diff --git a/tasks/main.yml b/tasks/main.yml index c0b3b60..9b30656 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,43 +1,45 @@ -- name: docker directory - file: +- name: Dossier pour le service docker + ansible.builtin.file: path: /opt/{{ docker_mastodon_service_id }}/ state: directory -- name: prepare docker-compose.yml - template: +- name: Prepare docker-compose.yml + ansible.builtin.template: src: "{{ item }}" dest: /opt/{{ docker_mastodon_service_id }}/ with_items: - docker-compose.yml - .env.production - -- name: generate secrets +- name: Generation des secrets when: docker_mastodon_gen_secrets is true block: - - - name: docker-compose-gen-secrets - shell: | - docker compose down - echo "Placer les valeurs suivantes dans les variables du playbook mastodon :" - echo SECRET_KEY_BASE=$(docker-compose run --rm web bundle exec rake secret) - echo OTP_SECRET=$(docker-compose run --rm web bundle exec rake secret) - docker compose run --rm web bundle exec rake mastodon:webpush:generate_vapid_key - args: - chdir: /opt/{{ docker_mastodon_service_id }}/ - register: secrets - - - debug: - msg: "{{ secrets.stdout_lines }}" - -- name: Playbook stops here if docker_mastodon_gen_secrets is set - assert: + + - name: Script pour la génération des secrets + ansible.builtin.shell: | + docker compose down + echo "Placer les valeurs suivantes dans les variables du playbook mastodon :" + echo SECRET_KEY_BASE=$(docker compose run --rm web bundle exec rake secret) + echo OTP_SECRET=$(docker compose run --rm web bundle exec rake secret) + docker compose run --rm web bundle exec rake mastodon:webpush:generate_vapid_key + docker compose run --rm web bin/rails db:encryption:init + docker compose down + args: + chdir: /opt/{{ docker_mastodon_service_id }}/ + register: secrets + + - name: Affiche les secrets + ansible.builtin.debug: + msg: "{{ secrets.stdout_lines }}" + +- name: On s'arrête ici si docker_mastodon_gen_secrets est défini + ansible.builtin.assert: that: - docker_mastodon_gen_secrets is false ### initialize-data -- name: docker-compose-initialize-data - shell: | +- name: Migration BDD 
et précompilation + ansible.builtin.shell: | docker compose down docker compose run --rm web rails db:migrate docker compose run --rm web rails assets:precompile @@ -46,8 +48,8 @@ chdir: /opt/{{ docker_mastodon_service_id }}/ when: docker_mastodon_initialize_data is true -- name: docker-compose-up - shell: | +- name: Démarrage + ansible.builtin.shell: | docker compose up -d args: chdir: /opt/{{ docker_mastodon_service_id }}/ diff --git a/templates/.env.production b/templates/.env.production index b4c51ea..b3425ca 100644 --- a/templates/.env.production +++ b/templates/.env.production @@ -31,14 +31,25 @@ ES_PASS=password # Secrets # ------- -# Make sure to use `rake secret` to generate secrets +# Make sure to use `bundle exec rake secret` to generate secrets # ------- SECRET_KEY_BASE={{ docker_mastodon_secret_key_base }} OTP_SECRET={{ docker_mastodon_otp_secret }} +# Encryption secrets +# ------------------ +# Must be available (and set to same values) for all server processes +# These are private/secret values, do not share outside hosting environment +# Use `bin/rails db:encryption:init` to generate fresh secrets +# Do not change these secrets once in use, as this would cause data loss and other issues +# ------------------ +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ docker_mastodon_active_record_encryption_deterministic_key }} +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ docker_mastodon_active_record_encryption_key_derivation_salt }} +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ docker_mastodon_active_record_encryption_primary_key }} + # Web Push # -------- -# Generate with `rake mastodon:webpush:generate_vapid_key` +# Generate with `bundle exec rake mastodon:webpush:generate_vapid_key` # -------- VAPID_PRIVATE_KEY={{ docker_mastodon_vapid_private_key }} VAPID_PUBLIC_KEY={{ docker_mastodon_vapid_public_key }} 
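Review bot: The `ansible.builtin.template` task that renders `.env.production` (context lines near the top of this hunk) sets no `mode`, so a file holding SECRET_KEY_BASE, OTP_SECRET and the new ACTIVE_RECORD_ENCRYPTION_* keys is created with the remote umask, typically world-readable; add `mode: "0600"` (plus `owner`/`group` matching the account that runs compose) to that task. The secret-generation shell task is registered and printed by the following debug task, which is the intent, but the raw result is also emitted on verbose runs and by callback plugins, so `no_log: true` on the shell task would confine the disclosure to the single explicit debug. `docker_mastodon_gen_secrets is true` only matches a real boolean, so a value supplied as `-e docker_mastodon_gen_secrets=true` (a string) skips the block and then trips the assert below; either document that or test `docker_mastodon_gen_secrets | bool`. The template task also references the three new encryption variables before they can exist on a bootstrap run, so unless the role's defaults declare them the run fails at the template step rather than reaching the generator.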
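Review bot: `Démarrage` runs `docker compose up -d` through `ansible.builtin.shell` without `changed_when`, so every run reports the host as changed even when nothing was started. If the `community.docker` collection is available, `community.docker.docker_compose_v2` with `state: present` and `project_src` pointing at the same directory is idempotent and reports change only when containers are (re)created; otherwise derive `changed_when` from the command output.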
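Review bot: The three new ACTIVE_RECORD_ENCRYPTION_* lines are rendered unconditionally, yet on the bootstrap run (the one that generates them) the corresponding role variables cannot be known; unless defaults declare them, templating `.env.production` aborts before the generator task runs. Rendering them as `{{ docker_mastodon_active_record_encryption_primary_key | default('') }}` (and likewise for the other two) lets the bootstrap proceed, while the block comment's own warning that these must never change once in use should be repeated in the role README next to the variable names. These values are key material on the same footing as `docker_mastodon_secret_key_base` and belong in a vault-encrypted vars file, not in plain group_vars.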
@@ -59,6 +70,13 @@ AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= S3_ALIAS_HOST=files.example.com +# IP and session retention +# ----------------------- +# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml +# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800). +# ----------------------- +IP_RETENTION_PERIOD=31556952 +SESSION_RETENTION_PERIOD=31556952 {% if docker_mastodon_oidc_enabled is true %} # OpenID Connect configuration diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index 7082762..f4785f0 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml @@ -1,5 +1,4 @@ # {{ ansible_managed }} -version: '3' services: db: restart: always @@ -36,7 +35,7 @@ services: - mastodon healthcheck: # prettier-ignore - test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1'] + test: ['CMD-SHELL',"curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || exit 1"] depends_on: - db - redis @@ -53,16 +52,16 @@ services: streaming: - image: tootsuite/mastodon:{{ docker_mastodon_image_version }} + image: tootsuite/mastodon-streaming:{{ docker_mastodon_image_version }} restart: always env_file: .env.production - command: node ./streaming + command: node ./streaming/index.js networks: - traefik - mastodon healthcheck: # prettier-ignore - test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1'] + test: ['CMD-SHELL', "curl -s --noproxy localhost localhost:4000/api/v1/streaming/health | grep -q 'OK' || exit 1"] labels: - traefik.enable=true - traefik.docker.network=traefik
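Review bot: IP_RETENTION_PERIOD and SESSION_RETENTION_PERIOD are hard-coded to one year while every other tunable in this template is a role variable, so an operator with a stricter data-retention policy for client IP addresses cannot lower them without forking the template. Rendering them as `IP_RETENTION_PERIOD={{ docker_mastodon_ip_retention_period | default('31556952') }}` (variable name illustrative, same pattern for the session value) keeps the current value as the default and makes the retention choice visible in the role's variables.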
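Review bot: The new web healthcheck flow sequence has no space after the first comma (`['CMD-SHELL',"curl …`) and mixes single and double quotes in one list, whereas the streaming healthcheck in the last hunk writes the same construct with the space; the two should agree, e.g. `test: ['CMD-SHELL', "curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || exit 1"]`. The `# prettier-ignore` above it is still needed, since Prettier would otherwise rewrite the quoting.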
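Review bot: Switching the streaming service to `tootsuite/mastodon-streaming:{{ docker_mastodon_image_version }}` with `node ./streaming/index.js` ties this template to image versions that publish a separate streaming image, and `db:encryption:init` in the tasks likewise presumes a release that ships Active Record encryption, but nothing validates `docker_mastodon_image_version`. An `ansible.builtin.assert` on the version (or at least a note in the role README and in the default for `docker_mastodon_image_version` giving the minimum supported release — 4.3 as far as I recall, to be confirmed) would turn a pull failure into a clear message.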