Diffstat (limited to 'roles/mastodon/templates')
-rw-r--r--roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j249
-rw-r--r--roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j210
-rw-r--r--roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j252
-rw-r--r--roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j251
-rw-r--r--roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j252
-rw-r--r--roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j259
6 files changed, 273 insertions, 0 deletions
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j2
new file mode 100644
index 0000000..3db1ea3
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j2
@@ -0,0 +1,49 @@
+[Unit]
+Description=mastodon-cleanup
+After=network.target
+
+[Service]
+Type=oneshot
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+ExecStart={{ mastodon_install_dir }}/bin/tootctl media remove
+ExecStart={{ mastodon_install_dir }}/bin/tootctl preview_cards remove
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
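Review bot: `ReadWritePaths={{ mastodon_install_dir }}` on line 66 undoes much of what `ProtectSystem=strict` buys this unit, because the whole install tree — application code, Gemfile.lock and, judging by the `.env.production.j2` destination elsewhere in this commit, the secrets file — stays writable to the service user. Narrowing it to the subtrees Mastodon actually writes would keep code and configuration immutable at runtime, e.g. `ReadWritePaths={{ mastodon_install_dir }}/public/system {{ mastodon_install_dir }}/tmp {{ mastodon_install_dir }}/log`; the exact list depends on where this deployment stores media and logs, so it needs confirming against the role. `ProtectHome=true` could also sit alongside the other sandboxing directives, since the install directory does not appear to live under /home. The same `ReadWritePaths` line appears in the sidekiq, streaming and web units in this commit.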
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j2
new file mode 100644
index 0000000..a767551
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Mastodon cleanup on calendar interval
+
+[Timer]
+OnCalendar=weekly
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=multi-user.target
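Review bot: `WantedBy=multi-user.target` on line 85 is the wrong install target for a timer unit; timers are conventionally pulled in via `WantedBy=timers.target` so that enabling mastodon-cleanup.timer behaves like the other timers on the host. Separately, the service this timer drives also carries an `[Install]` section wanting multi-user.target, so if the role enables the service itself rather than only the timer, the cleanup will additionally run once at every boot; dropping the service's `[Install]` section, or leaving the service disabled, avoids that. With no `Unit=` given, the timer correctly defaults to mastodon-cleanup.service.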
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j2
new file mode 100644
index 0000000..9b9abfd
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=mastodon-sidekiq
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=25"
+Environment="MALLOC_ARENA_MAX=2"
+ExecStart=/usr/bin/bundle exec sidekiq -c 25
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
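Review bot: `Restart=always` on line 105 combined with the default RestartSec of 100 ms and only `After=network.target` means that, if sidekiq comes up before Redis or PostgreSQL accept connections at boot, it will fail and be restarted fast enough to hit systemd's default start-rate limit (5 starts in 10 s) and then stay down. The `.env.production` template in this commit points at `REDIS_HOST=localhost`, so ordering after the local Redis unit and spacing the retries is worthwhile, e.g. `After=network.target redis.service` (the Redis unit name is distro-specific), `Wants=redis.service` and `RestartSec=5`. Whether a PostgreSQL ordering applies as well depends on `mastodon_db_host`. The web and streaming units in this commit have the same `Restart=always` without `RestartSec` and the same ordering.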
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j2
new file mode 100644
index 0000000..48f58ab
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j2
@@ -0,0 +1,51 @@
+[Unit]
+Description=mastodon-streaming
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="NODE_ENV=production"
+Environment="PORT={{ mastodon_streaming_port }}"
+Environment="STREAMING_CLUSTER_NUM=1"
+ExecStart=/usr/bin/node ./streaming
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
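Review bot: With `CapabilityBoundingSet=` emptied on line 168, `NoNewPrivileges=true` and a non-root `User=`, the process cannot bind privileged ports, so `PORT={{ mastodon_streaming_port }}` on line 159 only works for ports 1024 and above, and nothing in the template records that constraint. A comment above the Environment line such as `# must be >= 1024: the unit runs unprivileged with an empty capability bounding set`, or a role-level assertion on the variable, would turn a low port into a clear error instead of an opaque bind failure at start. The web unit's `PORT={{ mastodon_web_port }}` has the same constraint. No listen address (e.g. a `BIND` variable) is configured here either, so the interface the streaming server listens on is whatever its default is — worth confirming and pinning explicitly when the reverse proxy is local.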
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
new file mode 100644
index 0000000..6a3fd03
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+Environment="PORT={{ mastodon_web_port }}"
+ExecStart=/usr/bin/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j2 b/roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j2
new file mode 100644
index 0000000..03af34a
--- /dev/null
+++ b/roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j2
@@ -0,0 +1,59 @@
+# Federation
+# ----------
+# This identifies your server and cannot be changed safely later
+# ----------
+LOCAL_DOMAIN={{ mastodon_domain }}
+WEB_DOMAIN={{ mastodon_web_domain }}
+
+DEFAULT_LOCALE={{ mastodon_default_locale }}
+
+# Redis
+# -----
+REDIS_HOST=localhost
+REDIS_PORT={{ mastodon_redis_port }}
+
+# PostgreSQL
+# ----------
+DB_SSLMODE=verify-full
+DATABASE_URL=postgresql://{{ mastodon_db_user }}:{{ mastodon_db_password}}@{{ mastodon_db_host }}/{{ mastodon_db_name }}?sslmode=verify-full&sslrootcert=/etc/pki/tls/certs/ca-bundle.crt
+
+# Secrets
+# -------
+# Make sure to use `rake secret` to generate secrets
+# -------
+SECRET_KEY_BASE={{ mastodon_secret_key_base }}
+OTP_SECRET={{ mastodon_otp_secret }}
+
+# Web Push
+# --------
+# Generate with `rake mastodon:webpush:generate_vapid_key`
+# --------
+VAPID_PRIVATE_KEY={{ mastodon_vapid_public_key }}
+VAPID_PUBLIC_KEY={{ mastodon_vapid_private_key }}
+
+# Sending mail
+# ------------
+SMTP_SERVER=localhost
+SMTP_PORT=25
+SMTP_FROM_ADDRESS={{ mastodon_email_from }}
+
+# IP and session retention
+# -----------------------
+# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
+# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
+# -----------------------
+IP_RETENTION_PERIOD=31556952
+SESSION_RETENTION_PERIOD=31556952
+
+# LDAP
+# ----
+LDAP_ENABLED=true
+LDAP_HOST={{ mastodon_ldap_host }}
+LDAP_PORT=636
+LDAP_METHOD=simple_tls
+LDAP_BASE={{ freeipa_user_basedn }}
+LDAP_BIND_DN=uid={{ mastodon_sysaccount_username }},{{ freeipa_sysaccount_basedn }}
+LDAP_PASSWORD={{ mastodon_sysaccount_password }}
+LDAP_SEARCH_FILTER=(&(%{uid}=%{email})(memberOf=cn={{ mastodon_access_group }},{{ freeipa_group_basedn }}))
+LDAP_MAIL=mail
+LDAP_UID=mastodonUsername
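Review bot: Lines 295–296 swap the VAPID variables: `VAPID_PRIVATE_KEY` is filled from `mastodon_vapid_public_key` and `VAPID_PUBLIC_KEY` from `mastodon_vapid_private_key`. Because the value of `VAPID_PUBLIC_KEY` is handed to every browser that subscribes to push notifications, this publishes the private signing key and leaves the server unable to sign pushes; the lines should read `VAPID_PRIVATE_KEY={{ mastodon_vapid_private_key }}` and `VAPID_PUBLIC_KEY={{ mastodon_vapid_public_key }}`. Separately, the password is interpolated raw into `DATABASE_URL` on line 282, so any `@`, `:`, `/`, `?` or `#` in `mastodon_db_password` breaks URL parsing; `{{ mastodon_db_password | urlencode }}` keeps the URL well-formed (and the missing space before `}}` there is worth fixing for consistency). Since this file carries the key base, OTP secret and LDAP bind password, the task that renders it should set a restrictive mode such as `0600` owned by the Mastodon user; that task is outside this diff.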