alpha
/
boxen
1
0
Fork 0
Code Issues 20 Pull Requests Packages Projects 1 Releases Wiki Activity

mu

Browse Source
main
Alpha Chen 2 years ago
parent 674bf386e3
commit e5b090c19f
Signed by: alpha
SSH Key Fingerprint: SHA256:3fOT8fiYQG/aK9ntivV3Bqtg8AYQ7q4nV6ZgihOA20g
16 changed files with 674 additions and 282 deletions
Show Stats Download Patch File Download Diff File

2
.ansible-lint
Unescape View File

@ -0,0 +1,2 @@
exclude_paths:
- .terraform/

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
.terraform

0
dev/ansible.cfg → ansible.cfg
Unescape View File

10
dev/defaults.yml
Unescape View File

@ -233,7 +233,15 @@
- domain: com.freron.MailMate - domain: com.freron.MailMate
key: MmAllowedImageURLRegexp key: MmAllowedImageURLRegexp
type: string type: string
value: https://((i|images|d)\.gr-assets\.com|www\.goodreads\.com|massdrop-s3\.imgix\.net|.*\.cloudfront\.net|s3\.amazonaws\.com|files\.convertkitcdn\.com/assets/pictures)/.* value: "{{ regexps | join('|') }}"
vars:
regexps:
- https://((i|images|d)\.gr-assets\.com
- www\.goodreads\.com
- massdrop-s3\.imgix\.net
- .*\.cloudfront\.net
- s3\.amazonaws\.com
- files\.convertkitcdn\.com/assets/pictures)/.*
- domain: com.freron.MailMate - domain: com.freron.MailMate
key: MmSendMessageDelayEnabled key: MmSendMessageDelayEnabled

23
dev/homebrew.yml
Unescape View File

@ -1,12 +1,17 @@
- hosts: all - name: Homebrew
hosts: all
tasks: tasks:
- community.general.homebrew: - name: Install Homebrew formulae
community.general.homebrew:
name: "{{ item }}" name: "{{ item }}"
loop: loop:
- chruby - chruby
- colima
- difftastic - difftastic
- direnv - direnv
- docker
- docker-compose
- efm-langserver - efm-langserver
- entr - entr
- exa - exa
@ -21,21 +26,22 @@
- ripgrep - ripgrep
- ruby-install - ruby-install
- shellcheck - shellcheck
- svn # required for source code pro # - svn # required for source code pro?
- tmux - tmux
- tree - tree
- zsh - zsh
- fabianishere/personal/pam_reattach - fabianishere/personal/pam_reattach
- community.general.homebrew_cask: - name: Install Homebrew casks
community.general.homebrew_cask:
name: "{{ item }}" name: "{{ item }}"
loop: loop:
- alfred - alfred
- bartender - bartender
- dash - dash
- fantastical - fantastical
- firefox - firefox-developer-edition
- google-chrome - google-chrome
- hammerspoon - hammerspoon
- mailmate - mailmate
@ -47,3 +53,10 @@
# - homebrew/cask-fonts/font-source-code-pro # - homebrew/cask-fonts/font-source-code-pro
- homebrew/cask-fonts/font-sauce-code-pro-nerd-font - homebrew/cask-fonts/font-sauce-code-pro-nerd-font
- homebrew/cask-versions/firefox-developer-edition - homebrew/cask-versions/firefox-developer-edition
- name: Heed docker-compose caveats
block:
- name: Create Docker CLI plugins config dir
ansible.buitin.file:
dest: ~/.docker/cli-plugins
state: directory

