added: configuration for Pleroma

This merge request adds the template file and default variables for configuring Pleroma. Also included in this merge request are: - added: Makefile to produce the secret key base, signing salt and the public and private keys for web encryption. - fixed: Pleroma OTP builds are now downloaded from the stable branch. - changed: removed data from the pleroma task and added them in the variable directory.
2019-10-15 09:16:24 +01:00 · 2019-10-15 09:16:24 +01:00 · b0ddbc30ad
commit b0ddbc30ad
parent f293d06c78
4 changed files with 137 additions and 28 deletions
--- a/24
+++ b/24
@ -0,0 +1,24 @@
+VAPID_PRIVATE_KEY_FILE := vapid-private-key.pem
+
+PHONY: secret_key_base signing_salt vapid_private_key vapid_public_key
+
+all: secret_key_base signing_salt vapid_private_key vapid_public_key
+
+secret_key_base:
+	@echo "Secret key base:"
+	@openssl rand -base64 48
+
+signing_salt:
+	@echo -e "\nSigning salt:"
+	@openssl rand -hex 4
+
+$(VAPID_PRIVATE_KEY_FILE):
+	@openssl ecparam -genkey -name prime256v1 -out $(VAPID_PRIVATE_KEY_FILE)
+
+vapid_private_key: $(VAPID_PRIVATE_KEY_FILE)
+	@echo -e "\nVapid private key:"
+	@openssl ec -in $(VAPID_PRIVATE_KEY_FILE) -outform DER 2> /dev/null | tail -c +8 | head -c 32 | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'
+
+vapid_public_key: $(VAPID_PRIVATE_KEY_FILE)
+	@echo -e "\n\nVapid public key:"
+	@openssl ec -in $(VAPID_PRIVATE_KEY_FILE) -pubout -outform DER 2> /dev/null | tail -c 65 | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'
--- a/tasks/pleroma.yml
+++ b/tasks/pleroma.yml
@ -1,43 +1,43 @@
 ---
+# TODO: Do we need ncurses?
 - name: Ensure Pleroma dependencies are installed.
  apk:
    name: unzip, ncurses
    state: present

- name: Ensure group 'pleroma' exists.
+- name: Ensure group '{{ pleroma_user.group }}' exists.
  group:
-    gid: 1200
-    name: pleroma
+    gid: "{{ pleroma_user.id }}"
+    name: "{{ pleroma_user.group }}"
    state: present
    system: yes

- name: Ensure user 'pleroma' exists.
+- name: Ensure user '{{ pleroma_user.name }}' exists.
  user:
-    group: pleroma
-    home: /opt/pleroma
-    name: pleroma
-    shell: /bin/false
+    group: "{{ pleroma_user.group }}"
+    home: "{{ pleroma_user.home }}"
+    name: "{{ pleroma_user.name }}"
+    shell: "{{ pleroma_user.shell }}"
    state: present
    system: yes
-    uid: 1200
+    uid: "{{ pleroma_user.id }}"

-# Directories
 - name: Ensure the Pleroma data and config directories exists.
  file:
    name: "{{ item }}"
    state: directory
    mode: '0700'
-    owner: pleroma
-    group: pleroma
+    owner: "{{ pleroma_user.name }}"
+    group: "{{ pleroma_user.group }}"
  loop:
-  - /etc/pleroma
-  - /var/lib/pleroma
-  - /var/lib/pleroma/uploads
-  - /var/lib/pleroma/static
+  - "{{ pleroma_config_dir }}"
+  - "{{ pleroma_base_data_dir }}"
+  - "{{ pleroma_uploads_dir }}"
+  - "{{ pleroma_static_dir }}"

 - name: Ensuring that the release build of pleroma is downloaded.
  get_url:
-    url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/master/download?job=amd64-musl
+    url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=amd64-musl
    dest: /tmp/pleroma.zip

 - name: Unzipping the release build of pleroma.
@ -45,21 +45,21 @@
    remote_src: yes
    src: /tmp/pleroma.zip
    dest: /tmp
-    owner: pleroma
-    group: pleroma
+    owner: "{{ pleroma_user.name }}"
+    group: "{{ pleroma_user.group }}"

 - name: Ensuring that Pleroma is installed.
  shell: |
-    find /tmp/release/ -mindepth 1 -maxdepth 1 | xargs -I dir mv dir /opt/pleroma/
+    find /tmp/release/ -mindepth 1 -maxdepth 1 | xargs -I dir mv dir {{ pleroma_user.home }}
  args:
-    creates: /opt/pleroma/bin/pleroma
+    creates: "{{ pleroma_user.home }}/bin/pleroma"

