diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
deleted file mode 100644
index 696466297c..0000000000
--- a/ansible/ansible.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-[defaults]
-inventory = inventory
-interpreter_python = /usr/bin/python3
-
-[ssh_connection]
-pipelining = True
diff --git a/ansible/inventory.example b/ansible/inventory.example
deleted file mode 100644
index c5f98653d4..0000000000
--- a/ansible/inventory.example
+++ /dev/null
@@ -1,12 +0,0 @@
-[lemmy]
-# to get started, copy this file to `inventory` and adjust the values below.
-# - `myuser@example.com`: replace with the destination you use to connect to your server via ssh
-# - `domain=example.com`: replace `example.com` with your lemmy domain
-# - `letsencrypt_contact_email=your@email.com` replace `your@email.com` with your email address,
-# to get notifications if your ssl cert expires
-# - `lemmy_base_dir=/srv/lemmy`: the location on the server where lemmy can be installed, can be any folder
-# if you are upgrading from a previous version, set this to `/lemmy`
-myuser@example.com domain=example.com letsencrypt_contact_email=your@email.com lemmy_base_dir=/srv/lemmy
-
-[all:vars]
-ansible_connection=ssh
diff --git a/ansible/lemmy.yml b/ansible/lemmy.yml
deleted file mode 100644
index 831efaafb0..0000000000
--- a/ansible/lemmy.yml
+++ /dev/null
@@ -1,115 +0,0 @@ ---- -- hosts: all - - # Install python if required - # https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/ - gather_facts: False - pre_tasks: - - name: check lemmy_base_dir - fail: - msg: "`lemmy_base_dir` is unset. if you are upgrading from an older version, add `lemmy_base_dir=/lemmy` to your inventory file." - when: lemmy_base_dir is not defined - - - name: install python for Ansible - # python2-minimal instead of python-minimal for ubuntu 20.04 and up - raw: test -e /usr/bin/python || (apt -y update && apt install -y python3-minimal python3-setuptools) - args: - executable: /bin/bash - register: output - changed_when: output.stdout != '' - - - setup: # gather facts - - tasks: - - name: install dependencies - apt: - update_cache: yes - pkg: - - 'nginx' - - 'docker-compose' - - 'docker.io' - - 'certbot' - - - name: install certbot-nginx on ubuntu < 20 - apt: - pkg: - - 'python-certbot-nginx' - when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<') - - - name: install certbot-nginx on ubuntu > 20 - apt: - pkg: - - 'python3-certbot-nginx' - when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=') - - - name: request initial letsencrypt certificate - command: certbot certonly --nginx --agree-tos --cert-name '{{ domain }}' -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' - args: - creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem' - - - name: create lemmy folder - file: - path: '{{item.path}}' - owner: '{{item.owner}}' - state: directory - with_items: - - path: '{{lemmy_base_dir}}' - owner: 'root' - - path: '{{lemmy_base_dir}}/volumes/' - owner: 'root' - - path: '{{lemmy_base_dir}}/volumes/pictrs/' - owner: '991' - - - block: - - name: add template files - template: - src: '{{item.src}}' - dest: '{{item.dest}}' - mode: '{{item.mode}}' - with_items: - - src: 'templates/docker-compose.yml' - dest: 
'{{lemmy_base_dir}}/docker-compose.yml' - mode: '0600' - - src: 'templates/nginx.conf' - dest: '/etc/nginx/sites-enabled/lemmy.conf' - mode: '0644' - vars: - lemmy_docker_image: "dessalines/lemmy:{{ lookup('file', 'VERSION') }}" - lemmy_docker_ui_image: "dessalines/lemmy-ui:{{ lookup('file', 'VERSION') }}" - lemmy_port: "8536" - lemmy_ui_port: "1235" - - name: add minimal config file (only during initial setup) - template: - src: 'templates/config.hjson' - dest: '{{lemmy_base_dir}}/lemmy.hjson' - mode: '0600' - force: false - owner: '1000' - group: '1000' - vars: - postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}" - jwt_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/jwt chars=ascii_letters,digits') }}" - - name: enable and start docker service - systemd: - name: docker - enabled: yes - state: started - - name: start docker-compose - docker_compose: - project_src: '{{lemmy_base_dir}}' - state: present - pull: yes - remove_orphans: yes - - name: reload nginx with new config - shell: nginx -s reload - - name: certbot renewal cronjob - cron: - special_time: daily - name: certbot-renew-lemmy - user: root - job: "certbot certonly --nginx --cert-name '{{ domain }}' -d '{{ domain }}' --deploy-hook 'nginx -s reload'"
diff --git a/ansible/templates/config.hjson b/ansible/templates/config.hjson
deleted file mode 100644
index 5f7ca33267..0000000000
--- a/ansible/templates/config.hjson
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- # for more info about the config, check out the documentation
- # https://join-lemmy.org/docs/en/administration/configuration.html
-
- database: {
- host: postgres
- password: "{{ postgres_password }}"
- }
- hostname: "{{ domain }}"
- pictrs_url: "http://pictrs:8080"
- email: {
- smtp_server: "postfix:25"
- smtp_from_address: "noreply@{{ domain }}"
- use_tls: false
- }
-}
diff --git a/ansible/templates/nginx.conf b/ansible/templates/nginx.conf
deleted file mode 100644
index 64cf4afe90..0000000000
--- a/ansible/templates/nginx.conf
+++ /dev/null
@@ -1,117 +0,0 @@
-limit_req_zone $binary_remote_addr zone=lemmy_ratelimit:10m rate=1r/s;
-
-server {
- listen 80;
- listen [::]:80;
- server_name {{domain}};
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{domain}};
-
- ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
-
- # Various TLS hardening settings
- # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_session_timeout 10m;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # Hide nginx version
- server_tokens off;
-
- # Enable compression for JS/CSS/HTML bundle, for improved client load times.
- # It might be nice to compress JSON, but leaving that out to protect against potential
- # compression+encryption information leak attacks like BREACH. 
- gzip on;
- gzip_types text/css application/javascript image/svg+xml;
- gzip_vary on;
-
- # Only connect to this site via HTTPS for the two years
- add_header Strict-Transport-Security "max-age=63072000";
-
- # Various content security headers
- add_header Referrer-Policy "same-origin";
- add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "DENY";
- add_header X-XSS-Protection "1; mode=block";
-
- # Upload limit for pictrs
- client_max_body_size 20M;
-
- # frontend
- location / {
- # The default ports:
- # lemmy_ui_port: 1235
- # lemmy_port: 8536
-
- set $proxpass "http://0.0.0.0:{{lemmy_ui_port}}";
- if ($http_accept = "application/activity+json") {
- set $proxpass "http://0.0.0.0:{{lemmy_port}}";
- }
- if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
- set $proxpass "http://0.0.0.0:{{lemmy_port}}";
- }
- if ($request_method = POST) {
- set $proxpass "http://0.0.0.0:{{lemmy_port}}";
- }
- proxy_pass $proxpass;
-
- rewrite ^(.+)/+$ $1 permanent;
-
- # Send actual client IP upstream
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-
- # backend
- location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
- proxy_pass http://0.0.0.0:{{lemmy_port}};
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- # Rate limit
- limit_req zone=lemmy_ratelimit burst=30 nodelay;
-
- # Add IP forwarding headers
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-
-
- # Redirect pictshare images to pictrs
- location ~ /pictshare/(.*)$ {
- return 301 /pictrs/image/$1;
- }
-
-}
-
-# Anonymize IP addresses
-# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
-map $remote_addr $remote_addr_anon {
- ~(?P\d+\.\d+\.\d+)\. 
$ip.0;
- ~(?P[^:]+:[^:]+): $ip::;
- 127.0.0.1 $remote_addr;
- ::1 $remote_addr;
- default 0.0.0.0;
-}
-log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
-'$status $body_bytes_sent "$http_referer" "$http_user_agent"';
-access_log /var/log/nginx/access.log main;
diff --git a/docker/prod/deploy.sh b/docker/prod/deploy.sh
index 2caea980ce..bc31bb6280 100755
--- a/docker/prod/deploy.sh
+++ b/docker/prod/deploy.sh
@@ -13,9 +13,11 @@ if [ ! -z "${third_semver##*[!0-9]*}" ]; then
 git add ../prod/docker-compose.yml
 # Setting the version for Ansible
- pushd ../../
- echo $new_tag > "ansible/VERSION"
- git add "ansible/VERSION"
+ pushd ../../../lemmy-ansible
+ echo $new_tag > "VERSION"
+ git add "VERSION"
+ git commit -m"Updating VERSION"
+ git push
 popd
 fi
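Review bot: `pushd ../../../lemmy-ansible` is unguarded, so if that sibling checkout is absent the following `echo`, `git add`, `git commit` and `git push` run against the current (lemmy) repository and publish an unintended commit; use `pushd ../../../lemmy-ansible || exit 1` unless the script already runs under `set -e`, which is not visible in this hunk. `$new_tag` should be quoted, `echo "$new_tag" > "VERSION"`, and `git commit -m"Updating VERSION"` wants a space after `-m`. A bare `git push` pushes whatever branch that checkout happens to have checked out, so `git push origin HEAD` (or a named branch) would make this release step deterministic and easier to audit. The enclosing `if` block begins before this hunk.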