
commit 6935d9926b70ab6c9f4dc111c70ded56fab63708
parent dd74e0f452f6e1bb75fb248e851ab2fee0c3dc4e
Author: Leah (ctucx) <leah@ctu.cx>
Date: Thu, 4 Mar 2021 00:31:37 +0100

update configurations, playbook
5 files changed, 270 insertions(+), 30 deletions(-)
A
config-files/quitschi/pleroma.exs
|
200
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
config-files/wanderduene/pleroma.exs
|
4
++++
M
configuration/quitschi.yml
|
69
+++++++++++++++++++++++++++++++++++++++++++++------------------------
M
configuration/wanderduene.yml
|
25
+++++++++++++++++++------
M
playbook.yml
|
2
++
diff --git a/config-files/quitschi/pleroma.exs b/config-files/quitschi/pleroma.exs
@@ -0,0 +1,200 @@
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+  url: [host: "trans-agenda.de", scheme: "https", port: 443],
+  http: [ip: {127, 0, 0, 1}, port: 4000]
+
+config :pleroma, Pleroma.Repo,
+  adapter:    Ecto.Adapters.Postgres,
+  username:   "pleroma",
+  database:   "pleroma",
+  socket_dir: "/run/postgresql",
+  pool_size: 10
+
+import_config("/var/lib/pleroma/secret.exs")
+
+# Configure web push notifications
+config :web_push_encryption, :vapid_details, subject: "mailto:pleroma@trans-agenda.de"
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+config :pleroma, :static_fe, enabled: false
+
+config :pleroma, :frontend_configurations,
+  pleroma_fe: %{
+    theme: "mammal",
+    background: "/static/bg.png",
+    logo: "/static/logo.png",
+    nsfwCensorImage: "/static/nsfw.png",
+    chatDisabled: true,
+    webPushNotifications: true,
+    showFeaturesPanel: true,
+    collapseMessageWithSubject: true,
+    hideUserStats: false
+  }
+
+config :pleroma, :instance,
+  name: "trans-agenda.de",
+  email: "the@trans-agenda.de",
+  notify_email: "the@trans-agenda.de",
+  limit: 5000,
+  registrations_open: true,
+  account_approval_required: true,
+  account_activation_required: true,
+  invites_enabled: true,
+  remote_post_retention_days: 180,
+  external_user_synchronization: true,
+  upload_limit: 50_000_000,
+  avatar_upload_limit: 10_000_000,
+  background_upload_limit: 10_000_000,
+  banner_upload_limit: 10_000_000,
+  allowed_post_formats: [
+    "text/plain",
+    "text/html",
+    "text/markdown"
+  ],
+  quarantined_instances: [
+    "search.fedi.app",
+    "freespeechextremist.com",
+    "gleasonator.com",
+    "gab.com",
+    "gab.ai",
+    "spinster.xyz",
+    "clubcyberia.co",
+    "glowers.club",
+    "shitposter.club",
+    "social.urspringer.de",
+    "pleroma.soykaf.com",
+    "nnia.space",
+    "kiwifarms.cc",
+    "wintermute.fr.to",
+    "anitwitter.moe",
+    "brighteon.social",
+    "cawfee.club",
+    "community.halle-leaks.de",
+    "crypto-group-buy.com",
+    "freefedifollowers.ga",
+    "freevoice.space",
+    "glindr.org",
+    "gs.smuglo.li",
+    "pl.smuglo.li",
+    "humblr.social",
+    "jaeger.website",
+    "lets.saynoto.lgbt",
+    "libre.tube",
+    "neckbeard.xyz",
+    "newjack.city",
+    "ohai.su",
+    "pawoo.net",
+    "pieville.net",
+    "play.xmr.101010.pl",
+    "pleroma.rareome.ga",
+    "preteengirls.biz",
+    "skippers-bin.com",
+    "sneak.berlin",
+    "the.hedgehoghunter.club",
+    "toot.canberrasocial.net",
+    "video.halle-leaks.de",
+    "weedis.life",
+    "yggdrasil.social",
+    "anime.website",
+    "collapsitarian.io",
+    "pleroma.gretagangbang.biz",
+    "gitmo.life"
+  ]
+
+config :pleroma, Pleroma.Emails.Mailer,
+  enabled: true,
+  adapter: Swoosh.Adapters.SMTP,
+  relay: "wanderduene.ctu.cx",
+  username: "the@trans-agenda.de",
+  password: "{{ lookup('diskcache', 'passwordstore', 'E-Mail/the@trans-agenda.de')}}",
+  port: 465,
+  ssl: true,
+  auth: :always
+
+config :pleroma, :media_proxy,
+  enabled: false,
+  redirect_on_failure: true,
+  base_url: "https://cache.domain.tld"
+
+config :pleroma, :fetch_initial_posts,
+  enabled: false,
+  pages: 1
+
+config :pleroma, :chat, enabled: false
+
+config :pleroma, :mrf,
+  policies: [Pleroma.Web.ActivityPub.MRF.SimplePolicy]
+
+config :pleroma, :mrf_simple,
+  reject: [
+    "search.fedi.app",
+    "freespeechextremist.com",
+    "gleasonator.com",
+    "gab.com",
+    "gab.ai",
+    "spinster.xyz",
+    "clubcyberia.co",
+    "glowers.club",
+    "shitposter.club",
+    "social.urspringer.de",
+    "pleroma.soykaf.com",
+    "nnia.space",
+    "kiwifarms.cc",
+    "wintermute.fr.to",
+    "anitwitter.moe",
+    "brighteon.social",
+    "cawfee.club",
+    "community.halle-leaks.de",
+    "crypto-group-buy.com",
+    "freefedifollowers.ga",
+    "freevoice.space",
+    "glindr.org",
+    "gs.smuglo.li",
+    "pl.smuglo.li",
+    "humblr.social",
+    "jaeger.website",
+    "lets.saynoto.lgbt",
+    "libre.tube",
+    "neckbeard.xyz",
+    "newjack.city",
+    "ohai.su",
+    "pawoo.net",
+    "pieville.net",
+    "play.xmr.101010.pl",
+    "pleroma.rareome.ga",
+    "preteengirls.biz",
+    "skippers-bin.com",
+    "sneak.berlin",
+    "the.hedgehoghunter.club",
+    "toot.canberrasocial.net",
+    "video.halle-leaks.de",
+    "weedis.life",
+    "yggdrasil.social",
+    "anime.website",
+    "collapsitarian.io",
+    "pleroma.gretagangbang.biz",
+    "gitmo.life"
+  ]
+																																		
+config :pleroma, :emoji,
+  shortcode_globs: ["/emoji/custom/**/*.png"],
+  groups: [
+    "Bahn":           "/emoji/cuties/Bahn/*.png",
+    "Blobs":          "/emoji/cuties/Blobs/*.png",
+    "Bread":          "/emoji/cuties/Bread/*.png",
+    "LGBTIQ*":        "/emoji/cuties/LGBTIQ\*/*.png",
+    "Signale":        "/emoji/cuties/Signale/*.png",
+    "Naughty_Goose":  "/emoji/cuties/naughty_goose/*.png",
+    'Technology':     "/emoji/cuties/Technology/*.png",
+    "Transportation": "/emoji/cuties/Transportation/*.png",
+    "Chaos":          "/emoji/chaos/*.png",
+    "Femojis":        "/emoji/femojis/*.png"
+  ]
+
+config :pleroma, configurable_from_database: false
+
+config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool, Pleroma.Upload.Filter.AnonymizeFilename, Pleroma.Upload.Filter.Dedupe]
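Review bot: The SMTP password on line 151 is rendered straight into the main pleroma.exs even though the file already pulls secrets from `/var/lib/pleroma/secret.exs` (line 52); moving the `Pleroma.Emails.Mailer` password into that secrets file (or into the role's `secretsContent`) keeps the credential out of whatever permissions the role gives the main config — I cannot see that mode from here, so treat this as a hardening suggestion. The instance list is repeated verbatim for `quarantined_instances` (lines 96–144) and `mrf_simple reject` (lines 171–219); since a config file is plain Elixir, binding it once — `blocked_instances = [...]`, then `quarantined_instances: blocked_instances` and `reject: blocked_instances` — removes the risk of the two lists drifting apart on the next edit. Line 220 is a whitespace-only run of tabs and line 230 uses a single-quoted `'Technology'` key where every other group key is double-quoted; both are cosmetic but worth cleaning up. The `\*` in `"/emoji/cuties/LGBTIQ\*/*.png"` (line 227) is, as far as I know, not a recognised Elixir escape and the backslash is dropped, so the glob becomes `LGBTIQ*` and matches any directory with that prefix — probably harmless, but worth confirming against the emoji tree.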
diff --git a/config-files/wanderduene/pleroma.exs b/config-files/wanderduene/pleroma.exs
@@ -226,3 +226,7 @@ config :pleroma, :emoji,
     "Chaos":          "/emoji/chaos/*.png",
     "Femojis":        "/emoji/femojis/*.png"
   ]
+
+config :pleroma, configurable_from_database: false
+
+config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool, Pleroma.Upload.Filter.AnonymizeFilename, Pleroma.Upload.Filter.Dedupe]
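Review bot: `Pleroma.Upload.Filter.Exiftool` (line 247) shells out to the `exiftool` binary at upload time, so uploads will start failing once this is deployed if the host does not have it installed; nothing in this commit installs it, so please confirm the pleroma role pulls it in. Running Exiftool before `Dedupe` looks like the right order, since the dedupe hash is presumably taken over the already-stripped file. A one-line comment such as `# Exiftool strips EXIF/GPS metadata from uploads; requires exiftool on $PATH` above the line would make the host dependency visible to whoever edits this next.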
diff --git a/configuration/quitschi.yml b/configuration/quitschi.yml
@@ -46,9 +46,7 @@ network:
       loopback: true
     - name: eth0
       ipv4:
-        address: 75.119.137.201
-        gateway: 75.119.128.1
-        netmask: 255.255.255.0
+        dhcp: true
       ipv6:
         address: 2a02:c206:3007:0378::1
         gateway: fe80::1

@@ -60,6 +58,12 @@ files:
     mode:    "0755"
     owner:   "leah"
     group:   "nginx"
+  /etc/nginx/passwd/synapse:
+    state:   "file"
+    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}"
+    mode:    "0600"
+    owner:   "nginx"
+    group:   "nginx"
 
 services:
   openssh:
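Review bot: The lookup term on line 267 nests `{{system.hostname}}` inside the outer `{{ … }}`; if I recall correctly Ansible only resolves this because lookup terms are re-templated, and the nested-moustache form has been flagged as unsupported, so the safer spelling is `'Server/' ~ system.hostname ~ '/passwd/synapse returnall=true'`. The permissions themselves are right for an htpasswd file (`0600`, owned by the nginx user). Consider adding `# htpasswd file for the /_synapse basic-auth gate in the matrix.* nginx vhost` above the entry so the link to its consumer is visible from here.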

@@ -106,22 +110,6 @@ services:
         locations:
           - path: /node-exporter
             proxy: http://127.0.0.1:9100/metrics
-      trans-agenda.de:
-        ssl:
-          enable: true
-          cert: "/var/lib/acme-redirect/live/trans-agenda.de/fullchain"
-          privkey: "/var/lib/acme-redirect/live/trans-agenda.de/privkey"
-        locations:
-          - path: "/.well-known/matrix/client"
-            extraConfig: '
-              add_header Content-Type application/json;
-              return 200 "{\"m.homeserver\": {\"base_url\": \"https://matrix.trans-agenda.de\"}}";
-            '
-          - path: "/.well-known/matrix/server"
-            extraConfig: '
-              add_header Content-Type application/json;
-              return 200 "{\"m.server\": \"matrix.trans-agenda.de:443\"}";
-            '
 
   synapse:
     enable: true

@@ -140,7 +128,7 @@ services:
           tls: false
           x_forwarded: true
           resources:
-            - names: ["client"]
+            - names: ["client", "metrics"]
               compress: true
             - names: ["federation"]
               compress: false
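Review bot: Adding `metrics` to the client listener's resources (line 304) serves `/_synapse/metrics` on the same port nginx proxies public Matrix traffic to, so the only thing keeping it private is the `auth_basic` location added elsewhere in this commit; whether the listener port itself is reachable from outside depends on its bind address, which is outside this hunk. Synapse also supports a dedicated listener of `type: metrics` bound to loopback, which keeps metrics off the client port entirely and avoids relying on nginx for the gating — worth considering if the Prometheus scraper runs on the same host. The listener definition starts above this hunk.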

@@ -166,16 +154,16 @@ services:
       url_preview_ip_range_blacklist: ["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"]
       url_preview_ip_range_whitelist: []
       url_preview_url_blacklist: []
+      enable_registration: true
+      registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/secret')}}"
       enable_registration_captcha: true
+      recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
       recaptcha_public_key: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/recaptcha.pub')}}"
       recaptcha_private_key: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/recaptcha.priv')}}"
       turn_uris: []
       turn_shared_secret: ""
-      enable_registration: true
-      enable_metrics: false
-      registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/secret')}}"
-      recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
       turn_user_lifetime: "1h"
+      enable_metrics: true
       user_creation_max_duration: 1209600000
       bcrypt_rounds: 12
       allow_guest_access: false

@@ -245,3 +233,35 @@ services:
         enable: true
         cert: "/var/lib/acme-redirect/live/matrix.trans-agenda.de/fullchain"
         privkey: "/var/lib/acme-redirect/live/matrix.trans-agenda.de/privkey"
+      extraConfig: "
+        location /_synapse {
+          proxy_pass http://127.0.0.1:8008;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          auth_basic 'Authorization required';
+          auth_basic_user_file /etc/nginx/passwd/synapse;
+        }
+      "
+
+  pleroma:
+    enable: true
+    configFile: config-files/quitschi/pleroma.exs
+    secretsContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/pleroma.secrets returnall=true')}}"
+    nginx:
+      enable: true
+      domain: "trans-agenda.de"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/trans-agenda.de/fullchain"
+        privkey: "/var/lib/acme-redirect/live/trans-agenda.de/privkey"
+      extraConfig: "
+        location /.well-known/matrix/server {
+              add_header Content-Type application/json;
+              return 200 '{\"m.server\": \"matrix.trans-agenda.de:443\"}';          
+        }
+
+        location /.well-known/matrix/client {
+              add_header Content-Type application/json;
+              return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.trans-agenda.de\"}}';
+        }
+      "+
\ No newline at end of file
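Review bot: `location /_synapse` (line 336) puts basic auth in front of everything under that prefix, not just `/_synapse/metrics`; as far as I know Synapse serves user-facing endpoints under `/_synapse/client/` (password-reset and SSO callback pages, for example), so those flows will now hit a browser auth prompt. Narrowing the block to `location = /_synapse/metrics {` keeps the metrics gate and leaves the rest of `/_synapse` to the existing proxying rules; if the intent is also to shield `/_synapse/admin`, a second explicit location is clearer than a prefix match. Since the listener has `x_forwarded: true`, also pass `proxy_set_header X-Forwarded-Proto $scheme;` so Synapse sees the original scheme. Line 366 appears to end with a stray `+` after the closing quote of `extraConfig`; if that is in the file rather than a rendering artifact the YAML will fail to parse, and the trailing spaces on line 359 are harmless inside the double-quoted scalar but worth trimming.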
diff --git a/configuration/wanderduene.yml b/configuration/wanderduene.yml
@@ -98,6 +98,12 @@ files:
     mode:    "0600"
     owner:   "nginx"
     group:   "nginx"
+  /etc/nginx/passwd/synapse:
+    state:   "file"
+    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}"
+    mode:    "0600"
+    owner:   "nginx"
+    group:   "nginx"
 
 
 services:

@@ -320,7 +326,7 @@ services:
           tls: false
           x_forwarded: true
           resources:
-            - names: ["client"]
+            - names: ["client", "metrics"]
               compress: true
             - names: ["federation"]
               compress: false
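Review bot: The `metrics` resource on line 388 exposes `/_synapse/metrics` through the listener that also carries client traffic, so its confidentiality now rests on the nginx basic-auth location configured later in this file rather than on the listener itself. If the listener's bind address (above this hunk) is not loopback-only, anyone who can reach the port directly reads the metrics unauthenticated; a separate `type: metrics` listener on `127.0.0.1` would remove that dependency. Worth a short comment on the resource line, e.g. `# metrics served here are gated by auth_basic in the nginx vhost`, so the coupling is explicit.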

@@ -346,14 +352,14 @@ services:
       url_preview_ip_range_blacklist: ["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"]
       url_preview_ip_range_whitelist: []
       url_preview_url_blacklist: []
-      enable_registration_captcha: false
-      turn_uris: []
-      turn_shared_secret: ""
       enable_registration: false
-      enable_metrics: false
       registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/wanderduene/synapse.secret')}}"
+      enable_registration_captcha: false
       recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+      turn_uris: []
+      turn_shared_secret: ""
       turn_user_lifetime: "1h"
+      enable_metrics: true
       user_creation_max_duration: 1209600000
       bcrypt_rounds: 12
       allow_guest_access: false

@@ -411,7 +417,14 @@ services:
         enable: true
         cert: "/var/lib/acme-redirect/live/matrix.ctu.cx/fullchain"
         privkey: "/var/lib/acme-redirect/live/matrix.ctu.cx/privkey"
-
+      extraConfig: "
+        location /_synapse {
+          proxy_pass http://127.0.0.1:8008;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          auth_basic 'Authorization required';
+          auth_basic_user_file /etc/nginx/passwd/synapse;
+        }
+      "
   prometheus:
     enable: true
     nginx:
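Review bot: The `location /_synapse` block on line 419 is broader than the metrics endpoint it is meant to protect: Synapse's own user-facing `/_synapse/client/*` routes (password reset, SSO callbacks, as far as I recall) would now require the htpasswd credentials, which ordinary users do not have. Use `location = /_synapse/metrics {` for the gate, and add a dedicated block if `/_synapse/admin` should be shielded too. With `x_forwarded: true` on the listener, `proxy_set_header X-Forwarded-Proto $scheme;` should accompany the `X-Forwarded-For` header on line 421 so Synapse reconstructs the correct scheme.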
diff --git a/playbook.yml b/playbook.yml
@@ -97,6 +97,8 @@
       tags: nginx
     - role: synapse
       tags: synapse
+    - role: pleroma
+      tags: pleroma
     - role: backup
       tags: backup