5
dev/macos.yml
Unescape View File

@ -20,8 +20,7 @@
dest: ~/Library/Dictionaries/websters-1913.dictionary dest: ~/Library/Dictionaries/websters-1913.dictionary
- name: Enable Touch ID for sudo - name: Enable Touch ID for sudo
block: lineinfile:
- lineinfile:
path: /etc/pam.d/sudo path: /etc/pam.d/sudo
insertafter: '^auth\s+sufficient' insertafter: '^auth\s+sufficient'
regexp: '^auth\s+sufficient\s+pam_tid.so$' regexp: '^auth\s+sufficient\s+pam_tid.so$'
@ -35,4 +34,4 @@
insertbefore: '^auth\tsufficient\tpam_tid.so' insertbefore: '^auth\tsufficient\tpam_tid.so'
regexp: '^auth\s+optional\s+.*pam_reattach.so$' regexp: '^auth\s+optional\s+.*pam_reattach.so$'
line: "auth\toptional\t{{ brew_prefix.stdout | trim }}/lib/pam/pam_reattach.so" line: "auth\toptional\t{{ brew_prefix.stdout | trim }}/lib/pam/pam_reattach.so"
become: yes become: true

1
dev/main.yml
Unescape View File

@ -34,4 +34,3 @@
tasks: tasks:
- ansible.builtin.command: "luarocks install fennel" - ansible.builtin.command: "luarocks install fennel"

3
dev/hosts.yml → hosts.yml
Unescape View File

@ -3,3 +3,6 @@ all:
localhost: localhost:
ansible_connection: local ansible_connection: local
ansible_python_interpreter: "{{ansible_playbook_python}}" ansible_python_interpreter: "{{ansible_playbook_python}}"
ramble-hard:
ansible_user: root
ansible_python_interpreter: /usr/bin/python3

3
ramble-hard/main.yml
Unescape View File

@ -0,0 +1,3 @@
- hosts: ramble-hard
tasks:

65
ramble-hard/nginx/main.yml
Unescape View File

@ -0,0 +1,65 @@
---
- name: Set up Lets Encrypt
hosts: ramble-hard
vars_files:
- ../vars.private
tasks:
- apt:
update_cache: yes
- package:
name:
- certbot
- nginx
- service:
name: nginx
state: stopped
- command: >
certbot certonly --standalone --preferred-challenges http
-n --agree-tos -m {{ lets_encrypt.email }}
-d {{ tld }}
vars:
tld: "{{ item.value['subdomain'] | default(item.key) }}.{{ domain }}"
loop: "{{ apps | dict2items }}"
- service:
name: nginx
state: started
- template:
src: renew-certs
dest: /etc/cron.daily/renew-certs
mode: +x
# - name: Set up nginx proxies
# hosts: ramble-hard
# vars_files:
# - ../vars.private
# tasks:
# - template:
# src: nginx.conf
# dest: /etc/nginx/sites-available/{{ item.key }}.conf
# vars:
# server_name: "{{ item.value['subdomain'] | default(item.key) }}.{{ domain }}"
# port: "{{ item.value['port'] }}"
# loop: "{{ apps | dict2items }}"
# notify: Restart nginx
# - file:
# src: /etc/nginx/sites-available/{{ item.key }}.conf
# dest: /etc/nginx/sites-enabled/{{ item.key }}.conf
# state: link
# loop: "{{ apps | dict2items }}"
# notify: Restart nginx
# handlers:
# - name: Restart nginx
# service:
# name: nginx
# state: restarted

37
ramble-hard/nginx/nginx.conf
Unescape View File

@ -0,0 +1,37 @@
server {
server_name {{ server_name }};
listen 80;
listen [::]:80;
location / {
return https://$server_name$request_uri;
}
}
server {
server_name {{ server_name }};
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_trusted_certificate /etc/letsencrypt/live/{{ server_name }}/chain.pem;
ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
location / {
proxy_pass http://127.0.0.1:{{ port }};
}
}

2
ramble-hard/nginx/renew-certs
Unescape View File

@ -0,0 +1,2 @@
#!/bin/sh
certbot renew -w /var/lib/letsencrypt/ --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

