{{ ansible_env.PATH }}:/opt/pleroma/bin"
- name: Ensuring that folder permissions are set properly in /opt/pleroma.
shell: |
find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chmod 0700 dir
find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chown -R pleroma:pleroma dir
- name: Setting up the Pleroma service.
copy:
src: /opt/pleroma/installation/init.d/pleroma
dest: /etc/init.d/pleroma
remote_src: yes
owner: root
group: root
mode: '0700'
- name: Ensuring that the Pleroma service is enabled and started.
service:
name: pleroma
enabled: yes
state: started
- name: Cleaning up
file:
path: "{{ item }}"
state: absent
loop:
- /tmp/pleroma.zip
- /tmp/release

55
tasks/postgres.yml Normal file
View file

@ -0,0 +1,55 @@
---
- name: Postgres -- Ensure that PostgreSQL is installed.
apk:
name: postgresql, postgresql-contrib, py-psycopg2
state: present
- name: Postgres -- Ensure that the database is initialised.
command:
argv:
- /etc/init.d/postgresql
- setup
creates: /var/lib/postgresql/11/data/postgresql.conf
# TODO: Take a look at the postgres configuration file before going into production.
# TODO: Take a look at pg_hba before going into production.
- name: Postgres -- Ensure that PostgreSQL is enabled and started
service:
name: postgresql
enabled: yes
state: started
- name: waiting for Postgres to become available.
wait_for:
connect_timeout: 10
delay: 5
host: localhost
port: 5432
state: started
- name: Postgres -- Ensuring that the database user {{ pleroma_db_user }} exists.
postgresql_user:
db: postgres
encrypted: yes
name: "{{ pleroma_db_user }}"
password: "{{ pleroma_db_password }}"
state: present
- name: Postgres -- Ensuring that the database {{ pleroma_db_name }} exists.
postgresql_db:
conn_limit: "20"
encoding: UTF-8
name: "{{ pleroma_db_name }}"
owner: "{{ pleroma_db_user }}"
state: present
- name: Postgres -- Ensuring the PostgreSQL extensions is added to the database.
postgresql_ext:
name: "{{ item }}"
db: "{{ pleroma_db_name }}"
state: present
loop:
- citext
- pg_trgm
- uuid-ossp

85
templates/etc_ngnix_confd_pleroma.conf.j2 Normal file
View file

@ -0,0 +1,85 @@
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
inactive=720m use_temp_path=off;
server {
server_name {{ pleroma_config_host }};
listen 80;
listen [::]:80;
# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
# that the directory exists and that it is accessible by the webserver. If you followed
# the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
# You may need to load this file with the ssl server block commented out, run certbot
# to get the certificate, and then uncomment it.
#
# location ~ /\.well-known/acme-challenge {
# root /var/lib/letsencrypt/;
# }
location / {
return 301 https://$server_name$request_uri;
}
}
# Enable SSL session caching for improved performance
ssl_session_cache shared:ssl_session_cache:10m;
server {
server_name {{ pleroma_config_host }};
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_session_timeout 5m;
# ssl_trusted_certificate /etc/letsencrypt/live/{{ pleroma_config_host }}/chain.pem;
ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};
ssl_certificate_key {{ pleroma_ssl_privateKeyPath }};
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
# In case of an old server with an OpenSSL version of 1.0.2 or below,
# leave only prime256v1 or comment out the following line.
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_stapling on;
ssl_stapling_verify on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
# the nginx default is 1m, not enough for large media uploads
client_max_body_size 16m;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
# and `localhost.` resolves to [::0] on some systems: see issue #930
proxy_pass http://127.0.0.1:{{ pleroma_config_listeningPort }};
client_max_body_size 16m;
}
location ~ ^/(media|proxy) {
proxy_cache pleroma_media_cache;
slice 1m;
proxy_cache_key $host$uri$is_args$args$slice_range;
proxy_set_header Range $slice_range;
proxy_http_version 1.1;
proxy_cache_valid 200 206 301 304 1h;
proxy_cache_lock on;
proxy_ignore_client_abort on;
proxy_buffering on;
chunked_transfer_encoding on;
proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control;
proxy_pass http://localhost:{{ pleroma_config_listeningPort }};
}
}

5
vars/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
pleroma_ssl_folder: /etc/ssl/pleroma
pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"
pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
pleroma_ssl_selfSignedCertPath: "{{ pleroma_ssl_folder }}/pleroma.crt"