From 865e2f05621fc10f3d332d3840707997c0b94abf Mon Sep 17 00:00:00 2001 From: Stonewall Jackson Date: Mon, 12 Jun 2023 21:02:22 -0400 Subject: add mastodon role
---
.../etc/systemd/system/mastodon-cleanup.service.j2 | 49 ++++++++++++++++++ .../etc/systemd/system/mastodon-cleanup.timer.j2 | 10 ++++ .../etc/systemd/system/mastodon-sidekiq.service.j2 | 52 +++++++++++++++++++ .../systemd/system/mastodon-streaming.service.j2 | 51 +++++++++++++++++++ .../etc/systemd/system/mastodon-web.service.j2 | 52 +++++++++++++++++++ .../opt/mastodon/mastodon/.env.production.j2 | 59 ++++++++++++++++++++++ 6 files changed, 273 insertions(+) create mode 100644 roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j2 create mode 100644 roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j2 create mode 100644 roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j2 create mode 100644 roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j2 create mode 100644 roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2 create mode 100644 roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j2 (limited to 'roles/mastodon/templates')
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j2
new file mode 100644
index 0000000..3db1ea3
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.service.j2
@@ -0,0 +1,49 @@
+[Unit]
+Description=mastodon-cleanup
+After=network.target
+
+[Service]
+Type=oneshot
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+ExecStart={{ mastodon_install_dir }}/bin/tootctl media remove
+ExecStart={{ mastodon_install_dir }}/bin/tootctl preview_cards remove
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j2
new file mode 100644
index 0000000..a767551
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-cleanup.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Mastodon cleanup on calendar interval
+
+[Timer]
+OnCalendar=weekly
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j2
new file mode 100644
index 0000000..9b9abfd
--- /dev/null
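Review bot: The `[Install]` section at the end of the mastodon-cleanup.service hunk makes the oneshot unit enableable on its own, and once enabled under multi-user.target it runs `tootctl media remove` and `tootctl preview_cards remove` at every boot rather than only when mastodon-cleanup.timer fires. Whether the role's tasks enable the service, the timer, or both is outside this diff, so this may be harmless today, but the unit as written invites the mistake. Dropping the `[Install]` section from the service and leaving activation to the timer removes the ambiguity; if it is kept on purpose, a comment such as `# Activated by mastodon-cleanup.timer; do not enable this unit directly` at the top of the file would record that.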
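Review bot: `WantedBy=multi-user.target` in the timer's `[Install]` section is a style point: timer units are conventionally pulled in via `WantedBy=timers.target`, and readers of the unit will expect that target. Behaviour is the same either way, so this is only about matching the systemd convention the other units on the host will follow.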
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-sidekiq.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=mastodon-sidekiq
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=25"
+Environment="MALLOC_ARENA_MAX=2"
+ExecStart=/usr/bin/bundle exec sidekiq -c 25
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j2
new file mode 100644
index 0000000..48f58ab
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-streaming.service.j2
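Review bot: `ReadWritePaths={{ mastodon_install_dir }}` near the end of the hunk hands the service user write access to the entire install tree under `ProtectSystem=strict`, which covers the Ruby code, `bin/`, and the rendered `.env.production` that this same commit fills with the DB password, LDAP bind password and Rails secrets; a compromised Sidekiq worker could then alter its own code or configuration and survive a restart. Narrowing the directive to the subtrees the workers actually write — presumably the media, tmp and log directories under the install dir, to be confirmed against the deployment — keeps everything else read-only, and the same applies to the web and streaming units in the following hunks (the cleanup unit at least needs the media tree). Separately, `Environment="DB_POOL=25"` and `sidekiq -c 25` are two literals that have to stay in step, since the pool should offer at least one connection per Sidekiq thread; rendering both from one role variable (a new one, e.g. `mastodon_sidekiq_concurrency`) removes that hidden coupling.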
@@ -0,0 +1,51 @@
+[Unit]
+Description=mastodon-streaming
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="NODE_ENV=production"
+Environment="PORT={{ mastodon_streaming_port }}"
+Environment="STREAMING_CLUSTER_NUM=1"
+ExecStart=/usr/bin/node ./streaming
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
new file mode 100644
index 0000000..6a3fd03
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
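Review bot: The hardening block from `# Proc filesystem` through `ReadWritePaths=` is repeated nearly verbatim in this hunk and in the cleanup, sidekiq and web units; the only divergence is the `SystemCallFilter=` deny list, which here adds `@memlock` and `@resources` and drops the `SystemCallFilter=@chown` re-allow the Ruby units carry. Four hand-maintained copies are where drift starts, so moving the shared lines into one template fragment pulled in with a Jinja `{% include %}` (leaving the per-unit filter line in each unit) gives a single place to edit. A one-line comment above the `SystemCallFilter=` line saying why the Node streaming server's deny list differs from the Ruby units' would also spare the next reader the comparison.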
@@ -0,0 +1,52 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+Environment="PORT={{ mastodon_web_port }}"
+ExecStart=/usr/bin/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j2 b/roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j2
new file mode 100644
index 0000000..03af34a
--- /dev/null
+++ b/roles/mastodon/templates/opt/mastodon/mastodon/.env.production.j2
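Review bot: `After=network.target` is the only ordering the web unit declares, yet puma needs Redis and PostgreSQL at start, and the env template in this commit sets `REDIS_HOST=localhost`, so Redis at least runs on the same host; ordering the unit after it, e.g. `Wants=redis.service` and `After=network.target redis.service`, avoids a guaranteed first failure at boot (the exact unit name follows the distribution's Redis package, so confirm it). `Restart=always` will paper over that failure by restarting, but the boot log then shows spurious errors and the retry loop is not a substitute for ordering. The same gap exists in the cleanup, sidekiq and streaming units; the database host is a variable (`mastodon_db_host`) and may legitimately be remote, so it is left out of this suggestion.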
@@ -0,0 +1,59 @@
+# Federation
+# ----------
+# This identifies your server and cannot be changed safely later
+# ----------
+LOCAL_DOMAIN={{ mastodon_domain }}
+WEB_DOMAIN={{ mastodon_web_domain }}
+
+DEFAULT_LOCALE={{ mastodon_default_locale }}
+
+# Redis
+# -----
+REDIS_HOST=localhost
+REDIS_PORT={{ mastodon_redis_port }}
+
+# PostgreSQL
+# ----------
+DB_SSLMODE=verify-full
+DATABASE_URL=postgresql://{{ mastodon_db_user }}:{{ mastodon_db_password}}@{{ mastodon_db_host }}/{{ mastodon_db_name }}?sslmode=verify-full&sslrootcert=/etc/pki/tls/certs/ca-bundle.crt
+
+# Secrets
+# -------
+# Make sure to use `rake secret` to generate secrets
+# -------
+SECRET_KEY_BASE={{ mastodon_secret_key_base }}
+OTP_SECRET={{ mastodon_otp_secret }}
+
+# Web Push
+# --------
+# Generate with `rake mastodon:webpush:generate_vapid_key`
+# --------
+VAPID_PRIVATE_KEY={{ mastodon_vapid_public_key }}
+VAPID_PUBLIC_KEY={{ mastodon_vapid_private_key }}
+
+# Sending mail
+# ------------
+SMTP_SERVER=localhost
+SMTP_PORT=25
+SMTP_FROM_ADDRESS={{ mastodon_email_from }}
+
+# IP and session retention
+# -----------------------
+# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
+# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
+# -----------------------
+IP_RETENTION_PERIOD=31556952
+SESSION_RETENTION_PERIOD=31556952
+
+# LDAP
+# ----
+LDAP_ENABLED=true
+LDAP_HOST={{ mastodon_ldap_host }}
+LDAP_PORT=636
+LDAP_METHOD=simple_tls
+LDAP_BASE={{ freeipa_user_basedn }}
+LDAP_BIND_DN=uid={{ mastodon_sysaccount_username }},{{ freeipa_sysaccount_basedn }}
+LDAP_PASSWORD={{ mastodon_sysaccount_password }}
+LDAP_SEARCH_FILTER=(&(%{uid}=%{email})(memberOf=cn={{ mastodon_access_group }},{{ freeipa_group_basedn }}))
+LDAP_MAIL=mail
+LDAP_UID=mastodonUsername
-- cgit
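Review bot: The two Web Push lines are crossed: `VAPID_PRIVATE_KEY={{ mastodon_vapid_public_key }}` renders the public key into the private slot and `VAPID_PUBLIC_KEY={{ mastodon_vapid_private_key }}` puts the private key into the value Mastodon hands out to push subscribers; they should read `VAPID_PRIVATE_KEY={{ mastodon_vapid_private_key }}` and `VAPID_PUBLIC_KEY={{ mastodon_vapid_public_key }}`. The `DATABASE_URL` line embeds `{{ mastodon_db_password}}` raw into a URL, so a password containing `@`, `/`, `:` or `#` breaks parsing; `{{ mastodon_db_password | urlencode }}` keeps the URL well-formed (the missing space before `}}` is harmless but inconsistent with the rest of the file). This file ends up holding the DB password, the LDAP bind password and both Rails secrets, so the template task that renders it, which is not in this diff, needs a restrictive owner and mode and is worth confirming.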