From e77ff577c16355d72f7532974b63beab982c5667 Mon Sep 17 00:00:00 2001
From: VC
Date: Fri, 5 Jul 2024 11:53:29 +0200
Subject: [PATCH] feat: add mastodon support directly
---
 ...z.mateu.be.yml => masto1.dmz.mateu.be.yml} | 0
 mastodon.yml | 6 ++
 production.yml | 14 ++--
 roles/mastodon/tasks/main.yml | 71 +++++++++++++++++++
 roles/mastodon/tasks/mastodon.yml | 47 ++++++++++++
 roles/mastodon/tasks/nodejs.yml | 22 ++++++
 roles/mastodon/tasks/rbenv.yml | 38 ++++++++++
 roles/mastodon/tasks/redis.yml | 12 ++++
 roles/mastodon/tasks/yarn.yml | 22 ++++++
 .../templates/mastodon-sidekiq.service.j2 | 53 ++++++++++++++
 .../templates/mastodon-streaming.service.j2 | 51 +++++++++++++
 .../templates/mastodon-web.service.j2 | 53 ++++++++++++++
 roles/mastodon/vars/main.yml | 13 ++++
 roles/webapps/tasks/main.yml | 17 +++--
 .../tasks/{tootctl.yml => tootctl_docker.yml} | 0
 roles/webapps/tasks/tootctl_nodocker.yml | 19 +++++
 site.yml | 1 +
 17 files changed, 427 insertions(+), 12 deletions(-)
 rename host_vars/{ror1.dmz.mateu.be.yml => masto1.dmz.mateu.be.yml} (100%)
 create mode 100644 mastodon.yml
 create mode 100644 roles/mastodon/tasks/main.yml
 create mode 100644 roles/mastodon/tasks/mastodon.yml
 create mode 100644 roles/mastodon/tasks/nodejs.yml
 create mode 100644 roles/mastodon/tasks/rbenv.yml
 create mode 100644 roles/mastodon/tasks/redis.yml
 create mode 100644 roles/mastodon/tasks/yarn.yml
 create mode 100644 roles/mastodon/templates/mastodon-sidekiq.service.j2
 create mode 100644 roles/mastodon/templates/mastodon-streaming.service.j2
 create mode 100644 roles/mastodon/templates/mastodon-web.service.j2
 create mode 100644 roles/mastodon/vars/main.yml
 rename roles/webapps/tasks/{tootctl.yml => tootctl_docker.yml} (100%)
 create mode 100644 roles/webapps/tasks/tootctl_nodocker.yml
diff --git a/host_vars/ror1.dmz.mateu.be.yml b/host_vars/masto1.dmz.mateu.be.yml
similarity index 100%
rename from host_vars/ror1.dmz.mateu.be.yml
rename to host_vars/masto1.dmz.mateu.be.yml
diff --git a/mastodon.yml b/mastodon.yml
new file mode 100644
index 0000000..4d1d266
--- /dev/null
+++ b/mastodon.yml
@@ -0,0 +1,6 @@
+---
+
+- hosts: mastodonservers
+ diff: true
+ roles:
+ - mastodon
diff --git a/production.yml b/production.yml
index 3d984d8..d52656d 100644
--- a/production.yml
+++ b/production.yml
@@ -57,10 +57,9 @@ borg_client:
 borg_backup_path:
 - /etc
 - /var/lib/mumble-server
- ror1.dmz.mateu.be:
+ masto1.dmz.mateu.be:
 borg_backup_path:
 - /srv
- - /home
 - /etc
 - /var/lib/scootaloo
 borg_backup_excluded_path:
@@ -131,7 +130,7 @@ webservers:
 web_hostname:
 - sebicomics.com
 - www.sebicomics.com
- ror1.dmz.mateu.be:
+ masto1.dmz.mateu.be:
 web_hostname:
 - m.nintendojo.fr
 jabber.dmz.mateu.be:
@@ -167,7 +166,6 @@ phpservers:
 dockerservers:
 hosts:
- ror1.dmz.mateu.be:
 20b4f083-4ef3-4a82-b15c-edbc31aa1731.pub.instances.scw.cloud:
 mariadbservers:
@@ -178,13 +176,17 @@ mariadbservers:
 pgsqlservers:
 hosts:
- ror1.dmz.mateu.be:
+ masto1.dmz.mateu.be:
 93b2685c-9087-4e52-a66f-bf44bfc4a13a.pub.instances.scw.cloud:
+mastodonservers:
+ hosts:
+ masto1.dmz.mateu.be:
+
 rorservers:
 hosts:
 20b4f083-4ef3-4a82-b15c-edbc31aa1731.pub.instances.scw.cloud:
- ror1.dmz.mateu.be:
+ masto1.dmz.mateu.be:
 mailservers:
 hosts:
diff --git a/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml
new file mode 100644
index 0000000..05e6376
--- /dev/null
+++ b/roles/mastodon/tasks/main.yml
@@ -0,0 +1,71 @@
+---
+
+- name: install nodejs
+ include_tasks: nodejs.yml
+
+- name: install yarn
+ include_tasks: yarn.yml
+
+- name: install redis
+ include_tasks: redis.yml
+
+- name: mastodon user
+ user:
+ name: mastodon
+ comment: "John Mastodon"
+ password: '!'
+ shell: /bin/bash
+ home: "{{ mastodon_home }}"
+
+- name: mastodon .ssh dir
+ file:
+ state: directory
+ path: "{{ mastodon_home }}/.ssh"
+ owner: mastodon
+ group: mastodon
+
+- name: ssh for mastodon user
+ copy:
+ remote_src: true
+ src: /root/.ssh/authorized_keys
+ dest: "{{ mastodon_home }}/.ssh/authorized_keys"
+ owner: mastodon
+ group: mastodon
+
+- name: install prereq
+ apt:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - imagemagick
+ - ffmpeg
+ - libpq-dev
+ - libxml2-dev
+ - libxslt1-dev
+ - file
+ - git-core
+ - g++
+ - libprotobuf-dev
+ - protobuf-compiler
+ - pkg-config
+ - nodejs
+ - gcc
+ - autoconf
+ - bison
+ - build-essential
+ - libssl-dev
+ - libyaml-dev
+ - libreadline6-dev
+ - zlib1g-dev
+ - libncurses5-dev
+ - libffi-dev
+ - libgdbm-dev
+ - libidn11-dev
+ - libicu-dev
+ - libjemalloc-dev
+
+- name: install rbenv
+ include_tasks: rbenv.yml
+
+- name: install mastodon
+ include_tasks: mastodon.yml
diff --git a/roles/mastodon/tasks/mastodon.yml b/roles/mastodon/tasks/mastodon.yml
new file mode 100644
index 0000000..7ae4d2e
--- /dev/null
+++ b/roles/mastodon/tasks/mastodon.yml
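Review bot: The `mastodon .ssh dir` and `ssh for mastodon user` tasks set owner/group but no `mode:`, so the directory and key file inherit whatever umask the Ansible run has; add `mode: "0700"` to the `file:` task and `mode: "0600"` to the `copy:` task so a later umask change or an sshd with `StrictModes` cannot silently loosen or break the login. More fundamentally, copying `/root/.ssh/authorized_keys` turns every root key into a login key for a second account, apparently only so that the later tasks can use `remote_user: mastodon`; running those tasks with `become: true` / `become_user: mastodon` instead would keep the `mastodon` account unreachable over SSH (the `password: '!'` lock only disables password authentication). The per-item `apt` loop can also be collapsed by passing the whole list to `name:` in one call, which is one transaction instead of 26 and surfaces a single `changed`.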
@@ -0,0 +1,47 @@
+---
+
+- name: git mastodon
+ remote_user: mastodon
+ git:
+ repo: "https://github.com/mastodon/mastodon.git"
+ dest: "{{ mastodon_home }}/live"
+ version: "v{{ mastodon_version }}"
+
+- name: bundle config command
+ remote_user: mastodon
+ shell: |
+ bash -lic "bundle config deployment 'true' && bundle config without 'development test'"
+ args:
+ creates: "{{ mastodon_home }}/.bundle/config"
+ chdir: "{{ mastodon_home }}/live"
+
+- name: bundle install
+ remote_user: mastodon
+ shell: |
+ bash -lic "bundle install -j$(getconf _NPROCESSORS_ONLN)"
+ args:
+ chdir: "{{ mastodon_home }}/live"
+
+- name: yarn install
+ remote_user: mastodon
+ shell: |
+ bash -lic "yarn install --pure-lockfile"
+ args:
+ chdir: "{{ mastodon_home }}/live"
+
+- name: install services
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/systemd/system/{{ item }}"
+ loop: &mastodon_services
+ - "mastodon-sidekiq.service"
+ - "mastodon-streaming.service"
+ - "mastodon-web.service"
+
+- name: run services
+ systemd:
+ name: "{{ item }}"
+ daemon_reload: true
+ state: started
+ enabled: true
+ loop: *mastodon_services
diff --git a/roles/mastodon/tasks/nodejs.yml b/roles/mastodon/tasks/nodejs.yml
new file mode 100644
index 0000000..4b1bbcf
--- /dev/null
+++ b/roles/mastodon/tasks/nodejs.yml
@@ -0,0 +1,22 @@
+---
+
+- name: get node source gpg url
+ get_url:
+ url: "{{ mastodon_nodejs_key_url }}"
+ dest: /tmp/nodesource.gpg.key
+
+- name: gpg dearmor key
+ shell: "gpg --dearmor -o {{ mastodon_nodejs_key_path }} /tmp/nodesource.gpg.key"
+ args:
+ creates: "{{ mastodon_nodejs_key_path }}"
+
+- name: node source repo
+ copy:
+ content: "deb [signed-by={{ mastodon_nodejs_key_path }}] https://deb.nodesource.com/node_16.x {{ ansible_facts['distribution_release'] }} main"
+ dest: /etc/apt/sources.list.d/nodesource.list
+
+- name: install nodejs
+ apt:
+ name: nodejs
+ state: present
+ update_cache: true
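Review bot: `install services` has no `notify`, and `run services` only asks for `state: started`, so a changed unit file is written and `daemon_reload`ed but the running service keeps its old settings until something else restarts it; register the template result and use `state: restarted` when it changed, or add a handler such as `notify: restart mastodon services`. The `git mastodon` task checks out `version: "v{{ mastodon_version }}"` over HTTPS with no `verify_commit:`, and a tag is a movable ref, so pinning the release commit SHA (or `verify_commit: true` with the project's release key imported, if the tags are signed) would make the deploy reproducible and tamper-evident. `bundle install` and `yarn install` also run on every play with no `changed_when`, so the play output cannot distinguish a real dependency change from a no-op.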
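Review bot: `get node source gpg url` fetches the apt repository signing key with `get_url` and no `checksum:`, so the trust anchor for every later `apt` install is whatever the CDN served at that moment; add `checksum: "sha256:<digest of an out-of-band-verified copy of the key>"` so a swapped key fails the play instead of silently becoming trusted, and the same applies to the yarn task in this role. The `/tmp/nodesource.gpg.key` intermediate is also re-downloaded on every run and never removed. Separately, the `node_16.x` repository line pins a Node release that reached end of life in 2023, so the streaming server this role installs runs on an unsupported runtime until that is bumped.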
diff --git a/roles/mastodon/tasks/rbenv.yml b/roles/mastodon/tasks/rbenv.yml
new file mode 100644
index 0000000..ad2a5d6
--- /dev/null
+++ b/roles/mastodon/tasks/rbenv.yml
@@ -0,0 +1,38 @@
+---
+
+- name: git rbenv
+ remote_user: mastodon
+ git:
+ repo: "https://github.com/rbenv/rbenv.git"
+ dest: "{{ mastodon_home }}/.rbenv"
+ single_branch: true
+ version: master
+
+- name: git ruby-build
+ remote_user: mastodon
+ git:
+ repo: https://github.com/rbenv/ruby-build.git
+ dest: "{{ mastodon_home }}/.rbenv/plugins/ruby-build"
+ single_branch: true
+ version: master
+
+- name: append env to mastodon bashrc
+ remote_user: mastodon
+ lineinfile:
+ path: "{{ mastodon_home }}/.bashrc"
+ line: "eval \"$(~/.rbenv/bin/rbenv init - bash)\""
+
+- name: install ruby version
+ remote_user: mastodon
+ shell: "bash -lic 'rbenv install {{ mastodon_ruby_version }}'"
+ args:
+ executable: /bin/bash
+ creates: "~/.rbenv/versions/{{ mastodon_ruby_version }}/bin/ruby"
+ environment:
+ RUBY_CONFIGURE_OPTS: "--with-jemalloc"
+
+- name: install bundler for ruby
+ remote_user: mastodon
+ shell: "bash -lic 'rbenv global {{ mastodon_ruby_version }} && ruby --version && gem install bundler --no-document'"
+ args:
+ executable: /bin/bash
diff --git a/roles/mastodon/tasks/redis.yml b/roles/mastodon/tasks/redis.yml
new file mode 100644
index 0000000..e9aefd4
--- /dev/null
+++ b/roles/mastodon/tasks/redis.yml
@@ -0,0 +1,12 @@
+---
+
+- name: install redis
+ apt:
+ name: redis
+ state: present
+ update_cache: true
+
+- name: start redis service
+ service:
+ name: redis
+ state: started
diff --git a/roles/mastodon/tasks/yarn.yml b/roles/mastodon/tasks/yarn.yml
new file mode 100644
index 0000000..244330d
--- /dev/null
+++ b/roles/mastodon/tasks/yarn.yml
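Review bot: `git rbenv` and `git ruby-build` track `version: master` of two repositories whose contents are executed as the `mastodon` user, and ruby-build then builds the interpreter that all three services run, so every play pulls whatever the branch head happens to be that day; pin both to a release tag or commit SHA (`version: "<release tag>"`) and consider `verify_commit: true` if those tags are signed. `install ruby version` also uses `creates: "~/.rbenv/versions/..."` while every other path in the role is built from `{{ mastodon_home }}`; using `"{{ mastodon_home }}/.rbenv/versions/{{ mastodon_ruby_version }}/bin/ruby"` removes the dependence on `~` being expanded for the connecting user and keeps the idempotency guard correct if the two ever differ. The `install bundler for ruby` task has no `creates`/`changed_when` at all, so it reports `changed` on every run.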
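Review bot: `start redis service` uses `state: started` without `enabled: true`, so Redis does not come back after a reboot while the three Mastodon units (installed with `enabled: true`, `Restart=always`) do, and they crash-loop against a missing Redis; add `enabled: true` to the `service:` task. It is also worth stating in a comment that the distro package is relied on for its localhost-only default bind, since nothing in the role configures Redis.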
@@ -0,0 +1,22 @@
+---
+
+- name: get yarn gpg url
+ get_url:
+ url: "{{ mastodon_yarn_key_url }}"
+ dest: /tmp/yarn.gpg.key
+
+- name: gpg dearmor key
+ shell: "gpg --dearmor -o {{ mastodon_yarn_key_path }} /tmp/yarn.gpg.key"
+ args:
+ creates: "{{ mastodon_yarn_key_path }}"
+
+- name: yarn source repo
+ copy:
+ content: "deb [signed-by={{ mastodon_yarn_key_path }}] https://dl.yarnpkg.com/debian stable main"
+ dest: /etc/apt/sources.list.d/yarn.list
+
+- name: install yarn
+ apt:
+ name: yarn
+ state: present
+ update_cache: true
diff --git a/roles/mastodon/templates/mastodon-sidekiq.service.j2 b/roles/mastodon/templates/mastodon-sidekiq.service.j2
new file mode 100644
index 0000000..0463ac4
--- /dev/null
+++ b/roles/mastodon/templates/mastodon-sidekiq.service.j2
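Review bot: `get yarn gpg url` downloads the repository signing key with no `checksum:`, so anything that can influence what `dl.yarnpkg.com` returns at play time becomes a trusted apt signer on this host; add `checksum: "sha256:<digest of a key verified out of band>"` to the `get_url` task so a changed key fails the run. `gpg dearmor key` uses `shell` for a fixed command with no shell features, so `command` would do the same with less quoting risk. Note in a comment that `https://dl.yarnpkg.com/debian stable` is the Yarn 1 (classic) channel, since that is the only Yarn the `yarn install --pure-lockfile` step in mastodon.yml will work with.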
@@ -0,0 +1,53 @@
+[Unit]
+Description=mastodon-sidekiq
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/live
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=25"
+Environment="MALLOC_ARENA_MAX=2"
+Environment="LD_PRELOAD=libjemalloc.so"
+ExecStart={{ mastodon_home}}/.rbenv/shims/bundle exec sidekiq -c 25
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_home }}/live
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/mastodon-streaming.service.j2 b/roles/mastodon/templates/mastodon-streaming.service.j2
new file mode 100644
index 0000000..409310c
--- /dev/null
+++ b/roles/mastodon/templates/mastodon-streaming.service.j2
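Review bot: `ReadWritePaths={{ mastodon_home }}/live` makes the entire checkout — application code, `bin/`, the lockfiles and whatever `.env.production` lives there — writable by the sandboxed worker, and because the clone in mastodon.yml ran as `mastodon`, plain file ownership offers no second line of defence, so a compromised Sidekiq job can persist by editing its own code. Narrowing the list to the directories the app actually writes at runtime (media under `public/system`, `tmp`, and `log` if file logging is on — worth testing on this deployment) keeps `ProtectSystem=strict` meaningful. Since `mastodon_home` is `/srv/mastodon`, `ProtectHome=true` can also be added at no cost to hide `/home`, `/root` and `/run/user` from the service. Minor: `{{ mastodon_home}}` on the `ExecStart=` line is missing the closing space the other templates use.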
@@ -0,0 +1,51 @@
+[Unit]
+Description=mastodon-streaming
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/live
+Environment="NODE_ENV=production"
+Environment="PORT=4000"
+Environment="STREAMING_CLUSTER_NUM=1"
+ExecStart=/usr/bin/node ./streaming
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_home }}/live
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/mastodon-web.service.j2 b/roles/mastodon/templates/mastodon-web.service.j2
new file mode 100644
index 0000000..cc269d9
--- /dev/null
+++ b/roles/mastodon/templates/mastodon-web.service.j2
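Review bot: The streaming server is a Node process that only serves WebSocket/HTTP on `PORT=4000` and, unlike the Ruby units, has no obvious reason to write into the checkout at all, yet it gets the same `ReadWritePaths={{ mastodon_home }}/live`; try dropping that line (or limiting it to `{{ mastodon_home }}/live/log` if file logging turns out to be needed) so `ProtectSystem=strict` leaves the code read-only for this unit. `ProtectHome=true` is also safe to add here because `mastodon_home` is under `/srv`, not `/home`. Note that `/usr/bin/node` is the NodeSource `node_16.x` build from nodejs.yml, which is past end of life, so this unit inherits an unsupported runtime until that repository line is changed.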
@@ -0,0 +1,53 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/live
+Environment="RAILS_ENV=production"
+Environment="PORT=3000"
+Environment="LD_PRELOAD=libjemalloc.so"
+ExecStart={{ mastodon_home }}/.rbenv/shims/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_home }}/live
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/vars/main.yml b/roles/mastodon/vars/main.yml
new file mode 100644
index 0000000..bcce1e0
--- /dev/null
+++ b/roles/mastodon/vars/main.yml
@@ -0,0 +1,13 @@
+---
+
+mastodon_home: "/srv/mastodon"
+
+mastodon_version: "4.0.2"
+
+mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
+mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
+
+mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
+mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
+
+mastodon_ruby_version: "3.0.4"
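Review bot: Nothing in this unit or in the role provides the application's secrets and database settings — there is no `EnvironmentFile=` here, and no task creates an environment file under `{{ mastodon_home }}/live` — so `run services` in mastodon.yml will start puma on a fresh host against an unconfigured app, and `Restart=always` with no `StartLimit*` turns that into a tight crash loop. Either document in the role that `.env.production` is provisioned out of band before the play runs, or add a `stat` + `assert` guard before the services are started; if Ansible ends up writing that file, `owner: mastodon` and `mode: "0600"` are the minimum, and note it sits inside `ReadWritePaths`, so the web process can rewrite its own secrets. `ProtectHome=true` can be added safely since `mastodon_home` is `/srv/mastodon`.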
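Review bot: `mastodon_version: "4.0.2"` and `mastodon_ruby_version: "3.0.4"` pin releases that, as far as I can tell, were both superseded by security fixes well before this July 2024 commit — the 4.0.x line shipped several security releases during 2023–24 before reaching end of life, and Ruby 3.0 went EOL in April 2024 — so a fresh deploy from this role is known-vulnerable on day one. Bump to a supported Mastodon branch and the Ruby it declares in its own `.ruby-version`, and consider reading that file instead of duplicating the number here; the `node_16.x` line in nodejs.yml should move together with it. A one-line comment above `mastodon_version` saying where the supported-version policy is checked would help the next person who bumps it.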
diff --git a/roles/webapps/tasks/main.yml b/roles/webapps/tasks/main.yml
index 5859840..aa41864 100644
--- a/roles/webapps/tasks/main.yml
+++ b/roles/webapps/tasks/main.yml
@@ -9,12 +9,17 @@
 - name: WP for NintendojoFR
 include_tasks: wp_dojo.yml
 when: inventory_hostname == 'web2.dmz.mateu.be'
+
+# Scootaloo
+- name: Scootaloo config for m.nintendojo.fr
+ include_tasks: scootaloo_config.yml
+ when: inventory_hostname == 'masto1.dmz.mateu.be'
 - name: Scootaloo for Mastodon
 include_tasks: scootaloo.yml
 when: inventory_hostname in groups['rorservers']
-- name: Scootaloo config for m.nintendojo.fr
- include_tasks: scootaloo_config.yml
- when: inventory_hostname == 'ror1.dmz.mateu.be'
-- name: tootctl for mastodon
- include_tasks: tootctl.yml
- when: inventory_hostname in groups['rorservers']
+- name: tootctl (docker) for mastodon
+ include_tasks: tootctl_docker.yml
+ when: inventory_hostname in groups['dockerservers']
+- name: tootctl (no docker) for mastodon
+ include_tasks: tootctl_nodocker.yml
+ when: inventory_hostname in groups['mastodonservers']
diff --git a/roles/webapps/tasks/tootctl.yml b/roles/webapps/tasks/tootctl_docker.yml
similarity index 100%
rename from roles/webapps/tasks/tootctl.yml
rename to roles/webapps/tasks/tootctl_docker.yml
diff --git a/roles/webapps/tasks/tootctl_nodocker.yml b/roles/webapps/tasks/tootctl_nodocker.yml
new file mode 100644
index 0000000..92bf8f4
--- /dev/null
+++ b/roles/webapps/tasks/tootctl_nodocker.yml
@@ -0,0 +1,19 @@
+---
+
+- name: cron for media tootctl
+ cron:
+ user: mastodon
+ name: Mastodon tootctl
+ minute: "0"
+ hour: "19"
+ weekday: "5"
+ job: "cd live && bin/tootctl media remove"
+
+- name: cron for preview_cards tootctl
+ cron:
+ user: mastodon
+ name: Mastodon tootctl preview
+ minute: "30"
+ hour: "19"
+ weekday: "5"
+ job: "cd live && bin/tootctl preview_cards remove"
diff --git a/site.yml b/site.yml
index 4df14e1..b307b0d 100644
--- a/site.yml
+++ b/site.yml
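Review bot: `Scootaloo config for m.nintendojo.fr` now runs before `Scootaloo for Mastodon` whereas it previously ran after it; if `scootaloo_config.yml` writes into a path or restarts a service that `scootaloo.yml` creates, a first run on a fresh host will fail, so confirm the reorder is intentional or move the config task back below the install task. The `tootctl (docker)` / `tootctl (no docker)` split keyed on `dockerservers` versus `mastodonservers` is sound only while no host is in both groups; a short comment stating that invariant (`# a host must be in at most one of dockerservers/mastodonservers`) would stop a later inventory edit from installing both cron sets.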
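Review bot: Both `job:` strings run `bin/tootctl` from cron's non-login `/bin/sh` with a minimal environment, so the rbenv shims that rbenv.yml only adds to `.bashrc` are not on `PATH` and `RAILS_ENV` is unset — `tootctl`'s `#!/usr/bin/env ruby` will not find the rbenv-built interpreter (the role installs no system ruby), and even if it did the CLI would boot outside production. Make each job self-contained, e.g. `job: "cd $HOME/live && RAILS_ENV=production PATH=$HOME/.rbenv/shims:$PATH bin/tootctl media remove"` and the same for `preview_cards remove`; `$HOME` is set by cron for user crontabs, and `mastodon_home` is a variable of the other role, so it is not safely available here. The bare `cd live` also relies on cron starting in the home directory, which the absolute form removes.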
@@ -15,6 +15,7 @@
 - import_playbook: php.yml
 - import_playbook: mariadb.yml
 - import_playbook: pgsql.yml
+- import_playbook: mastodon.yml
 - import_playbook: bittorrent.yml
 - import_playbook: mumble.yml
 - import_playbook: icecast2.yml