From b0ddbc30adff8daa29751842850162cde279d7de Mon Sep 17 00:00:00 2001 From: Dan Anglin Date: Tue, 15 Oct 2019 09:16:24 +0100 Subject: [PATCH] added: configuration for Pleroma This merge request adds the template file and default variables for configuring Pleroma. Also included in this merge request are: - added: Makefile to produce the secret key base, signing salt and the public and private keys for web encryption. - fixed: Pleroma OTP builds are now downloaded from the stable branch. - changed: removed data from the pleroma task and added them in the variable directory.
---
Makefile | 24 ++++++++++ tasks/pleroma.yml | 56 +++++++++++----------- templates/etc_pleroma_config.exs.j2 | 73 +++++++++++++++++++++++++++++ vars/main.yml | 12 +++++ 4 files changed, 137 insertions(+), 28 deletions(-) create mode 100644 Makefile create mode 100644 templates/etc_pleroma_config.exs.j2
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..bd00df0
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,24 @@
+VAPID_PRIVATE_KEY_FILE := vapid-private-key.pem
+
+PHONY: secret_key_base signing_salt vapid_private_key vapid_public_key
+
+all: secret_key_base signing_salt vapid_private_key vapid_public_key
+
+secret_key_base:
+ @echo "Secret key base:"
+ @openssl rand -base64 48
+
+signing_salt:
+ @echo -e "\nSigning salt:"
+ @openssl rand -hex 4
+
+$(VAPID_PRIVATE_KEY_FILE):
+ @openssl ecparam -genkey -name prime256v1 -out $(VAPID_PRIVATE_KEY_FILE)
+
+vapid_private_key: $(VAPID_PRIVATE_KEY_FILE)
+ @echo -e "\nVapid private key:"
+ @openssl ec -in $(VAPID_PRIVATE_KEY_FILE) -outform DER 2> /dev/null | tail -c +8 | head -c 32 | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'
+
+vapid_public_key: $(VAPID_PRIVATE_KEY_FILE)
+ @echo -e "\n\nVapid public key:"
+ @openssl ec -in $(VAPID_PRIVATE_KEY_FILE) -pubout -outform DER 2> /dev/null | tail -c 65 | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'
diff --git a/tasks/pleroma.yml b/tasks/pleroma.yml
index 4ad0bbf..ea8c0ae 100644
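Review bot: The `$(VAPID_PRIVATE_KEY_FILE)` rule writes the VAPID private key with whatever the caller's umask permits, so the PEM that `vapid_private_key` and `vapid_public_key` later read can be left group- or world-readable in the working tree; prefix that recipe with `umask 077; ` (or follow it with `chmod 600 $(VAPID_PRIVATE_KEY_FILE)`) and keep the file out of version control. `PHONY:` is missing its leading dot, so `PHONY` is just an ordinary target here and none of the four key targets are actually phony — `make secret_key_base` would report "up to date" if a file of that name ever existed; write `.PHONY: secret_key_base signing_salt vapid_private_key vapid_public_key`. `echo -e` is not portable across /bin/sh implementations (dash prints the `-e` literally), so `printf` is the safer choice in the `signing_salt`, `vapid_private_key` and `vapid_public_key` recipes.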
--- a/tasks/pleroma.yml +++ b/tasks/pleroma.yml @@ -1,43 +1,43 @@ --- +# TODO: Do we need ncurses? - name: Ensure Pleroma dependencies are installed. apk: name: unzip, ncurses state: present -- name: Ensure group 'pleroma' exists. +- name: Ensure group '{{ pleroma_user.group }}' exists. group: - gid: 1200 - name: pleroma + gid: "{{ pleroma_user.id }}" + name: "{{ pleroma_user.group }}" state: present system: yes -- name: Ensure user 'pleroma' exists. +- name: Ensure user '{{ pleroma_user.name }}' exists. user: - group: pleroma - home: /opt/pleroma - name: pleroma - shell: /bin/false + group: "{{ pleroma_user.group }}" + home: "{{ pleroma_user.home }}" + name: "{{ pleroma_user.name }}" + shell: "{{ pleroma_user.shell }}" state: present system: yes - uid: 1200 + uid: "{{ pleroma_user.id }}" -# Directories - name: Ensure the Pleroma data and config directories exists. file: name: "{{ item }}" state: directory mode: '0700' - owner: pleroma - group: pleroma + owner: "{{ pleroma_user.name }}" + group: "{{ pleroma_user.group }}" loop: - - /etc/pleroma - - /var/lib/pleroma - - /var/lib/pleroma/uploads - - /var/lib/pleroma/static + - "{{ pleroma_config_dir }}" + - "{{ pleroma_base_data_dir }}" + - "{{ pleroma_uploads_dir }}" + - "{{ pleroma_static_dir }}" - name: Ensuring that the release build of pleroma is downloaded. get_url: - url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/master/download?job=amd64-musl + url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=amd64-musl dest: /tmp/pleroma.zip - name: Unzipping the release build of pleroma. 
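Review bot: The `get_url` task now fetches the OTP build from the `stable` branch but still carries no `checksum:` argument, so the archive that is later unpacked and moved into `{{ pleroma_user.home }}` is installed with no integrity check at all. Because the URL tracks a moving branch the role cannot pin a digest as written; point `url:` at a specific release ref and add `checksum: sha256:<digest placeholder>`, or at minimum record the artifact's digest after download so later runs can be compared against it. `dest: /tmp/pleroma.zip` is a predictable path in a world-writable directory; a `tempfile` module result or a staging directory under `{{ pleroma_base_data_dir }}` would avoid sharing /tmp with other local users. Minor: `system: yes` on the group and user tasks is the YAML 1.1 truthy spelling — `true` is the canonical form.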
@@ -45,21 +45,21 @@ remote_src: yes src: /tmp/pleroma.zip dest: /tmp - owner: pleroma - group: pleroma + owner: "{{ pleroma_user.name }}" + group: "{{ pleroma_user.group }}" - name: Ensuring that Pleroma is installed. shell: | - find /tmp/release/ -mindepth 1 -maxdepth 1 | xargs -I dir mv dir /opt/pleroma/ + find /tmp/release/ -mindepth 1 -maxdepth 1 | xargs -I dir mv dir {{ pleroma_user.home }} args: - creates: /opt/pleroma/bin/pleroma + creates: "{{ pleroma_user.home }}/bin/pleroma" - name: Ensuring the configuration file is set. template: src: etc_pleroma_config.exs.j2 - dest: /etc/pleroma/config.exs - owner: pleroma - group: pleroma + dest: "{{ pleroma_config_dir }}/config.exs" + owner: "{{ pleroma_user.name }}" + group: "{{ pleroma_user.group }}" mode: '0400' - name: Running database migrations. @@ -72,12 +72,12 @@ - name: Ensuring that folder permissions are set properly in /opt/pleroma. shell: | - find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chmod 0700 dir - find /opt/pleroma -mindepth 1 -maxdepth 1 -type d | xargs -I dir chown -R pleroma:pleroma dir + find {{ pleroma_user.home }} -mindepth 1 -maxdepth 1 -type d | xargs -I dir chmod 0700 dir + find {{ pleroma_user.home }} -mindepth 1 -maxdepth 1 -type d | xargs -I dir chown -R {{ pleroma_user.name }}:{{ pleroma_user.group }} dir - name: Setting up the Pleroma service. copy: - src: /opt/pleroma/installation/init.d/pleroma + src: "{{ pleroma_user.home }}/installation/init.d/pleroma" dest: /etc/init.d/pleroma remote_src: yes owner: root @@ -88,7 +88,7 @@ service: name: pleroma enabled: yes - state: started + state: restarted - name: Cleaning up file: diff --git a/templates/etc_pleroma_config.exs.j2 b/templates/etc_pleroma_config.exs.j2 new file mode 100644 index 0000000..150ae6a --- /dev/null +++ b/templates/etc_pleroma_config.exs.j2 
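Review bot: In the last hunk the service task changes `state: started` to `state: restarted`, which restarts Pleroma on every run of the role even when nothing changed, so each apply now causes an outage and the play is no longer idempotent (the task's `name:` line sits above the hunk). Keep `state: started` here and move the restart into a handler: define a `restart pleroma` handler in the role's handlers file that calls `service` with `name: pleroma` and `state: restarted`, then add `notify: restart pleroma` to the template task and the install task in the second hunk so the service only bounces when config.exs or the release actually changed. In the second hunk `xargs -I dir mv dir {{ pleroma_user.home }}` interpolates the path unquoted inside `shell:`; the value comes from the role's own vars so it is not untrusted input, but `{{ pleroma_user.home | quote }}` documents that and survives a path containing spaces — the same applies to the `find {{ pleroma_user.home }}` and `chown -R {{ pleroma_user.name }}:{{ pleroma_user.group }}` lines in the third hunk.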
@@ -0,0 +1,73 @@
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+ url: [
+ host: "{{ pleroma.config.host }}",
+ scheme: "https",
+ port: 443
+ ],
+ http: [
+ ip: {127, 0, 0, 1},
+ port: {{ pleroma.config.listeningPort }}
+ ],
+ secret_key_base: "{{ pleroma.config.secretKeyBase }}",
+ secure_cookie_flag: true,
+ signing_salt: "{{ pleroma.config.signingSalt }}"
+
+config :pleroma, :instance,
+ name: "{{ pleroma.config.instanceName }}",
+ email: "{{ pleroma.config.email }}",
+ notify_email: "{{ pleroma.config.notifyEmail }}",
+ description: "{{ pleroma.config.instanceDescription }}",
+ limit: {{ pleroma.config.characterLimit }},
+ registrations_open: {{ pleroma.config.registrationsOpen }},
+ healthcheck: {{ pleroma.config.healthCheck }},
+ dynamic_configuration: {{ pleroma.config.dynamicConfiguration }},
+ federating: {{ pleroma.config.federating }}
+
+config :pleroma, :media_proxy,
+ enabled: false,
+ redirect_on_failure: true
+ #base_url: "https://cache.pleroma.social"
+
+config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ username: "{{ pleroma.config.db.user }}",
+ password: "{{ pleroma.config.db.password }}",
+ database: "{{ pleroma.config.db.name }}",
+ hostname: "localhost",
+ pool_size: 10
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "{{ pleroma_static_dir }}"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "{{ pleroma_uploads_dir }}"
+
+# Enable Strict-Transport-Security once SSL is working:
+config :pleroma, :http_security,
+ sts: true
+
+# I probably would like to set this up at some point
+# https://docs-develop.pleroma.social/backend/configuration/cheatsheet/#pleromaemailsmailer
+config :pleroma, Pleroma.Emails.Mailer,
+ adapter: Swoosh.Adapters.Local,
+ enabled: false
+
+# Ensure logs are sent to syslog
+config :logger,
+ backends: [
+ {ExSyslogger, :ex_syslogger}
+ ],
+ level: :{{ pleroma.config.logLevel }}
+
+config :logger, :ex_syslogger,
+ level: :{{ pleroma.config.logLevel }},
+ format: "$date $time [$level] $message",
+ facility: :local1,
+ option: [:pid, :ndelay],
+ ident: "pleroma"
+
+# Configure web push notifications
+config :web_push_encryption, :vapid_details,
+ subject: "mailto:{{ pleroma.config.webPushEncryption.email }}",
+ private_key: "{{ pleroma.config.webPushEncryption.privateKey }}",
+ public_key: "{{ pleroma.config.webPushEncryption.publicKey }}"
diff --git a/vars/main.yml b/vars/main.yml
index 5b05c51..416fc0e 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,4 +1,16 @@
 ---
+pleroma_user:
+ group: pleroma
+ home: /opt/pleroma
+ id: 1200
+ name: pleroma
+ shell: /bin/false
+
+pleroma_config_dir: /etc/pleroma
+pleroma_base_data_dir: /var/lib/pleroma
+pleroma_static_dir: "{{ pleroma_base_data_dir }}/static"
+pleroma_uploads_dir: "{{ pleroma_base_data_dir }}/uploads"
+
 pleroma_ssl_folder: /etc/ssl/pleroma
 pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"
 pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
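Review bot: `registrations_open: {{ pleroma.config.registrationsOpen }}`, `healthcheck:`, `dynamic_configuration:` and `federating:` interpolate their values bare; if those variables are YAML booleans (their definitions are not in this patch) Jinja renders them as `True`/`False`, which Elixir parses as aliases — atoms, and therefore truthy — rather than as `true`/`false`, so `registrationsOpen: false` would still leave registrations open and `federating: false` would still federate. Render them through a filter that emits lowercase literals, e.g. `registrations_open: {{ pleroma.config.registrationsOpen | to_json }},` (or `| lower`), and do the same for the other three keys. The secrets in this hunk (`secret_key_base`, `signing_salt`, the database `password` and the VAPID `private_key`) are written to config.exs in the clear; the template task installs it as `mode: '0400'` owned by the Pleroma user, which is adequate on the host, but the source variables should live in a vault-encrypted file since nothing here prevents them being committed as plaintext. The comment above `:http_security` says to enable STS "once SSL is working" while `sts: true` is already set unconditionally; either reword the comment or gate the value on a variable.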
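Review bot: These values are placed in `vars/main.yml`, which takes precedence over inventory and play vars, so an operator cannot override `pleroma_user.home`, `id` or the data directories without `-e`; if they are meant to be tunable — the commit message calls them "default variables" — they belong in `defaults/main.yml`. `id: 1200` is reused for both the uid and the gid in tasks/pleroma.yml; that is fine while the two are intended to match, but a comment such as `# used for both the uid and the gid of the service account` would make the coupling visible. The template added in this commit also reads `pleroma.config.*` (host, secretKeyBase, db.password, …), which this file does not define — presumably they are supplied elsewhere, but a comment naming where they come from would help the next reader.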