diff --git a/README.md b/README.md
index 8ef898a..5f2057a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@ # Ansible Role: strfry -This Ansible Role builds and installs [strfry](https://github.com/hoytech/strfry). It is intended to be composed with a separate role to handle the web proxy configuration. +This Ansible Role builds and installs [strfry](https://github.com/hoytech/strfry), and also sets up [strfry-policies](https://gitlab.com/soapbox-pub/strfry-policies). It is intended to be composed with a separate role to handle the web proxy configuration. Tested on: * Archlinux
@@ -17,6 +17,7 @@ None. strfry_version: beta # git repository branch or release tag strfry_make_jobs: "{{ ansible_processor_cores }}" # number of CPUs to build with strfry_skip_config: no +strfry_policies_enabled: yes ``` See the role [defaults](defaults/main.yml).
diff --git a/defaults/main.yml b/defaults/main.yml
index 8265540..a457e8a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -9,6 +9,9 @@ strfry_system_user: strfry strfry_data_path: /var/lib/strfry strfry_db: "./strfry-db/" # Becomes /var/lib/strfry/strfry-db +strfry_policies_enabled: true +strfry_policies_path: "{{ strfry_data_path }}/strfry-policy.ts" + strfry_dbParams: # Maximum number of threads/processes that can simultaneously have LMDB transactions open (restart required) maxreaders: 256
diff --git a/tasks/deno.yml b/tasks/deno.yml
index 5e2fced..435a55c 100644
--- a/tasks/deno.yml
+++ b/tasks/deno.yml
@@ -29,6 +29,7 @@ remote_src: true extra_opts: - -j + when: install_deno - name: 'Save meta information about the version of {{ app_name }} that was installed' community.general.ini_file:
@@ -39,3 +40,4 @@ value: "{{ deno_latest_release_tag.json.tag_name | replace('v','') }}" backup: true no_extra_spaces: true + when: install_deno
diff --git a/tasks/install.yml b/tasks/install.yml
index fd285c8..8985bd7 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml 
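Review bot: `install_deno`, which both hunks in tasks/deno.yml now gate on, is not defined anywhere in this diff — defaults/main.yml only adds the `strfry_policies_*` variables — so unless it is registered or set earlier in deno.yml, outside these hunks, the new `when:` fails with an undefined-variable error instead of skipping. If it is a fact produced by a version comparison higher in the file, a defensive form such as `when: install_deno | default(false) | bool` keeps the unarchive skipped rather than failing when that comparison step is itself skipped. The same applies to the `when: install_deno` added to the ini_file task in the second hunk.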
@@ -5,13 +5,11 @@ dest: "{{ strfry_binary_path }}" mode: 0755 remote_src: true - become: true - name: Setup strfry service unit ansible.builtin.template: src: strfry.service dest: /etc/systemd/system/strfry.service - become: true notify: restart strfry - name: Ensure strfry is enabled on boot
@@ -19,7 +17,6 @@ name: strfry enabled: true state: started - become: true - name: Configure strfry ansible.builtin.template:
@@ -28,7 +25,16 @@ owner: "{{ strfry_system_user }}" group: "{{ strfry_system_group }}" when: not strfry_skip_config - become: true + tags: config + notify: restart strfry + +- name: Configure basic strfry-policies only if a configuration does not already exist + ansible.builtin.template: + src: strfry-policy.ts + dest: "{{ strfry_policies_path }}" + owner: "{{ strfry_system_user }}" + group: "{{ strfry_system_group }}" + when: not strfry_skip_config tags: config notify: restart strfry
@@ -39,7 +45,6 @@ owner: "{{ strfry_system_user }}" group: "{{ strfry_system_group }}" when: strfry_db.startswith('/') - become: true - name: Ensure the configured database directory exists. ansible.builtin.file:
@@ -47,5 +52,4 @@ state: directory owner: "{{ strfry_system_user }}" group: "{{ strfry_system_group }}" - when: not strfry_db.startswith('/') - become: true
\ No newline at end of file
+ when: not strfry_db.startswith('/')
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 4cf1191..00ccee0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,12 +6,18 @@ - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" +- name: Set up local user account + include_tasks: + file: setup-user.yml + apply: + become: true + - name: Install Deno - ansible.builtin.include_tasks: + include_tasks: file: deno.yml apply: - tags: deno become: true + when: strfry_policies_enabled - name: Install build dependencies ansible.builtin.package: 
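Review bot: The new task 'Configure basic strfry-policies only if a configuration does not already exist' does not do what its name says: `ansible.builtin.template` rewrites the destination whenever the rendered content differs, so an operator's customised policy at `strfry_policies_path` is reverted to the shipped default on every run and, via the `notify: restart strfry` that follows, the relay is restarted. Add `force: false` so the template is only written when the file is absent. The task also sets no `mode`, yet the template begins with a `#!/bin/sh` line and is presumably executed by strfry directly, so it likely needs `mode: '0750'` (confirm against how strfry.conf references the plugin); and unlike the Deno install in tasks/main.yml it is not gated on `strfry_policies_enabled`, so `when: not strfry_skip_config and strfry_policies_enabled` would keep the two consistent.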
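Review bot: Dropping `apply: tags: deno` from the Deno include here, and in the second tasks/main.yml hunk replacing the `import_tasks` of build.yml and install.yml with `include_tasks` that carry no `tags:`, means `--tags deno`, `--tags build` and the `tags: config` set inside tasks/install.yml no longer select anything: a dynamic include that itself has no matching tag is skipped before the tagged tasks inside it are loaded. If tag-based runs are meant to keep working, tag the include and apply the tag to its contents, e.g. `tags: [deno]` together with `apply: { tags: [deno], become: true }`, and likewise `config` on the install.yml include. Separately, the new and changed includes use the short `include_tasks:` while the rest of the file uses `ansible.builtin.` names, which ansible-lint's fqcn rule flags; `ansible.builtin.include_tasks:` keeps the file consistent.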
@@ -19,12 +25,11 @@ state: present become: true -- name: Set up local user account - import_tasks: setup-user.yml - -- name: Run build tasks - import_tasks: build.yml - tags: build +- name: Run build tasks as the ansible user (must not be root) + include_tasks: build.yml - name: Proceeding with installation - import_tasks: install.yml
\ No newline at end of file
+ include_tasks:
+ file: install.yml
+ apply:
+ become: true
\ No newline at end of file
diff --git a/tasks/setup-user.yml b/tasks/setup-user.yml
index 716fbe8..1ffb2a9 100644
--- a/tasks/setup-user.yml
+++ b/tasks/setup-user.yml
@@ -8,7 +8,6 @@ - /usr/sbin patterns: nologin register: nologin_bin - become: true - name: Create the strfry group ansible.builtin.group:
@@ -16,7 +15,6 @@ state: present system: true when: strfry_system_group != "root" - become: true - name: Create the strfry system user ansible.builtin.user:
@@ -27,7 +25,6 @@ create_home: false home: "{{ strfry_data_path }}" when: strfry_system_user != "root" - become: true - name: Ensure strfry_path exists. ansible.builtin.file:
@@ -36,4 +33,3 @@ group: "{{ strfry_system_group }}" state: directory mode: '0750' - become: true
diff --git a/templates/strfry-policy.ts b/templates/strfry-policy.ts
new file mode 100644
index 0000000..2ba83c3
--- /dev/null
+++ b/templates/strfry-policy.ts
@@ -0,0 +1,21 @@
+#!/bin/sh
+//bin/true; exec deno run "$0" "$@"
+import {
+ antiDuplicationPolicy,
+ hellthreadPolicy,
+ pipeline,
+ rateLimitPolicy,
+ readStdin,
+ writeStdout,
+ } from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/v0.1.0/mod.ts';
+
+ for await (const msg of readStdin()) {
+ const result = await pipeline(msg, [
+ [hellthreadPolicy, { limit: 100 }],
+ [antiDuplicationPolicy, { ttl: 60000, minLength: 50 }],
+ [rateLimitPolicy, { whitelist: ['127.0.0.1'] }],
+ ]);
+
+ writeStdout(result);
+ }
+ 
\ No newline at end of file
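Review bot: The renamed task 'Run build tasks as the ansible user (must not be root)' states an intent the code does not enforce: `include_tasks: build.yml` inherits whatever `become` the calling play sets, so a play that applies this role with `become: true` still builds as root. If the constraint matters, make it explicit with `apply: { become: false }` on the include, or assert on `ansible_user_id` before it, rather than relying on the task name. Whether build.yml itself drops privileges is not visible in this diff.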
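Review bot: `[rateLimitPolicy, { whitelist: ['127.0.0.1'] }]` exempts loopback from rate limiting, but the README says this role is composed with a separate web proxy; if that proxy runs on the same host and strfry is not configured to take the client address from a forwarded header (not visible here), every event reaches the policy with source 127.0.0.1 and the rate limit is effectively off for all clients. The limits and the whitelist are hard-coded in a Jinja template that renders no variables, so exposing them as role defaults (for example a list variable for the whitelist, defaulting to empty) would let deployments behind a proxy turn the exemption off without editing the template. The policy module is fetched by Deno at first run from a GitLab raw URL pinned to the tag `v0.1.0`; tags are mutable, so pinning to a commit or vendoring the module and running with a Deno lock file would make the code that sits in the relay's write path reproducible. The final line `+ ` is whitespace only and the file ends without a newline.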