From 684191060c9b0b2d68ffbc22cb5279961b18bda2 Mon Sep 17 00:00:00 2001
From: Dan Anglin
Date: Wed, 2 Oct 2019 01:31:38 +0100
Subject: [PATCH] initial commit
---
 README.md | 3 +
 defaults/main.yml | 11 +++
 tasks/main.yml | 27 +++++++
 tasks/nginx.yml | 55 +++++++++++++
 tasks/pleroma.yml | 99 +++++++++++++++++++++++
 tasks/postgres.yml | 55 +++++++++++++
 templates/etc_ngnix_confd_pleroma.conf.j2 | 85 +++++++++++++++++++
 vars/main.yml | 5 ++
 8 files changed, 340 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/nginx.yml
 create mode 100644 tasks/pleroma.yml
 create mode 100644 tasks/postgres.yml
 create mode 100644 templates/etc_ngnix_confd_pleroma.conf.j2
 create mode 100644 vars/main.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..36dcc7b
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# plemora-ansible-role
+
+This role installs and configures Pleroma, PostgreSQL and Nginx on a single instance with Alpine Linux.
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..3ce9c29
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+pleroma_config_email: admin@localhost
+pleroma_config_host: pleroma.localhost
+pleroma_config_listeningPort: 4000
+pleroma_config_instanceName: "New Pleroma Instance"
+pleroma_config_characterLimit: 5000
+pleroma_config_registrationsOpen: "false"
+pleroma_config_dynamicConfiguration: "false"
+
+plerom_db_user: pleroma
+plerom_db_name: pleroma_db
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..593cad2
--- /dev/null
+++ b/tasks/main.yml
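Review bot: `plerom_db_user` and `plerom_db_name` on the last two lines of defaults/main.yml are misspelled, while `tasks/postgres.yml` reads `pleroma_db_user` and `pleroma_db_name`, so those tasks fail with undefined variables unless the caller happens to set the correctly spelled names; rename them to `pleroma_db_user: pleroma` and `pleroma_db_name: pleroma_db`. `pleroma_db_password`, also read by `tasks/postgres.yml`, is defined nowhere in the role; not defaulting a secret is the right call, but the README should state that it is required and is expected to come from a vault-encrypted vars file rather than plain text. The variable names mix snake_case prefixes with camelCase suffixes (`pleroma_config_listeningPort`, `pleroma_config_registrationsOpen`), which departs from the Ansible snake_case convention and makes the names harder to grep consistently.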
@@ -0,0 +1,27 @@
+---
+- name: Installing and configuring PostgreSQL.
+ include_tasks:
+ file: postgres.yml
+ apply:
+ tags:
+ - postgres
+ tags:
+ - postgres
+
+- name: Installing and configuring Pleroma.
+ include_tasks:
+ file: pleroma.yml
+ apply:
+ tags:
+ - pleroma
+ tags:
+ - pleroma
+
+- name: Installing and configuring Nginx.
+ include_tasks:
+ file: nginx.yml
+ apply:
+ tags:
+ - nginx
+ tags:
+ - nginx
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
new file mode 100644
index 0000000..cdd5b9e
--- /dev/null
+++ b/tasks/nginx.yml
@@ -0,0 +1,55 @@
+---
+# py-cryptography is needed for self-signed certificates
+# we could probably do away with certbot.
+- name: Nginx -- Ensuring Nginx dependencies are installed.
+ apk:
+ name: nginx, certbot, py-cryptography
+ state: present
+
+- name: Nginx -- Ensuring that the ssl folder exists
+ file:
+ name: "{{ pleroma_ssl_folder }}"
+ state: directory
+ mode: '0700'
+ owner: root
+ group: root
+
+- name: Nginx -- Ensuring that the ssl private key is generated.
+ openssl_privatekey:
+ mode: '0400'
+ group: root
+ owner: root
+ path: "{{ pleroma_ssl_privateKeyPath }}"
+ size: 4096
+ state: present
+ type: RSA
+
+- name: Nginx -- Ensuring that the certificate signing request is generated.
+ openssl_csr:
+ mode: '0400'
+ group: root
+ owner: root
+ path: "{{ pleroma_ssl_csrPath }}"
+ privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
+ common_name: "{{ pleroma_config_host }}"
+
+- name: Nginx -- Ensuring the self-signed certificate is generated.
+ openssl_certificate:
+ path: "{{ pleroma_ssl_selfSignedCertPath }}"
+ privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
+ csr_path: "{{ pleroma_ssl_csrPath }}"
+ provider: selfsigned
+
+- name: Nginx -- Ensuring the Nginx configuration is present.
+ template:
+ src: etc_ngnix_confd_pleroma.conf.j2
+ dest: /etc/nginx/conf.d/pleroma.conf
+ owner: root
+ group: root
+ mode: '0400'
+
+- name: Nginx -- Ensuring that Nginx is enabled and started.
+ service:
+ name: nginx
+ enabled: yes
+ state: started
diff --git a/tasks/pleroma.yml b/tasks/pleroma.yml
new file mode 100644
index 0000000..4ad0bbf
--- /dev/null
+++ b/tasks/pleroma.yml
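Review bot: The `openssl_csr` task sets only `common_name`, so the self-signed certificate issued from it carries no Subject Alternative Name, and clients that no longer match the hostname against the CN will refuse it for `{{ pleroma_config_host }}`; add `subject_alt_name: "DNS:{{ pleroma_config_host }}"` to that task. The `template` task that writes `/etc/nginx/conf.d/pleroma.conf` has no `notify`, and the closing `service` task only asserts `state: started`, so a changed configuration on an already-running Nginx is never applied; add `notify: Reload nginx` to the template task and a handler in `handlers/main.yml` (not part of this commit) that runs the `service` module with `name: nginx` and `state: reloaded`. Prefer `enabled: true` over the YAML 1.1 truthy form `enabled: yes` here and in the `service` tasks of `tasks/pleroma.yml` and `tasks/postgres.yml`.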
@@ -0,0 +1,99 @@
+---
+- name: Ensure Pleroma dependencies are installed.
+ apk:
+ name: unzip, ncurses
+ state: present
+
+- name: Ensure group 'pleroma' exists.
+ group:
+ gid: 1200
+ name: pleroma
+ state: present
+ system: yes
+
+- name: Ensure user 'pleroma' exists.
+ user:
+ group: pleroma
+ home: /opt/pleroma
+ name: pleroma
+ shell: /bin/false
+ state: present
+ system: yes
+ uid: 1200
+
+# Directories
+- name: Ensure the Pleroma data and config directories exists.
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: '0700'
+ owner: pleroma
+ group: pleroma
+ loop:
+ - /etc/pleroma
+ - /var/lib/pleroma
+ - /var/lib/pleroma/uploads
+ - /var/lib/pleroma/static
+
+- name: Ensuring that the release build of pleroma is downloaded.
+ get_url:
+ url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/master/download?job=amd64-musl
+ dest: /tmp/pleroma.zip
+
+- name: Unzipping the release build of pleroma.
+ unarchive:
+ remote_src: yes
+ src: /tmp/pleroma.zip
+ dest: /tmp
+ owner: pleroma
+ group: pleroma
+
+- name: Ensuring that Pleroma is installed.
+ shell: |
+ find /tmp/release/ -mindepth 1 -maxdepth 1 | xargs -I dir mv dir /opt/pleroma/
+ args:
+ creates: /opt/pleroma/bin/pleroma
+
+- name: Ensuring the configuration file is set.
+ template:
+ src: etc_pleroma_config.exs.j2
+ dest: /etc/pleroma/config.exs
+ owner: pleroma
+ group: pleroma
+ mode: '0400'
+
+- name: Running database migrations.
+ command:
+ argv:
+ - pleroma_ctl
+ - migrate
+ environment:
+ PATH: "{{ ansible_env.PATH }}:/opt/pleroma/bin"
+
+- name: Ensuring that folder permissions are set properly in /opt/pleroma.
+ shell: |
+ find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chmod 0700 dir
+ find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chown -R pleroma:pleroma dir
+
+- name: Setting up the Pleroma service.
+ copy:
+ src: /opt/pleroma/installation/init.d/pleroma
+ dest: /etc/init.d/pleroma
+ remote_src: yes
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: Ensuring that the Pleroma service is enabled and started.
+ service:
+ name: pleroma
+ enabled: yes
+ state: started
+
+- name: Cleaning up
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /tmp/pleroma.zip
+ - /tmp/release
diff --git a/tasks/postgres.yml b/tasks/postgres.yml
new file mode 100644
index 0000000..8a841c9
--- /dev/null
+++ b/tasks/postgres.yml
@@ -0,0 +1,55 @@
+---
+- name: Postgres -- Ensure that PostgreSQL is installed.
+ apk:
+ name: postgresql, postgresql-contrib, py-psycopg2
+ state: present
+
+- name: Postgres -- Ensure that the database is initialised.
+ command:
+ argv:
+ - /etc/init.d/postgresql
+ - setup
+ creates: /var/lib/postgresql/11/data/postgresql.conf
+
+# TODO: Take a look at the postgres configuration file before going into production.
+# TODO: Take a look at pg_hba before going into production.
+
+- name: Postgres -- Ensure that PostgreSQL is enabled and started
+ service:
+ name: postgresql
+ enabled: yes
+ state: started
+
+- name: waiting for Postgres to become available.
+ wait_for:
+ connect_timeout: 10
+ delay: 5
+ host: localhost
+ port: 5432
+ state: started
+
+- name: Postgres -- Ensuring that the database user {{ pleroma_db_user }} exists.
+ postgresql_user:
+ db: postgres
+ encrypted: yes
+ name: "{{ pleroma_db_user }}"
+ password: "{{ pleroma_db_password }}"
+ state: present
+
+- name: Postgres -- Ensuring that the database {{ pleroma_db_name }} exists.
+ postgresql_db:
+ conn_limit: "20"
+ encoding: UTF-8
+ name: "{{ pleroma_db_name }}"
+ owner: "{{ pleroma_db_user }}"
+ state: present
+
+- name: Postgres -- Ensuring the PostgreSQL extensions is added to the database.
+ postgresql_ext:
+ name: "{{ item }}"
+ db: "{{ pleroma_db_name }}"
+ state: present
+ loop:
+ - citext
+ - pg_trgm
+ - uuid-ossp
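Review bot: The `template` task 'Ensuring the configuration file is set' references `etc_pleroma_config.exs.j2`, but the commit's diffstat adds only `templates/etc_ngnix_confd_pleroma.conf.j2`, so the include aborts at that task and the migration, init-script and service tasks after it never run. The `get_url` task fetches the `master` CI artifact with no `checksum:` and no release pin, so an unverified, moving build is unpacked and moved into `/opt/pleroma`; pin a tagged artifact and add `checksum: sha256:<EXPECTED_SHA256>` (placeholder) so a changed upstream artifact fails the play instead of being installed. Because the final cleanup task removes `/tmp/pleroma.zip` and `/tmp/release` on every run while the `mv` step is guarded by `creates: /opt/pleroma/bin/pleroma`, each later play re-downloads and re-extracts the archive but never applies it, so the role cannot upgrade an existing install and the 'folder permissions' `shell` task, which has no `changed_when`, reports changed every time. Downloading and extracting to fixed, predictable paths under the world-writable `/tmp` while running as the connecting user (presumably root, since the role installs packages) lets any local account pre-create those paths; the `tempfile` module or a role-owned staging directory under `/opt/pleroma` avoids that. `pleroma_ctl migrate` likewise runs with no `become_user: pleroma`, so the migrations execute with the connecting user's privileges rather than the service account's.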
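Review bot: The `creates:` guard on 'Ensure that the database is initialised' hard-codes `/var/lib/postgresql/11/data/postgresql.conf`, so on an Alpine release that ships a different PostgreSQL major the `setup` command re-runs on every play; derive the version from the installed package or guard on the data directory the init script actually creates. The `postgresql_user`, `postgresql_db` and `postgresql_ext` tasks set no `become_user: postgres` and no `login_*` parameters, so they connect as the Ansible user, which the default peer authentication on a fresh install presumably rejects — confirm on a target host, or add `become: true` and `become_user: postgres` to those three tasks. Add `no_log: true` to the `postgresql_user` task so the `pleroma_db_password` value cannot appear in verbose or failed-task output. The two TODO comments are the right place to record that `pg_hba.conf` should stay limited to local connections for the single-instance layout the README describes.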
diff --git a/templates/etc_ngnix_confd_pleroma.conf.j2 b/templates/etc_ngnix_confd_pleroma.conf.j2
new file mode 100644
index 0000000..8ca42ee
--- /dev/null
+++ b/templates/etc_ngnix_confd_pleroma.conf.j2
@@ -0,0 +1,85 @@
+proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
+ inactive=720m use_temp_path=off;
+
+server {
+ server_name {{ pleroma_config_host }};
+
+ listen 80;
+ listen [::]:80;
+
+ # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
+ # that the directory exists and that it is accessible by the webserver. If you followed
+ # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
+ # You may need to load this file with the ssl server block commented out, run certbot
+ # to get the certificate, and then uncomment it.
+ #
+ # location ~ /\.well-known/acme-challenge {
+ # root /var/lib/letsencrypt/;
+ # }
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+# Enable SSL session caching for improved performance
+ssl_session_cache shared:ssl_session_cache:10m;
+
+server {
+ server_name {{ pleroma_config_host }};
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_session_timeout 5m;
+
+ # ssl_trusted_certificate /etc/letsencrypt/live/{{ pleroma_config_host }}/chain.pem;
+ ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};
+ ssl_certificate_key {{ pleroma_ssl_privateKeyPath }};
+
+ ssl_protocols TLSv1.2;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers on;
+ # In case of an old server with an OpenSSL version of 1.0.2 or below,
+ # leave only prime256v1 or comment out the following line.
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+
+ # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
+ # and `localhost.` resolves to [::0] on some systems: see issue #930
+ proxy_pass http://127.0.0.1:{{ pleroma_config_listeningPort }};
+
+ client_max_body_size 16m;
+ }
+
+ location ~ ^/(media|proxy) {
+ proxy_cache pleroma_media_cache;
+ slice 1m;
+ proxy_cache_key $host$uri$is_args$args$slice_range;
+ proxy_set_header Range $slice_range;
+ proxy_http_version 1.1;
+ proxy_cache_valid 200 206 301 304 1h;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+ proxy_buffering on;
+ chunked_transfer_encoding on;
+ proxy_ignore_headers Cache-Control;
+ proxy_hide_header Cache-Control;
+ proxy_pass http://localhost:{{ pleroma_config_listeningPort }};
+ }
+}
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..989253d
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,5 @@
+---
+pleroma_ssl_folder: /etc/ssl/pleroma
+pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"
+pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
+pleroma_ssl_selfSignedCertPath: "{{ pleroma_ssl_folder }}/pleroma.crt"
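Review bot: The `location ~ ^/(media|proxy)` block ends with `proxy_pass http://localhost:{{ pleroma_config_listeningPort }};` while the `location /` block above uses `127.0.0.1` for the reason its own comment gives (the endpoint binds IPv4 only and `localhost` may resolve to `[::0]`), so media and proxy requests can fail on exactly the hosts that comment describes; change it to `proxy_pass http://127.0.0.1:{{ pleroma_config_listeningPort }};`. `ssl_stapling on;` and `ssl_stapling_verify on;` do nothing useful for the self-signed certificate `tasks/nginx.yml` installs, and with `ssl_trusted_certificate` commented out nginx only logs a warning about them at startup; drop both lines until a CA-issued certificate is configured. `proxy_cache_path /tmp/pleroma-media-cache` keeps the media cache in a world-writable, non-persistent directory; a dedicated path such as `/var/cache/nginx/pleroma-media-cache`, created by the role with nginx ownership, avoids both problems. The 443 server block sets no `Strict-Transport-Security` header, so only the 301 from port 80 steers clients to HTTPS; once a trusted certificate is in place, `add_header Strict-Transport-Security "max-age=31536000" always;` closes that gap.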