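---
# Deploys a Lemmy instance on an Enterprise Linux 9 host (AlmaLinux and
# compatible). Per-instance settings come from
# inventory/host_vars/<domain>/vars.yml; `domain` and `lemmy_base_dir` are
# expected from the inventory.
- name: Install Lemmy
  hosts: all
  gather_facts: true
  vars_files:
    - "inventory/host_vars/{{ domain }}/vars.yml"
  pre_tasks:
    # Runs on the controller so the version gate applies before anything is
    # executed on the target host.
    - name: Assert that Ansible version is >= 2.11.0
      delegate_to: localhost
      ansible.builtin.assert:
        that:
          - "ansible_version.full is version('2.11.0', '>=')"
        fail_msg: "This playbook requires Ansible 2.11.0 or higher"
      become: false
    # This is not needed for this playbook as it predates its existence
    # But we're keeping it for funsies :)
    - name: Check lemmy_base_dir
      ansible.builtin.fail:
        msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file."
      when: lemmy_base_dir is not defined
    # The old passwords/postgres file was renamed to passwords/postgres.psk;
    # refuse to continue while the legacy file is still present on the
    # controller so the upgrade note is not missed.
    - name: Check for legacy passwords/postgres file
      delegate_to: localhost
      ansible.builtin.stat:
        path: "inventory/host_vars/{{ domain }}/passwords/postgres"
      register: postgres_password_file
      become: false
    - name: Legacy use of passwords/postgres file
      delegate_to: localhost
      ansible.builtin.fail:
        msg: >-
          In current versions of the Lemmy Ansible playbooks, the passwords/postgres file must be renamed to passwords/postgres.psk.
          See https://github.com/LemmyNet/lemmy-ansible#upgrading
      when: postgres_password_file.stat.exists
      become: false
    # NOTE(review): vars_files above already loads this exact path, so a
    # missing vars.yml should abort the play before pre_tasks run; these two
    # tasks only add a friendlier message — confirm they are ever reached.
    - name: Check for vars.yml file
      delegate_to: localhost
      ansible.builtin.stat:
        path: "inventory/host_vars/{{ domain }}/vars.yml"
      register: vars_file
      become: false
    - name: Missing vars.yml file
      delegate_to: localhost
      ansible.builtin.fail:
        msg: >-
          Missing vars.yml file, please refer to the installations instructions. See https://github.com/LemmyNet/lemmy-ansible#install
          and https://github.com/LemmyNet/lemmy-ansible#upgrading
      when: not vars_file.stat.exists
      become: false
  handlers:
    # Notified by "Distribute nginx site templates".
    - name: Reload nginx
      ansible.builtin.systemd:
        name: nginx
        state: reloaded
    # Declared but not notified by any task in this play.
    - name: Reload firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: reloaded
  vars:
    # Backend port for the Lemmy container (presumably consumed by the
    # docker-compose and nginx templates — those are not in this file).
    # Seeded with the domain so the value is stable across runs instead of a
    # fresh random port on every run, which would rewrite both templates and
    # recreate the container; an explicit lemmy_web_port always wins. The
    # "Set lemmy_port fact" task below uses the same expression.
    lemmy_port: "{{ lemmy_web_port | default(32767 | random(start=1024, seed=domain)) }}"
  tasks:
    - name: Ensure target system is >= EL9
      ansible.builtin.assert:
        that:
          - ansible_distribution in ['AlmaLinux', 'CentOS', 'RedHat', 'Rocky']
          - ansible_distribution_major_version | int >= 9
        fail_msg: "This playbook requires Enterprise Linux 9 or greater on the target server"
      tags:
        - always
    # NOTE(review): the mirrorlist and GPG key below are AlmaLinux 9 specific,
    # while the assert above also admits CentOS, RedHat and Rocky; on those the
    # key file path will not exist — verify before relying on the wider list.
    - name: Enable CRB repository
      ansible.builtin.yum_repository:
        name: almalinux-crb
        description: AlmaLinux $releasever - CRB
        mirrorlist: https://mirrors.almalinux.org/mirrorlist/$releasever/crb
        gpgcheck: true  # packages from this repo are signature-checked against gpgkey
        gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
        enabled: true
      tags:
        - dependencies
    - name: Install epel-release
      ansible.builtin.dnf:
        state: present
        name: epel-release
      tags:
        - dependencies
    - name: Install dependencies
      ansible.builtin.dnf:
        state: present
        name:
          - certbot
          - cronie
          - curl
          - nginx
          - podman
          - podman-compose
          - podman-docker
          - python3-certbot-nginx
          - python3-docker
          - python3-pip
          - python3-podman
          - python3-virtualenv
          - python3-setuptools
      tags:
        - dependencies
    # service_facts feeds the firewalld condition on the next task.
    - name: Gather service facts
      ansible.builtin.service_facts:
      tags:
        - firewalld
    # Opens 80/443 only when firewalld is already running on the host; when it
    # is not, no firewall rule is managed by this play.
    - name: Allow http/httpd traffic to public zone in firewalld
      ansible.posix.firewalld:
        service: "{{ item }}"
        state: enabled
        zone: public
        permanent: true
        immediate: true
      loop:
        - http
        - https
      when: "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'"
      tags:
        - firewalld
    # httpd_can_network_connect allows any httpd_t process (nginx) to open
    # outbound network connections, which is broader than a reverse proxy to a
    # local port needs. NOTE(review): check whether the narrower
    # httpd_can_network_relay is sufficient for the proxy target.
    - name: Adjust SELinux to allow HTTPD scripts and modules to connect to the network
      ansible.posix.seboolean:
        name: httpd_can_network_connect
        state: true
        persistent: true
      tags:
        - nginx
        - selinux
    # Tagged certbot/ssl as well because the certificate request below uses
    # the nginx plugin.
    - name: Start and enable nginx.service
      ansible.builtin.systemd:
        name: nginx.service
        state: started
        enabled: true
      tags:
        - certbot
        - certbot_initial
        - nginx
        - ssl
    # TODO: certbot logic needs to be re-worked
    # Runs only until the private key exists (creates:), so re-runs do not
    # request a new certificate; renewal is left to certbot-renew.timer at the
    # end of the play.
    - name: Request initial letsencrypt certificate
      ansible.builtin.command: certbot certonly --nginx --agree-tos --cert-name '{{ domain }}' -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
      args:
        creates: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
      tags:
        - certbot
        - certbot_initial
        - ssl
    - name: Create lemmy folder
      ansible.builtin.file:
        path: "{{ item.path }}"
        owner: "{{ item.owner }}"
        state: directory
        mode: "0755"
      loop:
        - path: "{{ lemmy_base_dir }}/{{ domain }}/"
          owner: "root"
        - path: "{{ lemmy_base_dir }}/{{ domain }}/volumes/"
          owner: "root"
        - path: "{{ lemmy_base_dir }}/{{ domain }}/volumes/pictrs/"
          owner: "991"  # Matches docker-compose UID in docker-compose.yml
        # NOTE(review): EL nginx packages run as the `nginx` user and a stock
        # EL9 host has no `www-data`; unless that account is created elsewhere
        # this chown fails — confirm against the nginx.conf template.
        - path: "/var/cache/lemmy/{{ domain }}/"
          owner: "www-data"
      tags:
        - directories
    # Pins lemmy_port as a host fact for the rest of the run. Same expression
    # as the play-level var: explicit lemmy_web_port, else a port derived
    # deterministically from the domain so re-runs keep the same port.
    - name: Set lemmy_port fact
      ansible.builtin.set_fact:
        lemmy_port: "{{ lemmy_web_port | default(32767 | random(start=1024, seed=domain)) }}"
      tags:
        - always
    - name: Distribute docker/podman templates
      ansible.builtin.template:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      loop:
        - src: "templates/docker-compose.yml"
          dest: "{{ lemmy_base_dir }}/{{ domain }}/docker-compose.yml"
          mode: "0600"  # root-only; the compose file is treated as sensitive
        - src: "templates/nginx_internal.conf"
          dest: "{{ lemmy_base_dir }}/{{ domain }}/nginx_internal.conf"
          mode: "0644"
      vars:
        # Version comes from lemmy_version (UI optionally lemmy_ui_version),
        # falling back to the VERSION file next to the playbook.
        # Images are resolved by tag only and tags are mutable upstream; for a
        # reproducible pull append a digest, e.g. `lemmy:<tag>@sha256:<digest>`
        # (placeholder — use the real digest of the release).
        lemmy_docker_image: "docker.io/dessalines/lemmy:{{ lemmy_version | default(lookup('file', 'VERSION')) }}"
        lemmy_docker_ui_image: "docker.io/dessalines/lemmy-ui:{{ lemmy_ui_version | default(lemmy_version | default(lookup('file', 'VERSION'))) }}"
      tags:
        - docker
        - podman
    # TODO: Move to templates/, keeping consistent with upstream currently
    # to ensure documentation is accurate
    # Rendered per domain from the inventory; 0600 and container UID/GID so
    # only root and the Lemmy process can read it.
    - name: Add the config.hjson
      ansible.builtin.template:
        # src: "templates/{{ domain }}/config.hjson"
        src: "inventory/host_vars/{{ domain }}/config.hjson"
        dest: "{{ lemmy_base_dir }}/{{ domain }}/lemmy.hjson"
        mode: "0600"
        owner: "1000"  # Match UID in container
        group: "1000"  # Match GID in container
      tags:
        - configs
    # TODO: Move to files/, keeping consistent with upstream currently
    # to ensure documentation is accurate
    - name: Add the customPostgresql.conf
      ansible.builtin.template:
        # src: "files/{{ domain }}/customPostgresql.conf"
        src: "inventory/host_vars/{{ domain }}/customPostgresql.conf"
        dest: "{{ lemmy_base_dir }}/{{ domain }}/customPostgresql.conf"
        mode: "0644"
        owner: root
        group: root
      tags:
        - configs
        - postgresql
    - name: Distribute nginx proxy_params configuration
      ansible.builtin.copy:
        src: files/proxy_params
        dest: "{{ lemmy_base_dir }}/{{ domain }}/proxy_params"
        owner: root
        group: root
        mode: "0644"
      tags:
        - nginx
    # Installs the public site config; nginx is reloaded via handler at the end
    # of the play, not immediately.
    - name: Distribute nginx site templates
      ansible.builtin.template:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      loop:
        - src: "templates/nginx.conf"
          dest: "/etc/nginx/conf.d/{{ domain }}.conf"
          mode: "0644"
      notify: Reload nginx
      tags:
        - nginx
    # TODO: Check if this is necessary with EL & podman
    # - name: Copy docker config
    #   ansible.builtin.copy:
    #     src: "{{ ansible_playbook }}/files/docker-daemon.json"
    #     dest: /etc/docker/daemon.json
    #     mode: '0644'
    # TODO: podman-compose should wrap this safely
    # TODO: This was an incorrect assumption, module uses docker python module, not cli
    # - name: Run podman-compose
    #   docker_compose:
    #     project_src: "{{ lemmy_base_dir }}/{{ domain }}"
    #     state: present
    #     pull: yes
    #     remove_orphans: yes
    #   tags:
    #     - docker
    #     - docker_compose
    #     - podman
    #     - podman_compose
    - name: Start and enable podman service
      ansible.builtin.systemd:
        name: podman.service
        state: started
        enabled: true
      tags:
        - docker
        - podman
    # Both compose commands are plain commands with changed_when: true, so
    # they always report "changed" even when nothing was pulled or restarted.
    - name: Run podman-compose pull
      ansible.builtin.command: podman-compose pull
      args:
        chdir: "{{ lemmy_base_dir }}/{{ domain }}"
      changed_when: true
      tags:
        - docker
        - podman
    - name: Run podman-compose up
      ansible.builtin.command: podman-compose up -d
      args:
        chdir: "{{ lemmy_base_dir }}/{{ domain }}"
      changed_when: true
      tags:
        - docker
        - podman
    # This isn't using any jinja2 templating currently
    - name: Distribute /etc/sysconfig/certbot
      ansible.builtin.template:
        src: "templates/sysconfig-certbot.j2"
        dest: "/etc/sysconfig/certbot"
        mode: "0644"
      tags:
        - certbot
        - ssl
    # Automatic renewal of the certificate requested above.
    - name: Enable certbot-renew.timer
      ansible.builtin.systemd:
        name: certbot-renew.timer
        state: started
        enabled: true
      tags:
        - certbot
        - ssl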