[meta] ansible config for ramble-hard

ansible/playbooks/lets_encrypt/main.yml

@@ -0,0 +1,21 @@
+---
+- hosts: all
+  tasks:
+
+  - apt:
+      update_cache: yes
+
+  - package:
+      name:
+      - certbot
+
+  - command: >
+      certbot certonly --standalone --preferred-challenges http
+      -n --agree-tos -m {{ lets_encrypt_email }}
+      -d {{ item }}
+    loop: "{{ lets_encrypt_tlds }}"
+
+  - template:
+      src: renew-certs
+      dest: /etc/cron.daily/renew-certs
+      mode: +x

ansible/playbooks/lets_encrypt/renew-certs

@@ -0,0 +1,4 @@
+#!/bin/sh
+{% for tld in lets_encrypt_tlds %}
+certbot renew --cert-name {{ tld }} --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
+{% endfor %}

ansible/playbooks/pixelfed/install.yml

@@ -0,0 +1,172 @@
+---
+- hosts: pixelfed
+  tasks:
+
+  - apt:
+      update_cache: yes
+
+  # https://docs.pixelfed.org/running-pixelfed/prerequisites.html
+  - package:
+      name:
+        - git
+        - python-psycopg2 # required for postgresql_user task
+
+        # pixelfed dependencies
+        - nginx
+        - postgresql
+        - php-fpm
+        - php-bcmath
+        - php-curl
+        - php-gd
+        - php-intl
+        - php-mbstring
+        - php-pgsql
+        - php-redis
+        - php-xml
+        - php-zip
+        - redis
+
+  - community.postgresql.postgresql_db:
+      name: pixelfed
+    become: true
+    become_user: postgres
+  - community.postgresql.postgresql_user:
+      db: pixelfed
+      name: pixelfed
+      password: "{{ pixelfed_db_password }}"
+      # role_attr_flags: CREATEDB
+    become: true
+    become_user: postgres
+
+  - copy:
+      src: /etc/php/7.3/fpm/pool.d/www.conf
+      dest: /etc/php/7.3/fpm/pool.d/pixelfed.conf
+      remote_src: yes
+  - lineinfile:
+      path: /etc/php/7.3/fpm/pool.d/pixelfed.conf
+      regexp: "{{ item.regexp }}"
+      line: "{{ item.line }}"
+    loop:
+      - { regexp: "\\[www\\]", line: "[pixelfed]" }
+      - { regexp: "^user =", line: "user = pixelfed" }
+      - { regexp: "^group =", line: "group = pixelfed" }
+      - { regexp: "^listen =", line: "listen = /run/php/pixelfed.sock" }
+      - { regexp: "^;listen.mode =", line: "listen.mode = 0660" }
+    notify: Restart php-fpm
+
+  # - lineinfile:
+  #     path: /etc/redis/redis.conf
+  #     regexp: "{{ item.regexp }}"
+  #     line: "{{ item.line }}"
+  #   loop:
+  #     - { regexp: "^# unixsocket ", line: "unixsocket /var/run/redis/redis.sock" }
+  #     - { regexp: "^# unixsocketperm ", line: "unixsocketperm 770" }
+
+  - user:
+      name: pixelfed
+
+  # https://docs.pixelfed.org/running-pixelfed/installation.html#setting-up-pixelfed-files
+  - git:
+      repo: "https://github.com/pixelfed/pixelfed.git"
+      dest: /usr/share/pixelfed
+      version: dev
+
+  - file:
+      path: /usr/share/pixelfed
+      recurse: yes
+      owner: pixelfed
+      group: pixelfed
+
+  handlers:
+
+    - name: Restart php-fpm
+      service:
+        name: php7.3-fpm
+        state: restarted
+
+- hosts: pixelfed
+  become: yes
+  become_user: pixelfed
+  tasks:
+
+  - get_url:
+      url: https://getcomposer.org/installer
+      dest: /usr/share/pixelfed/composer-setup.php
+  - file:
+      path: /usr/share/pixelfed/bin
+      state: directory
+  - command: php composer-setup.php --install-dir=bin --filename=composer
+    args:
+      chdir: /usr/share/pixelfed
+
+  - community.general.composer:
+      command: install
+      working_dir: /usr/share/pixelfed
+      composer_executable: /usr/share/pixelfed/bin/composer
+
+  - copy:
+      src: /usr/share/pixelfed/.env.example
+      dest: /usr/share/pixelfed/.env
+      remote_src: yes
+  - lineinfile:
+      path: /usr/share/pixelfed/.env
+      regexp: "{{ item.regexp }}"
+      line: "{{ item.line }}"
+    loop:
+      - { regexp: "^APP_NAME=", line: "APP_NAME={{ pixelfed_app_name }}" }
+      - { regexp: "^APP_KEY=", line: "APP_KEY={{ pixelfed_app_key }}" }
+      - { regexp: "^APP_URL=", line: "APP_URL={{ pixelfed_app_url }}" }
+      - { regexp: "^APP_DOMAIN=", line: "APP_DOMAIN={{ pixelfed_domain }}" }
+      - { regexp: "^ADMIN_DOMAIN=", line: "ADMIN_DOMAIN={{ pixelfed_domain }}" }
+      - { regexp: "^SESSION_DOMAIN=", line: "SESSION_DOMAIN={{ pixelfed_domain }}" }
+      - { regexp: "^DB_CONNECTION=", line: "DB_CONNECTION=pgsql" }
+      - { regexp: "^DB_PORT=", line: "DB_PORT=5432" }
+      - { regexp: "^DB_PASSWORD=", line: "DB_PASSWORD={{ pixelfed_db_password }}" }
+      - { regexp: "^ACTIVITY_PUB=", line: "ACTIVITY_PUB=true" }
+      - { regexp: "^AP_REMOTE_FOLLOW=", line: "AP_REMOTE_FOLLOW=true" }
+
+  - command: php artisan {{ item }}
+    args:
+      chdir: /usr/share/pixelfed
+    loop:
+      - storage:link
+      - migrate --force
+      - import:cities
+      - instance:actor
+      - route:cache
+      - view:cache
+      - horizon:install
+      - horizon:publish
+
+- hosts: pixelfed
+  tasks:
+
+  - copy:
+      src: pixelfed.service
+      dest: /etc/systemd/system/pixelfed.service
+    become: yes
+
+  - service:
+      name: pixelfed
+      enabled: yes
+      state: restarted
+
+  - cron:
+      job: /usr/bin/php /usr/share/pixelfed/artisan schedule:run >> /dev/null 2>&1
+
+  - template:
+      src: pixelfed.nginx
+      dest: /etc/nginx/sites-available/pixelfed.conf
+    notify: Restart nginx
+  - file:
+      src: /etc/nginx/sites-available/pixelfed.conf
+      dest: /etc/nginx/sites-enabled/pixelfed.conf
+      state: link
+    notify: Restart nginx
+
+  handlers:
+
+    - name: Restart nginx
+      service:
+        name: nginx
+        state: restarted

