feat: add mastodon support directly

roles/mastodon/tasks/main.yml

@@ -0,0 +1,71 @@
+---
+
+- name: install nodejs
+  include_tasks: nodejs.yml
+
+- name: install yarn
+  include_tasks: yarn.yml
+
+- name: install redis
+  include_tasks: redis.yml
+
+- name: mastodon user
+  user:
+    name: mastodon
+    comment: "John Mastodon"
+    password: '!'
+    shell: /bin/bash
+    home: "{{ mastodon_home }}"
+
+- name: mastodon .ssh dir
+  file:
+    state: directory
+    path: "{{ mastodon_home }}/.ssh"
+    owner: mastodon
+    group: mastodon
+
+- name: ssh for mastodon user
+  copy:
+    remote_src: true
+    src: /root/.ssh/authorized_keys
+    dest: "{{ mastodon_home }}/.ssh/authorized_keys"
+    owner: mastodon
+    group: mastodon
+
+- name: install prereq
+  apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - imagemagick
+    - ffmpeg
+    - libpq-dev
+    - libxml2-dev
+    - libxslt1-dev
+    - file
+    - git-core
+    - g++
+    - libprotobuf-dev
+    - protobuf-compiler
+    - pkg-config
+    - nodejs
+    - gcc
+    - autoconf
+    - bison
+    - build-essential
+    - libssl-dev
+    - libyaml-dev
+    - libreadline6-dev
+    - zlib1g-dev
+    - libncurses5-dev
+    - libffi-dev
+    - libgdbm-dev
+    - libidn11-dev
+    - libicu-dev
+    - libjemalloc-dev
+
+- name: install rbenv
+  include_tasks: rbenv.yml
+
+- name: install mastodon
+  include_tasks: mastodon.yml

roles/mastodon/tasks/mastodon.yml

@@ -0,0 +1,47 @@
+---
+
+- name: git mastodon
+  remote_user: mastodon
+  git:
+    repo: "https://github.com/mastodon/mastodon.git"
+    dest: "{{ mastodon_home }}/live"
+    version: "v{{ mastodon_version }}"
+
+- name: bundle config command
+  remote_user: mastodon
+  shell: |
+    bash -lic "bundle config deployment 'true' && bundle config without 'development test'"
+  args:
+    creates: "{{ mastodon_home }}/.bundle/config"
+    chdir: "{{ mastodon_home }}/live"
+
+- name: bundle install
+  remote_user: mastodon
+  shell: |
+    bash -lic "bundle install -j$(getconf _NPROCESSORS_ONLN)"
+  args:
+    chdir: "{{ mastodon_home }}/live"
+
+- name: yarn install
+  remote_user: mastodon
+  shell: |
+    bash -lic "yarn install --pure-lockfile"
+  args:
+    chdir: "{{ mastodon_home }}/live"
+
+- name: install services
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+  loop: &mastodon_services
+    - "mastodon-sidekiq.service"
+    - "mastodon-streaming.service"
+    - "mastodon-web.service"
+
+- name: run services
+  systemd:
+    name: "{{ item }}"
+    daemon_reload: true
+    state: started
+    enabled: true
+  loop: *mastodon_services

roles/mastodon/tasks/nodejs.yml

@@ -0,0 +1,22 @@
+---
+
+- name: get node source gpg url
+  get_url:
+    url: "{{ mastodon_nodejs_key_url }}"
+    dest: /tmp/nodesource.gpg.key
+
+- name: gpg dearmor key
+  shell: "gpg --dearmor -o {{ mastodon_nodejs_key_path }} /tmp/nodesource.gpg.key"
+  args:
+    creates: "{{ mastodon_nodejs_key_path }}"
+
+- name: node source repo
+  copy:
+    content: "deb [signed-by={{ mastodon_nodejs_key_path }}] https://deb.nodesource.com/node_16.x {{ ansible_facts['distribution_release'] }} main"
+    dest: /etc/apt/sources.list.d/nodesource.list
+
+- name: install nodejs
+  apt:
+    name: nodejs
+    state: present
+    update_cache: true

roles/mastodon/tasks/rbenv.yml

@@ -0,0 +1,38 @@
+---
+
+- name: git rbenv
+  remote_user: mastodon
+  git:
+    repo: "https://github.com/rbenv/rbenv.git"
+    dest: "{{ mastodon_home }}/.rbenv"
+    single_branch: true
+    version: master
+
+- name: git ruby-build
+  remote_user: mastodon
+  git:
+    repo: https://github.com/rbenv/ruby-build.git
+    dest: "{{ mastodon_home }}/.rbenv/plugins/ruby-build"
+    single_branch: true
+    version: master
+
+- name: append env to mastodon bashrc
+  remote_user: mastodon
+  lineinfile:
+    path: "{{ mastodon_home }}/.bashrc"
+    line: "eval \"$(~/.rbenv/bin/rbenv init - bash)\""
+
+- name: install ruby version
+  remote_user: mastodon
+  shell: "bash -lic 'rbenv install {{ mastodon_ruby_version }}'"
+  args:
+    executable: /bin/bash
+    creates: "~/.rbenv/versions/{{ mastodon_ruby_version }}/bin/ruby"
+  environment:
+    RUBY_CONFIGURE_OPTS: "--with-jemalloc"
+
+- name: install bundler for ruby
+  remote_user: mastodon
+  shell: "bash -lic 'rbenv global {{ mastodon_ruby_version }} && ruby --version && gem install bundler --no-document'"
+  args:
+    executable: /bin/bash

