Deploy mastodon v0.1

roles/mastodon/tasks/db.yml

@@ -0,0 +1,30 @@
+---
+- name: Populate database variables
+  ansible.builtin.include_vars:
+    file: db.yml
+
+- name: Create DB instance for mastodon
+  containers.podman.podman_container:
+    name: database
+    image: docker.io/library/postgres:17
+    network:
+      - "{{ mastodon_networks['mastodon_internal']['name'] }}"
+    env:
+      POSTGRES_DB: mastodon
+      POSTGRES_USER: "{{ mastodon_database.username }}"
+      POSTGRES_PASSWORD: "{{ mastodon_database.password }}"
+    volumes:
+      - "/home/apps/mastodon/postgresql:/var/lib/postgresql/data:Z"
+    generate_systemd:
+      new: true
+      restart_policy: "always"
+      path: "~/.config/systemd/user/"
+      force: true
+    healthcheck: "pg_isready -U postgres"
+
+- name: Activate database container service
+  ansible.builtin.systemd_service:
+    name: container-database.service
+    state: started
+    enabled: true
+    scope: user

roles/mastodon/tasks/elasticsearch.yml

@@ -0,0 +1,31 @@
+---
+- name: Create Elasticsearch instance for mastodon
+  containers.podman.podman_container:
+    name: elasticsearch
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.29
+    network:
+      - "{{ mastodon_networks['mastodon_internal']['name'] }}"
+      - "{{ mastodon_networks['mastodon_external']['name'] }}"
+    volumes:
+      - "/home/apps/mastodon/elasticsearch:/usr/share/elasticsearch/data:Z"
+    env:
+      ES_JAVA_OPTS: "-Xms512m -Xmx512m -Des.enforce.bootstrap.checks=true"
+      xpack.license.self_generated.type: "basic"
+      xpack.security.enabled: "false"
+      xpack.watcher.enabled: "false"
+      xpack.graph.enabled: "false"
+      xpack.ml.enabled: "false"
+      bootstrap.memory_lock: "true"
+      cluster.name: "es-mastodon"
+      discovery.type: "single-node"
+      thread_pool.write.queue_size: "1000"
+    #    generate_systemd:
+    #      new: true
+    #      restart_policy: "always"
+    #      path: "~/.config/systemd/user/"
+    #      force: true
+    restart_policy: "always"
+    healthcheck: "curl --silent --fail localhost:9200/_cluster/health || exit 1"
+    ulimit:
+      - "nofile=65536:65536"
+      - "memlock=-1:-1"

roles/mastodon/tasks/main.yml

@@ -0,0 +1,39 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for mastodon
+
+- name: Setup mastodon networks
+  containers.podman.podman_network:
+    name: "{{ item['key'] }}"
+    driver: "{{ item['value']['driver'] }}"
+    disable_dns: "{{ item['value']['disable_dns'] }}"
+  loop: "{{ mastodon_networks | dict2items }}"
+
+- name: Setup local directories
+  ansible.builtin.file:
+    name: "{{ item }}"
+    state: directory
+  loop: "{{ mastodon_local_dirs }}"
+
+- name: Populate active record variables
+  ansible.builtin.include_vars:
+    file: web.yml
+
+- name: Populate smtp variables
+  ansible.builtin.include_vars:
+    file: smtp.yml
+
+- name: Create database container instance
+  ansible.builtin.include_tasks: db.yml
+
+- name: Create redis container instance
+  ansible.builtin.include_tasks: redis.yml
+
+- name: Create elasticsearch container instance
+  ansible.builtin.include_tasks: elasticsearch.yml
+
+- name: Create web container instance
+  ansible.builtin.include_tasks: web.yml
+
+- name: Create sidekiq container instance
+  ansible.builtin.include_tasks: sidekiq.yml

roles/mastodon/tasks/redis.yml

@@ -0,0 +1,22 @@
+---
+- name: Create Redis instance for mastodon
+  containers.podman.podman_container:
+    name: redis
+    image: docker.io/library/redis:7
+    network:
+      - "{{ mastodon_networks['mastodon_internal']['name'] }}"
+    volumes:
+      - "/home/apps/mastodon/redis:/data:Z"
+    generate_systemd:
+      new: true
+      restart_policy: "always"
+      path: "~/.config/systemd/user/"
+      force: true
+    healthcheck: "redis-cli ping"
+
+- name: Activate elasticsearch container service
+  ansible.builtin.systemd_service:
+    name: container-redis.service
+    state: started
+    enabled: true
+    scope: user