ansible/playbooks/pixelfed/pixelfed.nginx

@@ -0,0 +1,54 @@
+# https://github.com/pixelfed/pixelfed/blob/dev/contrib/nginx.conf
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ pixelfed_domain }};                    # change this to your fqdn
+    root /usr/share/pixelfed/public;                      # path to repo/public
+
+    ssl_trusted_certificate   /etc/letsencrypt/live/{{ pixelfed_domain }}/chain.pem;
+    ssl_certificate           /etc/letsencrypt/live/{{ pixelfed_domain }}/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/{{ pixelfed_domain }}/privkey.pem;
+
+    ssl_protocols TLSv1.2;
+    ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
+    ssl_prefer_server_ciphers on;
+
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+
+    index index.html index.htm index.php;
+
+    charset utf-8;
+    client_max_body_size 15M;
+
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    error_page 404 /index.php;
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        try_files $fastcgi_script_name =404;
+        fastcgi_pass unix:/run/php/pixelfed.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # or $request_filename
+    }
+
+    location ~ /\.(?!well-known).* {
+        deny all;
+    }
+}
+
+server {                                             # Redirect http to https
+    server_name {{ pixelfed_domain }};                    # change this to your fqdn
+    listen 80;
+    listen [::]:80;
+    return 301 https://$host$request_uri;
+}

ansible/playbooks/pixelfed/pixelfed.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Pixelfed task queueing via Laravel Horizon
+After=network.target
+Requires=postgresql
+Requires=php-fpm
+Requires=redis
+Requires=nginx
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/php /usr/share/pixelfed/artisan horizon
+User=pixelfed
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target