WIP for the instance configuration

inventory-prod

@@ -1,5 +1,5 @@
 [mastodon-app-servers]
-mastodon-app-01 ansible_host=ec2-52-40-81-237.us-west-2.compute.amazonaws.com
+mastodon-app-01 ansible_host=ec2-52-24-241-3.us-west-2.compute.amazonaws.com
 
 [ec2-bastion]
 localhost ansible_connection=local

mastodon.yml

@@ -6,11 +6,17 @@
   user: fedora
   become: yes
 
+  vars:
+    - region: us-west-2
+
   vars_files:
   - ./vars/users.yml
+  - ./vault.yml
 
   pre_tasks:
     - shell: dnf install -y python2 libselinux-python
 
   roles:
     - users
+    - docker-engine
+    - mastodon-compose

roles/docker-engine/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: docker installed
+  dnf:
+    state: installed
+    name: "{{item}}"
+  with_items:
+    - docker
+    - docker-compose
+
+- name: docker running and enabled
+  service:
+    name: docker
+    state: started
+    enabled: yes

roles/loadbalancer/tasks/main.yml

@@ -1,22 +1,36 @@
 ---
-- name: elb exists
-  ec2_elb_lb:
-    name: newtype-institute
-    region: "{{region}}"
-    state: present
-    subnets:
-      - "{{applications_subnet.subnet.id}}"
-    listeners:
-      - protocol: http
-        load_balancer_port: 80
-        instance_port: 80
-        proxy_protocol: yes
+# - name: elb exists
+#   ec2_elb_lb:
+#     name: newtype-institute
+#     region: "{{region}}"
+#     state: absent
 
-- name: instances are in elb
-  ec2_elb:
+# - name: Application Load Balancer
+#   elb_application_lb:
+#     name: newtype-institute
+#     security_groups:
+#       - "{{instance_security.group_id}}" # XXX: move this to using its own SG
+#     subnets:
+#       - subnet-012345678
+#       - subnet-abcdef000
+#     listeners:
+#       - Protocol: HTTP
+#         Port: 80
+#         SslPolicy: ELBSecurityPolicy-2015-05
+#         Certificates:
+#           - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
+#         DefaultActions:
+#           - Type: forward # Required. Only 'forward' is accepted at this time
+#             TargetGroupName: # Required. The name of the target group
+#     state: present
+
+# we just create an EIP since we only have one web worker; when there is more than one, let's move
+# to an ALB. i dont want to pay an extra 50 dollars a month to save myself 20 minutes next year.
+
+- name: EIP attached to instanced
+  ec2_eip:
+    device_id: "{{instance_up.tagged_instances[0].id}}"
     region: "{{region}}"
-    instance_id: "{{item.id}}"
-    ec2_elbs: "newtype-institute"
-    wait: no
-    state: present
-  with_items: "{{instance_up.tagged_instances}}"
+  register: eip
+
+- debug: msg="{{eip}}"

roles/mastodon-compose/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: psycopg2 is installed locally
+  dnf:
+    name: python2-psycopg2
+    state: installed
+
+- name: mastodon database exists
+  postgresql_db:
+    name: mastodon
+    state: present
+    login_host: "{{vault_rds_host}}"
+    login_user: "{{ansible_vault_rds_master_username}}"
+    login_password: "{{ansible_vault_rds_master_password}}"
+
+- name: mastodon working directory exists
+  file:
+    state: directory
+    owner: root
+    group: admins
+    mode: 0770
+    path: /var/lib/mastodon-docker
+
+- name: docker-compose up to date
+  template:
+    src: docker-compose.yaml.j2
+    dest: /var/lib/mastodon-docker/docker-compose.yml
+    owner: root
+    group: admins
+    mode: 0660
+
+- name: production environment file up to date
+  template:
+    src: production.sh.j2
+    dest: /var/lib/mastodon-docker/.env.production
+    owner: root
+    group: admins
+    mode: 0660

roles/mastodon-compose/templates/docker-compose.yaml.j2

@@ -0,0 +1,40 @@
+version: '3'
+services:
+
+  redis:
+    restart: always
+    image: redis:4.0-alpine
+
+  web:
+    image: gargron/mastodon
+    restart: always
+    env_file: .env.production
+    command: bundle exec rails s -p 3000 -b '0.0.0.0'
+    ports:
+      - "3000:3000"
+    depends_on:
+      - redis
+    volumes:
+      - ./public/assets:/mastodon/public/assets
+      - ./public/packs:/mastodon/public/packs
+      - ./public/system:/mastodon/public/system
+
+  streaming:
+    image: gargron/mastodon
+    restart: always
+    env_file: .env.production
+    command: npm run start
+    ports:
+      - "4000:4000"
+    depends_on:
+      - redis
+
+  sidekiq:
+    image: gargron/mastodon
+    restart: always
+    env_file: .env.production
+    command: bundle exec sidekiq -q default -q mailers -q pull -q push
+    depends_on:
+      - redis
+    volumes:
+      - ./public/system:/mastodon/public/system

