From 566b163e7993260d6f72c8691cbf72bb174309f2 Mon Sep 17 00:00:00 2001 From: Erik Stambaugh Date: Thu, 8 Feb 2024 21:32:23 -0800 Subject: [PATCH] Add phanpy and fix deprecated http2 for nginx while we're there --- ansible/roles/mastodon/templates/nginx.conf | 19 +++---- ansible/roles/nginx/files/docker-compose.yaml | 2 + ansible/roles/nginx/tasks/main.yaml | 6 ++- ansible/roles/phanpy/tasks/main.yaml | 54 +++++++++++++++++++ ansible/site.yaml | 1 + 5 files changed, 68 insertions(+), 14 deletions(-) create mode 100644 ansible/roles/phanpy/tasks/main.yaml diff --git a/ansible/roles/mastodon/templates/nginx.conf b/ansible/roles/mastodon/templates/nginx.conf index d5862bd..18f46fd 100644 --- a/ansible/roles/mastodon/templates/nginx.conf +++ b/ansible/roles/mastodon/templates/nginx.conf @@ -28,20 +28,19 @@ server { server { server_name {{ domain_name }}; - listen 443 ssl http2; - listen [::]:443 ssl http2; - listen 8448 ssl http2 default_server; - listen [::]:8448 ssl http2 default_server; + listen 443 ssl; + listen [::]:443 ssl; + listen 8448 ssl default_server; + listen [::]:8448 ssl default_server; + http2 on; allow {{ my_ip }}/32; allow 127.0.0.1/32; allow 172.18.0.0/16; deny all; -# ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/chain.pem; ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; -# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
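Review bot: The new `http2 on;` line is only understood by nginx 1.25.1 and later; on an older image the whole server configuration fails to load at reload time rather than merely losing HTTP/2, so the nginx image used by ansible/roles/nginx/files/docker-compose.yaml (its tag is not visible in this diff) should be pinned to a release that has the directive, and a comment such as `# http2 directive: requires nginx >= 1.25.1` would record the constraint. The same `listen ... ssl` plus `http2 on;` form applies to any other server blocks in this file that still carry `http2` on their listen lines. The server block continues past the end of the hunk.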
@@ -204,13 +203,7 @@ server { tcp_nodelay on; } -# location /phanpy/ { -# # X-Auth-Request-Redirect -# #add_header X-Auth-Request-Redirect "https://{{ domain_name }}/phanpy"; -# autoindex off; -# alias /phanpy/; -# include /etc/nginx/mime.types; -# } + include /etc/nginx/static.d/*.conf; error_page 404 500 501 502 503 504 /500.html; } diff --git a/ansible/roles/nginx/files/docker-compose.yaml b/ansible/roles/nginx/files/docker-compose.yaml index e56f962..5e7e9d8 100644 --- a/ansible/roles/nginx/files/docker-compose.yaml +++ b/ansible/roles/nginx/files/docker-compose.yaml @@ -6,6 +6,8 @@ services: restart: unless-stopped volumes: - /srv/nginx/conf.d:/etc/nginx/conf.d:ro + - /srv/nginx/static.d:/etc/nginx/static.d:ro + - /srv/nginx/static:/static:ro - /srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /srv/certbot/etc:/etc/letsencrypt - /srv/certbot/www:/var/www/certbot diff --git a/ansible/roles/nginx/tasks/main.yaml b/ansible/roles/nginx/tasks/main.yaml index 219dddc..41bb707 100644 --- a/ansible/roles/nginx/tasks/main.yaml +++ b/ansible/roles/nginx/tasks/main.yaml @@ -8,9 +8,13 @@ - name: base path file: - path: "/srv/nginx/conf.d" + path: "/srv/nginx/{{ item }}" state: directory recurse: true + with_items: + - "conf.d" + - "static" + - "static.d" - name: copy docker-compose copy: diff --git a/ansible/roles/phanpy/tasks/main.yaml b/ansible/roles/phanpy/tasks/main.yaml new file mode 100644 index 0000000..e11654f --- /dev/null +++ b/ansible/roles/phanpy/tasks/main.yaml 
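Review bot: In the `base path` task of ansible/roles/nginx/tasks/main.yaml, `recurse: true` on `file` with `state: directory` is not needed to create the three directories; it makes Ansible walk everything already under `/srv/nginx/conf.d`, `static` and `static.d` on every run, and since no `mode:` is given the new directories get whatever the controller's umask yields. I would drop `recurse: true` and add `mode: "0755"` so the served trees have a deliberate, readable mode for the nginx container; the `phanpy path` task in ansible/roles/phanpy/tasks/main.yaml has the same shape. `with_items` is the legacy loop form; `loop:` with the same list is the current idiom.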
@@ -0,0 +1,54 @@ +--- + +#- name: install base apps +# apt: +# force_apt_get: yes +# name: +# - git + +- name: phanpy path + file: + path: "/srv/nginx/static/phanpy" + state: directory + recurse: true + +- name: source + git: + repo: "https://tea.entar.net/teh/mastodon.git" + dest: /srv/mastodon/src + version: deploy + +- name: get phanpy url + shell: | + curl -s "https://api.github.com/repos/cheeaun/phanpy/releases/latest" | grep /phanpy-dist.tar.gz | cut -d '"' -f 4 + args: + executable: /bin/bash + register: phanpyurl + +#- name: get phanpy release +# get_url: +# url: "{{ phanpyurl.stdout }}" +# dest: /tmp/phanpy-dist.tar.gz + +- name: unzip release + unarchive: + src: "{{ phanpyurl.stdout }}" + dest: /srv/nginx/static/phanpy + remote_src: yes + +- name: nginx static conf + copy: + dest: /srv/nginx/static.d/phanpy.conf + content: | + location /phanpy/ { + autoindex off; + alias /static/phanpy/; + index index.html; + include /etc/nginx/mime.types; + } + register: nginxconf + +- name: reload nginx + command: docker exec -t nginx nginx -s reload + when: nginxconf.changed or phanpyurl.changed + diff --git a/ansible/site.yaml b/ansible/site.yaml index a9c3aa8..05d0eb7 100644 --- a/ansible/site.yaml +++ b/ansible/site.yaml @@ -13,4 +13,5 @@ - { role: nginx, become: yes } - { role: mastodon, become: yes } - { role: fediblockhole, become: yes } + - { role: phanpy, become: yes }
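Review bot: The `reload nginx` task fires on every run, because `phanpyurl` is registered from a `shell` task, which always reports changed, and the shell pipeline has no `pipefail`, so a failed or rate-limited `curl` yields an empty `stdout` that is then handed to `unarchive` as `src`. Registering the `unarchive` result and reloading on that, with `changed_when: false` and an explicit empty-output failure on the lookup, keeps the reload tied to an actual deployment; the rewritten tasks are below. Separately, the release is fetched as "latest" and extracted with no version pin or checksum, so a pinned release URL plus the already-sketched `get_url` task with its `checksum:` option would give a reproducible deploy. The `source` task cloning the mastodon repository into `/srv/mastodon/src` looks like it belongs to the mastodon role rather than phanpy; if it is intentional here, a comment saying why would help. `remote_src: yes` and the commented `force_apt_get: yes` should be written `true`.
```yaml
- name: get phanpy url
  shell: |
    set -o pipefail
    curl -s "https://api.github.com/repos/cheeaun/phanpy/releases/latest" | grep /phanpy-dist.tar.gz | cut -d '"' -f 4
  args:
    executable: /bin/bash
  register: phanpyurl
  changed_when: false
  failed_when: phanpyurl.stdout | length == 0

# … unchanged: commented-out get phanpy release task …

- name: unzip release
  unarchive:
    src: "{{ phanpyurl.stdout }}"
    dest: /srv/nginx/static/phanpy
    remote_src: true
  register: phanpy_dist

# … unchanged: nginx static conf task …

- name: reload nginx
  command: docker exec -t nginx nginx -s reload
  when: nginxconf.changed or phanpy_dist.changed
```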