From 506cd00c13854eb94a088b46c3bc9668348af1e6 Mon Sep 17 00:00:00 2001 From: "Tyler B. Thrailkill" Date: Tue, 20 Jun 2023 19:30:55 -0600 Subject: [PATCH 01/68] Performance fixes for postgres --- templates/docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index ce5ea96..9a92e7c 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -8,6 +8,7 @@ services: restart: always environment: - RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_queries=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemmy_db_views_moderator=info,lemmy_routes=info,lemmy_utils=info,lemmy_websocket=info" + - MAX_DB_CONNECTIONS=20 volumes: - ./lemmy.hjson:/config/config.hjson depends_on: @@ -38,6 +39,7 @@ services: - ./volumes/postgres:/var/lib/postgresql/data - ./customPostgresql.conf:/etc/postgresql.conf restart: always + shm_size: 1g pictrs: image: asonix/pictrs:0.3.1 From f45f2044737a2a720e6488cd950b2489a571a431 Mon Sep 17 00:00:00 2001 From: Mark Esler Date: Wed, 2 Aug 2023 15:00:15 +0200 Subject: [PATCH 02/68] configure debian docker apt repos (#140) * configure debian docker apt repos * prettier lint --- lemmy.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/lemmy.yml b/lemmy.yml index e8e0e3c..22f0cd4 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -44,7 +44,7 @@ - "virtualenv" - "python3-setuptools" - - name: Configure Docker apt repo before Jammy + - name: Configure Docker apt repo for Ubuntu < 22.04 when: ansible_distribution == 'Ubuntu' and ansible_distribution_version < '22.04' block: - name: Add Docker GPG apt Key 
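Review bot: `MAX_DB_CONNECTIONS=20` and `shm_size: 1g` are dropped into templates/docker-compose.yml with no comment on where the numbers come from, although the commit title says they are performance fixes for postgres. A short comment on each line would let the next operator retune them safely, e.g. `# Lemmy's DB connection pool size; presumably must stay below max_connections in customPostgresql.conf` above the environment entry and `# Shared memory for postgres; the default 64m is too small for larger work_mem settings` above `shm_size`. Both values are plain scalars, which is fine for compose, but `shm_size: "1g"` would keep linters from flagging it.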
@@ -56,17 +56,21 @@ repo: deb https://download.docker.com/linux/ubuntu focal stable state: present - - name: Configure Docker apt repo on Jammy++ - when: ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '22.04' + # based on https://docs.docker.com/engine/install/debian/ + # and https://docs.docker.com/engine/install/ubuntu/ + # note that Debian and Ubuntu use the same key + - name: Configure Docker apt repo for Debian or Ubuntu >= 22.04 + when: (ansible_distribution == 'Debian') or + (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '22.04') block: - name: Download Docker GPG Key get_url: - url: https://download.docker.com/linux/ubuntu/gpg + url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg dest: /etc/apt/keyrings/docker.asc checksum: sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570 - - name: Add Docker to apt + - name: Add Docker apt repo apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" state: present - name: Update apt and install docker-ce From a95c3321c3611ab0616dae361ded35c21b9da206 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Tue, 8 Aug 2023 08:02:07 -0400 Subject: [PATCH 03/68] Updating VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 267d7e0..0cc9884 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.18.3 +0.18.4 From b9787aee7320bffd597ba837c683c6401d9c2567 Mon Sep 17 00:00:00 2001 
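Review bot: The `when:` on the new `Configure Docker apt repo for Debian or Ubuntu >= 22.04` task compares `ansible_distribution_version >= '22.04'` as strings, so the check is lexicographic rather than numeric; the same applies to `< '22.04'` in the previous hunk. Current Ubuntu release numbers happen to sort correctly, but the `version` test is the intended idiom: `ansible_distribution_version is version('22.04', '>=')`. The pinned `checksum: sha256:…` on the key download is good and should stay now that the URL is distribution-dependent, given the added comment that Debian and Ubuntu share the same key.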
From: Cody Robertson Date: Thu, 10 Aug 2023 21:59:36 -0400 Subject: [PATCH 04/68] Fix duplicate headers being sent - Internal/external nginx were sending duplicate headers, removed from internal - Opted X-Frame-Options DENY as default - Fixes #143 --- templates/nginx_internal.conf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index 34c1427..4f983e5 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -57,15 +57,10 @@ http { gzip on; gzip_types text/css application/javascript image/svg+xml; - gzip_vary on; # Upload limit, relevant for pictrs client_max_body_size 20M; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - # Send actual client IP upstream proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; From 3b7ff005e26d20da7d8e26454d87b691247b3793 Mon Sep 17 00:00:00 2001 From: usr3 <50021155+usr3@users.noreply.github.com> Date: Wed, 30 Aug 2023 05:38:39 +0530 Subject: [PATCH 05/68] Fix pictrs environent variable for setting API_KEY (#153) Environment variable for setting API Key has changed in v0.4.0. This fixes the error: Invalid API Key with the old variable. --- templates/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 7329d86..42c6e95 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -56,7 +56,7 @@ services: # entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -p /mnt -m 4 --image-format webp environment: - PICTRS_OPENTELEMETRY_URL=http://otel:4137 - - PICTRS__API_KEY={{ postgres_password }} + - PICTRS__SERVER__API_KEY={{ postgres_password }} - RUST_LOG=debug - RUST_BACKTRACE=full - PICTRS__MEDIA__VIDEO_CODEC=vp9 From 627432b3a63baf4751725151e9de6308c696c94c Mon Sep 17 00:00:00 2001 
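Review bot: Removing the three `add_header` lines leaves nothing in templates/nginx_internal.conf recording where `X-Frame-Options` and `X-Content-Type-Options` are now expected to be set; the commit message is the only trace that the external proxy sends them. A one-line comment where the headers used to be, `# Security headers (X-Frame-Options, X-Content-Type-Options) are sent by the external nginx (templates/nginx.conf); do not add them here or clients receive duplicates.`, would stop a later edit from re-adding them. It is worth confirming that the external config sets them in every `location` that declares its own `add_header`, since nginx does not inherit `add_header` into a block that has one of its own. Patch 11 (`Fix duplicate headers being sent by nginx (#151)`) repeats the same hunk and the same remark applies there.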
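Review bot: `PICTRS__SERVER__API_KEY={{ postgres_password }}` reuses the database password as the pict-rs API key, so the rename fixes the variable name but keeps one secret serving two trust boundaries; anyone who obtains the pict-rs key (presumably presented to pict-rs over HTTP by the lemmy container) also holds the Postgres password. A separately generated secret keeps the two independent, e.g. `pictrs_api_key: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/pictrs_api_key chars=ascii_letters,digits') }}"` declared next to `postgres_password` and used here as `- PICTRS__SERVER__API_KEY={{ pictrs_api_key }}`. Only three context lines of the `environment:` list are visible in this hunk.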
From: Cody Robertson Date: Tue, 29 Aug 2023 20:11:53 -0400 Subject: [PATCH 06/68] Get dpkg-formatted arch and use it for docker apt repo (#148) * Get dpkg-formatted arch and use it for docker apt repo - Fixes #130 - Tested against amd64/arm64 * Add conditional for dpkg command (Debian/Ubuntu), Adjust GPG path to use standard existing one - Path exists on at least Ubuntu >= 22.04, Debian 10, Debian 11 --- lemmy.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lemmy.yml b/lemmy.yml index 22f0cd4..a114792 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -56,6 +56,13 @@ repo: deb https://download.docker.com/linux/ubuntu focal stable state: present + - name: Get architecture using dpkg + when: (ansible_distribution == 'Debian') or + (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '22.04') + command: dpkg --print-architecture + register: dpkg_output + changed_when: false + # based on https://docs.docker.com/engine/install/debian/ # and https://docs.docker.com/engine/install/ubuntu/ # note that Debian and Ubuntu use the same key @@ -66,11 +73,11 @@ - name: Download Docker GPG Key get_url: url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg - dest: /etc/apt/keyrings/docker.asc + dest: /etc/apt/trusted.gpg.d/docker.asc checksum: sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570 - name: Add Docker apt repo apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" + repo: "deb [arch={{ dpkg_output.stdout }} signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" state: present - name: Update apt and install docker-ce From 53f09308833f8a17a22166556bf858500340f762 Mon Sep 17 00:00:00 2001 
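Review bot: Moving the key to `dest: /etc/apt/trusted.gpg.d/docker.asc` makes it a globally trusted apt key: any key under `/etc/apt/trusted.gpg.d/` can sign packages for every configured repository, so the `signed-by=/etc/apt/trusted.gpg.d/docker.asc` in the second hunk's `repo:` line no longer confines the Docker key to the Docker repository. The commit message indicates the move was made because `/etc/apt/keyrings` may be missing on older releases; creating it explicitly keeps the scoping, e.g. a preceding task `ansible.builtin.file: {path: /etc/apt/keyrings, state: directory, mode: "0755"}` with `dest: /etc/apt/keyrings/docker.asc` as before and the matching `signed-by=` path. The `dpkg --print-architecture` task with `changed_when: false` is fine; `dpkg_output.stdout` is only defined when its `when:` matches, which is the same condition as the repo task, so that is consistent.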
From: Cody Robertson Date: Thu, 31 Aug 2023 16:52:09 -0400 Subject: [PATCH 07/68] Remove redundant gzip lines - Present/enabled in nginx.conf template --- templates/nginx_internal.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index 4f983e5..89274b7 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -55,9 +55,6 @@ http { server_name localhost; server_tokens off; - gzip on; - gzip_types text/css application/javascript image/svg+xml; - # Upload limit, relevant for pictrs client_max_body_size 20M; From 1a68715165533a3008ea6799c6949e56a68ec294 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Thu, 31 Aug 2023 21:13:39 -0400 Subject: [PATCH 08/68] Initial commit of pict-rs external configuration - Refs https://github.com/LemmyNet/lemmy-ansible/issues/109 - Co-authored by: Maximilian Praeger --- examples/pictrs.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 examples/pictrs.yml diff --git a/examples/pictrs.yml b/examples/pictrs.yml new file mode 100644 index 0000000..b69213b --- /dev/null +++ b/examples/pictrs.yml @@ -0,0 +1,11 @@ +# You can set any pict-rs environmental variables here. They will populate the templates/docker-compose.yml file. +# https://git.asonix.dog/asonix/pict-rs + +#pictrs_env_vars: +# - PICTRS__STORE__TYPE: object_storage +# - PICTRS__STORE__ENDPOINT: '' +# - PICTRS__STORE__BUCKET_NAME: '' +# - PICTRS__STORE__REGION: '' +# - PICTRS__STORE__USE_PATH_STYLE: false +# - PICTRS__STORE__ACCESS_KEY: '' +# - PICTRS__STORE__SECRET_KEY: '' From 829fec3537f5df2b93a3e0fef4cc3f638ab04bd6 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Thu, 31 Aug 2023 21:13:46 -0400 Subject: [PATCH 09/68] Update README --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fdcbafe..e89a535 100644 --- a/README.md +++ b/README.md 
@@ -44,7 +44,13 @@ To run this ansible playbook, you need to: You can use [the PGTune tool](https://pgtune.leopard.in.ua) to tune your postgres to meet your server memory and CPU. -6. Run the playbook: +6. **Optional**: If you want to configure the pict-rs instance via environmental variables (EX, to configure it to use Amazon S3 for storage), copy the sample `pictrs.yml` file into your `host_vars//pictrs.yml`: + + `cp examples/pictrs.yml inventory/host_vars//pictrs.yml` + + Edit the `inventory_host_vars//pictrs.yml` file to your liking. + +7. Run the playbook: `ansible-playbook -i inventory/hosts lemmy.yml` From 276eb3e3caea3d522e6a783c4dfd98c4c22b3afc Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Thu, 31 Aug 2023 21:14:48 -0400 Subject: [PATCH 10/68] - Loop over variables and populate docker-compose.yml --- templates/docker-compose.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 7329d86..facccba 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -64,6 +64,13 @@ services: - PICTRS__MEDIA__GIF__MAX_HEIGHT=256 - PICTRS__MEDIA__GIF__MAX_AREA=65536 - PICTRS__MEDIA__GIF__MAX_FRAME_COUNT=400 +{% if pictrs_env_vars is defined and pictrs_env_vars|length > 0 %} +{%- for item in pictrs_env_vars %} +{%- for key, value in item.items() %} + - {{ key }}={{ value }} +{% endfor -%} +{% endfor %} +{% endif %} user: 991:991 volumes: - ./volumes/pictrs:/mnt:Z From b9fd747868789f1ba1dfc6417f28511eea3dba27 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Fri, 1 Sep 2023 09:19:22 -0400 Subject: [PATCH 11/68] Fix duplicate headers being sent by nginx (#151) * Fix duplicate headers being sent - Internal/external nginx were sending duplicate headers, removed from internal - Opted X-Frame-Options DENY as default - Fixes #143 * Remove redundant gzip lines - Present/enabled in nginx.conf template --- templates/nginx_internal.conf | 8 -------- 1 file changed, 8 deletions(-) 
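Review bot: The loop emits `- {{ key }}={{ value }}` unquoted into the compose file, so any value containing a space, ` #`, or a leading YAML indicator (an S3 endpoint with a query string, a secret starting with `*`) would break the rendered YAML or be silently truncated at the `#`. Emitting the whole entry as a JSON string keeps it one valid YAML scalar: `      - {{ (key ~ '=' ~ value) | to_json }}`. The combination of `{%-` on the `for` tags and `-%}` on the inner `endfor` looks correct for one item per line but is easy to get wrong; rendering once with two entries and inspecting the output would confirm it.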
diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index 34c1427..89274b7 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -55,17 +55,9 @@ http { server_name localhost; server_tokens off; - gzip on; - gzip_types text/css application/javascript image/svg+xml; - gzip_vary on; - # Upload limit, relevant for pictrs client_max_body_size 20M; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - # Send actual client IP upstream proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; From c14098e4c8e79d2904aa37ce894bf582d69bac58 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Sat, 2 Sep 2023 14:05:36 -0400 Subject: [PATCH 12/68] Remove reliance on `pip` module (#157) * Remove installation via pip module, use apt - Resolves #152 * Update task name to be more accurate --- lemmy.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/lemmy.yml b/lemmy.yml index a114792..e6dc530 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -80,18 +80,13 @@ repo: "deb [arch={{ dpkg_output.stdout }} signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" state: present - - name: Update apt and install docker-ce + - name: Install docker-ce and docker-compose apt: - name: docker-ce - state: latest - update_cache: true - - - name: Install Docker Module and docker-compose for Python - pip: name: - - docker + - docker-ce - docker-compose state: latest + update_cache: true - name: copy docker config copy: src='../files/docker-daemon.json' dest='/etc/docker/daemon.json' mode='0644' From b260182b816f60915d2a3f3cef8333a75d774ad4 Mon Sep 17 00:00:00 2001 
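Review bot: `state: latest` on the combined `docker-ce`/`docker-compose` apt task means every playbook run may upgrade the Docker engine, which typically restarts running containers unless live-restore is configured; with `update_cache: true` that happens whenever the Docker repository publishes a release. `state: present` installs once and leaves version bumps to a deliberate run. The uninstall playbook still uses the `docker_compose` module, which needs the Python docker libraries the removed `pip` task provided; the distribution's `docker-compose` package should pull those in, but that dependency is now implicit and deserves a comment on the task, e.g. `# docker-compose (apt) also provides the python3-docker libraries used by the docker_compose module in uninstall.yml`.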
From: Cody Robertson Date: Sat, 2 Sep 2023 14:10:12 -0400 Subject: [PATCH 13/68] Lemmy AlmaLinux/RHEL Ansible Support (#145) * Add initial lemmy-almalinux.yml playbook - Supports AlmaLinux 9, RHEL 9, Rocky Linux 9 * Update docker-compose.yml to explicitly point to Docker Hub registry - By default EL9 lists 3x registries and prompts on short names, this allows unattended pulling without modifying registry configuration * Modify uninstall.yml playbook to support AlmaLinux/EL distributions - Add syntax check to lemmy-almalinux.yml playbook w/ woodpecker CI * Run `prettier` on playbooks to make lemmy-ansible upstream CI happy * Add some logic to the uninstall playbook for docker/podman/nginx - Installation starts and enables services, seems wise to offer inverse * Remove unused debug line * Update notes to be consistent with other task * Add distribution & version checks to lemmy-playbook, uninstall playbooks - EL >= 9 (for now?) - Add CentOS to list of targets (CentOS stream, boo hiss) * Revert postgres_password logic to be in-line with main playbook, docs * Update our targets baby! Technically should work on all EL9 spinoffs - But we build for ALmaLinux <3 * Add `always` tag for distribution/version check task * Gather facts for distribution conditionals --- .woodpecker.yml | 1 + README.md | 2 +- lemmy-almalinux.yml | 236 +++++++++++++++++++++++++++++++++ templates/docker-compose.yml | 8 +- templates/sysconfig-certbot.j2 | 47 +++++++ uninstall.yml | 90 ++++++++++--- 6 files changed, 362 insertions(+), 22 deletions(-) create mode 100644 lemmy-almalinux.yml create mode 100644 templates/sysconfig-certbot.j2 diff --git a/.woodpecker.yml b/.woodpecker.yml index 678e0fe..bd2dd73 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -8,4 +8,5 @@ pipeline: commands: - apk add ansible - ansible-playbook lemmy.yml --syntax-check + - ansible-playbook lemmy-almalinux.yml --syntax-check - ansible-playbook uninstall.yml --syntax-check 
diff --git a/README.md b/README.md index fdcbafe..2c1e732 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ This provides an easy way to install [Lemmy](https://github.com/LemmyNet/lemmy) To run this ansible playbook, you need to: -- Have a Debian-based server / VPS where lemmy will run. +- Have a Debian/AlmaLinux 9-based server / VPS where lemmy will run. - Configure a DNS `A` Record to point at your server's IP address. - Make sure you can ssh to it, with a sudo user: `ssh @` - Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) on your **local** machine (do not install it on your destination server). diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml new file mode 100644 index 0000000..1d48d96 --- /dev/null +++ b/lemmy-almalinux.yml 
@@ -0,0 +1,236 @@ +--- +- hosts: all + gather_facts: true + pre_tasks: + # This is not needed for this playbook as it predates its existence + # But we're keeping it for funsies :) + - name: check lemmy_base_dir + ansible.builtin.fail: + msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file." + when: lemmy_base_dir is not defined + handlers: + - name: reload nginx + ansible.builtin.command: nginx -s reload + vars: + lemmy_port: "{{ 32767 | random(start=1024) }}" + postgres_password: "{{ lookup('password', 'host_vars/{{ domain }}/passwords/postgres chars=ascii_letters,digits') }}" + tasks: + - name: Ensure target system is >= EL9 + ansible.builtin.fail: + msg: "This playbook requires Enterprise Linux 9 or greater" + when: + - ansible_distribution not in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] + - ansible_distribution_major_version | int < 9 + tags: + - always + + - name: Enable CRB repository + ansible.builtin.yum_repository: + name: almalinux-crb + description: AlmaLinux $releasever - CRB + mirrorlist: https://mirrors.almalinux.org/mirrorlist/$releasever/crb + gpgcheck: true + gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9 + enabled: yes + tags: + - dependencies + + - name: Install epel-release + ansible.builtin.dnf: + state: present + name: epel-release + tags: + - dependencies + + - name: Install dependencies + ansible.builtin.dnf: + state: present + name: + - certbot + - curl + - nginx + - podman + - podman-compose + - podman-docker + - python3-certbot-nginx + - python3-docker + - python3-pip + - python3-podman + - python3-virtualenv + - python3-setuptools + tags: + - dependencies + + - name: Gather service facts + ansible.builtin.service_facts: + tags: + - firewalld + + # TODO: Use ansible.posix.firewalld + - name: Allow http/httpd traffic to public zone in firewalld + ansible.builtin.command: "firewall-cmd --zone=public --add-service={{ item }} --perm" + loop: + - http + - 
https + when: "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'" + tags: + - firewalld + + - name: Reload firewalld + ansible.builtin.command: firewall-cmd --reload + when: "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'" + tags: + - firewalld + + # TODO: certbot logic needs to be re-worked + - name: Request initial letsencrypt certificate + ansible.builtin.command: certbot certonly --nginx --agree-tos --cert-name '{{ domain }}' -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' + args: + creates: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" + tags: + - certbot + - certbot_initial + - ssl + + - name: Create lemmy folder + ansible.builtin.file: + path: "{{ item.path }}" + owner: "{{ item.owner }}" + state: directory + loop: + - path: "{{ lemmy_base_dir }}/{{ domain }}/" + owner: "root" + - path: "{{ lemmy_base_dir }}/{{ domain }}/volumes/" + owner: "root" + - path: "{{ lemmy_base_dir }}/{{ domain }}/volumes/pictrs/" + owner: "991" # Matches docker-compose UID in docker-compose.yml + + - name: Set lemmy_port fact + ansible.builtin.set_fact: + lemmy_port: "{{ 32767 |random(start=1024) }}" + tags: + - always + + - name: Distribute docker/podman templates + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode }}" + loop: + - src: "templates/docker-compose.yml" + dest: "{{ lemmy_base_dir }}/{{ domain }}/docker-compose.yml" + mode: "0600" + - src: "templates/nginx_internal.conf" + dest: "{{ lemmy_base_dir }}/{{ domain }}/nginx_internal.conf" + mode: "0644" + vars: + lemmy_docker_image: "docker.io/dessalines/lemmy:{{ lemmy_version | default( lookup('file', 'VERSION') )}}" + lemmy_docker_ui_image: "docker.io/dessalines/lemmy-ui:{{ lemmy_ui_version | default(lemmy_version | default(lookup('file', 'VERSION')))}}" + tags: + - docker + - podman + + # TODO: Move to templates/, keeping consistent 
with upstream currently + # to ensure documentation is accurate + - name: Add the config.hjson + ansible.builtin.template: + #src: "templates/{{ domain }}/config.hjson" + src: "host_vars/{{ domain }}/config.hjson" + dest: "{{ lemmy_base_dir }}/{{ domain }}/lemmy.hjson" + mode: "0600" + owner: "1000" # Match UID in container + group: "1000" # Match GID in container + tags: + - configs + + # TODO: Move to files/, keeping consistent with upstream currently + # to ensure documentation is accurate + - name: Add the customPostgresql.conf + ansible.builtin.template: + #src: "files/{{ domain }}/customPostgresql.conf" + src: "host_vars/{{ domain }}/customPostgresql.conf" + dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf" + mode: "0600" + owner: "1000" # Match UID in container + group: "1000" # Match GID in container + tags: + - configs + - postgresql + + - name: Distribute nginx site templates + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode }}" + loop: + - src: "templates/nginx.conf" + dest: "/etc/nginx/conf.d/{{ domain }}.conf" + mode: "0644" + notify: reload nginx + tags: + - nginx + + # TODO: Check if this is necessary with EL & podman + #- name: Copy docker config + # ansible.builtin.copy: + # src: "{{ ansible_playbook }}/files/docker-daemon.json" + # dest: /etc/docker/daemon.json + # mode: '0644' + + # TODO: podman-compose should wrap this safely + # TODO: This was an incorrect assumption, module uses docker python module, not cli + #- name: Run podman-compose + # docker_compose: + # project_src: "{{ lemmy_base_dir }}/{{ domain }}" + # state: present + # pull: yes + # remove_orphans: yes + # tags: + # - docker + # - docker_compose + # - podman + # - podman_compose + + - name: Start and enable podman service + ansible.builtin.systemd: + name: podman.service + state: started + enabled: yes + tags: + - docker + - podman + + - name: Run podman-compose pull + ansible.builtin.command: podman-compose pull + 
args: + chdir: "{{ lemmy_base_dir }}/{{ domain }}" + tags: + - docker + - podman + + - name: Run podman-compose up + ansible.builtin.command: podman-compose up -d + args: + chdir: "{{ lemmy_base_dir }}/{{ domain }}" + tags: + - docker + - podman + + # This isn't using any jinja2 templating currently + - name: Distribute /etc/sysconfig/certbot + ansible.builtin.template: + src: "templates/sysconfig-certbot.j2" + dest: "/etc/sysconfig/certbot" + mode: "0644" + tags: + - certbot + - ssl + + - name: Enable certbot-renew.timer + ansible.builtin.systemd: + name: certbot-renew.timer + state: started + enabled: yes + tags: + - certbot + - ssl diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 42c6e95..fe047f6 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -8,7 +8,7 @@ x-logging: &default-logging services: proxy: - image: nginx:1-alpine + image: docker.io/library/nginx ports: # actual and only port facing any connection from outside # Note, change the left number if port 1236 is already in use on your system @@ -49,7 +49,7 @@ services: logging: *default-logging pictrs: - image: asonix/pictrs:0.4.0 + image: docker.io/asonix/pictrs:0.4.0 # this needs to match the pictrs url in lemmy.hjson hostname: pictrs # we can set options to pictrs like this, here we set max. image size and forced format for conversion @@ -75,7 +75,7 @@ services: memory: 690m postgres: - image: postgres:15-alpine + image: docker.io/postgres:15-alpine hostname: postgres environment: - POSTGRES_USER=lemmy @@ -88,7 +88,7 @@ services: logging: *default-logging postfix: - image: mwader/postfix-relay + image: docker.io/mwader/postfix-relay environment: - POSTFIX_myhostname={{ domain }} restart: "always" diff --git a/templates/sysconfig-certbot.j2 b/templates/sysconfig-certbot.j2 new file mode 100644 index 0000000..c2865e0 --- /dev/null +++ b/templates/sysconfig-certbot.j2 
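Review bot: The `Ensure target system is >= EL9` guard never fires on the hosts it is meant to reject: a `when:` list is ANDed, so `ansible.builtin.fail` runs only when the distribution is both outside `['AlmaLinux', 'CentOS', 'RedHat', 'Rocky']` and below major version 9, which lets AlmaLinux 8 or Debian 12 through. The intent is an OR: `when: ansible_distribution not in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] or ansible_distribution_major_version | int < 9`. The CRB task hardcodes the AlmaLinux mirrorlist and `gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9`, which presumably does not exist on Rocky or RHEL hosts the guard accepts, so `gpgcheck: true` would fail there. The `firewall-cmd` and `podman-compose up -d` command tasks carry no `changed_when`, so every run reports changes, and `enabled: yes` on the systemd tasks is YAML 1.1 boolean spelling where `true` is portable.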
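Review bot: `image: docker.io/library/nginx` drops the `1-alpine` tag that `nginx:1-alpine` carried, so the proxy now floats on `latest` and each `pull` can move it to a new major version, while the other three images changed in this commit keep their tags. Keep the pin together with the registry prefix: `image: docker.io/library/nginx:1-alpine`. For consistency, `docker.io/postgres:15-alpine` could use the same `docker.io/library/` form, though the short form resolves to the same image.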
@@ -0,0 +1,47 @@ +## NOTE ## +# If a hook is set here then it will be used for all +# certificates and will override any per certificate +# hook configuration in place. + +# Command to be run in a shell before obtaining any +# certificates. Intended primarily for renewal, where it +# can be used to temporarily shut down a webserver that +# might conflict with the standalone plugin. This will +# only be called if a certificate is actually to be +# obtained/renewed. When renewing several certificates +# that have identical pre-hooks, only the first will be +# executed. +# +# An example to stop the MTA before updating certs would be +# PRE_HOOK="--pre-hook 'systemctl stop postfix'" +PRE_HOOK="" + +# Command to be run in a shell after attempting to +# obtain/renew certificates. Can be used to deploy +# renewed certificates, or to restart any servers that +# were stopped by --pre-hook. This is only run if an +# attempt was made to obtain/renew a certificate. If +# multiple renewed certificates have identical post- +# hooks, only one will be run. +# +# An example to restart httpd would be: +# POST_HOOK="--post-hook 'systemctl restart httpd'" +POST_HOOK="'nginx -s reload'" + +# Command to be run in a shell once for each +# successfully renewed certificate. For this command, +# the shell variable $RENEWED_LINEAGE will point to the +# config live subdirectory containing the new certs and +# keys; the shell variable $RENEWED_DOMAINS will contain +# a space-delimited list of renewed cert domains +# +# An example to run a script to alert each cert would be: +# DEPLOY_HOOK="--deploy-hook /usr/local/bin/cert-notifier.sh" +DEPLOY_HOOK="" + +# Any other misc arguments for the renewal +# See certbot -h renew for full list +# +# An example to force renewal for certificates not due yet +# CERTBOT_ARGS="--force-renewal" +CERTBOT_ARGS="" diff --git a/uninstall.yml b/uninstall.yml index 1779c0c..4280d87 100644 --- a/uninstall.yml +++ b/uninstall.yml 
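Review bot: `POST_HOOK="'nginx -s reload'"` does not match the format the file's own comment gives for this variable (`POST_HOOK="--post-hook 'systemctl restart httpd'"`): the `--post-hook` option is missing, so certbot presumably receives `'nginx -s reload'` as a bare argument and the renewed certificate is never loaded by nginx. The line should read `POST_HOOK="--post-hook 'nginx -s reload'"`. Because the playbook's `Enable certbot-renew.timer` task relies on this hook, the mistake would only surface when the first renewal comes due.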
@@ -10,6 +10,14 @@ prompt: "Delete certificates? Select 'no' if you want to reinstall Lemmy [yes/no]" private: no + - name: stop_disable_nginx + prompt: "Do you want to stop/disable nginx? [yes/no]" + private: no + + - name: stop_disable_docker_podman + prompt: "Do you want to stop/disable Docker/podman? [yes/no]" + private: no + tasks: - name: end play if no confirmation was given debug: 
@@ -19,20 +27,68 @@ - meta: end_play when: not confirm_uninstall|bool - - name: stop docker-compose - docker_compose: - project_src: "{{lemmy_base_dir}}/{{domain}}" - state: absent - - - name: delete data - file: - path: "{{item.path}}" - state: absent - with_items: - - path: "{{lemmy_base_dir}}/{{domain}}" - - path: "/etc/nginx/sites-enabled/{{domain}}.conf" - - - name: remove certbot cronjob - cron: - name: certbot-renew-lemmy - state: absent + # Ubuntu specific uninstallation steps + - block: + - name: stop docker-compose + docker_compose: + project_src: "{{lemmy_base_dir}}/{{domain}}" + state: absent + + - name: delete data + file: + path: "{{item.path}}" + state: absent + with_items: + - path: "{{lemmy_base_dir}}/{{domain}}" + - path: "/etc/nginx/sites-enabled/{{domain}}.conf" + + - name: remove certbot cronjob + cron: + name: certbot-renew-lemmy + state: absent + + - name: Stop and disable Docker + ansible.builtin.systemd: + name: docker.service + state: stopped + enabled: no + when: stop_disable_docker_podman|bool + when: ansible_distribution == "Ubuntu" + + # EL specific uninstallation steps + - block: + - name: Stop and remove containers + ansible.builtin.command: podman-compose down + args: + chdir: "{{ lemmy_base_dir }}/{{ domain }}" + + - name: Delete Lemmy data + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: + - path: "{{lemmy_base_dir}}/{{ domain }}" + - path: "/etc/nginx/conf.d/{{ domain }}.conf" + + - name: Stop and disable certbot-renew.timer + ansible.builtin.systemd: + name: certbot-renew.timer + state: stopped + enabled: no + + - name: Stop and disable podman + ansible.builtin.systemd: + name: podman.service + state: stopped + enabled: no + when: stop_disable_docker_podman|bool + when: + - ansible_distribution in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] + - ansible_distribution_major_version | int >= 9 + + - name: Stop and disable nginx + ansible.builtin.systemd: + name: nginx.service + state: stopped + enabled: no + 
when: stop_disable_nginx|bool From a4af56583916ea5073c8a3aebe99a0f59ef09e15 Mon Sep 17 00:00:00 2001 From: Sanat Sathaye Date: Sat, 2 Sep 2023 23:44:58 +0530 Subject: [PATCH 14/68] Also test for python3 installation (#156) Newer OSs ship with python3 by default and not python2. The current raw check will always fail for them, so fix that. --- lemmy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemmy.yml b/lemmy.yml index e6dc530..d23831f 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -10,9 +10,9 @@ msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file." when: lemmy_base_dir is not defined - - name: install python for Ansible + - name: Install python for Ansible # python2-minimal instead of python-minimal for ubuntu 20.04 and up - raw: test -e /usr/bin/python || (apt -y update && apt install -y python3-minimal python3-setuptools) + raw: test -e /usr/bin/python || test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal python3-setuptools) args: executable: /bin/bash register: output From 4401e15b4d0ec8b1b90d171f13e14aefce0ef520 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Sat, 2 Sep 2023 15:38:34 -0400 Subject: [PATCH 15/68] Add `PICTRS__SERVER__API_KEY` to pict-rs configuration example - Refs #53 --- examples/pictrs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/pictrs.yml b/examples/pictrs.yml index b69213b..1253dba 100644 --- a/examples/pictrs.yml +++ b/examples/pictrs.yml @@ -2,6 +2,7 @@ # https://git.asonix.dog/asonix/pict-rs #pictrs_env_vars: +# - PICTRS__SERVER__API_KEY: 'CHANGE_ME' # - PICTRS__STORE__TYPE: object_storage # - PICTRS__STORE__ENDPOINT: '' # - PICTRS__STORE__BUCKET_NAME: '' From a8c859da60d31281faa34d1de57049f728436121 Mon Sep 17 00:00:00 2001 
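Review bot: The new Ubuntu block is gated on `when: ansible_distribution == "Ubuntu"`, while the install playbook (patch 02 in this series) also accepts Debian, so on a Debian host neither block runs and `uninstall.yml` ends without stopping docker-compose, deleting data or removing the cron job. Gate on the same set the installer accepts: `when: ansible_distribution in ['Debian', 'Ubuntu']`. The EL block's ANDed `when:` list is correct here because it is the allow condition. `enabled: no` on the four systemd tasks is YAML 1.1 boolean spelling; `enabled: false` is the portable form.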
From: Cody Robertson Date: Sat, 2 Sep 2023 15:53:55 -0400 Subject: [PATCH 16/68] Move all pict-rs environmentals to external variables file - Rename pictrs.yml to vars.yml - Start moving some variables to vars.yml for easier management and discoverability --- examples/pictrs.yml | 12 ------------ examples/vars.yml | 25 +++++++++++++++++++++++++ lemmy-almalinux.yml | 1 - lemmy.yml | 3 --- templates/docker-compose.yml | 9 --------- 5 files changed, 25 insertions(+), 25 deletions(-) delete mode 100644 examples/pictrs.yml create mode 100644 examples/vars.yml diff --git a/examples/pictrs.yml b/examples/pictrs.yml deleted file mode 100644 index 1253dba..0000000 --- a/examples/pictrs.yml +++ /dev/null @@ -1,12 +0,0 @@ -# You can set any pict-rs environmental variables here. They will populate the templates/docker-compose.yml file. -# https://git.asonix.dog/asonix/pict-rs - -#pictrs_env_vars: -# - PICTRS__SERVER__API_KEY: 'CHANGE_ME' -# - PICTRS__STORE__TYPE: object_storage -# - PICTRS__STORE__ENDPOINT: '' -# - PICTRS__STORE__BUCKET_NAME: '' -# - PICTRS__STORE__REGION: '' -# - PICTRS__STORE__USE_PATH_STYLE: false -# - PICTRS__STORE__ACCESS_KEY: '' -# - PICTRS__STORE__SECRET_KEY: '' diff --git a/examples/vars.yml b/examples/vars.yml new file mode 100644 index 0000000..b16199b --- /dev/null +++ b/examples/vars.yml 
@@ -0,0 +1,25 @@ +postgres_password: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/postgres.psk chars=ascii_letters,digits') }}" + +# You can set any pict-rs environmental variables here. They will populate the templates/docker-compose.yml file. +# https://git.asonix.dog/asonix/pict-rs +pictrs_env_vars: + - PICTRS__SERVER__API_KEY: {{ postgres_password }} + - PICTRS__MEDIA__VIDEO_CODEC: vp9 + - PICTRS__MEDIA__GIF__MAX_WIDTH: 256 + - PICTRS__MEDIA__GIF__MAX_HEIGHT: 256 + - PICTRS__MEDIA__GIF__MAX_AREA: 65536 + - PICTRS__MEDIA__GIF__MAX_FRAME_COUNT: 400 + - PICTRS_OPENTELEMETRY_URL: http://otel:4137 + - RUST_LOG: debug + - RUST_BACKTRACE: full +# - PICTRS__STORE__TYPE: object_storage +# - PICTRS__STORE__ENDPOINT: '' +# - PICTRS__STORE__BUCKET_NAME: '' +# - PICTRS__STORE__REGION: '' +# - PICTRS__STORE__USE_PATH_STYLE: false +# - PICTRS__STORE__ACCESS_KEY: '' +# - PICTRS__STORE__SECRET_KEY: '' + + + + \ No newline at end of file diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index 1d48d96..a4a9c0a 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml @@ -13,7 +13,6 @@ ansible.builtin.command: nginx -s reload vars: lemmy_port: "{{ 32767 | random(start=1024) }}" - postgres_password: "{{ lookup('password', 'host_vars/{{ domain }}/passwords/postgres chars=ascii_letters,digits') }}" tasks: - name: Ensure target system is >= EL9 ansible.builtin.fail: diff --git a/lemmy.yml b/lemmy.yml index d23831f..536995c 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -166,9 +166,6 @@ owner: "1000" group: "1000" - vars: - postgres_password: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/postgres chars=ascii_letters,digits') }}" - - name: enable and start docker service systemd: name: docker diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 98ae643..f7739f5 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml 
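Review bot: `postgres_password` in the new examples/vars.yml looks up `inventory/host_vars/{{domain}}/passwords/postgres.psk`, while the definition removed from lemmy.yml in the same commit used `.../passwords/postgres` with no extension; an existing deployment that adopts the example would get a freshly generated password that no longer matches the one stored in the Postgres data volume. Keep the old filename, `postgres_password: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/postgres chars=ascii_letters,digits') }}"`, or document the rename as a migration step. The commented `PICTRS__STORE__ACCESS_KEY`/`PICTRS__STORE__SECRET_KEY` entries invite cloud credentials into a plaintext host_vars file; a comment pointing at `ansible-vault` for those values would help. The file also ends with three blank lines and no trailing newline (`\ No newline at end of file`).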
@@ -55,15 +55,6 @@ services:
       # we can set options to pictrs like this, here we set max. image size and forced format for conversion
       # entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -p /mnt -m 4 --image-format webp
       environment:
-      - PICTRS_OPENTELEMETRY_URL=http://otel:4137
-      - PICTRS__SERVER__API_KEY={{ postgres_password }}
-      - RUST_LOG=debug
-      - RUST_BACKTRACE=full
-      - PICTRS__MEDIA__VIDEO_CODEC=vp9
-      - PICTRS__MEDIA__GIF__MAX_WIDTH=256
-      - PICTRS__MEDIA__GIF__MAX_HEIGHT=256
-      - PICTRS__MEDIA__GIF__MAX_AREA=65536
-      - PICTRS__MEDIA__GIF__MAX_FRAME_COUNT=400
 {% if pictrs_env_vars is defined and pictrs_env_vars|length > 0 %}
 {%- for item in pictrs_env_vars %}
 {%- for key, value in item.items() %}
From 31631d2616de68f4398f976b6a569f68a02bdd9f Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Sat, 2 Sep 2023 16:25:54 -0400
Subject: [PATCH 17/68] Adjust inventory example to use `ansible_user`

- Causes issues with how Ansible resolves variables
- `server.com` != `root@server.com`, host_vars/server.com vs. host_vars/root@server.com
---
 examples/hosts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/examples/hosts b/examples/hosts
index 2b75109..6dda8a9 100644
--- a/examples/hosts
+++ b/examples/hosts
@@ -1,6 +1,7 @@
 [lemmy]
 # to get started, copy this file to `inventory` and adjust the values below.
 # - `myuser@example.com`: replace with the destination you use to connect to your server via ssh
+# - `ansible_user=root`: replace `root` with your the username you use to connect to your ssh server
 # - `domain=example.com`: replace `example.com` with your lemmy domain
 # - `letsencrypt_contact_email=your@email.com` replace `your@email.com` with your email address,
 #   to get notifications if your ssl cert expires
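Review bot: The added comment line in examples/hosts has a typo (`your the username`) and should read `# - \`ansible_user=root\`: replace \`root\` with the username you use to connect to your server via ssh`. The `myuser@example.com` comment two lines above it still describes the old `user@host` form that the second hunk of this commit replaces with `example.com ansible_user=root ...`, so it now points readers at a syntax that no longer appears in the example; it should become `# - \`example.com\`: replace with the hostname or address you use to connect to your server via ssh`.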
@@ -8,7 +9,7 @@
 #   if you are upgrading from a previous version, set this to `/lemmy`
 # - `lemmy_version`: The back end version.
 # - `lemmy_ui_version`: overrides the front end version.
-myuser@example.com domain=example.com letsencrypt_contact_email=your@email.com lemmy_base_dir=/srv/lemmy
+example.com ansible_user=root domain=example.com letsencrypt_contact_email=your@email.com lemmy_base_dir=/srv/lemmy
 
 [all:vars]
 ansible_connection=ssh
From 6b671f18b588ae6e6cd23770bcfa0e8010fe68c0 Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Sat, 2 Sep 2023 16:42:35 -0400
Subject: [PATCH 18/68] Quote variable in examples/vars.yml

---
 examples/vars.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vars.yml b/examples/vars.yml
index b16199b..fb21cac 100644
--- a/examples/vars.yml
+++ b/examples/vars.yml
@@ -3,7 +3,7 @@ postgres_password: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwo
 # You can set any pict-rs environmental variables here. They will populate the templates/docker-compose.yml file.
 # https://git.asonix.dog/asonix/pict-rs
 pictrs_env_vars:
-  - PICTRS__SERVER__API_KEY: {{ postgres_password }}
+  - PICTRS__SERVER__API_KEY: "{{ postgres_password }}"
   - PICTRS__MEDIA__VIDEO_CODEC: vp9
   - PICTRS__MEDIA__GIF__MAX_WIDTH: 256
   - PICTRS__MEDIA__GIF__MAX_HEIGHT: 256
From 3909b5ec383ccc0945ac39a1e5f32f9f6387dcfa Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Sat, 2 Sep 2023 16:47:47 -0400
Subject: [PATCH 19/68] Adjust README.md to reflect `vars.yml` file

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index e3abf35..76579ef 100644
--- a/README.md
+++ b/README.md
@@ -44,11 +44,11 @@ To run this ansible playbook, you need to:
    You can use [the PGTune tool](https://pgtune.leopard.in.ua) to tune your postgres to meet your server memory and CPU.
 
-6. **Optional**: If you want to configure the pict-rs instance via environmental variables (EX, to configure it to use Amazon S3 for storage), copy the sample `pictrs.yml` file into your `host_vars//pictrs.yml`:
+6. Copy the sample `vars.yml` file
 
-   `cp examples/pictrs.yml inventory/host_vars//pictrs.yml`
+   `cp examples/vars.yml inventory/host_vars//vars.yml`
 
-   Edit the `inventory_host_vars//pictrs.yml` file to your liking.
+   Edit the `inventory/host_vars//vars.yml` file to your liking.
 
 7. Run the playbook:
From 2c9b9aac890da2170c4f5fb7a945e086f16b6091 Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Sat, 2 Sep 2023 19:50:41 -0400
Subject: [PATCH 20/68] Fix incorrect/inconsistent usage of `proxy_set_header` in nginx_internal.conf

- Distribute proxy_params to nginx VM, include it as necessary in config
- Resolves #155
---
 files/proxy_params | 4 ++++
 lemmy-almalinux.yml | 10 ++++++++++
 lemmy.yml | 8 ++++++++
 templates/docker-compose.yml | 1 +
 templates/nginx_internal.conf | 5 ++---
 5 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 files/proxy_params

diff --git a/files/proxy_params b/files/proxy_params
new file mode 100644
index 0000000..11c0f2c
--- /dev/null
+++ b/files/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
\ No newline at end of file
diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml
index 1d48d96..32a4355 100644
--- a/lemmy-almalinux.yml
+++ b/lemmy-almalinux.yml
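Review bot: `proxy_set_header Host $http_host;` on the first added line of files/proxy_params changes what the backend sees compared with the `proxy_set_header Host $host;` this commit removes from templates/nginx_internal.conf: `$http_host` is the raw client header (including any port), while `$host` is normalised and falls back to `server_name`; if Lemmy builds URLs from the Host header, confirm this is intended or keep `$host`. `X-Forwarded-For $proxy_add_x_forwarded_for` appends to any X-Forwarded-For the client already sent, so a backend that trusts the first entry sees a client-chosen address — fine here only because this nginx sits behind the host nginx, and worth a comment `# appends to any client-supplied X-Forwarded-For; only the last hop is trustworthy`. The file also lacks a trailing newline.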
@@ -157,6 +157,16 @@
         - configs
         - postgresql
 
+    - name: Distribute nginx proxy_params configuration
+      ansible.builtin.copy:
+        src: files/proxy_params
+        dest: "{{ lemmy_base_dir }}/{{ domain }}/proxy_params"
+        owner: root
+        group: root
+        mode: "0644"
+      tags:
+        - nginx
+
     - name: Distribute nginx site templates
       ansible.builtin.template:
         src: "{{ item.src }}"
diff --git a/lemmy.yml b/lemmy.yml
index d23831f..6483705 100644
--- a/lemmy.yml
+++ b/lemmy.yml
@@ -113,6 +113,14 @@
       - set_fact:
           lemmy_port: "{{ 32767 |random(start=1024) }}"
 
+      - name: Distribute nginx proxy_params configuration
+        ansible.builtin.copy:
+          src: files/proxy_params
+          dest: "{{ lemmy_base_dir }}/{{ domain }}/proxy_params"
+          owner: root
+          group: root
+          mode: "0644"
+
       - name: add template files
         template:
           src: "{{item.src}}"
diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
index fe047f6..87edf1a 100644
--- a/templates/docker-compose.yml
+++ b/templates/docker-compose.yml
@@ -16,6 +16,7 @@ services:
       - "{{ lemmy_port }}:8536"
     volumes:
       - ./nginx_internal.conf:/etc/nginx/nginx.conf:ro,Z
+      - ./proxy_params:/etc/nginx/proxy_params:ro,Z
     restart: always
     logging: *default-logging
     depends_on:
diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf
index 89274b7..396d389 100644
--- a/templates/nginx_internal.conf
+++ b/templates/nginx_internal.conf
@@ -59,9 +59,7 @@ http {
         client_max_body_size 20M;
 
         # Send actual client IP upstream
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        include proxy_params;
 
         # frontend general requests
         location / {
@@ -79,6 +77,7 @@ http {
             proxy_pass "http://lemmy";
 
             # proxy common stuff
+            include proxy_params;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
From fb65a1444893658258310447e0d8c503c10a4a9e Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Mon, 4 Sep 2023 06:09:08 -0400
Subject: [PATCH 21/68] Adjust paths to be consistent with documentation (#162)

---
 lemmy-almalinux.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml
index 1d48d96..54da9b5 100644
--- a/lemmy-almalinux.yml
+++ b/lemmy-almalinux.yml
@@ -13,7 +13,7 @@
       ansible.builtin.command: nginx -s reload
   vars:
     lemmy_port: "{{ 32767 | random(start=1024) }}"
-    postgres_password: "{{ lookup('password', 'host_vars/{{ domain }}/passwords/postgres chars=ascii_letters,digits') }}"
+    postgres_password: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/postgres chars=ascii_letters,digits') }}"
   tasks:
     - name: Ensure target system is >= EL9
       ansible.builtin.fail:
@@ -135,7 +135,7 @@
     - name: Add the config.hjson
       ansible.builtin.template:
         #src: "templates/{{ domain }}/config.hjson"
-        src: "host_vars/{{ domain }}/config.hjson"
+        src: "inventory/host_vars/{{ domain }}/config.hjson"
         dest: "{{ lemmy_base_dir }}/{{ domain }}/lemmy.hjson"
         mode: "0600"
         owner: "1000" # Match UID in container
@@ -148,7 +148,7 @@
     - name: Add the customPostgresql.conf
       ansible.builtin.template:
         #src: "files/{{ domain }}/customPostgresql.conf"
-        src: "host_vars/{{ domain }}/customPostgresql.conf"
+        src: "inventory/host_vars/{{ domain }}/customPostgresql.conf"
         dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf"
         mode: "0600"
         owner: "1000" # Match UID in container
From 62972fedfdf27150050285052202900f18529970 Mon Sep 17 00:00:00 2001
From: Dessalines
Date: Mon, 4 Sep 2023 06:10:23 -0400
Subject: [PATCH 22/68] Adding CODEOWNERS (#158)

---
 .github/CODEOWNERS | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/CODEOWNERS

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..5040830
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @Nutomic @dessalines @codyro
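Review bot: The corrected lookup in the first lemmy-almalinux.yml hunk reads `inventory/host_vars/{{ domain }}/passwords/postgres`, whereas examples/vars.yml (patch 16 earlier in this series) reads `.../passwords/postgres.psk` for the same `postgres_password`, so the Debian/Ubuntu playbook and the EL playbook would store the generated secret under different file names. This hunk is also based on index `1d48d96`, the tree from before patch 16 removed this play-level `vars:` entry, so it appears to reintroduce a definition that was meant to move to vars.yml; since play `vars:` take precedence over inventory host_vars, a host that has copied vars.yml would silently keep using this one. Pick one file name (and one place of definition) for both playbooks.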
From 459d24f2dac33ba59eb109f891ce9c42539be74d Mon Sep 17 00:00:00 2001
From: Dessalines
Date: Mon, 4 Sep 2023 14:55:19 -0400
Subject: [PATCH 23/68] Adding ticoombs to codeowners. (#163)

---
 .github/CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 5040830..c01a677 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-* @Nutomic @dessalines @codyro
+* @Nutomic @dessalines @codyro @ticoombs
From ed7089c9c5d3f0cdaa8c9e23c5f8ca872d293495 Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Mon, 4 Sep 2023 15:34:48 -0400
Subject: [PATCH 24/68] Remove legacy headers as per @Nutomic

- Old headers were for websocket, which is now gone
- Refs https://nginx.org/en/docs/http/websocket.html
---
 templates/nginx_internal.conf | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf
index 396d389..87754c5 100644
--- a/templates/nginx_internal.conf
+++ b/templates/nginx_internal.conf
@@ -76,11 +76,8 @@ http {
         location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
             proxy_pass "http://lemmy";
 
-            # proxy common stuff
+            # Send actual client IP upstream
             include proxy_params;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
         }
     }
 }
From 03a2817d7b69f4777b400207bf6846af827961a9 Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Mon, 4 Sep 2023 15:55:11 -0400
Subject: [PATCH 25/68] Clean up unnecessary whitespace control in Jinja2 tags

---
 templates/docker-compose.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
index f7739f5..e7a0d42 100644
--- a/templates/docker-compose.yml
+++ b/templates/docker-compose.yml
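Review bot: Removing `proxy_http_version 1.1;` together with the `Upgrade`/`Connection` headers in the nginx_internal.conf hunk also reverts the backend connection to nginx's default HTTP/1.0, which is independent of websockets and not mentioned in the commit message. That is harmless unless an `upstream` block with `keepalive` is relied on (none is visible in this hunk), but if HTTP/1.1 to the backend was wanted, keep `proxy_http_version 1.1;` and drop only the two `proxy_set_header` lines. The surrounding `server {` block begins above the hunk.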
@@ -56,10 +56,10 @@ services:
       # entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -p /mnt -m 4 --image-format webp
       environment:
 {% if pictrs_env_vars is defined and pictrs_env_vars|length > 0 %}
-{%- for item in pictrs_env_vars %}
-{%- for key, value in item.items() %}
+{% for item in pictrs_env_vars %}
+{% for key, value in item.items() %}
       - {{ key }}={{ value }}
-{% endfor -%}
+{% endfor %}
 {% endfor %}
 {% endif %}
     user: 991:991
From 78af02b5e83bc815e549587bb22952256363fc23 Mon Sep 17 00:00:00 2001
From: Dessalines
Date: Sun, 10 Sep 2023 08:34:11 -0400
Subject: [PATCH 26/68] Fix nginx connect 111 error. (#165)

---
 templates/nginx_internal.conf | 20 +++++--------------
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf
index 87754c5..2922645 100644
--- a/templates/nginx_internal.conf
+++ b/templates/nginx_internal.conf
@@ -21,29 +21,19 @@ http {
     # Learn more about nginx maps here http://nginx.org/en/docs/http/ngx_http_map_module.html
     map "$request_method:$http_accept" $proxpass {
         # If no explicit matches exists below, send traffic to lemmy-ui
-        default "http://lemmy-ui";
+        default "http://lemmy-ui:1234";
 
         # GET/HEAD requests that accepts ActivityPub or Linked Data JSON should go to lemmy.
         #
         # These requests are used by Mastodon and other fediverse instances to look up profile information,
         # discover site information and so on.
-        "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://lemmy";
+        "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://lemmy:8536";
 
         # All non-GET/HEAD requests should go to lemmy
         #
         # Rather than calling out POST, PUT, DELETE, PATCH, CONNECT and all the verbs manually
         # we simply negate the GET|HEAD pattern from above and accept all possibly $http_accept values
-        "~^(?!(GET|HEAD)).*:" "http://lemmy";
-    }
-
-    upstream lemmy {
-        # this needs to map to the lemmy (server) docker service hostname
-        server "lemmy:8536";
-    }
-
-    upstream lemmy-ui {
-        # this needs to map to the lemmy-ui docker service hostname
-        server "lemmy-ui:1234";
+        "~^(?!(GET|HEAD)).*:" "http://lemmy:8536";
     }
 
     server {
@@ -69,12 +59,12 @@ http {
 
         # security.txt
         location = /.well-known/security.txt {
-            proxy_pass "http://lemmy-ui";
+            proxy_pass "http://lemmy-ui:1234";
         }
 
         # backend
         location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
-            proxy_pass "http://lemmy";
+            proxy_pass "http://lemmy:8536";
 
             # Send actual client IP upstream
             include proxy_params;
From 1fa49a22dcb8feac9293acacef930f745e727a45 Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Sun, 10 Sep 2023 19:52:34 -0400
Subject: [PATCH 27/68] Fix inventory path

---
 lemmy-almalinux.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml
index a4a9c0a..28f88ff 100644
--- a/lemmy-almalinux.yml
+++ b/lemmy-almalinux.yml
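Review bot: With the two `upstream` blocks deleted in the first hunk, the `$proxpass` map now yields bare `http://lemmy-ui:1234` / `http://lemmy:8536` values; wherever `$proxpass` feeds a `proxy_pass` (presumably the `location /` block, which is outside this hunk), nginx no longer finds a matching upstream and has to resolve the hostname at request time, which requires a `resolver` directive or it answers 502 with "no resolver defined". If that is the case, either keep the `upstream lemmy { server lemmy:8536; }` / `upstream lemmy-ui { server lemmy-ui:1234; }` blocks (the literal `proxy_pass` lines in the second hunk do not need them) or add a resolver for the container network, e.g. `resolver 127.0.0.11 valid=10s;` (constructed example for Docker's embedded DNS — confirm for podman). The service host:port pairs are now repeated in four places, so a comment such as `# must match the docker-compose service names and ports` next to the map would help the next edit.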
@@ -134,7 +134,7 @@
     - name: Add the config.hjson
       ansible.builtin.template:
         #src: "templates/{{ domain }}/config.hjson"
-        src: "host_vars/{{ domain }}/config.hjson"
+        src: "inventory/host_vars/{{ domain }}/config.hjson"
         dest: "{{ lemmy_base_dir }}/{{ domain }}/lemmy.hjson"
         mode: "0600"
         owner: "1000" # Match UID in container
@@ -147,7 +147,7 @@
     - name: Add the customPostgresql.conf
       ansible.builtin.template:
         #src: "files/{{ domain }}/customPostgresql.conf"
-        src: "host_vars/{{ domain }}/customPostgresql.conf"
+        src: "inventory/host_vars/{{ domain }}/customPostgresql.conf"
         dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf"
         mode: "0600"
         owner: "1000" # Match UID in container
From 701cb509a14dc42a5b64eb9654cee7541f823bcc Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Sun, 10 Sep 2023 20:24:49 -0400
Subject: [PATCH 28/68] Move other env vars to vars.yml

---
 examples/vars.yml | 14 +++++++++++++-
 templates/docker-compose.yml | 36 ++++++++++++++++++++++++++++--------
 2 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/examples/vars.yml b/examples/vars.yml
index fb21cac..25833d8 100644
--- a/examples/vars.yml
+++ b/examples/vars.yml
@@ -20,6 +20,18 @@ pictrs_env_vars:
 # - PICTRS__STORE__ACCESS_KEY: ''
 # - PICTRS__STORE__SECRET_KEY: ''
 
+postgres_env_vars:
+  - POSTGRES_USER: lemmy
+  - POSTGRES_PASSWORD: "{{ postgres_password }}"
+  - POSTGRES_DB: lemmy
 
+lemmy_env_vars:
+  - RUST_LOG: warn
 
-
\ No newline at end of file
+lemmyui_env_vars:
+  - LEMMY_UI_LEMMY_INTERNAL_HOST: lemmy:8536
+  - LEMMY_UI_LEMMY_EXTERNAL_HOST: "{{ domain }}"
+  - LEMMY_UI_HTTPS: true
+
+postfix_env_vars:
+  - POSTFIX_myhostname: "{{ domain }}"
diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
index e7a0d42..704935e 100644
--- a/templates/docker-compose.yml
+++ b/templates/docker-compose.yml
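Review bot: `LEMMY_UI_HTTPS: true` in the examples/vars.yml hunk is a YAML boolean, and the docker-compose template renders each entry as `{{ key }}={{ value }}`, so the container receives `LEMMY_UI_HTTPS=True` instead of the `LEMMY_UI_HTTPS=true` the removed compose line set; if lemmy-ui compares the string literally, HTTPS handling silently changes. Quote it as `- LEMMY_UI_HTTPS: "true"`, and add `# quote booleans and numbers-with-leading-zeros: values are rendered verbatim into docker-compose.yml` above the lists so the same trap is avoided for the commented `PICTRS__STORE__USE_PATH_STYLE: false`.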
@@ -28,7 +28,13 @@ services:
     restart: always
     logging: *default-logging
     environment:
-      - RUST_LOG="warn"
+{% if lemmy_env_vars is defined and lemmy_env_vars|length > 0 %}
+{% for item in lemmy_env_vars %}
+{% for key, value in item.items() %}
+      - {{ key }}={{ value }}
+{% endfor %}
+{% endfor %}
+{% endif %}
     volumes:
       - ./lemmy.hjson:/config/config.hjson:Z
     depends_on:
@@ -38,9 +44,13 @@ services:
   lemmy-ui:
     image: {{ lemmy_docker_ui_image }}
     environment:
-      - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
-      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
-      - LEMMY_UI_HTTPS=true
+{% if lemmyui_env_vars is defined and lemmyui_env_vars|length > 0 %}
+{% for item in lemmyui_env_vars %}
+{% for key, value in item.items() %}
+      - {{ key }}={{ value }}
+{% endfor %}
+{% endfor %}
+{% endif %}
     volumes:
       - ./volumes/lemmy-ui/extra_themes:/app/extra_themes
     depends_on:
@@ -76,9 +86,13 @@ services:
     image: docker.io/postgres:15-alpine
     hostname: postgres
     environment:
-      - POSTGRES_USER=lemmy
-      - POSTGRES_PASSWORD={{ postgres_password }}
-      - POSTGRES_DB=lemmy
+{% if postgres_env_vars is defined and postgres_env_vars|length > 0 %}
+{% for item in postgres_env_vars %}
+{% for key, value in item.items() %}
+      - {{ key }}={{ value }}
+{% endfor %}
+{% endfor %}
+{% endif %}
     volumes:
       - ./volumes/postgres:/var/lib/postgresql/data:Z
       - ./customPostgresql.conf:/etc/postgresql.conf
@@ -88,6 +102,12 @@ services:
   postfix:
     image: docker.io/mwader/postfix-relay
     environment:
-      - POSTFIX_myhostname={{ domain }}
+{% if postfix_env_vars is defined and postfix_env_vars|length > 0 %}
+{% for item in postfix_env_vars %}
+{% for key, value in item.items() %}
+      - {{ key }}={{ value }}
+{% endfor %}
+{% endfor %}
+{% endif %}
     restart: "always"
     logging: *default-logging
From 70eec4c2aaf40d2103933d7d73358972b3c2fd23 Mon Sep 17 00:00:00 2001
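Review bot: The `{% if postgres_env_vars is defined and postgres_env_vars|length > 0 %}` guard in the third hunk turns settings that were unconditional until now (`POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`) into optional ones: a host whose inventory has not had examples/vars.yml copied renders the postgres service with an empty `environment:` (a null value, which compose may reject outright) and the database cannot start, with nothing in the playbook output pointing at the cause. The lemmy-ui hunk has the same problem with `LEMMY_UI_LEMMY_INTERNAL_HOST`. For those two services drop the `is defined` half of the guard so a missing variable fails at template time, or add an `ansible.builtin.assert` on `postgres_env_vars is defined and lemmyui_env_vars is defined` before the template task; the lemmy and postfix lists are genuinely optional and can keep the guard.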
From: Richard Schwab
Date: Mon, 11 Sep 2023 00:15:11 +0200
Subject: [PATCH 29/68] Fix ansible-lint warnings

- add ansible-lint check to CI
- reformat playbooks to conform to strict ansible-lint checks
- set explicit modes for all files and directories created in playbook
- only ensure presence, not latest for packages installed by the playbook
---
 .woodpecker.yml | 5 ++
 lemmy-almalinux.yml | 61 ++++++++--------
 lemmy.yml | 165 ++++++++++++++++++++++++--------------------
 uninstall.yml | 75 ++++++++++----------
 4 files changed, 167 insertions(+), 139 deletions(-)

diff --git a/.woodpecker.yml b/.woodpecker.yml
index bd2dd73..f3c2418 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -10,3 +10,8 @@ pipeline:
       - ansible-playbook lemmy.yml --syntax-check
       - ansible-playbook lemmy-almalinux.yml --syntax-check
       - ansible-playbook uninstall.yml --syntax-check
+  ansible_lint:
+    image: alpine:3
+    commands:
+      - apk add ansible ansible-lint
+      - ansible-lint --warn-list experimental lemmy.yml lemmy-almalinux.yml uninstall.yml
diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml
index db71477..cf93146 100644
--- a/lemmy-almalinux.yml
+++ b/lemmy-almalinux.yml
@@ -1,16 +1,18 @@
 ---
-- hosts: all
+- name: Install Lemmy
+  hosts: all
   gather_facts: true
   pre_tasks:
     # This is not needed for this playbook as it predates its existence
     # But we're keeping it for funsies :)
-    - name: check lemmy_base_dir
+    - name: Check lemmy_base_dir
       ansible.builtin.fail:
         msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file."
       when: lemmy_base_dir is not defined
   handlers:
-    - name: reload nginx
+    - name: Reload nginx
       ansible.builtin.command: nginx -s reload
+      changed_when: true
   vars:
     lemmy_port: "{{ 32767 | random(start=1024) }}"
   tasks:
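Review bot: The new `ansible_lint` step installs `apk add ansible ansible-lint` on a floating `alpine:3` image, so the lint rule set (and therefore whether CI passes) changes whenever Alpine's package repo moves, with no change in this repository. Pin both so a red build always maps to a commit: `image: alpine:<MINOR_VERSION_PLACEHOLDER>` and `apk add ansible=<ANSIBLE_VERSION_PLACEHOLDER> ansible-lint=<ANSIBLE_LINT_VERSION_PLACEHOLDER>` (placeholders; take the values currently resolved by CI), or use the upstream ansible-lint container image with an explicit tag.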
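Review bot: Renaming the handler to `Reload nginx` in the lemmy-almalinux.yml hunk leaves the existing `notify: reload nginx` on the nginx site-template task (outside this hunk; visible as the removed line in the following patch) pointing at a name that no longer exists, since handler names are matched exactly, so nginx stops being reloaded after its config is templated. Either keep the old name or update the `notify:` in the same commit. The `changed_when: true` on a `nginx -s reload` handler is correct as a handler only ever runs when something changed.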
@@ -30,7 +32,7 @@
         mirrorlist: https://mirrors.almalinux.org/mirrorlist/$releasever/crb
         gpgcheck: true
         gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
-        enabled: yes
+        enabled: true
       tags:
         - dependencies
 
@@ -72,12 +74,14 @@
           - http
           - https
       when: "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'"
+      changed_when: true
       tags:
         - firewalld
 
     - name: Reload firewalld
       ansible.builtin.command: firewall-cmd --reload
       when: "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'"
+      changed_when: true
       tags:
         - firewalld
 
@@ -96,6 +100,7 @@
         path: "{{ item.path }}"
         owner: "{{ item.owner }}"
         state: directory
+        mode: "0755"
       loop:
         - path: "{{ lemmy_base_dir }}/{{ domain }}/"
           owner: "root"
@@ -106,7 +111,7 @@
 
     - name: Set lemmy_port fact
       ansible.builtin.set_fact:
-        lemmy_port: "{{ 32767 |random(start=1024) }}"
+        lemmy_port: "{{ 32767 | random(start=1024) }}"
       tags:
         - always
 
@@ -123,8 +128,8 @@
           dest: "{{ lemmy_base_dir }}/{{ domain }}/nginx_internal.conf"
           mode: "0644"
       vars:
-        lemmy_docker_image: "docker.io/dessalines/lemmy:{{ lemmy_version | default( lookup('file', 'VERSION') )}}"
-        lemmy_docker_ui_image: "docker.io/dessalines/lemmy-ui:{{ lemmy_ui_version | default(lemmy_version | default(lookup('file', 'VERSION')))}}"
+        lemmy_docker_image: "docker.io/dessalines/lemmy:{{ lemmy_version | default(lookup('file', 'VERSION')) }}"
+        lemmy_docker_ui_image: "docker.io/dessalines/lemmy-ui:{{ lemmy_ui_version | default(lemmy_version | default(lookup('file', 'VERSION'))) }}"
       tags:
         - docker
         - podman
@@ -133,7 +138,7 @@
     # to ensure documentation is accurate
     - name: Add the config.hjson
       ansible.builtin.template:
-        #src: "templates/{{ domain }}/config.hjson"
+        # src: "templates/{{ domain }}/config.hjson"
         src: "inventory/host_vars/{{ domain }}/config.hjson"
         dest: "{{ lemmy_base_dir }}/{{ domain }}/lemmy.hjson"
         mode: "0600"
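Review bot: `changed_when: true` on the two `firewall-cmd` tasks in the second hunk (the first task's command line sits above the hunk) silences the lint rule but makes both report "changed" on every run, so the play can never be idempotent and the recap no longer tells an operator whether the firewall was actually touched. Register the command result and derive the state from its output (`firewall-cmd --permanent --add-service` reports `ALREADY_ENABLED` when nothing changed — confirm whether that lands on stdout or stderr), or replace the commands with the `ansible.posix.firewalld` module, which reports changes correctly and makes the explicit `--reload` unnecessary. The same `changed_when: true` is added to `podman-compose pull` and `podman-compose up -d` in the hunks of the next chunk (-213 and -221); `up -d` is the one whose output could drive a real changed condition.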
@@ -146,7 +151,7 @@
     # to ensure documentation is accurate
     - name: Add the customPostgresql.conf
       ansible.builtin.template:
-        #src: "files/{{ domain }}/customPostgresql.conf"
+        # src: "files/{{ domain }}/customPostgresql.conf"
         src: "inventory/host_vars/{{ domain }}/customPostgresql.conf"
         dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf"
         mode: "0600"
@@ -180,31 +185,31 @@
         - nginx
 
     # TODO: Check if this is necessary with EL & podman
-    #- name: Copy docker config
-    #  ansible.builtin.copy:
-    #    src: "{{ ansible_playbook }}/files/docker-daemon.json"
-    #    dest: /etc/docker/daemon.json
-    #    mode: '0644'
+    # - name: Copy docker config
+    #   ansible.builtin.copy:
+    #     src: "{{ ansible_playbook }}/files/docker-daemon.json"
+    #     dest: /etc/docker/daemon.json
+    #     mode: '0644'
 
     # TODO: podman-compose should wrap this safely
     # TODO: This was an incorrect assumption, module uses docker python module, not cli
-    #- name: Run podman-compose
-    #  docker_compose:
-    #    project_src: "{{ lemmy_base_dir }}/{{ domain }}"
-    #    state: present
-    #    pull: yes
-    #    remove_orphans: yes
-    #  tags:
-    #    - docker
-    #    - docker_compose
-    #    - podman
-    #    - podman_compose
+    # - name: Run podman-compose
+    #   docker_compose:
+    #     project_src: "{{ lemmy_base_dir }}/{{ domain }}"
+    #     state: present
+    #     pull: yes
+    #     remove_orphans: yes
+    #   tags:
+    #     - docker
+    #     - docker_compose
+    #     - podman
+    #     - podman_compose
 
     - name: Start and enable podman service
       ansible.builtin.systemd:
         name: podman.service
         state: started
-        enabled: yes
+        enabled: true
       tags:
         - docker
         - podman
@@ -213,6 +218,7 @@
       ansible.builtin.command: podman-compose pull
       args:
         chdir: "{{ lemmy_base_dir }}/{{ domain }}"
+      changed_when: true
       tags:
         - docker
         - podman
@@ -221,6 +227,7 @@
       ansible.builtin.command: podman-compose up -d
       args:
         chdir: "{{ lemmy_base_dir }}/{{ domain }}"
+      changed_when: true
       tags:
         - docker
         - podman
@@ -239,7 +246,7 @@
       ansible.builtin.systemd:
         name: certbot-renew.timer
         state: started
-        enabled: yes
+        enabled: true
       tags:
         - certbot
         - ssl
diff --git a/lemmy.yml b/lemmy.yml
index f933550..1f20e45 100644
--- a/lemmy.yml
+++ b/lemmy.yml
@@ -1,35 +1,37 @@
 ---
-- hosts: all
+- name: Install Lemmy
+  hosts: all
   # Install python if required
   # https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/
-  gather_facts: False
+  gather_facts: false
   pre_tasks:
-    - name: check lemmy_base_dir
-      fail:
+    - name: Check lemmy_base_dir
+      ansible.builtin.fail:
         msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file."
       when: lemmy_base_dir is not defined
 
     - name: Install python for Ansible
       # python2-minimal instead of python-minimal for ubuntu 20.04 and up
-      raw: test -e /usr/bin/python || test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal python3-setuptools)
+      ansible.builtin.raw: test -e /usr/bin/python || test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal python3-setuptools)
       args:
         executable: /bin/bash
       register: output
       changed_when: output.stdout != ''
 
-    - setup: # gather facts
+    - name: Gather facts
+      ansible.builtin.setup:
 
   tasks:
     - name: Install aptitude
-      apt:
+      ansible.builtin.apt:
         name: aptitude
-        state: latest
+        state: present
         update_cache: true
 
-    - name: install dependencies
-      apt:
-        state: latest
+    - name: Install dependencies
+      ansible.builtin.apt:
+        state: present
         update_cache: true
         pkg:
           - "nginx"
@@ -48,18 +50,18 @@
       when: ansible_distribution == 'Ubuntu' and ansible_distribution_version < '22.04'
       block:
         - name: Add Docker GPG apt Key
-          apt_key:
+          ansible.builtin.apt_key:
             url: https://download.docker.com/linux/ubuntu/gpg
             state: present
 
         - name: Add Docker Repository
-          apt_repository:
+          ansible.builtin.apt_repository:
             repo: deb https://download.docker.com/linux/ubuntu focal stable
             state: present
 
     - name: Get architecture using dpkg
       when: (ansible_distribution == 'Debian') or
         (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '22.04')
-      command: dpkg --print-architecture
+      ansible.builtin.command: dpkg --print-architecture
       register: dpkg_output
       changed_when: false
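Review bot: The Ubuntu < 22.04 branch still imports whatever `https://download.docker.com/linux/ubuntu/gpg` returns through `ansible.builtin.apt_key` with no integrity check, while the Debian / Ubuntu >= 22.04 branch in the next hunk pins the same key with `checksum: sha256:1500c1f5…`; the FQCN rewrite would be a good moment to bring the two in line, e.g. fetch the key with `ansible.builtin.get_url` plus the same `checksum:` into `/etc/apt/trusted.gpg.d/docker.asc` and drop the `apt_key` task. The enclosing `- name: Configure Docker apt repo for Ubuntu < 22.04` task begins above the hunk.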
@@ -71,47 +73,56 @@
         (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '22.04')
       block:
         - name: Download Docker GPG Key
-          get_url:
+          ansible.builtin.get_url:
             url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
             dest: /etc/apt/trusted.gpg.d/docker.asc
             checksum: sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
+            mode: "0644"
 
         - name: Add Docker apt repo
-          apt_repository:
-            repo: "deb [arch={{ dpkg_output.stdout }} signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
+          ansible.builtin.apt_repository:
+            repo: >-
+              deb [arch={{ dpkg_output.stdout }} signed-by=/etc/apt/trusted.gpg.d/docker.asc]
+              https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
             state: present
 
     - name: Install docker-ce and docker-compose
-      apt:
+      ansible.builtin.apt:
         name:
           - docker-ce
           - docker-compose
-        state: latest
+        state: present
         update_cache: true
 
-    - name: copy docker config
-      copy: src='../files/docker-daemon.json' dest='/etc/docker/daemon.json' mode='0644'
+    - name: Copy docker config
+      ansible.builtin.copy:
+        src: ../files/docker-daemon.json # noqa: no-relative-paths
+        dest: /etc/docker/daemon.json
+        mode: "0644"
 
-    - name: request initial letsencrypt certificate
-      command: certbot certonly --nginx --agree-tos --cert-name '{{ domain }}' -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
+    - name: Request initial letsencrypt certificate
+      ansible.builtin.command: certbot certonly --nginx --agree-tos --cert-name '{{ domain }}' -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
       args:
-        creates: "/etc/letsencrypt/live/{{domain}}/privkey.pem"
+        creates: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
 
-    - name: create lemmy folder
-      file:
-        path: "{{item.path}}"
-        owner: "{{item.owner}}"
+    - name: Create lemmy folder
+      ansible.builtin.file:
+        path: "{{ item.path }}"
+        owner: "{{ item.owner }}"
         state: directory
+        mode: "0755"
       with_items:
-        - path: "{{lemmy_base_dir}}/{{domain}}/"
+        - path: "{{ lemmy_base_dir }}/{{ domain }}/"
           owner: "root"
-        - path: "{{lemmy_base_dir}}/{{domain}}/volumes/"
+        - path: "{{ lemmy_base_dir }}/{{ domain }}/volumes/"
           owner: "root"
-        - path: "{{lemmy_base_dir}}/{{domain}}/volumes/pictrs/"
+        - path: "{{ lemmy_base_dir }}/{{ domain }}/volumes/pictrs/"
           owner: "991"
 
-    - block:
-        - set_fact:
-            lemmy_port: "{{ 32767 |random(start=1024) }}"
+    - name: Deploy configuration files
+      block:
+        - name: Generate random port for lemmy service
+          ansible.builtin.set_fact:
+            lemmy_port: "{{ 32767 | random(start=1024) }}"
 
         - name: Distribute nginx proxy_params configuration
           ansible.builtin.copy:
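Review bot: Switching `docker-ce`/`docker-compose` from `state: latest` to `state: present` means re-running the playbook no longer pulls security updates for the container runtime, and nothing in the playbook or inventory says who does now; add `# present, not latest: runtime upgrades are left to the host's unattended-upgrades / apt, rerunning the playbook will not update docker-ce` above the task so operators do not assume a rerun patches it. In the copy task, `src: ../files/docker-daemon.json # noqa: no-relative-paths` works only because `copy` searches `files/` first and `../files` resolves back into it; `src: docker-daemon.json` is the idiomatic form, drops the noqa, and matches `src: files/proxy_params` used elsewhere in this play. The `- name: Configure Docker apt repo for Debian or Ubuntu >= 22.04` task this hunk opens in begins above it.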
@@ -121,63 +132,64 @@
             group: root
             mode: "0644"
 
-        - name: add template files
-          template:
-            src: "{{item.src}}"
-            dest: "{{item.dest}}"
-            mode: "{{item.mode}}"
+        - name: Add template files
+          ansible.builtin.template:
+            src: "{{ item.src }}"
+            dest: "{{ item.dest }}"
+            mode: "{{ item.mode }}"
           with_items:
             - src: "templates/docker-compose.yml"
-              dest: "{{lemmy_base_dir}}/{{domain}}/docker-compose.yml"
+              dest: "{{ lemmy_base_dir }}/{{ domain }}/docker-compose.yml"
               mode: "0600"
             - src: "templates/nginx_internal.conf"
-              dest: "{{lemmy_base_dir}}/{{domain}}/nginx_internal.conf"
+              dest: "{{ lemmy_base_dir }}/{{ domain }}/nginx_internal.conf"
               mode: "0644"
             - src: "templates/nginx.conf"
-              dest: "/etc/nginx/sites-available/{{domain}}.conf"
+              dest: "/etc/nginx/sites-available/{{ domain }}.conf"
               mode: "0644"
           vars:
-            lemmy_docker_image: "dessalines/lemmy:{{ lemmy_version | default( lookup('file', 'VERSION') )}}"
-            lemmy_docker_ui_image: "dessalines/lemmy-ui:{{ lemmy_ui_version | default(lemmy_version | default(lookup('file', 'VERSION')))}}"
-
-    - block:
-        - name: gather stats on site enabled config
-          stat:
-            path: "/etc/nginx/sites-enabled/{{domain}}.conf"
+            lemmy_docker_image: "dessalines/lemmy:{{ lemmy_version | default(lookup('file', 'VERSION')) }}"
+            lemmy_docker_ui_image: "dessalines/lemmy-ui:{{ lemmy_ui_version | default(lemmy_version | default(lookup('file', 'VERSION'))) }}"
+
+    - name: Set up nginx sites-enabled symlink
+      block:
+        - name: Gather stats on site enabled config
+          ansible.builtin.stat:
+            path: "/etc/nginx/sites-enabled/{{ domain }}.conf"
           register: reg_enabled
 
-        - name: remove if regular file (legacy) instead of symlink
-          file:
-            path: "/etc/nginx/sites-enabled/{{domain}}.conf"
+        - name: Remove if regular file (legacy) instead of symlink
+          ansible.builtin.file:
+            path: "/etc/nginx/sites-enabled/{{ domain }}.conf"
             state: absent
           when: reg_enabled.stat.exists and reg_enabled.stat.isreg
 
-        - name: enable nginx site
-          file:
-            src: "../sites-available/{{domain}}.conf"
-            dest: "/etc/nginx/sites-enabled/{{domain}}.conf"
+        - name: Enable nginx site
+          ansible.builtin.file:
+            src: "../sites-available/{{ domain }}.conf"
+            dest: "/etc/nginx/sites-enabled/{{ domain }}.conf"
             state: link
 
-        - name: add the config.hjson
-          template:
-            src: "inventory/host_vars/{{domain}}/config.hjson"
-            dest: "{{lemmy_base_dir}}/{{domain}}/lemmy.hjson"
+        - name: Add the config.hjson
+          ansible.builtin.template:
+            src: "inventory/host_vars/{{ domain }}/config.hjson"
+            dest: "{{ lemmy_base_dir }}/{{ domain }}/lemmy.hjson"
             mode: "0600"
             owner: "1000"
             group: "1000"
 
-        - name: add the customPostgresql.conf
-          template:
-            src: "inventory/host_vars/{{domain}}/customPostgresql.conf"
-            dest: "{{lemmy_base_dir}}/{{domain}}/customPostgresql.conf"
+        - name: Add the customPostgresql.conf
+          ansible.builtin.template:
+            src: "inventory/host_vars/{{ domain }}/customPostgresql.conf"
+            dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf"
             mode: "0600"
             owner: "1000"
             group: "1000"
 
-        - name: enable and start docker service
-          systemd:
+        - name: Enable and start docker service
+          ansible.builtin.systemd:
             name: docker
-            enabled: yes
+            enabled: true
             state: started
 
     # - name: Change the working directory to /opt
@@ -187,18 +199,19 @@
     #   register: shell_output
     # - debug: var=shell_output
 
-    - name: start docker-compose
-      docker_compose:
-        project_src: "{{lemmy_base_dir}}/{{domain}}"
+    - name: Start docker-compose
+      community.docker.docker_compose:
+        project_src: "{{ lemmy_base_dir }}/{{ domain }}"
         state: present
-        pull: yes
-        remove_orphans: yes
+        pull: true
+        remove_orphans: true
 
-    - name: reload nginx with new config
-      shell: nginx -s reload
+    - name: Reload nginx with new config
+      ansible.builtin.command: nginx -s reload
+      changed_when: true
 
-    - name: certbot renewal cronjob
-      cron:
+    - name: Certbot renewal cronjob
+      ansible.builtin.cron:
         special_time: daily
         name: certbot-renew-lemmy
         user: root
diff --git a/uninstall.yml b/uninstall.yml
index 4280d87..d19f71f 100644
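Review bot: `community.docker.docker_compose` in the second hunk is the FQCN of the module that drives the Python docker-compose v1 library (what the old short name resolved to), which the community.docker collection has been deprecating in favour of `community.docker.docker_compose_v2`; confirm which collection version the controller is expected to have and, if the repository has no `requirements.yml`, add one that pins `community.docker` so `ansible-galaxy collection install -r requirements.yml` reproduces CI. Independently, `Reload nginx with new config` with `changed_when: true` reloads nginx unconditionally on every run; the `Reload nginx` handler that lemmy-almalinux.yml already has (first hunk of this commit) plus `notify: Reload nginx` on the nginx template task would reload only when the config actually changed. The `- name: Set up nginx sites-enabled symlink` block this hunk rewrites ends inside the hunk; the preceding `Deploy configuration files` block begins above it.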
--- a/uninstall.yml
+++ b/uninstall.yml
@@ -1,49 +1,52 @@
 ---
-- hosts: all
+- name: Uninstall Lemmy
+  hosts: all
   vars_prompt:
     - name: confirm_uninstall
       prompt: "Do you really want to uninstall Lemmy? This will delete all data and can not be reverted [yes/no]"
-      private: no
+      private: false
     - name: delete_certs
       prompt: "Delete certificates? Select 'no' if you want to reinstall Lemmy [yes/no]"
-      private: no
+      private: false
     - name: stop_disable_nginx
       prompt: "Do you want to stop/disable nginx? [yes/no]"
-      private: no
+      private: false
     - name: stop_disable_docker_podman
       prompt: "Do you want to stop/disable Docker/podman? [yes/no]"
-      private: no
+      private: false
   tasks:
-    - name: end play if no confirmation was given
-      debug:
+    - name: Inform about cancellation if no confirmation was given
+      ansible.builtin.debug:
         msg: "Uninstall cancelled, doing nothing"
-      when: not confirm_uninstall|bool
+      when: not confirm_uninstall | bool
 
-    - meta: end_play
-      when: not confirm_uninstall|bool
+    - name: End play if no confirmation was given
+      ansible.builtin.meta: end_play
+      when: not confirm_uninstall | bool
 
-    # Ubuntu specific uninstallation steps
-    - block:
-        - name: stop docker-compose
-          docker_compose:
-            project_src: "{{lemmy_base_dir}}/{{domain}}"
+    - name: Run Ubuntu specific uninstallation steps
+      when: ansible_distribution == "Ubuntu"
+      block:
+        - name: Stop docker-compose
+          community.docker.docker_compose:
+            project_src: "{{ lemmy_base_dir }}/{{ domain }}"
             state: absent
 
-        - name: delete data
-          file:
-            path: "{{item.path}}"
+        - name: Delete data
+          ansible.builtin.file:
+            path: "{{ item.path }}"
             state: absent
           with_items:
-            - path: "{{lemmy_base_dir}}/{{domain}}"
-            - path: "/etc/nginx/sites-enabled/{{domain}}.conf"
+            - path: "{{ lemmy_base_dir }}/{{ domain }}"
+            - path: "/etc/nginx/sites-enabled/{{ domain }}.conf"
 
-        - name: remove certbot cronjob
-          cron:
+        - name: Remove certbot cronjob
+          ansible.builtin.cron:
             name: certbot-renew-lemmy
             state: absent
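Review bot: The Ubuntu block's condition, moved to `when: ansible_distribution == "Ubuntu"` on the new block task, still excludes Debian, although lemmy.yml installs on Debian as well (its Docker repo tasks test `ansible_distribution == 'Debian'`), so on a Debian host this playbook prompts for confirmation, then neither stops the compose project nor deletes any data and exits looking successful. The condition was already Ubuntu-only before this commit, but since the line is being rewritten it is the moment to make it `when: ansible_distribution in ['Debian', 'Ubuntu']`. A `# Debian/Ubuntu (docker-compose) uninstall; EL/podman hosts are handled by the block below` comment would also document why there are two blocks; the block continues past the hunk.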
@@ -51,44 +54,44 @@ ansible.builtin.systemd: name: docker.service state: stopped - enabled: no - when: stop_disable_docker_podman|bool - when: ansible_distribution == "Ubuntu" + enabled: false + when: stop_disable_docker_podman | bool - # EL specific uninstallation steps - - block: + - name: Run EL specific uninstallation steps + when: + - ansible_distribution in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] + - ansible_distribution_major_version | int >= 9 + block: - name: Stop and remove containers ansible.builtin.command: podman-compose down args: chdir: "{{ lemmy_base_dir }}/{{ domain }}" + changed_when: true - name: Delete Lemmy data ansible.builtin.file: path: "{{ item.path }}" state: absent loop: - - path: "{{lemmy_base_dir}}/{{ domain }}" + - path: "{{ lemmy_base_dir }}/{{ domain }}" - path: "/etc/nginx/conf.d/{{ domain }}.conf" - name: Stop and disable certbot-renew.timer ansible.builtin.systemd: name: certbot-renew.timer state: stopped - enabled: no + enabled: false - name: Stop and disable podman ansible.builtin.systemd: name: podman.service state: stopped - enabled: no - when: stop_disable_docker_podman|bool - when: - - ansible_distribution in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] - - ansible_distribution_major_version | int >= 9 + enabled: false + when: stop_disable_docker_podman | bool - name: Stop and disable nginx ansible.builtin.systemd: name: nginx.service state: stopped - enabled: no - when: stop_disable_nginx|bool + enabled: false + when: stop_disable_nginx | bool From 8503e65bc2e185b039abc0377ddd992e7c2c49a2 Mon Sep 17 00:00:00 2001 
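Review bot: `delete_certs` is prompted for in the first hunk but I do not see it consumed anywhere in the two uninstall.yml hunks, which between them cover almost the whole file; if nothing reads it, the operator's answer has no effect and the prompt text promises a certificate deletion (or retention) that the play does not act on. Either add the task the prompt implies (remove the `/etc/letsencrypt/live/{{ domain }}` material only when `delete_certs | bool`) or drop the prompt so the play does not misstate what it does. The EL block's `podman-compose down` with `changed_when: true` is fine for a teardown, but a one-line comment `# teardown is never idempotent; always report changed` would explain the override to the next reader.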
From: Cody Robertson Date: Tue, 12 Sep 2023 16:57:21 -0400 Subject: [PATCH 30/68] Fix change that broke notify/reload, update nginx handler (#167) * Fix change that broke notify/reload - Update handler to use ansible.builtin.systemd module * Clean up `lemmy.yml` a bit more - Use `loop` instead of `with_items` - Use a handler & systemd module to handle nginx reloads - Refs #166 changes suggested by @sanatsathaye * Move `notify` key higher to satiate `ansible-lint` --- lemmy-almalinux.yml | 7 ++++--- lemmy.yml | 17 ++++++++++------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index cf93146..3cd7874 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml @@ -11,8 +11,9 @@ when: lemmy_base_dir is not defined handlers: - name: Reload nginx - ansible.builtin.command: nginx -s reload - changed_when: true + ansible.builtin.systemd: + name: nginx + state: reloaded vars: lemmy_port: "{{ 32767 | random(start=1024) }}" tasks: @@ -180,7 +181,7 @@ - src: "templates/nginx.conf" dest: "/etc/nginx/conf.d/{{ domain }}.conf" mode: "0644" - notify: reload nginx + notify: Reload nginx tags: - nginx diff --git a/lemmy.yml b/lemmy.yml index 1f20e45..293187b 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -21,7 +21,11 @@ - name: Gather facts ansible.builtin.setup: - + handlers: + - name: Reload nginx + ansible.builtin.systemd: + name: nginx + state: reloaded tasks: - name: Install aptitude ansible.builtin.apt: @@ -110,7 +114,7 @@ owner: "{{ item.owner }}" state: directory mode: "0755" - with_items: + loop: - path: "{{ lemmy_base_dir }}/{{ domain }}/" owner: "root" - path: "{{ lemmy_base_dir }}/{{ domain }}/volumes/" 
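Review bot: The new `Reload nginx` handler is matched against `notify:` values case-sensitively, which is exactly what the `@@ -180` hunk of lemmy-almalinux.yml repairs by changing `notify: reload nginx` to `notify: Reload nginx`; a comment above the handler would keep the next edit from repeating the breakage: `# Handler names are case-sensitive; every notify must read exactly "Reload nginx"`. Handlers also run only at the end of the play (or at a `meta: flush_handlers`), so if a task after the template change fails, nginx keeps serving the old configuration until the next successful run unless the play is invoked with `--force-handlers`; that is a behaviour change from the unconditional `nginx -s reload` this series replaces and is worth a sentence in the handler comment. The `@@ -110` hunk's `with_items` to `loop` swap is safe here because the items are mappings, not nested lists.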
@@ -131,13 +135,14 @@ owner: root group: root mode: "0644" + notify: Reload nginx - name: Add template files ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: "{{ item.mode }}" - with_items: + loop: - src: "templates/docker-compose.yml" dest: "{{ lemmy_base_dir }}/{{ domain }}/docker-compose.yml" mode: "0600" @@ -147,11 +152,13 @@ - src: "templates/nginx.conf" dest: "/etc/nginx/sites-available/{{ domain }}.conf" mode: "0644" + notify: Reload nginx vars: lemmy_docker_image: "dessalines/lemmy:{{ lemmy_version | default(lookup('file', 'VERSION')) }}" lemmy_docker_ui_image: "dessalines/lemmy-ui:{{ lemmy_ui_version | default(lemmy_version | default(lookup('file', 'VERSION'))) }}" - name: Set up nginx sites-enabled symlink + notify: Reload nginx block: - name: Gather stats on site enabled config ansible.builtin.stat: @@ -206,10 +213,6 @@ pull: true remove_orphans: true - - name: Reload nginx with new config - ansible.builtin.command: nginx -s reload - changed_when: true - - name: Certbot renewal cronjob ansible.builtin.cron: special_time: daily From 6aaf939064c8cce7a75bcea2f1eb14ec412ae366 Mon Sep 17 00:00:00 2001 From: Sanat Sathaye Date: Wed, 13 Sep 2023 17:02:43 +0530 Subject: [PATCH 31/68] Fix path to docker-daemon.json --- lemmy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemmy.yml b/lemmy.yml index 293187b..be16606 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -99,7 +99,7 @@ - name: Copy docker config ansible.builtin.copy: - src: ../files/docker-daemon.json # noqa: no-relative-paths + src: files/docker-daemon.json dest: /etc/docker/daemon.json mode: "0644" From 0852352d73928cf7a8c37ad3bbe7b1364a6b8307 Mon Sep 17 00:00:00 2001 
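Review bot: `notify: Reload nginx` on `Add template files` applies to the whole loop, so a change to `templates/docker-compose.yml` (the first loop item, in the preceding hunk) also reloads nginx although nginx does not read that file; the reload is harmless but fires for the wrong reason and hides which file actually changed. If that matters, render the nginx site in its own template task carrying the notify and leave the compose template without one. The `Add template files` task begins in the `@@ -131` hunk and its notify lands in `@@ -147`, and the `Set up nginx sites-enabled symlink` block that starts there continues past the hunk.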
From: Cody Robertson Date: Thu, 14 Sep 2023 14:01:40 -0400 Subject: [PATCH 32/68] Update `Upgrading` section, add basic sanity checks for old files and give warnings --- README.md | 3 +++ lemmy-almalinux.yml | 28 ++++++++++++++++++++++++++++ lemmy.yml | 28 ++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+) diff --git a/README.md b/README.md index 76579ef..1ad5a2e 100644 --- a/README.md +++ b/README.md @@ -74,6 +74,9 @@ To run this ansible playbook, you need to: - Run `git pull` - Check out the [Lemmy Releases Changelog](https://github.com/LemmyNet/lemmy/blob/main/RELEASES.md) to see if there are any config changes with the releases since your last. +- When upgrading from older versions these playbooks, you will need to do the following: + * Rename `inventory/host_vars/{{ domain }}/passwords/postgres` file to `inventory/host_vars/{{ domain }}/passwords/postgres.psk` + * Copy the `examples/vars.yml` file to `inventory/host_vars/{{ domain }}/vars.yml` - Run `ansible-playbook -i inventory/hosts lemmy.yml --become` ## Migrating your existing install to use this deploy diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index cf93146..bf99bdd 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml 
@@ -9,6 +9,34 @@ ansible.builtin.fail: msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file." when: lemmy_base_dir is not defined + + - name: Check for legacy passwords/postgres file + delegate_to: localhost + ansible.builtin.stat: + path: "inventory/host_vars/{{ domain }}/passwords/postgres" + register: postgres_password_file + + - name: Legacy use of passwords/postgres file + delegate_to: localhost + ansible.builtin.fail: + msg: >- + In current versions of the Lemmy Ansible playbooks, the passwords/postgres file must be renamed to passwords/postgres.psk. + See https://github.com/LemmyNet/lemmy-ansible#upgrading + when: postgres_password_file.stat.exists + + - name: Check for vars.yml file + delegate_to: localhost + ansible.builtin.stat: + path: "inventory/host_vars/{{ domain }}/vars.yml" + register: vars_file + + - name: Missing vars.yml file + delegate_to: localhost + ansible.builtin.fail: + msg: >- + Missing vars.yml file, please refer to the installations instructions. See https://github.com/LemmyNet/lemmy-ansible#install + and https://github.com/LemmyNet/lemmy-ansible#upgrading" + when: not vars_file.stat.exists handlers: - name: Reload nginx ansible.builtin.command: nginx -s reload diff --git a/lemmy.yml b/lemmy.yml index 1f20e45..15fd5f4 100644 --- a/lemmy.yml +++ b/lemmy.yml 
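Review bot: The four localhost checks use `delegate_to: localhost` without `become: false`, so when the playbook is run with `--become` (as the README hunk in this series instructs) the `stat` and `fail` tasks are executed through sudo on the operator's own machine, which prompts for or fails on a local sudo password and is unnecessary for reading files in the repository; add `become: false` to each delegated task. The `Missing vars.yml file` message in this hunk ends with a stray `"` after `#upgrading` inside the `>-` scalar, which is printed literally, and the same stray quote appears in the `Legacy use of passwords/postgres file` message of the lemmy.yml hunk that follows. Both messages also read `installations instructions` where `installation instructions` is meant.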
@@ -11,6 +11,34 @@ msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file." when: lemmy_base_dir is not defined + - name: Check for legacy passwords/postgres file + delegate_to: localhost + ansible.builtin.stat: + path: "inventory/host_vars/{{ domain }}/passwords/postgres" + register: postgres_password_file + + - name: Legacy use of passwords/postgres file + delegate_to: localhost + ansible.builtin.fail: + msg: >- + In current versions of the Lemmy Ansible playbooks, the passwords/postgres file must be renamed to passwords/postgres.psk. + See https://github.com/LemmyNet/lemmy-ansible#upgrading" + when: postgres_password_file.stat.exists + + - name: Check for vars.yml file + delegate_to: localhost + ansible.builtin.stat: + path: "inventory/host_vars/{{ domain }}/vars.yml" + register: vars_file + + - name: Missing vars.yml file + delegate_to: localhost + ansible.builtin.fail: + msg: >- + Missing vars.yml file, please refer to the installations instructions. See https://github.com/LemmyNet/lemmy-ansible#install + and https://github.com/LemmyNet/lemmy-ansible#upgrading + when: not vars_file.stat.exists + - name: Install python for Ansible # python2-minimal instead of python-minimal for ubuntu 20.04 and up ansible.builtin.raw: test -e /usr/bin/python || test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal python3-setuptools) From f5bc407c6d1f4696da6307c734b85434ee54a725 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Thu, 14 Sep 2023 14:39:53 -0400 Subject: [PATCH 33/68] Missing a word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1ad5a2e..72e0cd5 100644 --- a/README.md +++ b/README.md 
@@ -74,7 +74,7 @@ To run this ansible playbook, you need to: - Run `git pull` - Check out the [Lemmy Releases Changelog](https://github.com/LemmyNet/lemmy/blob/main/RELEASES.md) to see if there are any config changes with the releases since your last. -- When upgrading from older versions these playbooks, you will need to do the following: +- When upgrading from older versions of these playbooks, you will need to do the following: * Rename `inventory/host_vars/{{ domain }}/passwords/postgres` file to `inventory/host_vars/{{ domain }}/passwords/postgres.psk` * Copy the `examples/vars.yml` file to `inventory/host_vars/{{ domain }}/vars.yml` - Run `ansible-playbook -i inventory/hosts lemmy.yml --become` From 3555ae23ae8fc9016a7b0c171aa0851414e97400 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Thu, 14 Sep 2023 15:26:37 -0400 Subject: [PATCH 34/68] Explicitly import `inventory/host_vars/{{ domain }}/vars.yml` - Refs #169 --- lemmy-almalinux.yml | 2 ++ lemmy.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index bf99bdd..d10ce54 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml @@ -2,6 +2,8 @@ - name: Install Lemmy hosts: all gather_facts: true + vars_files: + - "inventory/host_vars/{{ domain }}/vars.yml" pre_tasks: # This is not needed for this playbook as it predates its existence # But we're keeping it for funsies :) diff --git a/lemmy.yml b/lemmy.yml index 15fd5f4..e8587b7 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -5,6 +5,8 @@ # Install python if required # https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/ gather_facts: false + vars_files: + - "inventory/host_vars/{{ domain }}/vars.yml" pre_tasks: - name: Check lemmy_base_dir ansible.builtin.fail: From 550cf82beacbbf5b9d20f2e1daf5e1e2a420c95e Mon Sep 17 00:00:00 2001 
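Review bot: Loading `inventory/host_vars/{{ domain }}/vars.yml` through `vars_files` makes the file mandatory at play start: if it is missing, Ansible aborts with its own "vars file not found" error before `pre_tasks` run, so the `Missing vars.yml file` check added earlier in this series can no longer produce its friendlier message for that case (if I read vars_files loading correctly). Either document that the `stat`/`fail` pair now only guards the unreadable-file case, or replace `vars_files` with an `ansible.builtin.include_vars` pre_task placed after the existence check. A comment above the new key would make the ordering explicit: `# Loaded before pre_tasks; a missing file fails here, not in the vars.yml check below`. This applies to both the lemmy-almalinux.yml and the lemmy.yml hunk.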
From: Cody Robertson Date: Thu, 14 Sep 2023 15:29:25 -0400 Subject: [PATCH 35/68] Run `prettier` on `README.md` --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 72e0cd5..9ee9e49 100644 --- a/README.md +++ b/README.md @@ -75,8 +75,8 @@ To run this ansible playbook, you need to: - Run `git pull` - Check out the [Lemmy Releases Changelog](https://github.com/LemmyNet/lemmy/blob/main/RELEASES.md) to see if there are any config changes with the releases since your last. - When upgrading from older versions of these playbooks, you will need to do the following: - * Rename `inventory/host_vars/{{ domain }}/passwords/postgres` file to `inventory/host_vars/{{ domain }}/passwords/postgres.psk` - * Copy the `examples/vars.yml` file to `inventory/host_vars/{{ domain }}/vars.yml` + - Rename `inventory/host_vars/{{ domain }}/passwords/postgres` file to `inventory/host_vars/{{ domain }}/passwords/postgres.psk` + - Copy the `examples/vars.yml` file to `inventory/host_vars/{{ domain }}/vars.yml` - Run `ansible-playbook -i inventory/hosts lemmy.yml --become` ## Migrating your existing install to use this deploy From bbe8bc680b1fa14e441059bd46662424b0f6c6aa Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Fri, 15 Sep 2023 16:45:30 -0400 Subject: [PATCH 36/68] Remove sneaky `"` --- lemmy-almalinux.yml | 2 +- lemmy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index d10ce54..ae711cb 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml @@ -37,7 +37,7 @@ ansible.builtin.fail: msg: >- Missing vars.yml file, please refer to the installations instructions. See https://github.com/LemmyNet/lemmy-ansible#install - and https://github.com/LemmyNet/lemmy-ansible#upgrading" + and https://github.com/LemmyNet/lemmy-ansible#upgrading when: not vars_file.stat.exists handlers: - name: Reload nginx diff --git a/lemmy.yml b/lemmy.yml index e8587b7..fb0ca25 100644 
--- a/lemmy.yml +++ b/lemmy.yml @@ -24,7 +24,7 @@ ansible.builtin.fail: msg: >- In current versions of the Lemmy Ansible playbooks, the passwords/postgres file must be renamed to passwords/postgres.psk. - See https://github.com/LemmyNet/lemmy-ansible#upgrading" + See https://github.com/LemmyNet/lemmy-ansible#upgrading when: postgres_password_file.stat.exists - name: Check for vars.yml file From 0c23f4d51f83a0501772e5638cf1ace2b4a01e9b Mon Sep 17 00:00:00 2001 From: db0 Date: Sat, 23 Sep 2023 22:58:17 +0200 Subject: [PATCH 37/68] feat: pictrs-safety --- examples/hosts | 3 ++- examples/vars.yml | 9 +++++++++ templates/docker-compose.yml | 31 ++++++++++++++++++++++++++++++- 3 files changed, 41 insertions(+), 2 deletions(-) diff --git a/examples/hosts b/examples/hosts index 6dda8a9..64d2a85 100644 --- a/examples/hosts +++ b/examples/hosts @@ -9,7 +9,8 @@ # if you are upgrading from a previous version, set this to `/lemmy` # - `lemmy_version`: The back end version. # - `lemmy_ui_version`: overrides the front end version. -example.com ansible_user=root domain=example.com letsencrypt_contact_email=your@email.com lemmy_base_dir=/srv/lemmy +# - `use_pictrs_safety`: If true, a docker container for pictrs-safety will be deployed and pict-rs will be configured to validate images through it. You will also need to set up a fedi-safety worker to validate the images. +example.com ansible_user=root domain=example.com letsencrypt_contact_email=your@email.com lemmy_base_dir=/srv/lemmy pictrs_safety=false [all:vars] ansible_connection=ssh diff --git a/examples/vars.yml b/examples/vars.yml index 25833d8..76a8449 100644 --- a/examples/vars.yml +++ b/examples/vars.yml 
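Review bot: The new comment in examples/hosts documents a variable called `use_pictrs_safety`, but the example host line sets `pictrs_safety=false` and the docker-compose template in this commit tests `pictrs_safety`; an operator following the comment would set a variable nothing reads and silently get the feature disabled. The comment should name `pictrs_safety`. It would also help to state that the value is consumed through `| bool`, so `true`/`false` are the accepted spellings.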
@@ -35,3 +35,12 @@ lemmyui_env_vars: postfix_env_vars: - POSTFIX_myhostname: "{{ domain }}" + +pictrs_safety_env_vars: + # Use this in your fedi-safety to allow your worker to authenticate to pictrs-safety + - FEDIVERSE_SAFETY_WORKER_AUTH: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/pictrs_safety_worker_auth.psk chars=ascii_letters,digits length=15') }}" + - FEDIVERSE_SAFETY_IMGDIR: "/tmp/images" + - USE_SQLITE: 1 + - secret_key: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/pictrs_safety_secret.psk chars=ascii_letters,digits length=80') }}" + - SCAN_BYPASS_THRESHOLD: 10 + - MISSING_WORKER_THRESHOLD: 5 diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index abfeaaa..fb3e9fe 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -60,7 +60,7 @@ services: logging: *default-logging pictrs: - image: docker.io/asonix/pictrs:0.4.0 + image: docker.io/asonix/pictrs:0.4.3 # this needs to match the pictrs url in lemmy.hjson hostname: pictrs # we can set options to pictrs like this, here we set max. image size and forced format for conversion @@ -72,6 +72,9 @@ services: - {{ key }}={{ value }} {% endfor %} {% endfor %} +{% endif %} +{% if pictrs_safety is defined and pictrs_safety|bool == true %} + - PICTRS__MEDIA__EXTERNAL_VALIDATION=http://{{ domain }}:14051/api/v1/scan/IPADDR {% endif %} user: 991:991 volumes: 
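Review bot: pict-rs is pointed at `http://{{ domain }}:14051/api/v1/scan/IPADDR`, i.e. at the instance's public hostname over plain HTTP, and the `pictrs-safety` service in the following hunk publishes `"14051:14051"` on every host interface, so the validation traffic leaves the compose network and the scan API is reachable from the internet with only the worker token in front of it. If pict-rs sits on `lemmyinternal` as the new service does, it can reach the scanner by service name (`http://pictrs-safety:14051/...`) without touching the published port, and that port can then be limited to what the external fedi-safety worker needs (bind `127.0.0.1:14051:14051` and front it with nginx/TLS, or firewall it to the worker's address). `IPADDR` in the URL reads like a placeholder; a comment saying whether pict-rs substitutes it or it is literal would save the next reader a lookup.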
@@ -112,3 +115,29 @@ services: {% endif %} restart: "always" logging: *default-logging + +{% if pictrs_safety is defined and pictrs_safety|bool == true %} + pictrs-safety: + image: ghcr.io/db0/pictrs-safety:main + hostname: "pictrs-safety" + networks: + - lemmyinternal + - lemmyexternalproxy + environment: +{% if pictrs_safety_env_vars is defined and pictrs_safety_env_vars|length > 0 %} +{% for item in pictrs_safety_env_vars %} +{% for key, value in item.items() %} + - {{ key }}={{ value }} +{% endfor %} +{% endfor %} +{% endif %} + ports: + - "14051:14051" + expose: + - '14051' + user: 991:991 + restart: always + logging: *default-logging + depends_on: + - pictrs +{% endif %} From a2bd86ba5202da4eaa11846bab4d3689e806799d Mon Sep 17 00:00:00 2001 From: db0 Date: Sun, 24 Sep 2023 00:35:55 +0200 Subject: [PATCH 38/68] doc: wrong var --- examples/hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/hosts b/examples/hosts index 64d2a85..49fd86c 100644 --- a/examples/hosts +++ b/examples/hosts @@ -9,7 +9,7 @@ # if you are upgrading from a previous version, set this to `/lemmy` # - `lemmy_version`: The back end version. # - `lemmy_ui_version`: overrides the front end version. -# - `use_pictrs_safety`: If true, a docker container for pictrs-safety will be deployed and pict-rs will be configured to validate images through it. You will also need to set up a fedi-safety worker to validate the images. +# - `pictrs_safety`: If true, a docker container for pictrs-safety will be deployed and pict-rs will be configured to validate images through it. You will also need to set up a fedi-safety worker to validate the images. example.com ansible_user=root domain=example.com letsencrypt_contact_email=your@email.com lemmy_base_dir=/srv/lemmy pictrs_safety=false [all:vars] From 98d97423ae9ad67882e8d3040ca2c173b82256df Mon Sep 17 00:00:00 2001 
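Review bot: `image: ghcr.io/db0/pictrs-safety:main` tracks a moving branch, so every run with `pull: true` can deploy a different build of a container that sits in the upload path of every image; pin it to a release tag and ideally a `@sha256:` digest, as the `pictrs:0.4.3` line in the preceding hunk does with its version. `expose: - '14051'` is redundant once `ports: - "14051:14051"` is present, and that `ports` mapping binds all host interfaces, so `127.0.0.1:14051:14051` is the safer default unless the remote worker must reach the container directly. A short comment above the service (`# only rendered when pictrs_safety is true; see examples/hosts`) would tie the Jinja guard to the variable operators set.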
From: db0 Date: Sun, 24 Sep 2023 22:52:51 +0200 Subject: [PATCH 39/68] fix: versioned the container --- templates/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index fb3e9fe..69d298b 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -118,7 +118,7 @@ services: {% if pictrs_safety is defined and pictrs_safety|bool == true %} pictrs-safety: - image: ghcr.io/db0/pictrs-safety:main + image: ghcr.io/db0/pictrs-safety:v1.2.2 hostname: "pictrs-safety" networks: - lemmyinternal From b6e703fe0dcf5d3ac3c6fd23dd17ed1d666fffbd Mon Sep 17 00:00:00 2001 From: db0 Date: Wed, 27 Sep 2023 17:58:18 +0200 Subject: [PATCH 40/68] ref: adjusted as per comments --- examples/vars.yml | 9 ++++++--- templates/docker-compose.yml | 7 +------ templates/nginx.conf | 10 +++++----- 3 files changed, 12 insertions(+), 14 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 76a8449..a45a1c5 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -1,4 +1,7 @@ -postgres_password: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/postgres.psk chars=ascii_letters,digits') }}" +postgres_password: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/postgres.psk chars=ascii_letters,digits') }}" +# Next two only relevant if pictrs_safety == True +pictrs_safety_worker_auth: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/pictrs_safety_worker_auth.psk chars=ascii_letters,digits length=15') }}" +pictrs_safety_secret: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/pictrs_safety_secret.psk chars=ascii_letters,digits length=80') }}" # You can set any pict-rs environmental variables here. They will populate the templates/docker-compose.yml file. # https://git.asonix.dog/asonix/pict-rs 
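Review bot: The comment `# Next two only relevant if pictrs_safety == True` describes the gate differently from the template, which tests `pictrs_safety|bool == true`; `# Next two are only used when pictrs_safety is true` matches the actual condition and the lowercase spelling operators must use. These `lookup('password', ...)` calls also write the generated secrets as plaintext files under `inventory/host_vars/{{ domain }}/passwords/`; the example should say so, and that directory must stay out of version control (I cannot see a `.gitignore` in this series to confirm it does). Pulling the two lookups into named variables is an improvement over the inline ones in the earlier hunk, since the `.psk` paths are now defined once.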
@@ -38,9 +41,9 @@ postfix_env_vars: pictrs_safety_env_vars: # Use this in your fedi-safety to allow your worker to authenticate to pictrs-safety - - FEDIVERSE_SAFETY_WORKER_AUTH: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/pictrs_safety_worker_auth.psk chars=ascii_letters,digits length=15') }}" + - FEDIVERSE_SAFETY_WORKER_AUTH: "{{ pictrs_safety_worker_auth }}" - FEDIVERSE_SAFETY_IMGDIR: "/tmp/images" - USE_SQLITE: 1 - - secret_key: "{{ lookup('password', 'inventory/host_vars/{{domain}}/passwords/pictrs_safety_secret.psk chars=ascii_letters,digits length=80') }}" + - secret_key: "{{ pictrs_safety_secret }}" - SCAN_BYPASS_THRESHOLD: 10 - MISSING_WORKER_THRESHOLD: 5 diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 69d298b..1af1b3f 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -119,10 +119,7 @@ services: {% if pictrs_safety is defined and pictrs_safety|bool == true %} pictrs-safety: image: ghcr.io/db0/pictrs-safety:v1.2.2 - hostname: "pictrs-safety" - networks: - - lemmyinternal - - lemmyexternalproxy + hostname: pictrs-safety environment: {% if pictrs_safety_env_vars is defined and pictrs_safety_env_vars|length > 0 %} {% for item in pictrs_safety_env_vars %} @@ -133,8 +130,6 @@ services: {% endif %} ports: - "14051:14051" - expose: - - '14051' user: 991:991 restart: always logging: *default-logging diff --git a/templates/nginx.conf b/templates/nginx.conf index 7ab078b..c8b7a63 100644 --- a/templates/nginx.conf +++ b/templates/nginx.conf @@ -1,9 +1,9 @@ -limit_req_zone $binary_remote_addr zone={{domain}}_ratelimit:10m rate=1r/s; +limit_req_zone $binary_remote_addr zone={{ domain }}_ratelimit:10m rate=1r/s; server { listen 80; listen [::]:80; - server_name {{domain}}; + server_name {{ domain }}; # Hide nginx version server_tokens off; location /.well-known/acme-challenge/ { 
@@ -17,10 +17,10 @@ server { server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{domain}}; + server_name {{ domain }}; - ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem; + ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; From 963ab7b9f58f7b6b907132464936f82577631ed8 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Wed, 27 Sep 2023 14:47:04 -0400 Subject: [PATCH 41/68] Add vars.yml to woodpecker pipeline (#176) * Add vars.yml to CI pipeline - prettier - ansible-lint * Update vars.yml format for ansible-lint & prettier --- .woodpecker.yml | 4 ++-- examples/vars.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.woodpecker.yml b/.woodpecker.yml index f3c2418..932aa4e 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -2,7 +2,7 @@ pipeline: prettier_markdown_check: image: tmknom/prettier commands: - - prettier -c "*.md" "*.yml" + - prettier -c "*.md" "*.yml" "examples/vars.yml" check_ansible_format: image: alpine:3 commands: @@ -14,4 +14,4 @@ pipeline: image: alpine:3 commands: - apk add ansible ansible-lint - - ansible-lint --warn-list experimental lemmy.yml lemmy-almalinux.yml uninstall.yml + - ansible-lint --warn-list experimental lemmy.yml lemmy-almalinux.yml uninstall.yml examples/vars.yml diff --git a/examples/vars.yml b/examples/vars.yml index 25833d8..ff24c71 100644 --- a/examples/vars.yml +++ b/examples/vars.yml 
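Review bot: The lint pipeline in `.woodpecker.yml` runs on floating images (`tmknom/prettier` with no tag, `alpine:3`) and installs `ansible ansible-lint` with `apk add` at whatever version the index serves that day, so the check's outcome can change with no change to the repository. Pinning the image tags and the `ansible-lint` package version keeps the CI signal reproducible and makes a swap of the linter image visible in review rather than silent. `examples/vars.yml` is a vars file rather than a playbook; ansible-lint should accept it, but it is worth confirming in the CI log that it is not skipped as an unrecognised file type.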
@@ -12,11 +12,11 @@ pictrs_env_vars: - PICTRS_OPENTELEMETRY_URL: http://otel:4137 - RUST_LOG: debug - RUST_BACKTRACE: full -# - PICTRS__STORE__TYPE: object_storage +# - PICTRS__STORE__TYPE: object_storage # - PICTRS__STORE__ENDPOINT: '' # - PICTRS__STORE__BUCKET_NAME: '' # - PICTRS__STORE__REGION: '' -# - PICTRS__STORE__USE_PATH_STYLE: false +# - PICTRS__STORE__USE_PATH_STYLE: false # - PICTRS__STORE__ACCESS_KEY: '' # - PICTRS__STORE__SECRET_KEY: '' From c20347157dc92d02b19e6210234fe75949e2d1da Mon Sep 17 00:00:00 2001 From: Dessalines Date: Fri, 29 Sep 2023 07:39:19 -0400 Subject: [PATCH 42/68] Updating VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 0cc9884..543466e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.18.4 +0.18.5 From 6d610c9ee48d438c71dee2d64f3df78cb52a1857 Mon Sep 17 00:00:00 2001 From: Tim Coombs Date: Thu, 5 Oct 2023 08:36:26 +1100 Subject: [PATCH 43/68] Update ansible.cfg (#178) Removing become as it forces sudo on all servers including localhost --- ansible.cfg | 3 --- 1 file changed, 3 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index 08550db..87bdc5d 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -4,6 +4,3 @@ inventory = inventory [ssh_connection] pipelining = True - -[privilege_escalation] -become = True From d7be6c38292b7a973d15cf16a9fe7588de59c6cb Mon Sep 17 00:00:00 2001 From: Sanat Sathaye Date: Thu, 5 Oct 2023 05:03:31 +0530 Subject: [PATCH 44/68] Make firewalld operations idempotent (#173) * Use firewalld module instead of command module * Reload firewalld with systemd module * Convert firewalld reload to a handler * Explicit firewalld reload is not needed With immediate:true in ansible.posix.firewalld we don't need reload. Thanks @codyro * Add requirements.yml --- lemmy-almalinux.yml | 21 +++++++++++---------- requirements.yml | 3 +++ 2 files changed, 14 insertions(+), 10 deletions(-) create mode 100644 requirements.yml 
diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index 5746f4c..29fb902 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml @@ -44,6 +44,11 @@ ansible.builtin.systemd: name: nginx state: reloaded + + - name: Reload firewalld + ansible.builtin.systemd: + name: firewalld + state: reloaded vars: lemmy_port: "{{ 32767 | random(start=1024) }}" tasks: @@ -98,21 +103,17 @@ tags: - firewalld - # TODO: Use ansible.posix.firewalld - name: Allow http/httpd traffic to public zone in firewalld - ansible.builtin.command: "firewall-cmd --zone=public --add-service={{ item }} --perm" + ansible.posix.firewalld: + service: "{{ item }}" + state: enabled + zone: public + permanent: true + immediate: true loop: - http - https when: "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'" - changed_when: true - tags: - - firewalld - - - name: Reload firewalld - ansible.builtin.command: firewall-cmd --reload - when: "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'" - changed_when: true tags: - firewalld diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..a0cd255 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,3 @@ +--- +collections: + - name: ansible.posix From 3b451d8c5ee424d839ca082a5d875bc21143956f Mon Sep 17 00:00:00 2001 From: Tim Coombs Date: Thu, 5 Oct 2023 10:35:09 +1100 Subject: [PATCH 45/68] feat: Version 1.2.0 documentation (#179) * Update README.md * chore: Create a distribution matix with relevent playbooks fixes #159 * Update README.md Add an actual _note_ rather than a link * chore: pictrs mention --- README.md | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9ee9e49..2ad278e 100644 --- a/README.md +++ b/README.md 
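Review bot: The new `Reload firewalld` handler is never notified in these hunks: the firewalld task now relies on `immediate: true` (the commit message says the explicit reload is no longer needed), so the handler is dead unless something outside the visible hunks notifies it; either drop it or add the `notify: Reload firewalld` it was written for. `requirements.yml` lists `ansible.posix` with no `version:`, so `ansible-galaxy install -r requirements.yml` fetches whatever is newest; adding `version: "<pinned version>"` (placeholder) keeps deployments reproducible. The switch from `firewall-cmd` to `ansible.posix.firewalld` with `permanent: true` and `immediate: true` is the right idempotent shape; a comment `# immediate applies the rule now, permanent survives reload, so no explicit reload is needed` would record why the reload task disappeared.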
@@ -1,6 +1,6 @@ # Lemmy-Ansible -This provides an easy way to install [Lemmy](https://github.com/LemmyNet/lemmy) on any server. It automatically sets up an nginx server, letsencrypt certificates, and email. +This provides an easy way to install [Lemmy](https://github.com/LemmyNet/lemmy) on any server. It automatically sets up an nginx server, letsencrypt certificates, docker containers, pict-rs, and email smtp. ## Requirements @@ -11,13 +11,27 @@ To run this ansible playbook, you need to: - Make sure you can ssh to it, with a sudo user: `ssh @` - Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) on your **local** machine (do not install it on your destination server). +### Supported Distribution Playbook Matrix + +These are the distributions we currently support. Anything not listed here is currently not supported. +If you wish to see another distribution on the list, please test on the latest commit in `main` and report your findings via an Issue. + +| Distribution | Version | Playbook | +| ------------ | --------- | --------------------- | +| Debian | 10 | `lemmy.yml` | +| Debian | 11 | `lemmy.yml` | +| Debian | 12 | `lemmy.yml` | +| Ubuntu | 22.04 LTS | `lemmy.yml` | +| RHEL | 9 | `lemmy-almalinux.yml` | + ## Install -1. Clone this repo: +1. Clone this repo & checkout latest tag ``` git clone https://github.com/LemmyNet/lemmy-ansible.git cd lemmy-ansible + git checkout $(git describe --tags) ``` 2. Make a directory to hold your config: @@ -52,6 +66,8 @@ To run this ansible playbook, you need to: 7. Run the playbook: + _Note_: See the "Supported Distribution Playbook Matrix" section above if you should use `lemmy.yml` or not + `ansible-playbook -i inventory/hosts lemmy.yml` _Note_: if you are not the root user or don't have password-less sudo, use this command: 
@@ -72,12 +88,28 @@ To run this ansible playbook, you need to: ## Upgrading -- Run `git pull` -- Check out the [Lemmy Releases Changelog](https://github.com/LemmyNet/lemmy/blob/main/RELEASES.md) to see if there are any config changes with the releases since your last. +Since version `1.1.0` we no longer default to using `main` but use tags to make sure deployments are versioned. +With every new release all migration steps shall be written below so make sure you check out the [Lemmy Releases Changelog](https://github.com/LemmyNet/lemmy/blob/main/RELEASES.md) to see if there are any config changes with the releases since your last read. + +### Upgrading to 1.2.0 (Lemmy 0.18.5) + +Major changes: + +- All variables are not under a singular file so you will not need to modify anything: `inventory/host_vars/{{ domain }}/vars.yml` +- `--become` is now optional instead of forced on + +#### Steps + +- Run `git pull && git checkout 1.2.0` - When upgrading from older versions of these playbooks, you will need to do the following: - Rename `inventory/host_vars/{{ domain }}/passwords/postgres` file to `inventory/host_vars/{{ domain }}/passwords/postgres.psk` - Copy the `examples/vars.yml` file to `inventory/host_vars/{{ domain }}/vars.yml` -- Run `ansible-playbook -i inventory/hosts lemmy.yml --become` + - Edit your variables as desired +- Run your regular deployment. Example: `ansible-playbook -i inventory/hosts lemmy.yml --become` + +### Upgrading to 1.1.0 (Lemmy 0.18.3) + +- No major changes should be required ## Migrating your existing install to use this deploy From 84e904c8948cf509071cd6479117ff2100cbac02 Mon Sep 17 00:00:00 2001 From: "Tyler B. Thrailkill" Date: Sun, 8 Oct 2023 17:28:09 -0600 Subject: [PATCH 46/68] Updating the lemmy_env_vars after upgrade --- examples/vars.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/vars.yml b/examples/vars.yml index ff24c71..5b4e682 100644 --- a/examples/vars.yml +++ b/examples/vars.yml 
@@ -27,6 +27,7 @@ postgres_env_vars: lemmy_env_vars: - RUST_LOG: warn + - MAX_DB_CONNECTIONS=20 lemmyui_env_vars: - LEMMY_UI_LEMMY_INTERNAL_HOST: lemmy:8536 From a9139e225ffab4f8189a74bd4a35e0bbc530ff50 Mon Sep 17 00:00:00 2001 From: Tim Coombs Date: Mon, 9 Oct 2023 17:49:41 +1100 Subject: [PATCH 47/68] fix: noqa on linelength for password imports --- examples/vars.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 3382734..1bfd0ac 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -1,7 +1,8 @@ -postgres_password: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/postgres.psk chars=ascii_letters,digits') }}" +postgres_password: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/postgres.psk chars=ascii_letters,digits') }}" # noqa yaml[line-length]:w + # Next two only relevant if pictrs_safety == True -pictrs_safety_worker_auth: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/pictrs_safety_worker_auth.psk chars=ascii_letters,digits length=15') }}" -pictrs_safety_secret: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/pictrs_safety_secret.psk chars=ascii_letters,digits length=80') }}" +pictrs_safety_worker_auth: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/pictrs_safety_worker_auth.psk chars=ascii_letters,digits length=15') }}" # noqa yaml[line-length] +pictrs_safety_secret: "{{ lookup('password', 'inventory/host_vars/{{ domain }}/passwords/pictrs_safety_secret.psk chars=ascii_letters,digits length=80') }}" # noqa yaml[line-length] # You can set any pict-rs environmental variables here. They will populate the templates/docker-compose.yml file. # https://git.asonix.dog/asonix/pict-rs From 31f11379b5381b9e4efb9e3efd99eb7ba0a66b4a Mon Sep 17 00:00:00 2001 
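Review bot: The new list item `- MAX_DB_CONNECTIONS=20` is a bare string, while the sibling entry `- RUST_LOG: warn` is a one-key mapping, so the two items in `lemmy_env_vars` have different shapes. The compose template appears to iterate these entries as key/value pairs (nested `{% endfor %}` loops are visible in a later hunk of templates/docker-compose.yml), and a plain string has no key/value pairs to iterate, so rendering would most likely fail or silently drop the variable. Write it in the same form as the existing entry, quoted so it stays a string through YAML and the template: `- MAX_DB_CONNECTIONS: "20"`.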
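Review bot: The first noqa tag carries a stray `:w` — `# noqa yaml[line-length]:w` — which looks like an editor save command that landed in the file; ansible-lint matches noqa rule ids textually, so this tag may not suppress the warning it is meant to, unlike the two tags below it. Drop the suffix: `# noqa yaml[line-length]`. As a caveat for readers of this example file, the `password` lookup writes the generated secret to the given `.psk` path inside the inventory tree on first run, so those files must be kept out of version control; nothing in this hunk shows whether they are.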
From: Tim Coombs Date: Tue, 10 Oct 2023 01:46:03 +1100 Subject: [PATCH 48/68] fix: force no become on localhost (#185) --- lemmy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lemmy.yml b/lemmy.yml index 2bc8ad9..931059a 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -18,6 +18,7 @@ ansible.builtin.stat: path: "inventory/host_vars/{{ domain }}/passwords/postgres" register: postgres_password_file + become: false - name: Legacy use of passwords/postgres file delegate_to: localhost @@ -26,12 +27,14 @@ In current versions of the Lemmy Ansible playbooks, the passwords/postgres file must be renamed to passwords/postgres.psk. See https://github.com/LemmyNet/lemmy-ansible#upgrading when: postgres_password_file.stat.exists + become: false - name: Check for vars.yml file delegate_to: localhost ansible.builtin.stat: path: "inventory/host_vars/{{ domain }}/vars.yml" register: vars_file + become: false - name: Missing vars.yml file delegate_to: localhost @@ -40,6 +43,7 @@ Missing vars.yml file, please refer to the installations instructions. See https://github.com/LemmyNet/lemmy-ansible#install and https://github.com/LemmyNet/lemmy-ansible#upgrading when: not vars_file.stat.exists + become: false - name: Install python for Ansible # python2-minimal instead of python-minimal for ubuntu 20.04 and up From 22aa431a3d1ed8437a418633e9d92ae4af45bbf5 Mon Sep 17 00:00:00 2001 From: Ben Curtis Date: Mon, 9 Oct 2023 10:57:05 -0400 Subject: [PATCH 49/68] config fix for postgres docker defaults (#183) Co-authored-by: Dessalines --- examples/customPostgresql.conf | 3 +++ templates/docker-compose.yml | 1 + 2 files changed, 4 insertions(+) diff --git a/examples/customPostgresql.conf b/examples/customPostgresql.conf index 49428e4..21ed5fc 100644 --- a/examples/customPostgresql.conf +++ b/examples/customPostgresql.conf 
@@ -28,3 +28,6 @@ temp_file_size=1GB synchronous_commit=off # This one shouldn't be on regularly, because DB migrations often take a long time # statement_timeout = 10000 + +# Listen beyond localhost +listen_addresses = '*' diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 1af1b3f..6256534 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -101,6 +101,7 @@ services: - ./volumes/postgres:/var/lib/postgresql/data:Z - ./customPostgresql.conf:/etc/postgresql.conf restart: always + command: postgres -c config_file=/etc/postgresql.conf logging: *default-logging postfix: From 5c68d9588cb3aad511a0822ab3dd46b82101f149 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Mon, 9 Oct 2023 17:09:10 -0400 Subject: [PATCH 50/68] Adjust permissions for the distribute /etc/postgresql.conf so `postgres` user can read it - Refs #183 - Refs comment https://github.com/LemmyNet/lemmy-ansible/pull/183#issuecomment-1751809582 --- lemmy-almalinux.yml | 6 +++--- lemmy.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index 29fb902..9a8046e 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml @@ -186,9 +186,9 @@ # src: "files/{{ domain }}/customPostgresql.conf" src: "inventory/host_vars/{{ domain }}/customPostgresql.conf" dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf" - mode: "0600" - owner: "1000" # Match UID in container - group: "1000" # Match GID in container + mode: "0644" + owner: root + group: root tags: - configs - postgresql diff --git a/lemmy.yml b/lemmy.yml index 931059a..1e49c89 100644 --- a/lemmy.yml +++ b/lemmy.yml 
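Review bot: `listen_addresses = '*'` is added with only `# Listen beyond localhost` to explain it, and it is safe only because the postgres service in docker-compose publishes no host port: `*` binds every interface inside the container's network namespace, which is what lemmy needs to reach the database over the compose network. Anyone who later adds a `ports:` entry to the postgres service would expose password-only authentication on the host's interfaces, and Docker's published ports bypass host firewalls such as ufw. Replace the bare comment with one that records the constraint: `# '*' lets the lemmy container connect over the compose network; it is only safe because the postgres service publishes no host port — do not add a ports: mapping for 5432`. The customPostgresql.conf file header for this hunk is on the preceding line.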
@@ -223,9 +223,9 @@ ansible.builtin.template: src: "inventory/host_vars/{{ domain }}/customPostgresql.conf" dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf" - mode: "0600" - owner: "1000" - group: "1000" + mode: "0644" + owner: root + group: root - name: Enable and start docker service ansible.builtin.systemd: From 300a261b2a346dd6489f5eb43d6af632633f4059 Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Fri, 13 Oct 2023 10:23:32 -0400 Subject: [PATCH 51/68] Update ansible requirements, remove `become` for localhost delegated tasks (#188) * Add ansible-core >= 2.11.0 requirement - Adds assertion to gracefully fail instead of an error (ref #177) - Add to README * Remove `become` on `localhost` to `lemmy-almalinux.yml` playbook - Refs https://github.com/LemmyNet/lemmy-ansible/pull/178 * Adjust Ansible -> ansible-core - Add `become: false` to assertion in `lemmy.yml` * Adjust README verbiage * Apparently I really want it to be 2.10.0 --- README.md | 2 +- lemmy-almalinux.yml | 12 ++++++++++++ lemmy.yml | 8 ++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ad278e..a25a760 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ To run this ansible playbook, you need to: - Have a Debian/AlmaLinux 9-based server / VPS where lemmy will run. - Configure a DNS `A` Record to point at your server's IP address. - Make sure you can ssh to it, with a sudo user: `ssh @` -- Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) on your **local** machine (do not install it on your destination server). +- Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) (>= `2.11.0` on your **local** machine (do not install it on your destination server). ### Supported Distribution Playbook Matrix diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index 9a8046e..4e236bb 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml 
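Review bot: Relaxing customPostgresql.conf from `0600` owned by uid 1000 to `0644` owned by root makes the rendered file world-readable on the host, which is acceptable only while it holds tuning parameters and no credentials; since the task is `ansible.builtin.template`, a future variable reference could put a secret into it without anyone revisiting the mode. A comment on the task keeps that constraint visible: `# 0644 on purpose: tuning-only config, no secrets; the postgres container reads it as its own unprivileged uid, which 0600/uid 1000 prevented (#183)`. The enclosing task starts before the hunk.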
@@ -5,6 +5,14 @@ vars_files: - "inventory/host_vars/{{ domain }}/vars.yml" pre_tasks: + - name: Assert that Ansible version is >= 2.11.0 + delegate_to: localhost + ansible.builtin.assert: + that: + - "ansible_version.full is version('2.11.0', '>=')" + fail_msg: "This playbook requires Ansible 2.11.0 or higher" + become: false + # This is not needed for this playbook as it predates its existence # But we're keeping it for funsies :) - name: Check lemmy_base_dir @@ -17,6 +25,7 @@ ansible.builtin.stat: path: "inventory/host_vars/{{ domain }}/passwords/postgres" register: postgres_password_file + become: false - name: Legacy use of passwords/postgres file delegate_to: localhost @@ -25,12 +34,14 @@ In current versions of the Lemmy Ansible playbooks, the passwords/postgres file must be renamed to passwords/postgres.psk. See https://github.com/LemmyNet/lemmy-ansible#upgrading when: postgres_password_file.stat.exists + become: false - name: Check for vars.yml file delegate_to: localhost ansible.builtin.stat: path: "inventory/host_vars/{{ domain }}/vars.yml" register: vars_file + become: false - name: Missing vars.yml file delegate_to: localhost @@ -39,6 +50,7 @@ Missing vars.yml file, please refer to the installations instructions. See https://github.com/LemmyNet/lemmy-ansible#install and https://github.com/LemmyNet/lemmy-ansible#upgrading when: not vars_file.stat.exists + become: false handlers: - name: Reload nginx ansible.builtin.systemd: diff --git a/lemmy.yml b/lemmy.yml index 1e49c89..37404ac 100644 --- a/lemmy.yml +++ b/lemmy.yml 
@@ -8,6 +8,14 @@ vars_files: - "inventory/host_vars/{{ domain }}/vars.yml" pre_tasks: + - name: Assert that Ansible version is >= 2.11.0 + delegate_to: localhost + ansible.builtin.assert: + that: + - "ansible_version.full is version('2.11.0', '>=')" + fail_msg: "This playbook requires Ansible 2.11.0 or higher" + become: false + - name: Check lemmy_base_dir ansible.builtin.fail: msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file." From 9676c75fb9fdc638c6b89ae75181de93cb381b5f Mon Sep 17 00:00:00 2001 From: Cody Robertson Date: Tue, 17 Oct 2023 10:23:26 -0400 Subject: [PATCH 52/68] Remove invalid `temp_file_size` line in `customPostgresql.conf` (#192) - Refs #191 --- examples/customPostgresql.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/customPostgresql.conf b/examples/customPostgresql.conf index 21ed5fc..66cbd87 100644 --- a/examples/customPostgresql.conf +++ b/examples/customPostgresql.conf @@ -24,7 +24,6 @@ max_parallel_workers = 4 max_parallel_maintenance_workers = 2 # Other custom params -temp_file_size=1GB synchronous_commit=off # This one shouldn't be on regularly, because DB migrations often take a long time # statement_timeout = 10000 From a3b210ff10596474bb64b0ce451b256972c04a55 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Wed, 18 Oct 2023 16:36:13 -0400 Subject: [PATCH 53/68] Adding /version route --- templates/nginx_internal.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index 2922645..7700c15 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -63,7 +63,7 @@ http { } # backend - location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) { + location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known|version) { proxy_pass "http://lemmy:8536"; # Send actual client IP upstream From 0af5869d8de03f4718b76b3da63c41f93f98d7e7 Mon Sep 17 00:00:00 2001 
From: Dessalines Date: Fri, 20 Oct 2023 11:07:15 -0400 Subject: [PATCH 54/68] Redirecting version to nodeinfo. --- templates/nginx_internal.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index 7700c15..b43cb46 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -63,11 +63,14 @@ http { } # backend - location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known|version) { + location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) { proxy_pass "http://lemmy:8536"; # Send actual client IP upstream include proxy_params; } + + # Redirect /version to /nodeinfo/2.0.json + rewrite /version /nodeinfo/2.0.json permanent; } } From ebad4321c285c57873eb1d82acbd81cf61573c78 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Mon, 23 Oct 2023 12:04:24 -0400 Subject: [PATCH 55/68] Revert "Redirecting version to nodeinfo." --- templates/nginx_internal.conf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index b43cb46..7700c15 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -63,14 +63,11 @@ http { } # backend - location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) { + location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known|version) { proxy_pass "http://lemmy:8536"; # Send actual client IP upstream include proxy_params; } - - # Redirect /version to /nodeinfo/2.0.json - rewrite /version /nodeinfo/2.0.json permanent; } } From 51a82f7f183538db30d66d7eb2f515373bfcc261 Mon Sep 17 00:00:00 2001 From: Tim Coombs Date: Thu, 26 Oct 2023 09:48:02 +1100 Subject: [PATCH 56/68] chore: 1.2.1 update docs (#198) * chore: 1.2.1 update docs * chore: prettier * chore: prettier --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index a25a760..cfc0131 100644 --- a/README.md +++ b/README.md 
@@ -91,6 +91,21 @@ If you wish to see another distribution on the list, please test on the latest c Since version `1.1.0` we no longer default to using `main` but use tags to make sure deployments are versioned. With every new release all migration steps shall be written below so make sure you check out the [Lemmy Releases Changelog](https://github.com/LemmyNet/lemmy/blob/main/RELEASES.md) to see if there are any config changes with the releases since your last read. +### Upgrading to 1.2.1 (Lemmy 0.18.5) + +This is a minor change which fixes the issue with the Postgres container not using the `customPostgres.conf` file. + +#### Steps + +- Please regenerate your `customPostgres.conf` from `examples/customPostgres.conf` +- **OR** +- Add the following block to your current customPostgres file. + +``` +# Listen beyond localhost +listen_addresses = '*' +``` + ### Upgrading to 1.2.0 (Lemmy 0.18.5) Major changes: From a292378c056b09b8775d4885be6a71f48dc5621d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=B0smail=20Karsl=C4=B1?= <17887754+ismailkarsli@users.noreply.github.com> Date: Thu, 9 Nov 2023 16:40:25 +0300 Subject: [PATCH 57/68] Redirect "/sitemap.xml" to backend --- templates/nginx_internal.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index 7700c15..6129583 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -63,7 +63,7 @@ http { } # backend - location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known|version) { + location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known|version|sitemap.xml) { proxy_pass "http://lemmy:8536"; # Send actual client IP upstream From 196761c8bb4681dacb1ccd2db6c752dd38389574 Mon Sep 17 00:00:00 2001 From: Nutomic Date: Wed, 29 Nov 2023 11:16:22 +0100 Subject: [PATCH 58/68] Include CPU architectures in requirements --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index cfc0131..f3ac76e 100644 
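Review bot: The added `sitemap.xml` alternative, like `.well-known` before it, uses an unescaped `.` inside a `~` regex location, and the pattern has no right-hand boundary, so `/sitemapXxml`, `/versions` or `/apiary` are proxied to the backend along with the intended paths. Escape the dots and anchor the alternatives to a path boundary: `location ~ ^/(api|pictrs|feeds|nodeinfo|\.well-known|version|sitemap\.xml)(/|$) {`. The backend returns its own 404 for unknown routes, so this is mostly a precision issue, but it is worth fixing while the list is being touched.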
--- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ This provides an easy way to install [Lemmy](https://github.com/LemmyNet/lemmy) To run this ansible playbook, you need to: - Have a Debian/AlmaLinux 9-based server / VPS where lemmy will run. +- Supported CPI architectures are x86-64 and ARM64 - Configure a DNS `A` Record to point at your server's IP address. - Make sure you can ssh to it, with a sudo user: `ssh @` - Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) (>= `2.11.0` on your **local** machine (do not install it on your destination server). From 63adf2e01bbbf16e995a2bf25e87e2bdcce3437f Mon Sep 17 00:00:00 2001 From: Nutomic Date: Wed, 29 Nov 2023 11:17:24 +0100 Subject: [PATCH 59/68] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f3ac76e..ec626d6 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ This provides an easy way to install [Lemmy](https://github.com/LemmyNet/lemmy) To run this ansible playbook, you need to: - Have a Debian/AlmaLinux 9-based server / VPS where lemmy will run. -- Supported CPI architectures are x86-64 and ARM64 +- Supported CPU architectures are x86-64 and ARM64 - Configure a DNS `A` Record to point at your server's IP address. - Make sure you can ssh to it, with a sudo user: `ssh @` - Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) (>= `2.11.0` on your **local** machine (do not install it on your destination server). From 8612dba46c8b5270105258977add265f326aff0c Mon Sep 17 00:00:00 2001 From: Nutomic Date: Wed, 29 Nov 2023 11:17:43 +0100 Subject: [PATCH 60/68] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ec626d6..a873e3b 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,7 @@ This provides an easy way to install [Lemmy](https://github.com/LemmyNet/lemmy) To run this ansible playbook, you need to: - Have a Debian/AlmaLinux 9-based server / VPS where lemmy will run. -- Supported CPU architectures are x86-64 and ARM64 +- Supported CPU architectures are x86-64 and ARM64. - Configure a DNS `A` Record to point at your server's IP address. - Make sure you can ssh to it, with a sudo user: `ssh @` - Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) (>= `2.11.0` on your **local** machine (do not install it on your destination server). From e6f2198ccec99db84a1d6ccb26767ba03e1205bc Mon Sep 17 00:00:00 2001 From: "Tyler B. Thrailkill" Date: Thu, 30 Nov 2023 13:47:42 -0700 Subject: [PATCH 61/68] Update to pictrs and fix for debian --- lemmy.yml | 5 ++++- templates/docker-compose.yml | 30 ++++++++++++++++++++---------- templates/nginx.conf | 1 + 3 files changed, 25 insertions(+), 11 deletions(-) diff --git a/lemmy.yml b/lemmy.yml index 2bc8ad9..890c265 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -57,10 +57,13 @@ name: nginx state: reloaded tasks: + - name: Check hostname resolution + ansible.builtin.ping: + - name: Install aptitude ansible.builtin.apt: name: aptitude - state: present + state: latest update_cache: true - name: Install dependencies diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 901cec8..1297e26 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -46,8 +46,8 @@ services: interval: 1m timeout: 10s retries: 3 - labels: - - "autoheal=true" + # labels: + # - "autoheal=true" lemmy-ui: image: {{ lemmy_docker_ui_image }} 
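Review bot: Changing aptitude to `state: latest` makes the task upgrade the package on every run and therefore never idempotent, and ansible-lint flags it (`package-latest`); `state: present` with `update_cache: true` was sufficient for the install and should be restored. The new task named `Check hostname resolution` runs `ansible.builtin.ping`, which only verifies SSH connectivity and a usable remote Python; it does not resolve the instance hostname, so the name overstates what it checks — rename it to `Check connectivity to target host` or replace it with an actual lookup of `{{ domain }}`. The hunk ends before the following `Install dependencies` task.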
@@ -67,7 +67,7 @@ services: logging: *default-logging pictrs: - image: docker.io/asonix/pictrs:0.4.0 + image: docker.io/asonix/pictrs:0.4.5 # this needs to match the pictrs url in lemmy.hjson hostname: pictrs # we can set options to pictrs like this, here we set max. image size and forced format for conversion @@ -101,6 +101,8 @@ services: {% endfor %} {% endfor %} {% endif %} + ports: + - 5432:5432 volumes: - ./volumes/postgres:/var/lib/postgresql/data:Z - ./customPostgresql.conf:/etc/postgresql.conf @@ -121,11 +123,19 @@ services: restart: "always" logging: *default-logging - autoheal: - restart: always - image: willfarrell/autoheal - environment: - - AUTOHEAL_CONTAINER_LABEL=autoheal + # autoheal: + # restart: always + # image: willfarrell/autoheal + # environment: + # - AUTOHEAL_CONTAINER_LABEL=autoheal - volumes: - - /var/run/docker.sock:/var/run/docker.sock \ No newline at end of file + # volumes: + # - /var/run/docker.sock:/var/run/docker.sock + + + lemmy-modder: + image: ghcr.io/tgxn/lemmy-modder:latest + restart: unless-stopped + ports: + - 9696:80 + \ No newline at end of file diff --git a/templates/nginx.conf b/templates/nginx.conf index 7ab078b..dada661 100644 --- a/templates/nginx.conf +++ b/templates/nginx.conf @@ -63,4 +63,5 @@ server { } } + access_log /var/log/nginx/access.log combined; From 0232df1562aeee010f557803a758f14840051370 Mon Sep 17 00:00:00 2001 From: Sanat Sathaye Date: Sun, 3 Dec 2023 17:14:53 +0530 Subject: [PATCH 62/68] Fix alma playbook running on non-alma system --- lemmy-almalinux.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index 4e236bb..75b86d1 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml 
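Review bot: `ports: - 5432:5432` on the postgres service publishes PostgreSQL on every host interface, where Docker's own iptables rules bypass ufw/firewalld, so the database becomes reachable from outside with password-only authentication (and `listen_addresses = '*'` in customPostgresql.conf will accept those connections). Nothing in this series needs the port on the host; lemmy reaches postgres over the compose network, as the unchanged `MAX_DB_CONNECTIONS`/hostname wiring shows. Remove the mapping, or if host access is wanted for administration bind it to loopback and quote it per Compose convention: `- "127.0.0.1:5432:5432"`.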
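Review bot: The new `lemmy-modder` service pulls the unpinned `ghcr.io/tgxn/lemmy-modder:latest`, while every other image in this file is version-pinned or templated through a variable, and it is published on all interfaces (`9696:80`) over plain HTTP instead of being routed through the nginx/TLS front end like lemmy-ui. Pin a version tag or digest and bind it to loopback — `- "127.0.0.1:9696:80"` — or drop `ports:` and add an nginx location for it. The block also leaves trailing whitespace and no newline at end of file, and the autoheal service is commented out rather than removed; dropping the commented block is cleaner, and not mounting `/var/run/docker.sock` into a container is itself a welcome outcome.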
@@ -65,11 +65,11 @@ lemmy_port: "{{ 32767 | random(start=1024) }}" tasks: - name: Ensure target system is >= EL9 - ansible.builtin.fail: - msg: "This playbook requires Enterprise Linux 9 or greater" - when: - - ansible_distribution not in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] - - ansible_distribution_major_version | int < 9 + ansible.builtin.assert: + that: + - ansible_distribution in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] + - ansible_distribution_major_version | int >= 9 + fail_msg: "This playbook requires Enterprise Linux 9 or greater" tags: - always From 1178eed471dd6176ce659ce672d271d953badeb5 Mon Sep 17 00:00:00 2001 From: Sanat Sathaye Date: Mon, 4 Dec 2023 01:43:57 +0530 Subject: [PATCH 63/68] Fix debian playbook running on non-debian system --- lemmy-almalinux.yml | 2 +- lemmy.yml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lemmy-almalinux.yml b/lemmy-almalinux.yml index 75b86d1..3cfb8a8 100644 --- a/lemmy-almalinux.yml +++ b/lemmy-almalinux.yml @@ -69,7 +69,7 @@ that: - ansible_distribution in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky'] - ansible_distribution_major_version | int >= 9 - fail_msg: "This playbook requires Enterprise Linux 9 or greater" + fail_msg: "This playbook requires Enterprise Linux 9 or greater on the target server" tags: - always diff --git a/lemmy.yml b/lemmy.yml index 37404ac..a03a9ad 100644 --- a/lemmy.yml +++ b/lemmy.yml @@ -69,6 +69,12 @@ name: nginx state: reloaded tasks: + - name: Ensure target system is Debian or Ubuntu + ansible.builtin.assert: + that: + - ansible_distribution in ['Debian', 'Ubuntu'] + fail_msg: "This playbook requires Debian or Ubuntu on the target server" + - name: Install aptitude ansible.builtin.apt: name: aptitude From d2236338a896349083d338516a41ff821d3b0818 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Fri, 15 Dec 2023 06:51:55 -0500 Subject: [PATCH 64/68] Updating VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/VERSION b/VERSION index 543466e..1cf0537 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.18.5 +0.19.0 From 6ecaeaa36b385267151be4f8e1760018a19dc135 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Sat, 16 Dec 2023 03:09:11 -0500 Subject: [PATCH 65/68] Adding a 1GB shm size for postgres, to prevent shared space error. (#204) Context: https://stackoverflow.com/a/56754077/1655478 --- templates/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 6256534..6e879f2 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -102,6 +102,7 @@ services: - ./customPostgresql.conf:/etc/postgresql.conf restart: always command: postgres -c config_file=/etc/postgresql.conf + shm_size: 1g logging: *default-logging postfix: From 82fefeef9cf1cc907bd82b3a94e592e7d61de7f0 Mon Sep 17 00:00:00 2001 From: Tim Coombs Date: Mon, 18 Dec 2023 11:15:12 +1100 Subject: [PATCH 66/68] Version 1.3.0 (#206) * feat: 0.19.x * chore: upgrade pictrs to 0.4.6 * chore: upgrade pictrs to 0.4.7 * chore: readme upgrade instructions * Update README.md 1.3.1 stuff * fix: remove 1.3.1 - wrong branch * fix: remove placeholder about downtime * fix: prettier thinks this is better... * fix: add back downtime nonsense! * fix: fix command runner * fix: complete docs with estimated downtimes and ways to upgrade pictrs --- README.md | 42 ++++++++++++++++++++++++++++++++++++ templates/docker-compose.yml | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a873e3b..c23c3bb 100644 --- a/README.md +++ b/README.md 
@@ -92,6 +92,48 @@ If you wish to see another distribution on the list, please test on the latest c Since version `1.1.0` we no longer default to using `main` but use tags to make sure deployments are versioned. With every new release all migration steps shall be written below so make sure you check out the [Lemmy Releases Changelog](https://github.com/LemmyNet/lemmy/blob/main/RELEASES.md) to see if there are any config changes with the releases since your last read. +### Upgrading to 1.3.0 (Lemmy 0.19.0 & pictrs-0.4.7) + +This is a major change and has required reading! tl;dr + +- Lemmy has been upgraded to 0.19.0 +- pict-rs has been upgraded to 0.4.7 + - pict-rs has not been integrated with postgres yet +- "Optional Modules" are now available to be added to your lemmy install as provided by the community. + - The first being pictrs-safety + +#### Steps + +- Prepare to have downtime as the database needs to perform migrations! +- Run `git pull && git checkout 1.3.0` +- Run your regular deployment. Example: `ansible-playbook -i inventory/hosts lemmy.yml --become` +- Lemmy will now be down! In testing this takes from 20 to 60 minutes. + - If you are bored you can ssh into your server, and check the logs on postgres for updates + - `docker compose logs -f postgres` while ssh'd and in your Lemmy directory + +#### Update your pict-rs sled-database (Optional) + +If you are happy for pict-rs to be down _for a while_ go straight to our `1.3.1` git tag which updates pictrs to 0.5.0. Otherwise keep reading. +Starting with 0.5.0 your database will automatically upgrade to the latest version, which will cause downtime for your users. +As such there is an intermediary step where you can upgrade your database in the background to prepare for 0.5 (Reference documentation)[https://git.asonix.dog/asonix/pict-rs/releases#user-content-upgrade-preparation-endpoint]. This ensure no-one is caught out by unforseen downtime of multiple services. 
+ +Once you have deployed lemmy-ansible `1.3.0` tag, please continue (if you want): + +- Take note of what your pict-rs API Key is under `vars.yml` +- Take note of what your docker network name is. (It's normally the domain without any extra characters) + - You should be able to find it via: `docker network ls | grep _default` if in doubt. +- Run the following command replacing `api-key` with the pict-rs api key, & `youdomain` with the network name. +- `docker run --network yourdomain_default --rm curlimages/curl:8.5.0 --silent -XPOST -H'X-Api-Token: api-key' 'http://pictrs:8080/internal/prepare_upgrade'` +- This will start the background process updating your database from 0.4 to 0.5 compatible. + +This is only Optional, and takes a shorter amount of time than the Lemmy database upgrade, but on huge installations it may take a lot longer. + +#### Optional Module(s) + +Our first optional module is [pictrs-safety](https://github.com/db0/pictrs-safety). See the repo linked for more information, especially for integration with pictrs (which is what it is for) Thanks to @db0 for their contribution. +See the `pictrs_safety_env_vars` under `examples/vars.yml` for relevant options (and the two password variables) +To enable this module to be used you must ADD `pictrs_safety: true` to your `vars.yml`. + ### Upgrading to 1.2.1 (Lemmy 0.18.5) This is a minor change which fixes the issue with the Postgres container not using the `customPostgres.conf` file. diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 6e879f2..85d0ab5 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -60,7 +60,7 @@ services: logging: *default-logging pictrs: - image: docker.io/asonix/pictrs:0.4.3 + image: docker.io/asonix/pictrs:0.4.7 # this needs to match the pictrs url in lemmy.hjson hostname: pictrs # we can set options to pictrs like this, here we set max. image size and forced format for conversion 
From aecc0e261f1e7e8434b630361f4f5aa8b43f1097 Mon Sep 17 00:00:00 2001 From: Tim Coombs Date: Tue, 19 Dec 2023 04:21:54 +1100 Subject: [PATCH 67/68] fix: nginx real-ips in logs & docker constant resolution for scaling containers (#209) --- templates/nginx_internal.conf | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/templates/nginx_internal.conf b/templates/nginx_internal.conf index 6129583..765ff1a 100644 --- a/templates/nginx_internal.conf +++ b/templates/nginx_internal.conf @@ -5,6 +5,12 @@ events { } http { + # Docker internal DNS IP so we always get the newer containers without having to + # restart/reload the docker container / nginx configuration + resolver 127.0.0.11 valid=5s; + # set the real_ip when from docker internal ranges. Ensuring our internal nginx + # container can always see the correct ips in the logs + set_real_ip_from 172.0.0.0/8; # We construct a string consistent of the "request method" and "http accept header" # and then apply soem ~simply regexp matches to that combination to decide on the # HTTP upstream we should proxy the request to. @@ -37,6 +43,8 @@ http { } server { + set $lemmy_ui "lemmy-ui:1234"; + set $lemmy "lemmy:8536"; # this is the port inside docker, not the public one yet listen 1236; listen 8536; @@ -59,12 +67,12 @@ http { # security.txt location = /.well-known/security.txt { - proxy_pass "http://lemmy-ui:1234"; + proxy_pass "http://$lemmy_ui"; } # backend location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known|version|sitemap.xml) { - proxy_pass "http://lemmy:8536"; + proxy_pass "http://$lemmy"; # Send actual client IP upstream include proxy_params; From 68d68d0a4c140460a25adafb1f855aa6bd383d85 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Wed, 20 Dec 2023 09:26:56 -0500 Subject: [PATCH 68/68] Updating VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 1cf0537..41915c7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.19.0 +0.19.1
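Review bot: `set_real_ip_from 172.0.0.0/8;` trusts far more than Docker's address space — Docker's default pools lie within 172.16.0.0/12 (plus 192.168.0.0/16 on newer daemons), while 172.0.0.0/8 also covers publicly routed 172.0.0.0–172.15.255.255 and everything from 172.32.0.0 upward. Should this container ever be reachable beyond the compose network, a client in those public ranges could rewrite its logged address through the real-IP header honoured here (`real_ip_header` is not set, so the default `X-Real-IP` applies); the practical impact is limited because this nginx only listens on the compose network, but the trusted range should match the network it actually trusts. Use `set_real_ip_from 172.16.0.0/12;` and, if the daemon may allocate from the second pool, `set_real_ip_from 192.168.0.0/16;`.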