From 51a97cb37edbfc127e8381b85f907b6de9066cd4 Mon Sep 17 00:00:00 2001
From: Erik Stambaugh
Date: Sat, 20 Jan 2024 08:34:40 -0800
Subject: [PATCH] Add ssl config and create masto schema
---
 ansible/roles/certbot/tasks/main.yaml | 24 ++++++++++++++++++++++++
 ansible/roles/mastodon/tasks/main.yaml | 17 +++++++++++++++++
 ansible/roles/nginx/templates/nginx.conf | 2 +-
 3 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/certbot/tasks/main.yaml b/ansible/roles/certbot/tasks/main.yaml
index 9983be3..d1afda9 100644
--- a/ansible/roles/certbot/tasks/main.yaml
+++ b/ansible/roles/certbot/tasks/main.yaml
@@ -27,6 +27,30 @@
 # dest: /srv/nginx/conf.d/certbot.conf
 # register: nginxconf
+- name: nginx options
+ copy:
+ dest: /srv/certbot/etc/options-ssl-nginx.conf
+ content: |
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+
+
+# diffie helman parameters
+
 - name: launch certbot
 command: docker compose up -d
 args:
diff --git a/ansible/roles/mastodon/tasks/main.yaml b/ansible/roles/mastodon/tasks/main.yaml
index f49e6a4..4aadcdd 100644
--- a/ansible/roles/mastodon/tasks/main.yaml
+++ b/ansible/roles/mastodon/tasks/main.yaml
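Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` in the new options file are inert as written: nginx needs a `resolver` directive to look up the OCSP responder host named in the certificate (otherwise it logs a "no resolver defined" error and serves no staple), and the nginx docs state that `ssl_stapling_verify` only works when the issuer and root chain are configured via `ssl_trusted_certificate` — which is why certbot's own shipped `options-ssl-nginx.conf` omits stapling. Since this file is plain `copy` content rather than the nginx template, I'd put the two missing directives next to `ssl_certificate_key` in `nginx.conf`, e.g. `ssl_trusted_certificate /etc/letsencrypt/live/{{domain_name}}/chain.pem;` plus a `resolver` reachable from wherever nginx runs, or drop the two stapling lines until that is in place. The stray `# diffie helman parameters` placeholder after the block is dead text — with `ssl_protocols TLSv1.3;` only, `ssl_dhparam` is never consulted, so either delete the comment or replace it with `# no ssl_dhparam needed: TLS 1.3-only, no DHE ciphersuites`. Note also that the file is written to `/srv/certbot/etc/` while nginx.conf includes it from `/etc/letsencrypt/`; presumably that directory is bind-mounted into the nginx container, and rewriting it does not notify nginx to reload — both worth confirming against the compose files, which are outside this diff.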
@@ -114,11 +114,28 @@
 ## finally, let's launch mastodon
+# XXX FIXME: this should handle DB upgrades when appropriate
+# -- check the upgrade instructions for any major release really
+
 - name: launch mastodon
 command: docker compose up -d
 args:
 chdir: /srv/mastodon
+# create an admin user!
+# -- it's in lib/tasks/mastodon.rake under User.new
+# or https://docs.joinmastodon.org/admin/tootctl/#accounts-create
+
+- name: check for any tables at all
+ command: docker exec -it mastodon_db psql -U postgres mastodon_production -P pager=off -c '\dt'
+ register: hazschema
+
+- name: initialize mastodon database
+ command: docker compose run -it --rm mastodon_web bundle exec rails db:setup
+ args:
+ chdir: /srv/mastodon
+ when: hazschema.stdout is match("Did not find any relations")
+
 - name: restart mastodon
 command: docker compose restart
 args:
diff --git a/ansible/roles/nginx/templates/nginx.conf b/ansible/roles/nginx/templates/nginx.conf
index 6e67700..525d6e5 100644
--- a/ansible/roles/nginx/templates/nginx.conf
+++ b/ansible/roles/nginx/templates/nginx.conf
@@ -37,7 +37,7 @@ http {
 ssl_certificate_key /etc/letsencrypt/live/{{domain_name}}/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 try_files $uri $uri/ /index.html;
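Review bot: Both new `command:` tasks request a pseudo-TTY (`docker exec -it …` and `docker compose run -it …`), but Ansible runs commands with no controlling terminal, so `docker exec -t` refuses with "the input device is not a TTY" and the play fails before the schema check ever runs (`docker compose run` behaves the same unless told `-T`). Drop the TTY flags: `command: docker exec mastodon_db psql -U postgres mastodon_production -P pager=off -c '\dt'` and `command: docker compose run -T --rm mastodon_web bundle exec rails db:setup`. The check task is read-only but `command` always reports changed, so add `changed_when: false` to it; and since it runs straight after `docker compose up -d`, postgres may not be accepting connections yet — a `retries`/`until` on the psql task (or an explicit readiness wait) keeps a cold start from aborting the play. The `when:` guard uses `match`, which anchors at the start of stdout; that fits psql's "Did not find any relations." output today but would silently stop triggering `db:setup` if anything were ever printed before it, so `is search("Did not find any relations")` is the more robust test.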
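Review bot: Commenting out `ssl_dhparam` leaves dead config in the template; because the included options file now pins `ssl_protocols TLSv1.3;` (no DHE ciphersuites), the parameters are genuinely unused, so I'd delete the line and say why in place: `# no ssl_dhparam: TLS 1.3-only config (see options-ssl-nginx.conf) negotiates named groups, not custom DH params`. Separately, the `include` on the preceding line pulls `add_header Strict-Transport-Security … always;` into this server block, and nginx does not merge `add_header` across contexts — any `add_header` inside `location /` (or a sibling location) replaces the inherited set and HSTS silently disappears for those responses. A comment above `location /` such as `# add_header inside a location replaces the inherited HSTS header; repeat it if you add one` would guard against that. The `location /` block continues outside the hunk, so I can't tell whether it already does so.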