commit 6935d9926b70ab6c9f4dc111c70ded56fab63708
parent dd74e0f452f6e1bb75fb248e851ab2fee0c3dc4e
Author: Leah (ctucx) <leah@ctu.cx>
Date: Thu, 4 Mar 2021 00:31:37 +0100
update configurations, playbook
5 files changed, 270 insertions(+), 30 deletions(-)
A
|
200
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config-files/quitschi/pleroma.exs b/config-files/quitschi/pleroma.exs 
@@ -0,0 +1,200 @@
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+ url: [host: "trans-agenda.de", scheme: "https", port: 443],
+ http: [ip: {127, 0, 0, 1}, port: 4000]
+
+config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ username: "pleroma",
+ database: "pleroma",
+ socket_dir: "/run/postgresql",
+ pool_size: 10
+
+import_config("/var/lib/pleroma/secret.exs")
+
+# Configure web push notifications
+config :web_push_encryption, :vapid_details, subject: "mailto:pleroma@trans-agenda.de"
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+config :pleroma, :static_fe, enabled: false
+
+config :pleroma, :frontend_configurations,
+ pleroma_fe: %{
+ theme: "mammal",
+ background: "/static/bg.png",
+ logo: "/static/logo.png",
+ nsfwCensorImage: "/static/nsfw.png",
+ chatDisabled: true,
+ webPushNotifications: true,
+ showFeaturesPanel: true,
+ collapseMessageWithSubject: true,
+ hideUserStats: false
+ }
+
+config :pleroma, :instance,
+ name: "trans-agenda.de",
+ email: "the@trans-agenda.de",
+ notify_email: "the@trans-agenda.de",
+ limit: 5000,
+ registrations_open: true,
+ account_approval_required: true,
+ account_activation_required: true,
+ invites_enabled: true,
+ remote_post_retention_days: 180,
+ external_user_synchronization: true,
+ upload_limit: 50_000_000,
+ avatar_upload_limit: 10_000_000,
+ background_upload_limit: 10_000_000,
+ banner_upload_limit: 10_000_000,
+ allowed_post_formats: [
+ "text/plain",
+ "text/html",
+ "text/markdown"
+ ],
+ quarantined_instances: [
+ "search.fedi.app",
+ "freespeechextremist.com",
+ "gleasonator.com",
+ "gab.com",
+ "gab.ai",
+ "spinster.xyz",
+ "clubcyberia.co",
+ "glowers.club",
+ "shitposter.club",
+ "social.urspringer.de",
+ "pleroma.soykaf.com",
+ "nnia.space",
+ "kiwifarms.cc",
+ "wintermute.fr.to",
+ "anitwitter.moe",
+ "brighteon.social",
+ "cawfee.club",
+ "community.halle-leaks.de",
+ "crypto-group-buy.com",
+ "freefedifollowers.ga",
+ "freevoice.space",
+ "glindr.org",
+ "gs.smuglo.li",
+ "pl.smuglo.li",
+ "humblr.social",
+ "jaeger.website",
+ "lets.saynoto.lgbt",
+ "libre.tube",
+ "neckbeard.xyz",
+ "newjack.city",
+ "ohai.su",
+ "pawoo.net",
+ "pieville.net",
+ "play.xmr.101010.pl",
+ "pleroma.rareome.ga",
+ "preteengirls.biz",
+ "skippers-bin.com",
+ "sneak.berlin",
+ "the.hedgehoghunter.club",
+ "toot.canberrasocial.net",
+ "video.halle-leaks.de",
+ "weedis.life",
+ "yggdrasil.social",
+ "anime.website",
+ "collapsitarian.io",
+ "pleroma.gretagangbang.biz",
+ "gitmo.life"
+ ]
+
+config :pleroma, Pleroma.Emails.Mailer,
+ enabled: true,
+ adapter: Swoosh.Adapters.SMTP,
+ relay: "wanderduene.ctu.cx",
+ username: "the@trans-agenda.de",
+ password: "{{ lookup('diskcache', 'passwordstore', 'E-Mail/the@trans-agenda.de')}}",
+ port: 465,
+ ssl: true,
+ auth: :always
+
+config :pleroma, :media_proxy,
+ enabled: false,
+ redirect_on_failure: true,
+ base_url: "https://cache.domain.tld"
+
+config :pleroma, :fetch_initial_posts,
+ enabled: false,
+ pages: 1
+
+config :pleroma, :chat, enabled: false
+
+config :pleroma, :mrf,
+ policies: [Pleroma.Web.ActivityPub.MRF.SimplePolicy]
+
+config :pleroma, :mrf_simple,
+ reject: [
+ "search.fedi.app",
+ "freespeechextremist.com",
+ "gleasonator.com",
+ "gab.com",
+ "gab.ai",
+ "spinster.xyz",
+ "clubcyberia.co",
+ "glowers.club",
+ "shitposter.club",
+ "social.urspringer.de",
+ "pleroma.soykaf.com",
+ "nnia.space",
+ "kiwifarms.cc",
+ "wintermute.fr.to",
+ "anitwitter.moe",
+ "brighteon.social",
+ "cawfee.club",
+ "community.halle-leaks.de",
+ "crypto-group-buy.com",
+ "freefedifollowers.ga",
+ "freevoice.space",
+ "glindr.org",
+ "gs.smuglo.li",
+ "pl.smuglo.li",
+ "humblr.social",
+ "jaeger.website",
+ "lets.saynoto.lgbt",
+ "libre.tube",
+ "neckbeard.xyz",
+ "newjack.city",
+ "ohai.su",
+ "pawoo.net",
+ "pieville.net",
+ "play.xmr.101010.pl",
+ "pleroma.rareome.ga",
+ "preteengirls.biz",
+ "skippers-bin.com",
+ "sneak.berlin",
+ "the.hedgehoghunter.club",
+ "toot.canberrasocial.net",
+ "video.halle-leaks.de",
+ "weedis.life",
+ "yggdrasil.social",
+ "anime.website",
+ "collapsitarian.io",
+ "pleroma.gretagangbang.biz",
+ "gitmo.life"
+ ]
+
+config :pleroma, :emoji,
+ shortcode_globs: ["/emoji/custom/**/*.png"],
+ groups: [
+ "Bahn": "/emoji/cuties/Bahn/*.png",
+ "Blobs": "/emoji/cuties/Blobs/*.png",
+ "Bread": "/emoji/cuties/Bread/*.png",
+ "LGBTIQ*": "/emoji/cuties/LGBTIQ\*/*.png",
+ "Signale": "/emoji/cuties/Signale/*.png",
+ "Naughty_Goose": "/emoji/cuties/naughty_goose/*.png",
+ 'Technology': "/emoji/cuties/Technology/*.png",
+ "Transportation": "/emoji/cuties/Transportation/*.png",
+ "Chaos": "/emoji/chaos/*.png",
+ "Femojis": "/emoji/femojis/*.png"
+ ]
+
+config :pleroma, configurable_from_database: false
+
+config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool, Pleroma.Upload.Filter.AnonymizeFilename, Pleroma.Upload.Filter.Dedupe]
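Review bot: The SMTP credential at `password: "{{ lookup('diskcache', 'passwordstore', 'E-Mail/the@trans-agenda.de')}}"` is rendered into the main pleroma.exs even though the file already does `import_config("/var/lib/pleroma/secret.exs")` and the role renders that secrets file from the same password store; moving the `Pleroma.Emails.Mailer` credentials into secret.exs keeps the non-secret config reviewable and limits restrictive file permissions to one file (the mode the role gives the rendered pleroma.exs is not visible in this diff). The `quarantined_instances` and `mrf_simple` `reject:` lists are the same 48 hosts written out twice, so future additions will drift; binding the list once (`blocked = [...]`) and referencing it in both places would keep them in sync. `base_url: "https://cache.domain.tld"` under `:media_proxy` is an untouched placeholder — harmless while `enabled: false`, but worth a `# placeholder, set a real host before enabling` comment so it is not switched on as-is.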
diff --git a/config-files/wanderduene/pleroma.exs b/config-files/wanderduene/pleroma.exs @@ -226,3 +226,7 @@ config :pleroma, :emoji, "Chaos": "/emoji/chaos/*.png", "Femojis": "/emoji/femojis/*.png" ] + +config :pleroma, configurable_from_database: false + +config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool, Pleroma.Upload.Filter.AnonymizeFilename, Pleroma.Upload.Filter.Dedupe]
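Review bot: `Pleroma.Upload.Filter.Exiftool` presumably shells out to the `exiftool` binary on the host, and nothing in this commit installs it; if it is absent, uploads would fail outright rather than silently keep their metadata. The pleroma role should declare that package dependency, or at least the filter list should carry a `# requires exiftool on the host` comment. The same filter list is enabled on quitschi in this commit, so both hosts need the check.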
diff --git a/configuration/quitschi.yml b/configuration/quitschi.yml @@ -46,9 +46,7 @@ network: loopback: true - name: eth0 ipv4: - address: 75.119.137.201 - gateway: 75.119.128.1 - netmask: 255.255.255.0 + dhcp: true ipv6: address: 2a02:c206:3007:0378::1 gateway: fe80::1 @@ -60,6 +58,12 @@ files: mode: "0755" owner: "leah" group: "nginx" + /etc/nginx/passwd/synapse: + state: "file" + content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}" + mode: "0600" + owner: "nginx" + group: "nginx" services: openssh: @@ -106,22 +110,6 @@ services: locations: - path: /node-exporter proxy: http://127.0.0.1:9100/metrics - trans-agenda.de: - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/trans-agenda.de/fullchain" - privkey: "/var/lib/acme-redirect/live/trans-agenda.de/privkey" - locations: - - path: "/.well-known/matrix/client" - extraConfig: ' - add_header Content-Type application/json; - return 200 "{\"m.homeserver\": {\"base_url\": \"https://matrix.trans-agenda.de\"}}"; - ' - - path: "/.well-known/matrix/server" - extraConfig: ' - add_header Content-Type application/json; - return 200 "{\"m.server\": \"matrix.trans-agenda.de:443\"}"; - ' synapse: enable: true @@ -140,7 +128,7 @@ services: tls: false x_forwarded: true resources: - - names: ["client"] + - names: ["client", "metrics"] compress: true - names: ["federation"] compress: false 
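Review bot: Adding `metrics` to the `client` listener's resources serves `/_synapse/metrics` on the same port as client traffic with no authentication at the Synapse level; the listener's bind address is outside this hunk, so whether it is reachable beyond loopback cannot be confirmed here. If the scrape is meant to go only through the nginx basic-auth location added later in this file, a comment such as `# metrics are gated only by nginx auth_basic; keep this listener on 127.0.0.1` next to the resource line would make that dependency explicit. Synapse also offers a dedicated `type: metrics` listener, which would keep the metrics endpoint off the client port entirely.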
@@ -166,16 +154,16 @@ services: url_preview_ip_range_blacklist: ["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"] url_preview_ip_range_whitelist: [] url_preview_url_blacklist: [] + enable_registration: true + registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/secret')}}" enable_registration_captcha: true + recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" recaptcha_public_key: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/recaptcha.pub')}}" recaptcha_private_key: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/recaptcha.priv')}}" turn_uris: [] turn_shared_secret: "" - enable_registration: true - enable_metrics: false - registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/quitschi/synapse/secret')}}" - recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" turn_user_lifetime: "1h" + enable_metrics: true user_creation_max_duration: 1209600000 bcrypt_rounds: 12 allow_guest_access: false 
@@ -245,3 +233,35 @@ services: enable: true cert: "/var/lib/acme-redirect/live/matrix.trans-agenda.de/fullchain" privkey: "/var/lib/acme-redirect/live/matrix.trans-agenda.de/privkey" + extraConfig: " + location /_synapse { + proxy_pass http://127.0.0.1:8008; + proxy_set_header X-Forwarded-For $remote_addr; + auth_basic 'Authorization required'; + auth_basic_user_file /etc/nginx/passwd/synapse; + } + " + + pleroma: + enable: true + configFile: config-files/quitschi/pleroma.exs + secretsContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/pleroma.secrets returnall=true')}}" + nginx: + enable: true + domain: "trans-agenda.de" + sslOnly: true + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/trans-agenda.de/fullchain" + privkey: "/var/lib/acme-redirect/live/trans-agenda.de/privkey" + extraConfig: " + location /.well-known/matrix/server { + add_header Content-Type application/json; + return 200 '{\"m.server\": \"matrix.trans-agenda.de:443\"}'; + } + + location /.well-known/matrix/client { + add_header Content-Type application/json; + return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.trans-agenda.de\"}}'; + } + "+ \ No newline at end of file
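Review bot: `location /_synapse { ... auth_basic ... }` is broader than the metrics endpoint it is meant to gate: the same prefix covers `/_synapse/admin` and, presumably, the `/_synapse/client/*` endpoints that ordinary clients call (password reset and similar), so those requests would start being challenged for basic auth. Narrowing it to `location = /_synapse/metrics {` puts only the scrape target behind the password file. Whether the matrix vhost also answers plain HTTP is not visible here; if it does, the basic-auth credentials travel in cleartext, so `sslOnly: true` (as the new pleroma vhost below already sets) is worth adding.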
diff --git a/configuration/wanderduene.yml b/configuration/wanderduene.yml @@ -98,6 +98,12 @@ files: mode: "0600" owner: "nginx" group: "nginx" + /etc/nginx/passwd/synapse: + state: "file" + content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}" + mode: "0600" + owner: "nginx" + group: "nginx" services: @@ -320,7 +326,7 @@ services: tls: false x_forwarded: true resources: - - names: ["client"] + - names: ["client", "metrics"] compress: true - names: ["federation"] compress: false @@ -346,14 +352,14 @@ services: url_preview_ip_range_blacklist: ["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"] url_preview_ip_range_whitelist: [] url_preview_url_blacklist: [] - enable_registration_captcha: false - turn_uris: [] - turn_shared_secret: "" enable_registration: false - enable_metrics: false registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/wanderduene/synapse.secret')}}" + enable_registration_captcha: false recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + turn_uris: [] + turn_shared_secret: "" turn_user_lifetime: "1h" + enable_metrics: true user_creation_max_duration: 1209600000 bcrypt_rounds: 12 allow_guest_access: false @@ -411,7 +417,14 @@ services: enable: true cert: "/var/lib/acme-redirect/live/matrix.ctu.cx/fullchain" privkey: "/var/lib/acme-redirect/live/matrix.ctu.cx/privkey" - + extraConfig: " + location /_synapse { + proxy_pass http://127.0.0.1:8008; + proxy_set_header X-Forwarded-For $remote_addr; + auth_basic 'Authorization required'; + auth_basic_user_file /etc/nginx/passwd/synapse; + } + " prometheus: enable: true nginx:
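Review bot: The new `location /_synapse` block puts nginx basic auth in front of every `/_synapse/*` path, not just `/_synapse/metrics`; that includes the admin API and, presumably, the `/_synapse/client/*` endpoints regular clients use, which would begin receiving 401s. Use `location = /_synapse/metrics {` so only the scrape target is gated. The block also sets only `X-Forwarded-For`; because nginx stops inheriting server-level `proxy_set_header` directives once a location defines any of its own, any `Host` or `X-Forwarded-Proto` headers configured outside this hunk will not apply here, which matters with `x_forwarded: true` on the Synapse side — confirm and add them to the location if needed.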
diff --git a/playbook.yml b/playbook.yml @@ -97,6 +97,8 @@ tags: nginx - role: synapse tags: synapse + - role: pleroma + tags: pleroma - role: backup tags: backup