roles/mastodon/tasks/sidekiq.yml

@@ -0,0 +1,48 @@
+---
+# TODO: it's not idempotent
+- name: Create Sidekiq instance of mastodon
+  containers.podman.podman_container:
+    name: sidekiq
+    image: ghcr.io/mastodon/mastodon:v4.5.5
+    network:
+      - "{{ mastodon_networks['mastodon_internal']['name'] }}"
+      - "{{ mastodon_networks['mastodon_external']['name'] }}"
+    command: "bundle exec sidekiq"
+    env:
+      LOCAL_DOMAIN: "wtf.lt"
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      DB_HOST: database
+      DB_NAME: mastodon
+      DB_USER: "{{ mastodon_database.username }}"
+      DB_PASS: "{{ mastodon_database.password }}"
+      DB_PORT: 5432
+      ES_ENABLED: true
+      ES_HOST: elasticsearch
+      ES_PORT: 9200
+      ES_PRESET: single_node_cluster
+      ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ active_record_encryption.DETERMINISTIC_KEY }}"
+      ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ active_record_encryption.KEY_DERIVATION_SALT }}"
+      ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ active_record_encryption.PRIMARY_KEY }}"
+      SECRET_KEY_BASE: "{{ secret_key_base }}"
+      SMTP_SERVER: "{{ smtp.SERVER }}"
+      SMTP_PORT: "{{ smtp.PORT }}"
+      SMTP_LOGIN: "{{ smtp.LOGIN }}"
+      SMTP_PASSWORD: "{{ smtp.PASSWORD }}"
+      SMTP_FROM_ADDRESS: "{{ smtp.FROM_ADDRESS }}"
+      TRUSTED_PROXY_IP: "127.0.0.1/8,::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7"
+    volumes:
+      - "/home/apps/mastodon/system:/mastodon/public/system:z"
+    generate_systemd:
+      new: true
+      restart_policy: "always"
+      path: "~/.config/systemd/user/"
+      force: true
+    healthcheck: "ps aux | grep '[s]idekiq 8' || false"
+
+- name: Activate sidekiq container service
+  ansible.builtin.systemd_service:
+    name: container-sidekiq.service
+    state: started
+    enabled: true
+    scope: user

roles/mastodon/tasks/web.yml

@@ -0,0 +1,64 @@
+---
+- name: Populate active record variables
+  ansible.builtin.include_vars:
+    file: web.yml
+
+- name: Create Web instance of mastodon
+  containers.podman.podman_container:
+    name: mastodon
+    image: ghcr.io/mastodon/mastodon:v4.5.5
+    network:
+      - "{{ mastodon_networks['mastodon_internal']['name'] }}"
+      - "{{ mastodon_networks['mastodon_external']['name'] }}"
+    command: "bundle exec puma -C config/puma.rb"
+    env:
+      LOCAL_DOMAIN: "wtf.lt"
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      DB_HOST: database
+      DB_NAME: mastodon
+      DB_USER: "{{ mastodon_database.username }}"
+      DB_PASS: "{{ mastodon_database.password }}"
+      DB_PORT: 5432
+      ES_ENABLED: true
+      ES_HOST: elasticsearch
+      ES_PORT: 9200
+      ES_PRESET: single_node_cluster
+      ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ active_record_encryption.DETERMINISTIC_KEY }}"
+      ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ active_record_encryption.KEY_DERIVATION_SALT }}"
+      ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ active_record_encryption.PRIMARY_KEY }}"
+      VAPID_PRIVATE_KEY: "{{ vapid.PRIVATE_KEY }}"
+      VAPID_PUBLIC_KEY: "{{ vapid.PUBLIC_KEY }}"
+      SECRET_KEY_BASE: "{{ secret_key_base }}"
+      SMTP_SERVER: "{{ smtp.SERVER }}"
+      SMTP_PORT: "{{ smtp.PORT }}"
+      SMTP_LOGIN: "{{ smtp.LOGIN }}"
+      SMTP_PASSWORD: "{{ smtp.PASSWORD }}"
+      SMTP_FROM_ADDRESS: "{{ smtp.FROM_ADDRESS }}"
+      # inspect traefik container and add the IP address here
+      TRUSTED_PROXY_IP: "127.0.0.1/8,::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7"
+    label:
+      traefik.enable: "true"
+      traefik.http.routers.mastodon.rule: "Host(`wtf.lt`)"
+      traefik.http.middlewares.mastodon-https-redirect.redirectscheme.scheme: "https"
+      traefik.http.routers.mastodon.middlewares: "mastodon-https-redirect"
+      traefik.http.routers.mastodon-secure.entrypoints: "https"
+      traefik.http.routers.mastodon-secure.rule: "Host(`wtf.lt`)"
+      traefik.http.routers.mastodon-secure.tls: "true"
+      traefik.http.routers.mastodon-secure.tls.certresolver: "lets-encrypt"
+      traefik.http.services.mastodon.loadbalancer.server.port: "3000"
+    volumes:
+      - "/home/apps/mastodon/system:/mastodon/public/system:z"
+    generate_systemd:
+      new: true
+      restart_policy: "always"
+      path: "~/.config/systemd/user/"
+      force: true
+    healthcheck: "curl -s --noproxy localhost localhost:3000/health | grep -q OK"
+
+- name: Activate mastodon web container service
+  ansible.builtin.systemd_service:
+    name: container-mastodon.service
+    state: started
+    enabled: true
+    scope: user