feat: support for proving your site with Keybase.

This commit adds support for uploading the site
owner's keybase.txt file onto their Pleroma server
so that Keybase can prove that they are the owner
of their site. This is diabled by default but can
be enabled by the user.

Resolves dananglin/pleroma-ansible-playbook#1

roles/init/defaults/main.yml

@@ -49,3 +49,7 @@ pleroma_defaults:
       remainingDays: 10
       termsAgreed: no
       validateCerts: true
+  keybase:
+    enable: false
+    proof:
+      filepath: "{{ lookup('env','HOME') }}/keybase.txt"

roles/pleroma-nginx/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
-- name: Nginx -- Ensuring Nginx dependencies are installed.
+- name: Nginx | Ensuring Nginx dependencies are installed.
   apk:
     name: "{{ pleroma_deps_nginx }}"
     state: present
 
-- name: Nginx -- Ensuring the Nginx configuration is present.
+- name: Nginx | Ensuring the Nginx configuration is present.
   template:
     src: etc_ngnix_confd_pleroma.conf.j2
     dest: "{{ pleroma_nginx_conf_file }}"
@@ -12,7 +12,25 @@
     group: root
     mode: '0600'
 
-- name: Nginx -- Ensuring that the SSL folder exists
+- name: Nginx | Ensuring that the server root directory is present.
+  file:
+    name: "{{ pleroma_nginx_root_dir }}"
+    recurse: true
+    state: directory
+    mode: '0700'
+    owner: nginx
+    group: nginx
+
+- name: Nginx | Ensuring the Keybase text file is present.
+  copy:
+    src: "{{ pleroma.keybase.proof.filepath }}"
+    dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
+    mode: '0644'
+    owner: nginx
+    group: nginx
+  when: pleroma.keybase.enable
+
+- name: Nginx | Ensuring that the SSL folder exists
   file:
     name: "{{ pleroma_ssl_folder }}"
     state: directory
@@ -20,7 +38,7 @@
     owner: root
     group: root
 
-- name: Nginx -- Ensuring that the ssl private key is generated.
+- name: Nginx | Ensuring that the ssl private key is generated.
   openssl_privatekey:
     mode: '0400'
     group: root
@@ -30,7 +48,7 @@
     state: present
     type: RSA
 
-- name: Nginx -- Ensuring that the certificate signing request is generated.
+- name: Nginx | Ensuring that the certificate signing request is generated.
   openssl_csr:
     common_name: "{{ pleroma.config.host }}"
     country_name: "{{ pleroma.ssl.csr.countryName }}"
@@ -45,7 +63,7 @@
     path: "{{ pleroma_ssl_csrPath }}"
     privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
 
-- name: Nginx -- Ensuring the self-signed certificate is generated.
+- name: Nginx | Ensuring the self-signed certificate is generated.
   openssl_certificate:
     path: "{{ pleroma_ssl_selfSignedCertPath }}"
     mode: '0400'
@@ -55,7 +73,7 @@
     csr_path: "{{ pleroma_ssl_csrPath }}"
     provider: selfsigned
 
-- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
+- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
   lineinfile:
     path: "{{ pleroma_nginx_conf_file }}"
     owner: root
@@ -66,7 +84,7 @@
     state: present
   when: not pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
+- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
   file:
     name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
     state: directory
@@ -76,7 +94,7 @@
     recurse: yes
   when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring that the private ACME account key is present.
+- name: Nginx | Ensuring that the private ACME account key is present.
   openssl_privatekey:
     mode: '0400'
     group: root
@@ -87,13 +105,13 @@
     type: RSA
   when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Checking if the full chain certificate exists.
+- name: Nginx | Checking if the full chain certificate exists.
   stat:
     path: "{{ pleroma_ssl_fullChainCert }}"
   register: certificate_file
   when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
+- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
   lineinfile:
     path: "{{ pleroma_nginx_conf_file }}"
     owner: root
@@ -104,7 +122,7 @@
     state: present
   when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
 
-- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
+- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
   lineinfile:
     path: "{{ pleroma_nginx_conf_file }}"
     owner: root
@@ -115,7 +133,7 @@
     state: present
   when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
 
-- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
+- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
   service:
     name: nginx
     state: started
@@ -137,13 +155,13 @@
   register: acme_challenge
   when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Creating the Acme challenge file
+- name: Nginx | Creating the Acme challenge file
   copy:
     dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
     content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
   when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed
 
-- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
+- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
   acme_certificate:
     account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
     account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
@@ -160,7 +178,7 @@
   register: acme_challenge
   when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Updating file permissions of the SSL certificate.
+- name: Nginx | Updating file permissions of the SSL certificate.
   file:
     path: "{{ pleroma_ssl_fullChainCert }}"
     owner: root
@@ -169,7 +187,7 @@
     state: file
   when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
+- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
   lineinfile:
     path: "{{ pleroma_nginx_conf_file }}"
     owner: root
@@ -180,7 +198,7 @@
     state: present
   when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring that Nginx is enabled and restarted.
+- name: Nginx | Ensuring that Nginx is enabled and restarted.
   service:
     name: nginx
     enabled: yes

roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2

@@ -4,9 +4,12 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
 server {
     server_name    {{ pleroma.config.host }};
 
+    root {{ pleroma_nginx_root_dir }};
+
     listen         80;
     listen         [::]:80;
 
+
     {% if pleroma.ssl.letsEncrypt.enable == true -%}
     location ~/\.well-known/acme-challenge {
       root {{ pleroma_letsEncrypt_baseDir }}/;
@@ -28,6 +31,8 @@ ssl_session_cache shared:ssl_session_cache:10m;
 server {
     server_name {{ pleroma.config.host }};
 
+    root {{ pleroma_nginx_root_dir }};
+
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
     ssl_session_timeout 5m;
@@ -82,4 +87,11 @@ server {
         proxy_hide_header Cache-Control;
         proxy_pass http://localhost:{{ pleroma.config.listeningPort }};
     }
+
+    {% if pleroma.keybase.enable == true -%}
+    location = /keybase.txt {
+      try_files $uri =404;
+    }
+    {% endif %}
+
 }

roles/pleroma-nginx/vars/main.yml

@@ -3,6 +3,7 @@ pleroma_deps_nginx: nginx, py-cryptography
 
 pleroma_nginx_conf_dir: /etc/nginx/conf.d
 pleroma_nginx_conf_file: "{{ pleroma_nginx_conf_dir }}/pleroma.conf"
+pleroma_nginx_root_dir: /var/www/{{ pleroma.config.host }}
 
 pleroma_ssl_folder: /etc/ssl/pleroma
 pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"