diff --git a/.gitignore b/.gitignore index 6d0e0ba46c..2feec03c14 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ ansible/inventory +ansible/passwords/ diff --git a/ansible/lemmy.yml b/ansible/lemmy.yml index 8830f2034e..144479a65e 100644 --- a/ansible/lemmy.yml +++ b/ansible/lemmy.yml @@ -22,14 +22,28 @@ file: path={{item.path}} state=directory with_items: - { path: '/lemmy/' } + - { path: '/lemmy/volumes/' } + - { path: '/var/www/certbot' } - name: add all template files template: src={{item.src}} dest={{item.dest}} with_items: - - { src: '../docker/prod/docker-compose.yml', dest: '/lemmy/docker-compose.yml' } - - { src: 'nginx.conf', dest: '/lemmy/nginx.conf' } + - { src: 'templates/env', dest: '/lemmy/.env' } + - { src: 'templates/docker-compose.yml', dest: '/lemmy/docker-compose.yml' } + - { src: 'templates/nginx.conf', dest: '/lemmy/nginx.conf' } + vars: + postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}" + jwt_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/jwt chars=ascii_letters,digits') }}" - - name: request letsencrypt certificates + - name: set env file permissions + file: + path: "/lemmy/.env" + state: touch + mode: 0600 + access_time: preserve + modification_time: preserve + + - name: request initial letsencrypt certificate command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' args: creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem' 
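Review bot: `/lemmy/.env` is written by the "add all template files" task under the default umask and only tightened afterwards by the separate "set env file permissions" task, so the freshly generated database and JWT secrets are readable by other local users between the two tasks (and remain so if the play stops in between). The template module takes `mode` directly, so the permission can be applied when the file is written: `template: src={{item.src}} dest={{item.dest}} mode={{item.mode | default(omit)}}` with `- { src: 'templates/env', dest: '/lemmy/.env', mode: '0600' }`, after which the touch task is unnecessary. Quoting the mode as `'0600'` also avoids relying on YAML's octal-integer parsing of the bare `0600` in the new file task. The nested `{{ inventory_hostname }}` inside the string argument of `lookup('password', ...)` would be cleaner as Jinja concatenation, `'passwords/' ~ inventory_hostname ~ '/postgres chars=ascii_letters,digits'`. The task list these lines belong to starts above the hunk.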
@@ -46,9 +60,9 @@ state: present pull: yes - - name: renew certbot certificates + - name: certbot renewal cronjob cron: special_time=daily name=certbot-renew user=root - job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'" + job="certbot certonly --webroot --webroot-path=/var/www/certbot -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'" diff --git a/docker/prod/docker-compose.yml b/ansible/templates/docker-compose.yml similarity index 52% rename from docker/prod/docker-compose.yml rename to ansible/templates/docker-compose.yml index 271054fd5d..6904e6b2ef 100644 --- a/docker/prod/docker-compose.yml +++ b/ansible/templates/docker-compose.yml @@ -1,32 +1,32 @@ version: '2.4' services: + db: image: postgres:12-alpine restart: always environment: - POSTGRES_USER: rrr - POSTGRES_PASSWORD: rrr - POSTGRES_DB: rrr + POSTGRES_USER=lemmy + POSTGRES_PASSWORD=${DATABASE_PASSWORD} + POSTGRES_DB=lemmy volumes: - - db:/var/lib/postgresql/data + - ./volumes/db:/var/lib/postgresql/data healthcheck: - test: ["CMD-SHELL", "pg_isready -U rrr"] + test: ["CMD-SHELL", "pg_isready -U lemmy"] interval: 5s timeout: 5s retries: 20 + lemmy: image: dessalines/lemmy:v0.0.7.3 + restart: always ports: - "8536:8536" environment: - LEMMY_FRONT_END_DIR: /app/dist - DATABASE_URL: postgres://rrr:rrr@db:5432/rrr - JWT_SECRET: changeme - HOSTNAME: rrr - restart: always + LEMMY_FRONT_END_DIR=/app/dist + DATABASE_URL=postgres://rrr:rrr@db:5432/rrr + JWT_SECRET=${JWT_SECRET} + HOSTNAME=${DOMAIN} depends_on: db: condition: service_healthy -volumes: - db: diff --git a/ansible/templates/env b/ansible/templates/env new file mode 100644 index 0000000000..e97aeef7dc --- /dev/null +++ b/ansible/templates/env 
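Review bot: The renewal job's deploy hook on the changed `job=` line still points at `/peertube/docker-compose.yml`, while every other path in this playbook now lives under `/lemmy/` (the compose file is templated to `/lemmy/docker-compose.yml`), so after a successful renewal the reload step fails and the running nginx keeps serving the old certificate until it expires. The hook should read `--deploy-hook 'docker-compose -f /lemmy/docker-compose.yml exec nginx nginx -s reload'`. As far as this diff shows, the compose template in the next hunk defines no `nginx` service either, so the `exec nginx` target is worth checking against wherever nginx actually runs. The task list this hunk belongs to continues outside the hunk on both sides.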
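Review bot: The rewritten `environment:` blocks for both `db` and `lemmy` drop the `- ` list marker along with the `KEY: value` mapping form, so YAML parses each block as one folded plain string (`POSTGRES_USER=lemmy POSTGRES_PASSWORD=${DATABASE_PASSWORD} POSTGRES_DB=lemmy`) rather than a list or mapping, and docker-compose will reject the file. In the `lemmy` block `DATABASE_URL=postgres://rrr:rrr@db:5432/rrr` also keeps the old placeholder credentials while `POSTGRES_USER`, `POSTGRES_DB` and `POSTGRES_PASSWORD` moved to `lemmy` and `${DATABASE_PASSWORD}`, so the application could not connect even once the file parses. Both blocks should use the list form below; building `DATABASE_URL` from `${DATABASE_PASSWORD}` here keeps it in step with the db service without depending on the `.env` file expanding variables inside itself. The mapping `"8536:8536"` publishes the application port on every host interface; if only the nginx front end is meant to reach it, `"127.0.0.1:8536:8536"` narrows that.
```yaml
  db:
    # … unchanged: image, restart …
    environment:
      - POSTGRES_USER=lemmy
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=lemmy
    # … unchanged: volumes, healthcheck …

  lemmy:
    # … unchanged: image, restart, ports …
    environment:
      - LEMMY_FRONT_END_DIR=/app/dist
      - DATABASE_URL=postgres://lemmy:${DATABASE_PASSWORD}@db:5432/lemmy
      - JWT_SECRET=${JWT_SECRET}
      - HOSTNAME=${DOMAIN}
    # … unchanged: depends_on …
```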
@@ -0,0 +1,4 @@
+DOMAIN={{ domain }}
+DATABASE_PASSWORD={{ postgres_password }}
+DATABASE_URL=postgres://lemmy:${DATABASE_PASSWORD}@db:5432/lemmy
+JWT_SECRET={{ jwt_password }}
diff --git a/ansible/nginx.conf b/ansible/templates/nginx.conf
similarity index 100%
rename from ansible/nginx.conf
rename to ansible/templates/nginx.conf
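Review bot: `DATABASE_URL=postgres://lemmy:${DATABASE_PASSWORD}@db:5432/lemmy` relies on docker-compose expanding a variable defined earlier in the same `.env` file; whether that happens depends on the docker-compose release (older ones read `.env` values literally), and nothing in the compose template in this diff reads `DATABASE_URL` anyway. Either drop the line or render it fully from Ansible so it never depends on expansion: `DATABASE_URL=postgres://lemmy:{{ postgres_password }}@db:5432/lemmy`. The `chars=ascii_letters,digits` restriction on the generated passwords in the playbook is what keeps them safe to embed in a URL and on a dotenv line without quoting, which deserves a comment at the top of this template so nobody loosens it later, e.g. `# passwords are generated with chars=ascii_letters,digits only: no URL or dotenv escaping needed`.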