118
ramble-hard/pleroma/01.yml
Unescape View File

@ -0,0 +1,118 @@
# https://docs.pleroma.social/backend/installation/otp_en/
---
- hosts: ramble-hard
become: true
tasks:
# arch="$(uname -m)";if [ "$arch" = "x86_64" ];then arch="amd64";elif [ "$arch" = "armv7l" ];then arch="arm";elif [ "$arch" = "aarch64" ];then arch="arm64";else echo "Unsupported arch: $arch">&2;fi;if getconf GNU_LIBC_VERSION>/dev/null;then libc_postfix="";elif [ "$(ldd 2>&1|head -c 9)" = "musl libc" ];then libc_postfix="-musl";elif [ "$(find /lib/libc.musl*|wc -l)" ];then libc_postfix="-musl";else echo "Unsupported libc">&2;fi;echo "$arch$libc_postfix" # noqa yaml[line-length]
- shell: |
arch="$(uname -m)"
if [ "$arch" = "x86_64" ]; then
arch="amd64";
elif [ "$arch" = "armv7l" ]; then
arch="arm";
elif [ "$arch" = "aarch64" ]; then
arch="arm64";
else
echo "Unsupported arch: $arch">&2;
fi;
if getconf GNU_LIBC_VERSION>/dev/null; then
libc_postfix="";
elif [ "$(ldd 2>&1|head -c 9)" = "musl libc" ]; then
libc_postfix="-musl";
elif [ "$(find /lib/libc.musl*|wc -l)" ]; then
libc_postfix="-musl";
else
echo "Unsupported libc">&2;
fi;
echo "$arch$libc_postfix"
register: arch_result
- set_fact:
pleroma_flavour: "{{ arch_result.stdout | trim }}"
- apt:
update_cache: true
# apt install curl unzip libncurses5 postgresql postgresql-contrib nginx certbot libmagic-dev
# apt install imagemagick ffmpeg libimage-exiftool-perl
# apt install postgresql-11-rum
- package:
name:
- curl
- unzip
- libncurses5
- postgresql
- postgresql-contrib
- nginx
- certbot
- libmagic-dev
- imagemagick
- ffmpeg
- libimage-exiftool-perl
# - postgresql-13-rum
notify:
- Restart postgres
# Create a Pleroma user
# adduser --system --shell /bin/false --home /opt/pleroma pleroma
- user:
name: pleroma
home: /opt/pleroma
shell: /bin/false
system: true
# Clone the release build into a temporary directory and unpack it
# su pleroma -s $SHELL -lc "
# curl 'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=$FLAVOUR' -o /tmp/pleroma.zip
# unzip /tmp/pleroma.zip -d /tmp/
# "
- get_url:
url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{ pleroma_flavour }}
dest: /tmp/pleroma.zip
- command: unzip /tmp/pleroma.zip -d /tmp/
# Move the release to the home directory and delete temporary files
# su pleroma -s $SHELL -lc "
# mv /tmp/release/* /opt/pleroma
# rmdir /tmp/release
# rm /tmp/pleroma.zip
# "
- copy:
src: /tmp/release/
dest: /opt/pleroma/
remote_src: true
owner: pleroma
- file:
path: "{{ item }}"
state: absent
loop:
- /tmp/release
- /tmp/pleroma.zip
# Create uploads directory and set proper permissions (skip if planning to use a remote uploader)
# Note: It does not have to be `/var/lib/pleroma/uploads`, the config generator will ask about the upload directory later
# mkdir -p /var/lib/pleroma/uploads
# chown -R pleroma /var/lib/pleroma
# Create custom public files directory (custom emojis, frontend bundle overrides, robots.txt, etc.)
# Note: It does not have to be `/var/lib/pleroma/static`, the config generator will ask about the custom public files directory later
# mkdir -p /var/lib/pleroma/static
# chown -R pleroma /var/lib/pleroma
# Create a config directory
# mkdir -p /etc/pleroma
# chown -R pleroma /etc/pleroma
- file:
path: "{{ item }}"
state: directory
owner: pleroma
loop:
- /var/lib/pleroma/uploads
- /var/lib/pleroma/static
- /etc/pleroma
handlers:
- name: Restart postgres
service:
name: postgresql
state: restarted