 - name: Ensuring the configuration file is set.
  template:
    src: etc_pleroma_config.exs.j2
-    dest: /etc/pleroma/config.exs
-    owner: pleroma
-    group: pleroma
+    dest: "{{ pleroma_config_dir }}/config.exs"
+    owner: "{{ pleroma_user.name }}"
+    group: "{{ pleroma_user.group }}"
    mode: '0400'

 - name: Running database migrations.
@ -72,12 +72,12 @@

 - name: Ensuring that folder permissions are set properly in /opt/pleroma.
  shell: |
-    find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chmod 0700 dir
-    find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chown -R pleroma:pleroma dir
+    find {{ pleroma_user.home }} -mindepth 1 -maxdepth 1 -type d | xargs -I dir chmod 0700 dir
+    find {{ pleroma_user.home }} -mindepth 1 -maxdepth 1 -type d | xargs -I dir chown -R {{ pleroma_user.name }}:{{ pleroma_user.group }} dir

 - name: Setting up the Pleroma service.
  copy:
-    src: /opt/pleroma/installation/init.d/pleroma
+    src: "{{ pleroma_user.home }}/installation/init.d/pleroma"
    dest: /etc/init.d/pleroma
    remote_src: yes
    owner: root
@ -88,7 +88,7 @@
  service:
    name: pleroma
    enabled: yes
-    state: started
+    state: restarted

 - name: Cleaning up
  file:
--- a/templates/etc_pleroma_config.exs.j2
+++ b/templates/etc_pleroma_config.exs.j2
@ -0,0 +1,73 @@
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+  url: [
+    host: "{{ pleroma.config.host }}",
+    scheme: "https",
+    port: 443
+  ],
+  http: [
+    ip: {127, 0, 0, 1},
+    port: {{ pleroma.config.listeningPort }}
+  ],
+  secret_key_base: "{{ pleroma.config.secretKeyBase }}",
+  secure_cookie_flag: true,
+  signing_salt: "{{ pleroma.config.signingSalt }}"
+
+config :pleroma, :instance,
+  name: "{{ pleroma.config.instanceName }}",
+  email: "{{ pleroma.config.email }}",
+  notify_email: "{{ pleroma.config.notifyEmail }}",
+  description: "{{ pleroma.config.instanceDescription }}",
+  limit: {{ pleroma.config.characterLimit }},
+  registrations_open: {{ pleroma.config.registrationsOpen }},
+  healthcheck: {{ pleroma.config.healthCheck }},
+  dynamic_configuration: {{ pleroma.config.dynamicConfiguration }},
+  federating: {{ pleroma.config.federating }}
+
+config :pleroma, :media_proxy,
+  enabled: false,
+  redirect_on_failure: true
+  #base_url: "https://cache.pleroma.social"
+
+config :pleroma, Pleroma.Repo,
+  adapter: Ecto.Adapters.Postgres,
+  username: "{{ pleroma.config.db.user }}",
+  password: "{{ pleroma.config.db.password }}",
+  database: "{{ pleroma.config.db.name }}",
+  hostname: "localhost",
+  pool_size: 10
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "{{ pleroma_static_dir }}"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "{{ pleroma_uploads_dir }}"
+
+# Enable Strict-Transport-Security once SSL is working:
+config :pleroma, :http_security,
+  sts: true
+
+# I probably would like to set this up at some point
+# https://docs-develop.pleroma.social/backend/configuration/cheatsheet/#pleromaemailsmailer
+config :pleroma, Pleroma.Emails.Mailer,
+  adapter: Swoosh.Adapters.Local,
+  enabled: false
+
+# Ensure logs are sent to syslog
+config :logger,
+  backends: [
+    {ExSyslogger, :ex_syslogger}
+  ],
+  level: :{{ pleroma.config.logLevel }}
+
+config :logger, :ex_syslogger,
+  level: :{{ pleroma.config.logLevel }},
+  format: "$date $time [$level] $message",
+  facility: :local1,
+  option: [:pid, :ndelay],
+  ident: "pleroma"
+
+# Configure web push notifications
+config :web_push_encryption, :vapid_details,
+  subject: "mailto:{{ pleroma.config.webPushEncryption.email }}",
+  private_key: "{{ pleroma.config.webPushEncryption.privateKey }}",
+  public_key: "{{ pleroma.config.webPushEncryption.publicKey }}"
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,4 +1,16 @@
 ---
+pleroma_user:
+  group: pleroma
+  home: /opt/pleroma
+  id: 1200
+  name: pleroma
+  shell: /bin/false
+
+pleroma_config_dir: /etc/pleroma
+pleroma_base_data_dir: /var/lib/pleroma
+pleroma_static_dir: "{{ pleroma_base_data_dir }}/static"
+pleroma_uploads_dir: "{{ pleroma_base_data_dir }}/uploads"
+
 pleroma_ssl_folder: /etc/ssl/pleroma
 pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"
 pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"