diff --git a/.gitignore b/.gitignore
index b75cf19..5f15658 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,4 +14,3 @@ pubkey
 .s3_id
 .s3_secret
 ansible/credentials
-ansible/mastodon_secrets.yaml
diff --git a/Makefile b/Makefile
index b33962d..6250f14 100644
--- a/Makefile
+++ b/Makefile
@@ -21,6 +21,9 @@ terraform: config.mk
 ssh: config.mk
 $(MAKE) -C ansible ssh
+reboot: config.mk
+ $(MAKE) -C ansible reboot
+
 #ansible:
 # @$(MAKE) -C ansible
diff --git a/ansible/Makefile b/ansible/Makefile
index 339b636..9b31deb 100644
--- a/ansible/Makefile
+++ b/ansible/Makefile
@@ -10,12 +10,18 @@ SSH := ssh -o "StrictHostKeyChecking=no" -o UserKnownHostsFile=/dev/null -o Prox
 default: ansible
 ansible: toolcheck inventory.yaml
+ @echo
+ @echo Attempting to configure to the target host. This might take a few tries the first time.
+ @echo
 timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE_ID) "/bin/true"; do sleep 0.5; done'
 export ANSIBLE_NOCOWS=1; ansible-playbook -i inventory.yaml --private-key ../terraform/privkey -l social site.yaml
 ssh: inventory.yaml
 $(SSH) $(INSTANCE_ID)
+reboot: inventory.yaml
+ aws --region $(AWS_REGION) ec2 reboot-instances --instance-ids $(INSTANCE_ID)
+
 inventory.yaml: inventory.tmpl.yaml sedline
 sed $(SEDLINE) inventory.tmpl.yaml > inventory.yaml
diff --git a/ansible/roles/mastodon/tasks/main.yaml b/ansible/roles/mastodon/tasks/main.yaml
index 41b515d..f49e6a4 100644
--- a/ansible/roles/mastodon/tasks/main.yaml
+++ b/ansible/roles/mastodon/tasks/main.yaml
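Review bot: The new `reboot` target is a command rather than a file, but nothing in the hunk declares it phony; if a `.PHONY` line exists elsewhere in the Makefile it should gain `reboot`, otherwise add `.PHONY: reboot` (and `ssh`, which has the same gap) so a stray file named `reboot` cannot silently turn the target into a no-op. The `reboot` target added to ansible/Makefile in this same commit needs the same treatment. The recursive call correctly uses `$(MAKE)`, so `-j` and `-n` propagate as expected.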
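Review bot: The new `reboot` target depends only on `inventory.yaml`, while the sibling `ansible` target also requires `toolcheck`; if `toolcheck` verifies the CLI tools (it is outside this diff), `reboot: toolcheck inventory.yaml` would fail early when `aws` is missing instead of erroring in the middle of the recipe. The message on the second new `@echo` line, `Attempting to configure to the target host`, mixes two phrasings; `@echo Attempting to connect to the target host. This might take a few tries the first time.` describes what the wait loop below actually does. If `$(INSTANCE_ID)` can ever be empty, make expands it before the aws CLI runs and only the CLI's argument parsing catches it, so a guard such as `$(if $(strip $(INSTANCE_ID)),,$(error INSTANCE_ID is empty))` as the first recipe line gives a clearer failure.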
@@ -24,15 +24,27 @@
 dest: /srv/mastodon/docker-compose.yaml
 register: compose
-## generate a secrets file if we need one
-# FIXME: what's in the mastodon_secrets.yaml file should be in credential lookup like db_password is
-
-- name: check mastodon secrets var file
+## generate secrets if they're needed
+- name: check secret_key_base
 delegate_to: localhost
 become: false
 stat:
- path: mastodon_secrets.yaml
- register: mastosecrets
+ path: credentials/mastodon/secret_key_base
+ register: secret_key_base_file
+
+- name: check otp_secret
+ delegate_to: localhost
+ become: false
+ stat:
+ path: credentials/mastodon/otp_secret
+ register: otp_secret_file
+
+- name: check vapid_secrets
+ delegate_to: localhost
+ become: false
+ stat:
+ path: credentials/mastodon/vapid_secrets
+ register: vapid_secrets_file
 - name: env file stub
 template:
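Review bot: The three new `stat` tasks (`check secret_key_base`, `check otp_secret`, `check vapid_secrets`) differ only in the file name and the registered variable, and every later `when:` then has to name the right one of three results, which is exactly how the mismatched condition on `store OTP_SECRET` in the next hunk crept in. One looped `stat` plus a `set_fact` listing the missing names lets each downstream condition read `when: "'otp_secret' in missing_secrets"` and removes the chance of referencing the wrong register. The `env file stub` task that follows starts in this hunk and continues into the next.

```yaml
- name: check which mastodon secrets already exist
  delegate_to: localhost
  become: false
  stat:
    path: "credentials/mastodon/{{ item }}"
  loop: [secret_key_base, otp_secret, vapid_secrets]
  register: secret_files

- name: list the secrets that still need generating
  set_fact:
    missing_secrets: "{{ secret_files.results | rejectattr('stat.exists') | map(attribute='item') | list }}"
# … unchanged: env file stub task …
```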
@@ -41,42 +53,52 @@
 vars:
 db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
 alternate_domains: "mastodon_web"
- when: mastosecrets.stat.exists != true
+ when: secret_key_base_file.stat.exists != true or otp_secret_file.stat.exists != true or vapid_secrets_file.stat.exists != true
 - name: get SECRET_KEY_BASE
 shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
 args:
 chdir: /srv/mastodon
 register: skb
- when: mastosecrets.stat.exists != true
+ when: secret_key_base_file.stat.exists != true
+
+- name: store SECRET_KEY_BASE
+ delegate_to: localhost
+ become: false
+ copy:
+ dest: credentials/mastodon/secret_key_base
+ content: "{{skb.stdout}}"
+ when: secret_key_base_file.stat.exists != true
 - name: get OTP_SECRET
 shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
 args:
 chdir: /srv/mastodon
 register: otp
- when: mastosecrets.stat.exists != true
+ when: otp_secret_file.stat.exists != true
+
+- name: store OTP_SECRET
+ delegate_to: localhost
+ become: false
+ copy:
+ dest: credentials/mastodon/otp_secret
+ content: "{{otp.stdout}}"
+ when: secret_key_base_file.stat.exists != true
 - name: get vapid secrets
 command: docker compose run --rm mastodon_web rake mastodon:webpush:generate_vapid_key
 args:
 chdir: /srv/mastodon
 register: vapid
- when: mastosecrets.stat.exists != true
+ when: vapid_secrets_file.stat.exists != true
-- name: create mastodon secrets file
+- name: store vapid secrets
 delegate_to: localhost
 become: false
- template:
- src: templates/mastodon_secrets.yaml
- dest: mastodon_secrets.yaml
- when: mastosecrets.stat.exists != true
-
- ## now that we have a secrets file, read it in and make the env file again
-
-- name: read env secret vars
- include_vars:
- file: mastodon_secrets.yaml
+ copy:
+ dest: credentials/mastodon/vapid_secrets
+ content: "{{vapid.stdout}}"
+ when: vapid_secrets_file.stat.exists != true
 - name: env file
 template:
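Review bot: `store OTP_SECRET` is gated on `when: secret_key_base_file.stat.exists != true` while `get OTP_SECRET` just above it is gated on `otp_secret_file.stat.exists != true`, so whenever one of the two secrets exists and the other does not, either the freshly generated OTP secret is never written (and the `file` lookup added in the next hunk fails on the missing file) or `store` runs with `otp` coming from a skipped task; it should read `when: otp_secret_file.stat.exists != true`, and `when: not otp_secret_file.stat.exists` is the clearer idiom for all seven conditions. The three new `copy` tasks write secrets onto the controller without a `mode`, so they get whatever the default umask yields; `mode: "0600"` on each keeps them owner-readable only. The `rake secret ... | tail -1` pipelines in the context lines return tail's exit status, so a failed `docker compose run` produces an empty `skb.stdout`/`otp.stdout` that the new `store` tasks now persist as the secret; `failed_when: skb.stdout | length == 0` on the `get` tasks (or `set -o pipefail` with `executable: /bin/bash`) would stop that. Lastly, because `ansible/mastodon_secrets.yaml` is dropped from .gitignore in this commit, an existing checkout that still holds that file is now one `git add -A` away from committing it, so the file should be removed (or the ignore entry kept) alongside this change.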
@@ -84,6 +106,9 @@
 dest: /srv/mastodon/.env.production
 vars:
 db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
+ secret_key_base: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/secret_key_base') }}"
+ otp_secret: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/otp_secret') }}"
+ vapid_secrets: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/vapid_secrets') }}"
 alternate_domains: "mastodon_web"
 register: envfile
@@ -101,3 +126,11 @@
 when: envfile.changed or compose.changed
+
+## ---
+
+- name: clean up docker
+ command: docker system prune -f
+
+
+
diff --git a/ansible/roles/mastodon/templates/mastodon_secrets.yaml b/ansible/roles/mastodon/templates/mastodon_secrets.yaml
deleted file mode 100644
index e457384..0000000
--- a/ansible/roles/mastodon/templates/mastodon_secrets.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-secret_key_base: {{skb.stdout}}
-otp_secret: {{otp.stdout}}
-vapid_secrets: |
- {{vapid.stdout | indent(2)}}
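Review bot: The three new `lookup('ansible.builtin.file', 'credentials/mastodon/...')` calls resolve their relative path through the lookup search path (the role's `files/` directory, then the play directory, as far as I recall), whereas the `stat` and `copy` tasks earlier in this diff resolve the same string against the controller's working directory; the two agree only because `ansible-playbook` is invoked from the ansible/ directory per ansible/Makefile. Anchoring every occurrence with `{{ playbook_dir }}/credentials/mastodon/<name>` removes that dependency on where `make` was run. The `file` lookup also strips trailing newlines by default (`rstrip`), which may matter for `vapid_secrets` if the consuming template expected the block scalar the removed `mastodon_secrets.yaml` template produced; that template is outside this diff, so it is worth checking. The `env file` task these vars belong to starts before the hunk.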
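Review bot: `clean up docker` runs `docker system prune -f` unconditionally at the end of every play, so the role reports `changed` on every run even when nothing was reclaimed, and `system prune` also removes every stopped container, unused network and the build cache rather than only the images the role replaced; `command: docker image prune -f`, optionally scoped with the same `when: envfile.changed or compose.changed` as the preceding task, narrows what gets deleted. Registering the output and adding `changed_when: "'Total reclaimed space: 0B' not in prune.stdout"` makes the change report accurate. The `## ---` separator and the three trailing blank lines added after the task carry no information and could be dropped.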