开源软件名称（OpenSource Name）：

开源软件地址(OpenSource Url)：

开源编程语言(OpenSource Language)：

开源软件介绍(OpenSource Introduction)：

Ansible playbook for installing Mastodon

This playbook contains several roles for provisioning a ready-to-go Mastodon instance.

Prerequisites for running the playbook

• Python 3.x
• Virtualenv (>= 15.0.3)
• pip/python-pip (>= 8.x)

for testing purposes:

• Vagrant >= 2.2.19

Setup

$ virtualenv -p /usr/bin/python3 env
$ source env/bin/activate
$ git clone https://github.com/mastodon/mastodon-ansible.git
$ cd mastodon-ansible
$ pip install -r requirements.txt

Running the playbooks

Bare

This playbook is intended to be run on a "bare" (virtual) server, with the support for provisioning the Mastodon stack as well as a PostgresSQL and Redis database.

Typing secret content directly at the command line (without a prompt) leaves the secret string in your shell history. You should use Ansible Vault to secure your Mastodon database credentials for the use with Ansible instead.

The /templates/secrets.yml.tpl contains an example template that you can use.

To encrypt secrets.yml, use this following command:

$ ansible-vault encrypt secrets.yml

Then run the playbook as following:

$ ansible-playbook playbook.yml --ask-vault-pass -i <your-host-here>, -u <remote-user> --ask-become-pass -e 'ansible_python_interpreter=/usr/bin/python3' --extra-vars="@secrets.yml"

If you prefer not to use Ansible Vault, you can run the playbook as following:

$ ansible-playbook playbook.yml -i <your-host-here>, -u <remote-user> --ask-become-pass -e 'ansible_python_interpreter=/usr/bin/python3' --extra-vars="mastodon_db_password=your-password redis_pass=your-password mastodon_host=example.com"

The playbook is using become for some of its tasks, hence the user you connect to the instance with will have to have access to sudo. It should ask you for the password in due time.

Note: This assumes you're within the virtualenv already.

After the playbook has finished its execution, Mastodon now should be available at the hostname you defined and you're not required run the Mastodon setup wizard. As Email servers differ widely from configuration to configuration you must edit the .env.production file and add your own email server details followed by restart of Mastodon services.

To edit .env.production, follow these steps:

ssh yourmachine
su - mastodon
cd ~/live
nano .env.production
systemctl restart mastodon-*.service

To see a list of available environment variables for your Mastodon installation, please refer to the Mastodon documentation.

Roles

By default, the playbook runs all of the roles defined here in sequence. You can skip any of them by specifying --skip-tags=<role-name>.

Example

Skipping the postgres role:

$ ansible-playbook playbook.yml --skip-tags=postgres -i <your-host>, -u <your-user>

web

This role contains the following tasks:

• repositories.yml: Adds required package repositories to pull in the latest software (e.g. yarn, nodejs)
• packages.yml: Installs all the required packages for Mastodon to run (see vars/<distro>_vars.yml for a list)
• ruby.yml: Installs rbenv/ruby globally so you can run Mastodon (it's a Ruby on Rails app)
• user.yml: Adds a user to run Mastodon with since you shouldn't be running Mastodon under a privileged account.
• firewall-cmd.yml: Starts and enables firewall for RHEL based systems and permitting SSH, HTTP and HTTPS, as not using a firewall is insecure.
• ufw.yml: Starts and enables firewall for Debian based systems and permitting SSH, HTTP and HTTPS, as not using a firewall is insecure.
• mastodon.yml: Downloads and installs latest version of Mastodon and all of its required dependencies. This role generates required secrets and installs env.production file, not requiring to run the Mastodon setup wizard.
• nginx.yml: Installs Mastodon configuration for NGINX and sets correct SELinux policies for RHEL systems.
• nodejs.yml: Enables NodeJS 16 DNF module for RHEL 8+ systems to ensure that we have correct NodeJS version installed.
• redis.yml: Secures Redis installation with a password as you shouldn't run redis with no password protection.
• selfsigned-ssl.yml: Generates self-signed SSL certificates when LetsEncrypt not used as Mastodon requires SSL to function.

Settings

PostgresSQL

This role installs PostgresSQL, adds a database (named mastodon_instance by default) and a user (named mastodon by default). For connecting to the database it can either use a local socket by setting the variable mastodon_db_login_unix_socket to the directory the Postgres socket lives in (/var/run/postgresql by default under Ubuntu 18.04) or a remote PostgreSQL instance you have installed somewhere else. You will than have to set the mastodon_db_login_host (IP address or hostname of database), mastodon_db_port (the port the database is accessible on; default 5432), mastodon_db_login_user (the administrative user to connect to the database with) and mastodon_db_login_password.

Settings

If you configure your PostgresSQL on another server, you need to configure these settings additionally:

Examples

• Install PostgresSQL, create the database and user:

$ ansible-playbook playbook -i <your-host-here>, -u <remote-user> --extra-vars="mastodon_db_password=your-password mastodon_db_login_unix_socket='/var/run/postgresql'"

• PostgreSQL installed on host mastodob-db, create the database and the user:

$ ansible-playbook playbook -i <your-host-here>, -u <remote-user> --extra-vars="mastodon_db_password=your-password mastodon_db_login_host=mastodon-db mastodon_db_port=5432 mastodon_db_login_user=your-admin-db-user mastodon_db_login_password=your-password"

redis

This role installs the Redis key-value store, used by Mastodon, and its client libraries.

Settings

Docker

FIXME

Testing

Testing is done using Goss. The tests are in the goss.yaml file and include variables from the vars.yaml file.

Continuous Integration

This repository is regularly running tests using GitHub Actions. Its configuration can be found in .github/workflows/test.yml.

Local testing

$ vagrant up

This should provision a new instance within VirtualBox and run all the tests necessary to verify the Ansible playbook is valid. By default it runs the bare provisioning.

TODO

• Add LB role