roles/mastodon/tasks/redis.yml

@@ -0,0 +1,12 @@
+---
+
+- name: install redis
+  apt:
+    name: redis
+    state: present
+    update_cache: true
+
+- name: start redis service
+  service:
+    name: redis
+    state: started

roles/mastodon/tasks/yarn.yml

@@ -0,0 +1,22 @@
+---
+
+- name: get yarn gpg url
+  get_url:
+    url: "{{ mastodon_yarn_key_url }}"
+    dest: /tmp/yarn.gpg.key
+
+- name: gpg dearmor key
+  shell: "gpg --dearmor -o {{ mastodon_yarn_key_path }} /tmp/yarn.gpg.key"
+  args:
+    creates: "{{ mastodon_yarn_key_path }}"
+
+- name: yarn source repo
+  copy:
+    content: "deb [signed-by={{ mastodon_yarn_key_path }}] https://dl.yarnpkg.com/debian stable main"
+    dest: /etc/apt/sources.list.d/yarn.list
+
+- name: install yarn
+  apt:
+    name: yarn
+    state: present
+    update_cache: true

roles/mastodon/templates/mastodon-sidekiq.service.j2

@@ -0,0 +1,53 @@
+[Unit]
+Description=mastodon-sidekiq
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/live
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=25"
+Environment="MALLOC_ARENA_MAX=2"
+Environment="LD_PRELOAD=libjemalloc.so"
+ExecStart={{ mastodon_home}}/.rbenv/shims/bundle exec sidekiq -c 25
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_home }}/live
+
+[Install]
+WantedBy=multi-user.target

roles/mastodon/templates/mastodon-streaming.service.j2

@@ -0,0 +1,51 @@
+[Unit]
+Description=mastodon-streaming
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/live
+Environment="NODE_ENV=production"
+Environment="PORT=4000"
+Environment="STREAMING_CLUSTER_NUM=1"
+ExecStart=/usr/bin/node ./streaming
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_home }}/live
+
+[Install]
+WantedBy=multi-user.target

roles/mastodon/templates/mastodon-web.service.j2

@@ -0,0 +1,53 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory={{ mastodon_home }}/live
+Environment="RAILS_ENV=production"
+Environment="PORT=3000"
+Environment="LD_PRELOAD=libjemalloc.so"
+ExecStart={{ mastodon_home }}/.rbenv/shims/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_home }}/live
+
+[Install]
+WantedBy=multi-user.target

roles/mastodon/vars/main.yml

@@ -0,0 +1,13 @@
+---
+
+mastodon_home: "/srv/mastodon"
+
+mastodon_version: "4.0.2"
+
+mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
+mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
+
+mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
+mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
+
+mastodon_ruby_version: "3.0.4"

roles/webapps/tasks/main.yml

@@ -9,12 +9,17 @@
 - name: WP for NintendojoFR
   include_tasks: wp_dojo.yml
   when: inventory_hostname == 'web2.dmz.mateu.be'
+
+# Scootaloo
+- name: Scootaloo config for m.nintendojo.fr
+  include_tasks: scootaloo_config.yml
+  when: inventory_hostname == 'masto1.dmz.mateu.be'
 - name: Scootaloo for Mastodon
   include_tasks: scootaloo.yml
   when: inventory_hostname in groups['rorservers']
-- name: Scootaloo config for m.nintendojo.fr
-  include_tasks: scootaloo_config.yml
-  when: inventory_hostname == 'ror1.dmz.mateu.be'
-- name: tootctl for mastodon
-  include_tasks: tootctl.yml
-  when: inventory_hostname in groups['rorservers']
+- name: tootctl (docker) for mastodon
+  include_tasks: tootctl_docker.yml
+  when: inventory_hostname in groups['dockerservers']
+- name: tootctl (no docker) for mastodon
+  include_tasks: tootctl_nodocker.yml
+  when: inventory_hostname in groups['mastodonservers']

roles/webapps/tasks/tootctl_nodocker.yml

@@ -0,0 +1,19 @@
+---
+
+- name: cron for media tootctl
+  cron:
+    user: mastodon
+    name: Mastodon tootctl
+    minute: "0"
+    hour: "19"
+    weekday: "5"
+    job: "cd live && bin/tootctl media remove"
+
+- name: cron for preview_cards tootctl
+  cron:
+    user: mastodon
+    name: Mastodon tootctl preview
+    minute: "30"
+    hour: "19"
+    weekday: "5"
+    job: "cd live && bin/tootctl preview_cards remove"