* Remove ansible from this repo.
* Adding a git push.
+++ /dev/null
-[defaults]
-inventory = inventory
-interpreter_python = /usr/bin/python3
-
-[ssh_connection]
-pipelining = True
+++ /dev/null
-[lemmy]
-# to get started, copy this file to `inventory` and adjust the values below.
-# - `myuser@example.com`: replace with the destination you use to connect to your server via ssh
-# - `domain=example.com`: replace `example.com` with your lemmy domain
-# - `letsencrypt_contact_email=your@email.com` replace `your@email.com` with your email address,
-# to get notifications if your ssl cert expires
-# - `lemmy_base_dir=/srv/lemmy`: the location on the server where lemmy can be installed, can be any folder
-# if you are upgrading from a previous version, set this to `/lemmy`
-myuser@example.com domain=example.com letsencrypt_contact_email=your@email.com lemmy_base_dir=/srv/lemmy
-
-[all:vars]
-ansible_connection=ssh
+++ /dev/null
----
-- hosts: all
-
- # Install python if required
- # https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/
- gather_facts: False
- pre_tasks:
- - name: check lemmy_base_dir
- fail:
- msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file."
- when: lemmy_base_dir is not defined
-
- - name: install python for Ansible
- # python2-minimal instead of python-minimal for ubuntu 20.04 and up
- raw: test -e /usr/bin/python || (apt -y update && apt install -y python3-minimal python3-setuptools)
- args:
- executable: /bin/bash
- register: output
- changed_when: output.stdout != ''
-
- - setup: # gather facts
-
- tasks:
- - name: install dependencies
- apt:
- update_cache: yes
- pkg:
- - 'nginx'
- - 'docker-compose'
- - 'docker.io'
- - 'certbot'
-
- - name: install certbot-nginx on ubuntu < 20
- apt:
- pkg:
- - 'python-certbot-nginx'
- when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<')
-
- - name: install certbot-nginx on ubuntu > 20
- apt:
- pkg:
- - 'python3-certbot-nginx'
- when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')
-
- - name: request initial letsencrypt certificate
- command: certbot certonly --nginx --agree-tos --cert-name '{{ domain }}' -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
- args:
- creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
-
- - name: create lemmy folder
- file:
- path: '{{item.path}}'
- owner: '{{item.owner}}'
- state: directory
- with_items:
- - path: '{{lemmy_base_dir}}'
- owner: 'root'
- - path: '{{lemmy_base_dir}}/volumes/'
- owner: 'root'
- - path: '{{lemmy_base_dir}}/volumes/pictrs/'
- owner: '991'
-
- - block:
- - name: add template files
- template:
- src: '{{item.src}}'
- dest: '{{item.dest}}'
- mode: '{{item.mode}}'
- with_items:
- - src: 'templates/docker-compose.yml'
- dest: '{{lemmy_base_dir}}/docker-compose.yml'
- mode: '0600'
- - src: 'templates/nginx.conf'
- dest: '/etc/nginx/sites-enabled/lemmy.conf'
- mode: '0644'
- vars:
- lemmy_docker_image: "dessalines/lemmy:{{ lookup('file', 'VERSION') }}"
- lemmy_docker_ui_image: "dessalines/lemmy-ui:{{ lookup('file', 'VERSION') }}"
- lemmy_port: "8536"
- lemmy_ui_port: "1235"
-
- - name: add minimal config file (only during initial setup)
- template:
- src: 'templates/config.hjson'
- dest: '{{lemmy_base_dir}}/lemmy.hjson'
- mode: '0600'
- force: false
- owner: '1000'
- group: '1000'
- vars:
- postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
- jwt_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/jwt chars=ascii_letters,digits') }}"
-
- - name: enable and start docker service
- systemd:
- name: docker
- enabled: yes
- state: started
-
- - name: start docker-compose
- docker_compose:
- project_src: '{{lemmy_base_dir}}'
- state: present
- pull: yes
- remove_orphans: yes
-
- - name: reload nginx with new config
- shell: nginx -s reload
-
- - name: certbot renewal cronjob
- cron:
- special_time: daily
- name: certbot-renew-lemmy
- user: root
- job: "certbot certonly --nginx --cert-name '{{ domain }}' -d '{{ domain }}' --deploy-hook 'nginx -s reload'"
+++ /dev/null
-{
- # for more info about the config, check out the documentation
- # https://join-lemmy.org/docs/en/administration/configuration.html
-
- database: {
- host: postgres
- password: "{{ postgres_password }}"
- }
- hostname: "{{ domain }}"
- pictrs_url: "http://pictrs:8080"
- email: {
- smtp_server: "postfix:25"
- smtp_from_address: "noreply@{{ domain }}"
- use_tls: false
- }
-}
+++ /dev/null
-limit_req_zone $binary_remote_addr zone=lemmy_ratelimit:10m rate=1r/s;
-
-server {
- listen 80;
- listen [::]:80;
- server_name {{domain}};
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{domain}};
-
- ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
-
- # Various TLS hardening settings
- # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_session_timeout 10m;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # Hide nginx version
- server_tokens off;
-
- # Enable compression for JS/CSS/HTML bundle, for improved client load times.
- # It might be nice to compress JSON, but leaving that out to protect against potential
- # compression+encryption information leak attacks like BREACH.
- gzip on;
- gzip_types text/css application/javascript image/svg+xml;
- gzip_vary on;
-
- # Only connect to this site via HTTPS for the two years
- add_header Strict-Transport-Security "max-age=63072000";
-
- # Various content security headers
- add_header Referrer-Policy "same-origin";
- add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "DENY";
- add_header X-XSS-Protection "1; mode=block";
-
- # Upload limit for pictrs
- client_max_body_size 20M;
-
- # frontend
- location / {
- # The default ports:
- # lemmy_ui_port: 1235
- # lemmy_port: 8536
-
- set $proxpass "http://0.0.0.0:{{lemmy_ui_port}}";
- if ($http_accept = "application/activity+json") {
- set $proxpass "http://0.0.0.0:{{lemmy_port}}";
- }
- if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
- set $proxpass "http://0.0.0.0:{{lemmy_port}}";
- }
- if ($request_method = POST) {
- set $proxpass "http://0.0.0.0:{{lemmy_port}}";
- }
- proxy_pass $proxpass;
-
- rewrite ^(.+)/+$ $1 permanent;
-
- # Send actual client IP upstream
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-
- # backend
- location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
- proxy_pass http://0.0.0.0:{{lemmy_port}};
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- # Rate limit
- limit_req zone=lemmy_ratelimit burst=30 nodelay;
-
- # Add IP forwarding headers
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-
-
- # Redirect pictshare images to pictrs
- location ~ /pictshare/(.*)$ {
- return 301 /pictrs/image/$1;
- }
-
-}
-
-# Anonymize IP addresses
-# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
-map $remote_addr $remote_addr_anon {
- ~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
- ~(?P<ip>[^:]+:[^:]+): $ip::;
- 127.0.0.1 $remote_addr;
- ::1 $remote_addr;
- default 0.0.0.0;
-}
-log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
-'$status $body_bytes_sent "$http_referer" "$http_user_agent"';
-access_log /var/log/nginx/access.log main;
git add ../prod/docker-compose.yml
# Setting the version for Ansible
- pushd ../../
- echo $new_tag > "ansible/VERSION"
- git add "ansible/VERSION"
+ pushd ../../../lemmy-ansible
+ echo $new_tag > "VERSION"
+ git add "VERSION"
+ git commit -m"Updating VERSION"
+ git push
popd
fi
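Review bot: The new `pushd ../../../lemmy-ansible` has no failure check, so when that sibling checkout is absent the following `echo`, `git add`, `git commit` and `git push` run in the current directory, i.e. against this repository rather than the ansible one; unless the script's head (outside this hunk) sets `set -e`, a failed commit or push is also silently passed over before `popd`. Guard the directory change and chain the publishing steps, e.g. `pushd ../../../lemmy-ansible || exit 1` and `git commit -m "Updating VERSION" && git push`. `echo $new_tag > "VERSION"` writes an empty file when `new_tag` is unset or empty, and the playbook this commit removes read that file via `lookup('file', 'VERSION')` straight into the docker image tags, so the value is worth asserting before it is committed and pushed: `[ -n "$new_tag" ] || exit 1` followed by `printf '%s\n' "$new_tag" > VERSION`. The enclosing `if` block starts outside the hunk.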