diff --git a/.devfiles/hooks/.gitkeep b/.devfiles/hooks/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/.devfiles/hooks/commit-msg.sh b/.devfiles/hooks/commit-msg.sh
deleted file mode 100644
index 1c54b90..0000000
--- a/.devfiles/hooks/commit-msg.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail
-
-cog verify --file "$1"
diff --git a/.devfiles/hooks/pre-commit.sh b/.devfiles/hooks/pre-commit.sh
deleted file mode 100644
index c8d84f5..0000000
--- a/.devfiles/hooks/pre-commit.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail
-
-root="$(git rev-parse --show-toplevel)"
-
-cd "$root"
-
-export PATH=$PATH:.devfiles/bin
-
-gitleaks git
-
-# Only validate encrypted files if we are tracking any
-if [[ -e .ageboxreg.yml ]]; then
- agebox validate --no-decrypt
-fi
diff --git a/.devfiles/justfile b/.devfiles/justfile
index 2d9a105..1833382 100644
--- a/.devfiles/justfile
+++ b/.devfiles/justfile
@@ -1,22 +1,14 @@
 set dotenv-load := true
-export PATH := source_dir() + "/bin:" + source_dir() + "/scripts:" + env("PATH")
 export AGEBOX_DEBUG := "0"
 export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt"
-# Install agebox from the latest github realse
-install-agebox:
- curl -sSL "https://github.com/slok/agebox/releases/latest/download/agebox-linux-amd64" -o .devfiles/bin/agebox
- chmod + x .devfiles/bin/agebox
-
-[no-cd]
-install-hooks:
- cog install-hook --all
+fetch-deps:
+ .devfiles/scripts/fetch_gh_release.sh "slok/agebox" "agebox-linux-amd64" "agebox"
 # Easy and simple file repository encryption tool based on Age.
-[working-directory('..')]
 agebox +ARGS="--help":
- @agebox {{ ARGS }}
+ @.devfiles/bin/agebox {{ ARGS }}
 # Encrypt the provided files, relative to project root.
 encrypt +FILES: (agebox "encrypt " + FILES)
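Review bot: The new `fetch-deps` recipe hands `.devfiles/scripts/fetch_gh_release.sh` a repository, an asset name and an output name but no release tag and no expected digest, so if the script resolves GitHub's `latest` release the way the removed `install-agebox` curl did, every run installs whatever binary currently sits at that URL with nothing to detect a swapped or tampered asset. The script is not part of this diff, so this is inferred from the call site. Pin the release (for example a tag argument, `<RELEASE_TAG>` as a placeholder) and have the script compare the download against the release's published checksum before it lands in `.devfiles/bin`; a one-line recipe comment in the style of the removed one, e.g. `# Fetch pinned dev-tool binaries into .devfiles/bin`, would also document the intent.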
@@ -34,11 +26,7 @@ decrypt-all: (agebox "decrypt --all --force")
 reencrypt: (agebox "reencrypt")
 # Show the content of an encrypted file to stdout.
-crypt-peek +FILES: (agebox "cat " + FILES)
+peek +FILES: (agebox "cat " + FILES)
 # Validate that all tracked files are encrypted.
-crypt-check:(agebox "validate --no-decrypt ")
-
-# Validate no credentials are pushed to git
-leaks:
- @gitleaks git --verbose --redact
+check:(agebox "validate --no-decrypt ")
diff --git a/.devfiles/scripts/.gitkeep b/.devfiles/scripts/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/.devfiles/scripts/dependecy-check.sh b/.devfiles/scripts/dependecy-check.sh
deleted file mode 100755
index 684a14b..0000000
--- a/.devfiles/scripts/dependecy-check.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-root="$(git rev-parse --show-toplevel)"
-
-export PATH=$root/.devfiles/bin:$root/.devfiles/scripts:$PATH
-
-devtools=(
- age
- agebox
- cog
- gitleaks
-)
-
-missing_tools=()
-
-for cmd in "${devtools[@]}"; do
- if ! command -v "$cmd" &>/dev/null; then
- missing_tools+=("$cmd")
- fi
-done
-
-if [[ ${#missing_tools[@]} != 0 ]]; then
- echo "The following tools where not found:"
- printf "%s\n" "${missing_tools[@]}"
- exit 1
-else
- echo -e "All tools are installed!"
-fi
diff --git a/.devfiles/scripts/gitignore.sh b/.devfiles/scripts/gitignore.sh
deleted file mode 100755
index 0b5100d..0000000
--- a/.devfiles/scripts/gitignore.sh
+++ /dev/null
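Review bot: Removing `leaks` leaves this repository with no secret-scanning step at all, because the same commit also deletes the gitleaks pre-commit hook (`.devfiles/hooks/pre-commit.sh`), its wiring in `cog.toml`, `.gitleaksignore` and the `gitleaks` entry in `dependecy-check.sh`, while `files/docker/lemmy/lemmy.hjson` and `files/docker/lemmy/pictrs.toml` are added with plaintext credentials that such a scan would have reported. Unless the scan moved somewhere outside this diff, keep a recipe such as `leaks:` / `    @.devfiles/bin/gitleaks git --verbose --redact` and add gitleaks to `fetch-deps` the same way agebox is fetched (asset name to be filled in). The `crypt-peek`→`peek` and `crypt-check`→`check` renames themselves are fine.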
@@ -1,42 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-root="$(git rev-parse --show-toplevel)"
-
-base_url="https://git.alecodes.page/api/v1/gitignore/templates"
-
-query="$*"
-
-list_available() {
- curl -Ssl $base_url | jq -r '.[]'
-}
-
-if [[ -z $query ]]; then
- list_available
- exit 0
-fi
-
-tmp_file="$(mktemp)"
-
-for template in $query; do
- # Capitalize the string
- template=${template,,}
- template=${template^}
-
- response="$(curl -Ssl "$base_url/$template")"
- name="$(echo "$response" | jq -r '.name')"
- content="$(echo "$response" | jq -r '.source')"
-
- if [[ "$content" == "null" ]]; then
- echo "Template not found, available options:"
- list_available
- exit 1
- fi
-
- printf "\n### %s\n\n%s\n\n" "$name" "$content" >>"$tmp_file"
-done
-
-sed -i -ne "/#### -- TEMPLATES BEGIN -- ####/ {p; r $tmp_file" -e ':a; n; /#### -- TEMPLATES END -- ####/ {p; b}; ba}; p' "$root/.gitignore"
-
-rm "$tmp_file"
diff --git a/.env.agebox b/.env.agebox
deleted file mode 100644
index ae7ac75..0000000
Binary files a/.env.agebox and /dev/null differ
diff --git a/.gitleaksignore b/.gitleaksignore
deleted file mode 100644
index 284c7b0..0000000
--- a/.gitleaksignore
+++ /dev/null
@@ -1,3 +0,0 @@
-467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/lemmy.hjson:generic-api-key:12
-467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/lemmy.hjson:generic-api-key:8
-467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/pictrs.toml:generic-api-key:2
diff --git a/.justfile b/.justfile
index 9b84444..8c48d89 100644
--- a/.justfile
+++ b/.justfile
@@ -1,5 +1,4 @@
-# Repo management tasks
-mod repo '.devfiles/justfile'
+import '.devfiles/justfile'
 export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt"
 export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"
diff --git a/cog.toml b/cog.toml
deleted file mode 100644
index 2f52731..0000000
--- a/cog.toml
+++ /dev/null
@@ -1,31 +0,0 @@
-from_latest_tag = false
-ignore_merge_commits = true
-disable_changelog = false
-disable_bump_commit = false
-generate_mono_repository_global_tag = true
-generate_mono_repository_package_tags = true
-branch_whitelist = []
-skip_ci = "[skip ci]"
-skip_untracked = false
-pre_bump_hooks = []
-post_bump_hooks = []
-pre_package_bump_hooks = []
-post_package_bump_hooks = []
-
-[git_hooks]
-
-[git_hooks.pre-commit]
-path = ".devfiles/hooks/pre-commit.sh"
-
-[git_hooks.commit-msg]
-path = ".devfiles/hooks/commit-msg.sh"
-
-[commit_types]
-
-[changelog]
-path = "CHANGELOG.md"
-authors = []
-
-[bump_profiles]
-
-[packages]
diff --git a/files/docker/lemmy/customPostgresql.sql b/files/docker/lemmy/customPostgresql.sql
new file mode 100644
index 0000000..4cff0f6
--- /dev/null
+++ b/files/docker/lemmy/customPostgresql.sql
@@ -0,0 +1,32 @@
+-- DB Version: 17
+-- OS Type: linux
+-- DB Type: web
+-- Total Memory (RAM): 512 MB
+-- Data Storage: hdd
+
+ALTER SYSTEM SET
+ max_connections = '200';
+ALTER SYSTEM SET
+ shared_buffers = '128MB';
+ALTER SYSTEM SET
+ effective_cache_size = '384MB';
+ALTER SYSTEM SET
+ maintenance_work_mem = '32MB';
+ALTER SYSTEM SET
+ checkpoint_completion_target = '0.9';
+ALTER SYSTEM SET
+ wal_buffers = '3932kB';
+ALTER SYSTEM SET
+ default_statistics_target = '100';
+ALTER SYSTEM SET
+ random_page_cost = '4';
+ALTER SYSTEM SET
+ effective_io_concurrency = '2';
+ALTER SYSTEM SET
+ work_mem = '327kB';
+ALTER SYSTEM SET
+ huge_pages = 'off';
+ALTER SYSTEM SET
+ min_wal_size = '1GB';
+ALTER SYSTEM SET
+ max_wal_size = '4GB';
diff --git a/files/docker/lemmy/docker-stack.yaml b/files/docker/lemmy/docker-stack.yaml
new file mode 100644
index 0000000..441787d
--- /dev/null
+++ b/files/docker/lemmy/docker-stack.yaml
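Review bot: `customPostgresql.sql` is mounted by `docker-stack.yaml` at `/docker-entrypoint-initdb.d/config.sql`, and the stock postgres entrypoint runs that directory only when it initialises an empty data directory, so these `ALTER SYSTEM` settings apply once on first start of the `db` volume and any later edit to this file is silently ignored on an existing deployment (assuming `pgautoupgrade/pgautoupgrade` keeps that entrypoint behaviour). That is worth stating at the top so the next tuning pass does not expect a redeploy to pick it up, e.g. `-- Applied once by docker-entrypoint-initdb.d on first init of the db volume;` / `-- on an existing instance apply changes with ALTER SYSTEM directly.` The pgtune-style header (512 MB, hdd) would also be more useful if it named the node class it was sized for.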
@@ -0,0 +1,131 @@
+networks:
+ reverse_proxy:
+ external: true
+
+configs:
+ lemmy_customPostgresql.sql:
+ external: true
+
+secrets:
+ lemmy_lemmy.hjson:
+ external: true
+ lemmy_postgres_pass.txt:
+ external: true
+ lemmy_pictrs.toml:
+ external: true
+
+volumes:
+ ui_themes:
+ pictrs:
+ db:
+
+services:
+ lemmy:
+ image: dessalines/lemmy:0.19.8
+ restart: always
+ networks:
+ - default
+ - reverse_proxy
+ environment:
+ - RUST_LOG="info"
+ secrets:
+ - source: lemmy_lemmy.hjson
+ target: /config/config.hjson
+ deploy:
+ rollback_config:
+ failure_action: continue
+ update_config:
+ delay: 2s
+ failure_action: rollback
+ order: start-first
+ placement:
+ constraints:
+ - node.labels.services_kind==${SERVICE_KIND:-common}
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.lemmy.rule=Host(`lemmy.alecodes.page`) && (PathRegexp(`^/(api|pictrs|feeds|nodeinfo|\\.well-known)`) || HeaderRegexp(`Accept`, `^application/.*`))
+ - traefik.http.services.lemmy.loadbalancer.server.port=8536
+ - traefik.http.middlewares.lemmy-max-bodysize.buffering.maxRequestBodyBytes=20971520 # 20M
+ - traefik.http.routers.lemmy.middlewares=lemmy-max-bodysize
+
+ lemmy_ui:
+ image: dessalines/lemmy-ui:0.19.8
+ restart: always
+ networks:
+ - default
+ - reverse_proxy
+ environment:
+ - LEMMY_UI_LEMMY_INTERNAL_HOST=tasks.lemmy:8536
+ - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.alecodes.page
+ - LEMMY_UI_HTTPS=true
+ volumes:
+ - ui_themes:/app/extra_themes
+ deploy:
+ rollback_config:
+ failure_action: continue
+ update_config:
+ delay: 2s
+ failure_action: rollback
+ order: start-first
+ placement:
+ constraints:
+ - node.labels.services_kind==${SERVICE_KIND:-common}
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.middlewares.lemmy-ui-client-max-bodysize.buffering.maxRequestBodyBytes=20971520" # 20M
+ - "traefik.http.routers.lemmy-ui.middlewares=lemmy-ui-client-max-bodysize"
+ - "traefik.http.routers.lemmy-ui.rule=Host(`lemmy.alecodes.page`)"
+ - "traefik.http.routers.lemmy-ui.service=lemmy-ui"
+ - "traefik.http.services.lemmy-ui.loadbalancer.server.port=1234"
+
+ - "traefik.http.routers.lemmy-security-txt.rule=Host(`lemmy.alecodes.page`) && Path(`/.well-known/security.txt`)"
+ - "traefik.http.routers.lemmy-security-txt.service=lemmy-security-txt"
+ - "traefik.http.services.lemmy-security-txt.loadbalancer.server.port=1234"
+
+ pictrs:
+ image: asonix/pictrs:0.5.16
+ restart: always
+ # this needs to match the pictrs url in lemmy_lemmy.hjson
+ entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -c /run/secrets/lemmy_pictrs.toml run
+ secrets:
+ - lemmy_pictrs.toml
+ environment:
+ - RUST_BACKTRACE=full
+ user: 991:991
+ volumes:
+ - pictrs:/mnt:Z
+ deploy:
+ rollback_config:
+ failure_action: continue
+ update_config:
+ delay: 2s
+ failure_action: rollback
+ order: start-first
+ placement:
+ constraints:
+ - node.labels.services_kind==${SERVICE_KIND:-common}
+
+ lemmy_db:
+ image: pgautoupgrade/pgautoupgrade:17-bookworm
+ restart: always
+ secrets:
+ - lemmy_postgres_pass.txt
+ configs:
+ - source: lemmy_customPostgresql.sql
+ target: /docker-entrypoint-initdb.d/config.sql
+ environment:
+ - POSTGRES_USER=lemmy
+ - POSTGRES_PASSWORD_FILE=/run/secrets/lemmy_postgres_pass.txt
+ - POSTGRES_DB=lemmy
+ volumes:
+ - db:/var/lib/postgresql/data:Z
+ deploy:
+ rollback_config:
+ failure_action: continue
+ update_config:
+ delay: 2s
+ failure_action: rollback
+ order: start-first
+ placement:
+ constraints:
+ - node.labels.services_kind==${SERVICE_KIND:-common}
diff --git a/files/docker/lemmy/lemmy.hjson b/files/docker/lemmy/lemmy.hjson
new file mode 100644
index 0000000..00222e4
--- /dev/null
+++ b/files/docker/lemmy/lemmy.hjson
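Review bot: `lemmy_db` and `pictrs` (the two `deploy:` blocks at the end of the hunk) use `update_config.order: start-first`, which makes Swarm start the replacement task before the old one stops; for a single-replica Postgres on the shared `db` volume that puts two server processes on one data directory during every image update, which at best fails the new task on the lock file and at worst damages the cluster, so these two stateful services should use `order: stop-first` while the stateless `lemmy` and `lemmy_ui` can keep start-first. Two smaller points: `- RUST_LOG="info"` in list-form `environment:` passes the quotes to the process as part of the value (write `- RUST_LOG=info`), and `restart: always` is a Compose-only key that `docker stack deploy` ignores in favour of `deploy.restart_policy`, so it provides no restart behaviour here.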
@@ -0,0 +1,21 @@
+{
+ # for more info about the config, check out the documentation
+ # https://join-lemmy.org/docs/en/administration/configuration.html
+ hostname: "lemmy.alecodes.page"
+ tls_enabled: true
+ database: {
+ host: "tasks.lemmy_db"
+ password: "529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8"
+ }
+ pictrs: {
+ url: "http://tasks.pictrs:8080/"
+ api_key: "529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8"
+ }
+ email: {
+ smtp_server: "smtp.gmail.com:587"
+ smtp_login: "ale.navarro.parra@gmail.com"
+ smtp_password: "steuuamhzngjgfwn"
+ smtp_from_address: "ale.navarro.parra@gmail.com"
+ tls_type: "starttls"
+ }
+}
diff --git a/files/docker/lemmy/pictrs.toml b/files/docker/lemmy/pictrs.toml
new file mode 100644
index 0000000..6d156d0
--- /dev/null
+++ b/files/docker/lemmy/pictrs.toml
@@ -0,0 +1,10 @@
+[server]
+api_key = '529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8'
+
+[media.animation]
+max_width = 256
+max_height = 256
+max_frame_count = 400
+
+[media.video]
+video_codec = 'vp9'
diff --git a/files/docker/lemmy/postgres_pass.txt b/files/docker/lemmy/postgres_pass.txt
new file mode 100644
index 0000000..ac5ba52
--- /dev/null
+++ b/files/docker/lemmy/postgres_pass.txt
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+65343339376264393533303231656562316534643432643737653132646561316266386363376331
+6137323165303633633535653537336436333834363564660a303934353533643965323636346536
+38613331623336303130383261623162333437363830326434393463333564623032383434316130
+6564646161353937320a666531326338663433326431346539346335346430653032643530386231
+64636263343437333066323163336637386639643836336438663730623633633666383737353461
+62656262626537303838613764366565393863393961373564343230363433343737303834353037
+31653136323563333164303766636539313362363434336430303962653633316661623932396137
+39353136643865303636
diff --git a/playbooks/docker/services.yaml b/playbooks/docker/services.yaml
index 5e1c169..dabe244 100644
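Review bot: `lemmy.hjson` commits three live credentials in plaintext — `database.password`, `pictrs.api_key` and `email.smtp_password` — and `pictrs.toml` in the same commit repeats the same `api_key`, while `postgres_pass.txt` and `roles/common/files/robo_key` right next to them are Ansible Vault encrypted, so the mechanism to avoid this is already in use. Encrypt both files with `ansible-vault encrypt`; the `lookup('file', …)` in `playbooks/docker/services.yaml` already reads the vaulted `postgres_pass.txt` through the same path, so the `Create secrets` task needs no change. Because the values are now in git history — and the `.gitleaksignore` this commit deletes already suppressed `lemmy.hjson:generic-api-key:8`/`:12` and `pictrs.toml:generic-api-key:2` for an earlier commit, which suggests they were committed once before — they should be treated as exposed and rotated, not merely re-encrypted. The pictrs API key should also not be the same string as the database password; they protect different services.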
--- a/playbooks/docker/services.yaml
+++ b/playbooks/docker/services.yaml
@@ -20,3 +20,38 @@
 # name: "{{ project_name }}"
 # compose:
 # - "{{ lookup('file', '../../files/docker/rss/docker-stack.yaml') | from_yaml }}"
+
+ - name: Deploy Lemmy Services
+ vars:
+ project_name: lemmy
+ block:
+ - name: Create config
+ loop:
+ - customPostgresql.sql
+ community.docker.docker_config:
+ name: '{{ project_name + "_" + item }}'
+ data: "{{ lookup('file', '../../files/docker/lemmy/{{ item }}') | b64encode }}"
+ data_is_b64: true
+ state: present
+ labels:
+ com.docker.stack.namespace: "{{ project_name }}"
+ - name: Create secrets
+ loop:
+ - lemmy.hjson
+ - postgres_pass.txt
+ - pictrs.toml
+ community.docker.docker_secret:
+ name: '{{ project_name + "_" + item }}'
+ data: "{{ lookup('file', '../../files/docker/lemmy/{{ item }}') | b64encode }}"
+ data_is_b64: true
+ state: present
+ labels:
+ com.docker.stack.namespace: "{{ project_name }}"
+ - name: Deploy lemmy stack
+ # environment: "{{ lookup('ini', '../../files/docker/lemmy/.env') }}"
+ community.docker.docker_stack:
+ state: present
+ prune: true
+ name: "{{ project_name }}"
+ compose:
+ - "{{ lookup('file', '../../files/docker/lemmy/docker-stack.yaml') | from_yaml }}"
diff --git a/roles/common/files/robo_key b/roles/common/files/robo_key
new file mode 100644
index 0000000..3bb907f
--- /dev/null
+++ b/roles/common/files/robo_key
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+34326137303139636664306330643433353766383839373262633531633336336434326136633331
+6266336136633662366234303339343435633935653835330a313337386531346535633164363732
+33333162663564343032323038353737663532616133353538626265646665393131336132393863
+3335613064643365380a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
diff --git a/roles/common/files/robo_key.agebox b/roles/common/files/robo_key.agebox
deleted file mode 100644
index 93e0f99..0000000
--- a/roles/common/files/robo_key.agebox
+++ /dev/null
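Review bot: The `Create secrets` task renders the full base64 content of `lemmy.hjson`, `postgres_pass.txt` and `pictrs.toml` into `data` and carries no `no_log: true`, so a run with `-v`/`--diff` or a logging callback can write the secret payloads to the console or log files; I cannot tell from here whether `community.docker.docker_secret` masks `data` on its own, so add `no_log: true` to that task (the `Create config` task can stay verbose). Separately, `'../../files/docker/lemmy/{{ item }}'` nests moustaches inside a Jinja expression in both tasks; it appears to work because lookup terms are templated again, but `'../../files/docker/lemmy/' ~ item` is the form Ansible documents. The commented-out `# environment:` line under `Deploy lemmy stack` is dead text and should be dropped or turned into a TODO.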
@@ -1,5 +0,0 @@ -age-encryption.org/v1 --> X25519 gYcsPablv8DX5YR2YElCe9IYxd4jACU30GaL97JfETM -PSYUSaAkiHBtprz6qUKqP8RFPkgHCwwnFCACzKlsGU0 ---- giGOMUX2iMWaixyGM7ZxyCPMz10xFxNIJA9vpsJEW+4 -JvtpT(~AnfL3$PyU !]oޘב/׏L S:b-frql=@wrq6{eۃlg u{bL_>cb4?e})Pp|D,oIX_cpG%yG)`sR7PRKu% z0aԮXKr>'SLwppIo/M /2:@.n9 cXG_-ObOPTDƙ`p:F{,xULa1erB\J BqesBѽ="X70=vyWǁ }U'!: ;pnr2D*nQv4%|KxH\1:D40r{ \ No newline at end of file