roles/mastodon-compose/templates/production.sh.j2

@@ -0,0 +1,98 @@
+# Service dependencies
+# You may set REDIS_URL instead for more advanced options
+# You may also set REDIS_NAMESPACE to share Redis between multiple Mastodon servers
+REDIS_HOST=redis
+REDIS_PORT=6379
+# You may set DATABASE_URL instead for more advanced options
+DB_HOST={{vault_rds_host}}
+DB_USER={{ansible_vault_rds_master_username}}
+DB_NAME=mastodon
+DB_PASS={{ansible_vault_rds_master_password}}
+DB_PORT=5432
+
+# Federation
+# Note: Changing LOCAL_DOMAIN or LOCAL_HTTPS at a later time will cause unwanted side effects.
+# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
+LOCAL_DOMAIN=newtype.institute
+LOCAL_HTTPS=true
+
+# Application secrets
+# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+PAPERCLIP_SECRET={{paperclip_secret}}
+SECRET_KEY_BASE={{base_secret}}
+OTP_SECRET={{otp_secret}}
+
+# VAPID keys (used for push notifications
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+VAPID_PRIVATE_KEY={{vapid_private}}
+VAPID_PUBLIC_KEY={{vapid_public}}
+
+# Registrations
+# Single user mode will disable registrations and redirect frontpage to the first profile
+# SINGLE_USER_MODE=true
+# Prevent registrations with following e-mail domains
+# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
+# Only allow registrations with the following e-mail domains
+# EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc
+
+# Optionally change default language
+DEFAULT_LOCALE=en
+
+# E-mail configuration
+# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
+# If you want to use an SMTP server without authentication (e.g local Postfix relay)
+# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
+# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
+SMTP_SERVER=
+SMTP_PORT=587
+SMTP_LOGIN=
+SMTP_PASSWORD=
+SMTP_FROM_ADDRESS=haro@newtype.institute
+#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
+#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
+#SMTP_AUTH_METHOD=plain
+#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+#SMTP_OPENSSL_VERIFY_MODE=peer
+#SMTP_ENABLE_STARTTLS_AUTO=true
+#SMTP_TLS=true
+
+# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
+# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
+# PAPERCLIP_ROOT_URL=/system
+
+# Optional asset host for multi-server setups
+# CDN_HOST=https://assets.newtype.institute
+
+# S3 (optional)
+S3_ENABLED=true
+S3_BUCKET={{s3_bucket}}
+AWS_ACCESS_KEY_ID={{s3_access_key_id}}
+AWS_SECRET_ACCESS_KEY={{s3_secret_access_key}}
+S3_REGION={{region}}
+# S3_PROTOCOL=http
+# S3_HOSTNAME=192.168.1.123:9000
+
+# Optional alias for S3 if you want to use Cloudfront or Cloudflare in front
+# S3_CLOUDFRONT_HOST=
+
+# Streaming API integration
+# STREAMING_API_BASE_URL=
+
+# Advanced settings
+# If you need to use pgBouncer, you need to disable prepared statements:
+# PREPARED_STATEMENTS=false
+
+# Cluster number setting for streaming API server.
+# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
+STREAMING_CLUSTER_NUM=1
+
+# Docker mastodon user
+# If you use Docker, you may want to assign UID/GID manually.
+UID=10000
+GID=10000

vars/users.yml

@@ -3,7 +3,23 @@ app_host_groups:
     gid: 10001
     system: no
 
+  - name: mastodon
+    gid: 5000
+    system: yes
+
+  - name: docker
+    gid: 5001
+    system: yes
+
 app_host_users:
+  - name: mastodon
+    comment: mastodon system user
+    state: present
+    uid: 5000
+    group: mastodon
+    groups: []
+    public_key: ""
+
   - name: rrix
     comment: Ryan Rix
     state: present
@@ -12,3 +28,4 @@ app_host_users:
     group: admins
     groups:
       - wheel
+      - docker

