feat: managing my Pleroma instance with GitOps.

This is a big milestone for me as this is the
first project where I completely set up GitOps for
managing my Pleroma platform.

[skip ci]
This commit is contained in:
Dan Anglin 2020-06-28 02:58:45 +01:00
parent fec64b95ab
commit 9b7e3f3955
Signed by: dananglin
GPG key ID: 0C1D44CFBEE68638
9 changed files with 353 additions and 0 deletions

61
.gitlab-ci.yml Normal file

@ -0,0 +1,61 @@
---
stages:
- deploy
# TODO: research and add a suitable WorkFlow.
variables:
ANSIBLE_FORCE_COLOR: "True"
INVENTORY: ${CI_PROJECT_DIR}/ansible/inventory/free-flow/hosts
PLEROMA_PLAYBOOK_DIRECTORY: /ansible/pleroma-playbook
PLEROMA_INFRASTRUCTURE_DIRECTORY: ${CI_PROJECT_DIR}
VAULT_AUTH_METHOD: approle
image: registry.gitlab.com/dananglin/pleroma-ansible-playbook:v0.1.3
before_script:
- .gitlab/ci/bin/generate-inventory
- .gitlab/ci/bin/update-config-for-testing
- cd ${PLEROMA_PLAYBOOK_DIRECTORY}
deploy:testing:
environment:
name: ${PLEROMA_ENVIRONMENT}
url: ${TESTING_PLEROMA_FQDN}
rules:
- if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == "testing" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
when: always
script:
- "make pleroma"
stage: deploy
tags:
- pleroma-ansible-testing
variables:
EXTRA_ARGS: "--extra-vars enable_pleroma_upgrade=True"
PLEROMA_ENVIRONMENT: testing
PLEROMA_ANSIBLE_HOST: ${TESTING_PLEROMA_ANSIBLE_HOST}
PLEROMA_ANSIBLE_USER: ${TESTING_PLEROMA_ANSIBLE_USER}
PLEROMA_ANSIBLE_PASSWORD: ${TESTING_PLEROMA_ANSIBLE_PASSWORD}
VAULT_ROLE_ID: ${TESTING_VAULT_ROLE_ID}
VAULT_SECRET_ID: ${TESTING_VAULT_SECRET_ID}
deploy:production:
environment:
name: ${PLEROMA_ENVIRONMENT}
url: https://fedi.dananglin.me.uk
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "dananglin/pleroma-free-flow"'
when: always
script:
- "make pleroma"
stage: deploy
tags:
- pleroma-ansible-production
variables:
ANSIBLE_PRIVATE_KEY_FILE: ${PRODUCTION_PLEROMA_ANSIBLE_PRIVATE_KEY_FILE}
EXTRA_ARGS: "--extra-vars enable_pleroma_upgrade=True"
PLEROMA_ENVIRONMENT: production
PLEROMA_ANSIBLE_HOST: ${PRODUCTION_PLEROMA_ANSIBLE_HOST}
PLEROMA_ANSIBLE_USER: ${PRODUCTION_PLEROMA_ANSIBLE_USER}
VAULT_ROLE_ID: ${PRODUCTION_PLEROMA_VAULT_ROLE_ID}
VAULT_SECRET_ID: ${PRODUCTION_PLEROMA_VAULT_SECRET_ID}
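Review bot: `when: always` under the `rules:` entries of both `deploy:testing` and `deploy:production` makes the deploy run regardless of whether an earlier stage failed; with only a `deploy` stage today that has no effect, but once the workflow the `TODO` at the top of the file adds a lint or test stage, a failed stage would no longer block a production deploy. Dropping the `when:` line (the default is `on_success`) or writing `when: on_success` keeps that gate. The `deploy:testing` rule also lacks the `$CI_PROJECT_PATH == "dananglin/pleroma-free-flow"` condition that `deploy:production` carries; if the `pleroma-ansible-testing` runner is project-specific that may be acceptable, but adding the same condition costs nothing. `PLEROMA_ANSIBLE_PASSWORD`, the `VAULT_*` ids and the private-key file path are consumed as CI variables, so they should be masked and protected in the project settings, which this diff cannot show.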


@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -euo pipefail
ANSIBLE_SSH_VARS="ansible_connection=ssh ansible_host=${PLEROMA_ANSIBLE_HOST} ansible_user=${PLEROMA_ANSIBLE_USER}"
if [ "${PLEROMA_ENVIRONMENT:-nil}" == "testing" ]; then
ANSIBLE_SSH_VARS="${ANSIBLE_SSH_VARS} ansible_password=${PLEROMA_ANSIBLE_PASSWORD}"
fi
sed -i -e "s/free-flow/free-flow $ANSIBLE_SSH_VARS/g" ${INVENTORY}
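Review bot: The `sed` on the last line interpolates `$ANSIBLE_SSH_VARS` (host, user and, for testing, the password) straight into the replacement text, so a `/`, `&` or `\` in any of those values either breaks the expression or silently corrupts the written inventory (`&` expands to the matched text), and `${INVENTORY}` is unquoted. Appending a `[pleroma:vars]` section with `printf` writes the values verbatim and avoids sed's metacharacter rules; the `pleroma` group in the committed inventory contains only `free-flow`, so the effect is the same. The password still lands in plaintext in the inventory file on the runner; whether the job workspace is cleaned between runs depends on runner configuration that is not in this diff.
```shell
# … unchanged: shebang and set -euo pipefail …
{
  printf '\n[pleroma:vars]\n'
  printf 'ansible_connection=ssh\n'
  printf 'ansible_host=%s\n' "${PLEROMA_ANSIBLE_HOST}"
  printf 'ansible_user=%s\n' "${PLEROMA_ANSIBLE_USER}"
  if [ "${PLEROMA_ENVIRONMENT:-nil}" == "testing" ]; then
    printf 'ansible_password=%s\n' "${PLEROMA_ANSIBLE_PASSWORD}"
  fi
} >> "${INVENTORY}"
```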


@ -0,0 +1,24 @@
#!/usr/bin/env bash
set -euo pipefail
CONFIGURATION_FILE=${PLEROMA_INFRASTRUCTURE_DIRECTORY}/ansible/inventory/free-flow/host_vars/free-flow/pleroma-configuration.yml
if [ "${PLEROMA_ENVIRONMENT:-nil}" == "testing" ]; then
# 1) Ensure vault secrets are retrieved from the development path.
# 2) Change instance name.
# 3) Change instance description.
# 4) Disable healthcheck.
# 5) Change the domain name.
# 6) Disable let's encrypt (until we get ngrok set up).
sed -i \
-e 's/secret=pleroma\/production/secret=pleroma\/development/g' \
-e 's/^.*instanceName:.*$/ instanceName: "Free Flow (Test Instance)"/' \
-e 's/^.*instanceDescription:.*$/ instanceDescription: "Pleroma test instance for Free Flow"/' \
-e 's/^.*healthCheck:.*$/ healthCheck: "false"/' \
-e "s/^.*host:.*$/ host: ${TESTING_PLEROMA_FQDN}/" \
${CONFIGURATION_FILE}
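Review bot: The comment block lists six edits but the `sed` carries only five `-e` expressions — nothing disables Let's Encrypt, so a testing deploy still runs ACME for the testing FQDN against the production directory (the host_vars file in this commit has `enable: true` and the production `acmeDirectory` under `letsEncrypt`). Either drop item 6 from the comment or add the expression, limited to that stanza with a range: `-e '/letsEncrypt:/,/keybase:/ s/enable: true/enable: false/'`. The `^.*host:.*$` pattern matches any line containing `host:`; in the committed file that is only the intended line, but a future key such as a database host would be rewritten too, so anchoring on the key's exact indentation is safer — the rendered diff has lost the indentation, so I cannot quote the exact form. `${CONFIGURATION_FILE}` on the last line should also be quoted.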
fi


@ -0,0 +1,65 @@
---
pleroma:
config:
email: &email daangling@gmail.com
host: fedi.dananglin.me.uk
listeningPort: 10000
instanceName: "Free Flow"
instanceDescription: "Yet another single-user Pleroma instance in the Fediverse."
secretKeyBase: "{{ lookup('hashi_vault', 'secret=pleroma/production:secretKeyBase') }}"
signingSalt: "{{ lookup('hashi_vault', 'secret=pleroma/production:signingSalt') }}"
webPushEncryption:
email: *email
privateKey: "{{ lookup('hashi_vault', 'secret=pleroma/production:webPushEncryption.privateKey') }}"
publicKey: "{{ lookup('hashi_vault', 'secret=pleroma/production:webPushEncryption.publicKey') }}"
characterLimit: 5000
registrationsOpen: "false"
configurableFromDatabase: "false"
healthCheck: "true"
remotePostRetentionDays: 30
logLevel: info
federating: "true"
chatEnabled: "false"
mrf:
simplePolicy:
reject:
- baraag.net
- gab.com
- switter.at
- vipgirlfriend.xxx
- pawoo.net
federatedTimelineRemoval:
- freespeechextremist.com
- sinblr.com
mediaRemoval: []
mediaNsfw: []
frontend:
background: "{{ lookup('env', 'PLEROMA_INFRASTRUCTURE_DIRECTORY') }}/assets/background/photo-of-starry-night.jpg"
themes:
custom:
- name: night-owl
path: "{{ lookup('env', 'PLEROMA_INFRASTRUCTURE_DIRECTORY') }}/assets/themes/night-owl.json"
default: night-owl
db:
name: "{{ lookup('hashi_vault', 'secret=pleroma/production:database.name') }}"
user: "{{ lookup('hashi_vault', 'secret=pleroma/production:database.user') }}"
password: "{{ lookup('hashi_vault', 'secret=pleroma/production:database.password') }}"
connLimit: 15
ssl:
csr:
countryName: "GB"
emailAddress: *email
organizationName: "Dan Anglin"
organizationUnitName: "DevOps"
stateOrProvinceName: "Hertfordshire"
letsEncrypt:
enable: true
acmeAccountEmail: *email
acmeDirectory: "https://acme-v02.api.letsencrypt.org/directory"
remainingDays: 30
termsAgreed: yes
validateCerts: true
keybase:
enable: true
proof:
filepath: "{{ lookup('env', 'PLEROMA_INFRASTRUCTURE_DIRECTORY') }}/assets/keybase/keybase.txt"
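Review bot: `termsAgreed: yes` in the `letsEncrypt` stanza uses a YAML 1.1 boolean spelling while the neighbouring keys are written `enable: true` and `validateCerts: true`; Ansible's loader reads `yes` as a boolean so it works today, but yamllint's `truthy` rule flags it and a YAML 1.2 parser would hand the role the string `yes`. Write `termsAgreed: true`. The quoted `"true"`/`"false"` values higher up (`registrationsOpen`, `configurableFromDatabase`, `healthCheck`, `federating`, `chatEnabled`) look deliberate, since the testing script in this commit rewrites `healthCheck` to the quoted form as well, so I would leave those as they are.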


@ -0,0 +1,2 @@
pleroma_version: 2.0.7
pleroma_download_url: file:///opt/pleroma-installation/pleroma-{{ pleroma_version }}.zip
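Review bot: `pleroma_version: 2.0.7` is loaded as a string only because two dots keep it from being a number; a future value such as `2.10` would be loaded as the float `2.1` and the download URL on the next line would resolve to `pleroma-2.1.zip`. Quote it: `pleroma_version: "2.0.7"`. No checksum or signature is recorded alongside the version; if the playbook (outside this commit) accepts one, pinning it here would tie the version to a specific archive rather than to whatever file is present at that path.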


@ -0,0 +1,11 @@
[pleroma]
free-flow
[pleroma_database:children]
pleroma
[pleroma_main:children]
pleroma
[pleroma_proxy:children]
pleroma

Binary file not shown.



@ -0,0 +1,76 @@
==================================================================
https://keybase.io/dananglin
--------------------------------------------------------------------
I hereby claim:
* I am an admin of https://fedi.dananglin.me.uk
* I am dananglin (https://keybase.io/dananglin) on keybase.
* I have a public key with fingerprint 2DA0 1412 E54B 4D09 1EC7 832B 6881 FFE2 487C 411A
To do so, I am signing this object:
{
"body": {
"key": {
"eldest_kid": "01209ab244758a00dbdaa62f22e39f0a01626be8eed46486fad7cf98d8960c5733100a",
"fingerprint": "2da01412e54b4d091ec7832b6881ffe2487c411a",
"host": "keybase.io",
"key_id": "6881ffe2487c411a",
"kid": "01017c0ec830219a1bc8b485cd8ffc2888e5c7d8867ea0700a7489d19fa2531d4d610a",
"uid": "cabbfca4014ba07a1b45acccf673ca19",
"username": "dananglin"
},
"service": {
"hostname": "fedi.dananglin.me.uk",
"protocol": "https:"
},
"type": "web_service_binding",
"version": 1
},
"ctime": 1573089617,
"expire_in": 157680000,
"prev": "0640a7700c3ed34aa9e0952b106d15173939196e781450fdb1439c3142c5c154",
"seqno": 31,
"tag": "signature"
}
which yields the signature:
-----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.1.3
Comment: https://keybase.io/crypto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=AISr
-----END PGP MESSAGE-----
And finally, I am proving ownership of this host by posting or
appending to this document.
View my publicly-auditable identity here: https://keybase.io/dananglin
==================================================================


@ -0,0 +1,103 @@
{
"_pleroma_theme_version": 2,
"name": "Free Flow - Night Owl",
"theme": {
"fonts": {
"interface": {
"family": "sans-serif"
},
"input": {
"family": "sans-serif"
},
"post": {
"family": "sans-serif"
},
"postCode": {
"family": "monospace"
}
},
"shadows": {
"buttonPressed": [
{
"x": 0,
"y": 0,
"blur": "10",
"spread": "4",
"color": "#5d5fc8",
"alpha": 1
},
{
"x": 0,
"y": 1,
"blur": 0,
"spread": 0,
"color": "#000000",
"alpha": 0.2,
"inset": true
},
{
"x": 0,
"y": -1,
"blur": 0,
"spread": 0,
"color": "#FFFFFF",
"alpha": 0.2,
"inset": true
}
],
"button": [
{
"x": 0,
"y": 0,
"blur": 2,
"spread": 0,
"color": "#3664f3",
"alpha": 1
},
{
"x": 0,
"y": 1,
"blur": 0,
"spread": 0,
"color": "#FFFFFF",
"alpha": 0.2,
"inset": true
},
{
"x": 0,
"y": -1,
"blur": 0,
"spread": 0,
"color": "#000000",
"alpha": 0.2,
"inset": true
}
]
},
"opacity": {
"bg": "0.85"
},
"colors": {
"bg": "#0d0e0f",
"text": "#c1c1e7",
"link": "#5198c6",
"fg": "#0d0e0f",
"btn": "#0f2740",
"btnText": "#cdcddd",
"alertError": "#c3292c",
"cRed": "#ff474a",
"cBlue": "#0095ff",
"cGreen": "#5edea2",
"cOrange": "#e1754f"
},
"radii": {
"btn": "3",
"input": "0",
"checkbox": "0",
"panel": "5",
"avatar": "2",
"avatarAlt": "5",
"tooltip": "4"
}
}
}
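Review bot: In the first `buttonPressed` shadow, `"blur": "10"` and `"spread": "4"` are strings while every other shadow entry in the file writes these as numbers (`"blur": 2`, `"spread": 0`); if the theme loader coerces them it is harmless, but `"blur": 10` and `"spread": 4` keep the entries uniform. The `opacity` and `radii` values are strings throughout, so those at least are consistent with each other.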