30
ramble-hard/pleroma/02.yml
Unescape View File

@ -0,0 +1,30 @@
# https://docs.pleroma.social/backend/installation/otp_en/
---
- hosts: ramble-hard
become: true
tasks:
# Create the postgres database
# su postgres -s $SHELL -lc "psql -f /tmp/setup_db.psql"
- command: psql -f /tmp/setup_db.psql
become_user: postgres
# Create the database schema
# su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate"
- command: ./bin/pleroma_ctl migrate
args:
chdir: /opt/pleroma
become_user: pleroma
# If you have installed RUM indexes uncomment and run
# su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate --migrations-path priv/repo/optional_migrations/rum_indexing/"
# - command: ./bin/pleroma_ctl migrate --migrations-path priv/repo/optional_migrations/rum_indexing/
# args:
# chdir: /opt/pleroma
# become_user: pleroma
handlers:
- name: Restart postgres
service:
name: postgresql
state: restarted

89
ramble-hard/pleroma/03.yml
Unescape View File

@ -0,0 +1,89 @@
# https://docs.pleroma.social/backend/installation/otp_en/
---
- hosts: ramble-hard
become: true
vars_files:
- ../vars.private
tasks:
- package:
name:
- certbot
- nginx
- service:
name: nginx
state: stopped
# certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
- command: >
certbot certonly --standalone --preferred-challenges http
-n --agree-tos -m {{ lets_encrypt.email }}
-d {{ pleroma.tld }}
- service:
name: nginx
state: started
# cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.conf
# ln -s /etc/nginx/sites-available/pleroma.conf /etc/nginx/sites-enabled/pleroma.conf
- copy:
src: /opt/pleroma/installation/pleroma.nginx
dest: /etc/nginx/sites-available/pleroma.conf
remote_src: true
notify: Restart nginx
- file:
src: /etc/nginx/sites-available/pleroma.conf
dest: /etc/nginx/sites-enabled/pleroma.conf
state: link
notify: Restart nginx
- replace:
path: /etc/nginx/sites-available/pleroma.conf
regexp: 'example\.tld'
replace: "{{ pleroma.tld }}"
notify: Restart nginx
# Copy the service into a proper directory
# cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
- copy:
src: /opt/pleroma/installation/pleroma.service
dest: /etc/systemd/system/pleroma.service
remote_src: true
# Start pleroma and enable it on boot
# systemctl start pleroma
# systemctl enable pleroma
notify: Restart pleroma
# Create the directory for webroot challenges
# mkdir -p /var/lib/letsencrypt
- file:
path: /var/lib/letsencrypt
state: directory
# Add it to the daily cron
# echo '#!/bin/sh
# certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
# ' > /etc/cron.daily/renew-pleroma-cert
# chmod +x /etc/cron.daily/renew-pleroma-cert
- ansible.builtin.copy:
content: |
\#!/bin/sh
certbot renew --cert-name {{ pleroma.tld }} --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
dest: /etc/cron.daily/renew-pleroma-cert
mode: +x
# - template:
# src: renew-pleroma-cert
# dest: /etc/cron.daily/renew-pleroma-cert
# mode: +x
handlers:
- name: Restart nginx
service:
name: nginx
state: restarted
- name: Restart pleroma
service:
name: pleroma
enabled: true
state: restarted

23
ramble-hard/pleroma/README.md
Unescape View File

@ -0,0 +1,23 @@
```sh
ansible-playbook playbooks/pleroma/01.yml
su pleroma -s $SHELL -lc "./bin/pleroma_ctl instance gen --output /etc/pleroma/config.exs --output-psql /tmp/setup_db.psql"
ansible-playbook playbooks/pleroma/02.yml
# Start the instance to verify that everything is working as expected
su pleroma -s $SHELL -lc "./bin/pleroma daemon"
# Wait for about 20 seconds and query the instance endpoint, if it shows your
# uri, name and email correctly, you are configured correctly
sleep 20 && curl http://localhost:4000/api/v1/instance
# Stop the instance
su pleroma -s $SHELL -lc "./bin/pleroma stop"
ansible-playbook -l pleroma playbooks/pleroma/03.yml
cd /opt/pleroma
su pleroma -s $SHELL -lc "./bin/pleroma_ctl user new joeuser joeuser@sld.tld --admin"
su pleroma -s $SHELL -lc "./bin/pleroma_ctl config migrate_to_db"
```
Write Preview
Loading…
Cancel
Save