vault.yml

@@ -1,10 +1,54 @@
 $ANSIBLE_VAULT;1.1;AES256
-62393733656331633939343234373961346431393133633630656464623762393434643230653363
-3838653133653739396634316361333230313863396263380a623866326166643962306662613965
-31353065336333666535663266393763383638633834386434633734613133353865613562643163
-3565333363336663310a336465396437393930383962316563643331653331326236663764653935
-66653762663232313034313832333364333362626163313438346139613437393437333765363935
-37623135313064383462313965343234616566376333343730623063363839366136393132316536
-64346362383131626238653531313234393435663734623336613562623662623537323439306238
-37393037643830303063643739613937323539663732393334396161646536613764366334623465
-6432
+61346331323964353735313938353835343632363365623065363734626131643833393031613130
+6633613133383361393461373164376237316237313565330a626236356433376534613637316163
+66396130363365376431623030306136316465626337363963343030363837363063333061343632
+3164376630336334650a616431303164313930366262353163646631306230343364613561333032
+61373434666632376131666132383037383436353265663237313839636264663061663063623131
+30353333323935333338346230653731323933653761393265626332346238333163396333663234
+33353863626166313434623638316532353764353430663338333831326539303536333435373533
+39623335323665653138343064636265613539626335356663663834303464393635343739643561
+65656161653964613731643437343665323930666430353436343663343166633862366134303838
+65666137633466363331393739336633306536333836336137633438643438303639666533323965
+63306361346232306235386539653466333238653333653432393364396164323537373066336332
+66323038646666643661313439333165303432393263613935643832313531616266353937393935
+64663163613133323138343262353031656435333234376632323933656232623331666433356634
+65373431353835613133383730623764336432343830646430653633633434306634663866393939
+62363436383735373430383335623135306263356263313035626431616635363332396437323863
+30616261323435366163643166643666383766633834363737623931623735356231613637303333
+32616233666533313031323462373666373933333735653332636138323437613763343333383234
+61353564396536313263386338346432623464356565633233613665333462326433653034316266
+65313431356639363631633763383838623364383163386661306236303364393435316335326162
+31346463313034376633353066613065336638356666643631383733393763643136343161313937
+33366334316535323266386264663033343739333930656263313630383337396564366566373263
+36336465393462623430373562333335363032643434363362393664646164386566343365623937
+64393963396334396262366130623538303665313933393865633962653230383935326339356333
+62626338633032353562393465343238383362633638333334393231623339623466396464326535
+61383538663938386463383866616165626335366531633966616631613736353131376333656563
+62343730653462613233306265646639363535313663353631373632336261393234663339333437
+31666662393731333539656538636233393762643739363965613231323266383232353262343364
+34643666346564346635636361636638313263613833383235333635323032363138353135653366
+37333337653036336537333536363636353666316664663438343965336337643537326130303133
+30326538376236623630653635343566373662316239386531343838343934643539356539623339
+33316664643763363533366434346539303430653234353933623964636664616233313030653232
+34333564346333353934656364653961666132313735666435313738316238333133336134636334
+61646337663563366662643938636534666139626531306434663566326162643838663839316633
+34346439353135616136633766623266333431313664626166623933393037333230356232653631
+65666235386366393061346465303238353536303031623338626562616437376632303034373231
+38626163376465356231633466383264643234666366376433376334363261326466366263376433
+38643136396663656661323130303833356663376564306666396331656431323062633332336532
+66396661323132653835356439636639346132316437633565333063616261366539383634343130
+63636134653038346433386362336165366431623361616663633234333830336331633334303163
+64333937633861333930663636393361353731656438663263353834633762333939303233326162
+63373735643630393566636231313732323562623166336434323266393365623632366238393237
+35346536653136333964396139386237353032643931316138613033396362626132303436313133
+63633765653630343337323065616136333832323638306135353965623937623137353237333335
+37326531316265663630656138376231336461313138653739343665363638383262666663323266
+32396262663162613063613065343038626534316632383765316232366366616238626537643031
+62646561383536346233666533656330396365303133353462653565323739626335633636613563
+33343564656264376635653637653731633432326161356165383866303334323231616438653932
+65316438646666363836646433313833646435303434653030653065666139346364396137376637
+38383238613661373234323639656639333863373162633939363234663361623862386266633562
+31633834643033666236393363303334303036376633383237666266346566353061386563373262
+32306531666332386662616438393735653236646666323136653266633537373565663834353066
+31323863343535373539663462303737616661316333643830386362396565643361326265653865
+66343536303737356136303533306238366430643836383637623862646561663264