Add ssl config and create masto schema

2024-01-20 08:34:40 -08:00 · 2024-01-20 08:34:40 -08:00 · 51a97cb37e
commit 51a97cb37e
parent 95757effb7
3 changed files with 42 additions and 1 deletions
--- a/ansible/roles/certbot/tasks/main.yaml
+++ b/ansible/roles/certbot/tasks/main.yaml
@ -27,6 +27,30 @@
 #    dest: /srv/nginx/conf.d/certbot.conf
 #  register: nginxconf

+- name: nginx options
+  copy:
+    dest: /srv/certbot/etc/options-ssl-nginx.conf
+    content: |
+      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
+      ssl_session_timeout 1d;
+      ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+      ssl_session_tickets off;
+      
+      # modern configuration
+      ssl_protocols TLSv1.3;
+      ssl_prefer_server_ciphers off;
+      
+      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+      add_header Strict-Transport-Security "max-age=63072000" always;
+      
+      # OCSP stapling
+      ssl_stapling on;
+      ssl_stapling_verify on;
+
+
+
+# diffie helman parameters
+
 - name: launch certbot
  command: docker compose up -d
  args:
--- a/ansible/roles/mastodon/tasks/main.yaml
+++ b/ansible/roles/mastodon/tasks/main.yaml
@ -114,11 +114,28 @@

 ## finally, let's launch mastodon

+# XXX FIXME: this should handle DB upgrades when appropriate
+# -- check the upgrade instructions for any major release really
+
 - name: launch mastodon
  command: docker compose up -d
  args:
    chdir: /srv/mastodon

+# create an admin user!
+# -- it's in lib/tasks/mastodon.rake under User.new
+# or https://docs.joinmastodon.org/admin/tootctl/#accounts-create
+
+- name: check for any tables at all
+  command: docker exec -it mastodon_db psql -U postgres mastodon_production -P pager=off -c '\dt'
+  register: hazschema
+
+- name: initialize mastodon database
+  command: docker compose run -it --rm mastodon_web bundle exec rails db:setup
+  args:
+    chdir: /srv/mastodon
+  when: hazschema.stdout is match("Did not find any relations")
+
 - name: restart mastodon
  command: docker compose restart
  args:
--- a/ansible/roles/nginx/templates/nginx.conf
+++ b/ansible/roles/nginx/templates/nginx.conf
@ -37,7 +37,7 @@ http {
        ssl_certificate_key /etc/letsencrypt/live/{{domain_name}}/privkey.pem;

        include /etc/letsencrypt/options-ssl-nginx.conf;
-        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+#        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {
            try_files $uri $uri/ /index.html;