Initialize branch for install strfry-policies.

2023-08-11 12:28:48 -07:00 · 2023-08-11 12:28:48 -07:00 · b529402a87
commit b529402a87
parent 26275894fa
7 changed files with 53 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # Ansible Role: strfry

-This Ansible Role builds and installs [strfry](https://github.com/hoytech/strfry). It is intended to be composed with a separate role to handle the web proxy configuration.
+This Ansible Role builds and installs [strfry](https://github.com/hoytech/strfry), and also sets up [strfry-policies](https://gitlab.com/soapbox-pub/strfry-policies). It is intended to be composed with a separate role to handle the web proxy configuration.

 Tested on:
 * Archlinux
@ -17,6 +17,7 @@ None.
 strfry_version: beta # git repository branch or release tag
 strfry_make_jobs: "{{ ansible_processor_cores }}" # number of CPUs to build with
 strfry_skip_config: no
+strfry_policies_enabled: yes
 ```

 See the role [defaults](defaults/main.yml).
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -9,6 +9,9 @@ strfry_system_user: strfry
 strfry_data_path: /var/lib/strfry
 strfry_db: "./strfry-db/" # Becomes /var/lib/strfry/strfry-db

+strfry_policies_enabled: true
+strfry_policies_path:  "{{ strfry_data_path }}/strfry-policy.ts"
+
 strfry_dbParams:
  # Maximum number of threads/processes that can simultaneously have LMDB transactions open (restart required)
  maxreaders: 256
--- a/tasks/deno.yml
+++ b/tasks/deno.yml
@ -29,6 +29,7 @@
    remote_src: true
    extra_opts:
      - -j
+  when: install_deno

 - name: 'Save meta information about the version of {{ app_name }} that was installed'
  community.general.ini_file:
@ -39,3 +40,4 @@
    value: "{{ deno_latest_release_tag.json.tag_name | replace('v','') }}"
    backup: true
    no_extra_spaces: true
+  when: install_deno
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -5,13 +5,11 @@
    dest: "{{ strfry_binary_path }}"
    mode: 0755
    remote_src: true
-  become: true

 - name: Setup strfry service unit
  ansible.builtin.template:
    src: strfry.service
    dest: /etc/systemd/system/strfry.service
-  become: true
  notify: restart strfry

 - name: Ensure strfry is enabled on boot
@ -19,7 +17,6 @@
    name: strfry
    enabled: true
    state: started
-  become: true

 - name: Configure strfry
  ansible.builtin.template:
@ -28,7 +25,16 @@
    owner: "{{ strfry_system_user }}"
    group: "{{ strfry_system_group }}"
  when: not strfry_skip_config
-  become: true
+  tags: config
+  notify: restart strfry
+
+- name: Configure basic strfry-policies only if a configuration does not already exist
+  ansible.builtin.template:
+    src: strfry-policy.ts
+    dest: "{{ strfry_policies_path }}"
+    owner: "{{ strfry_system_user }}"
+    group: "{{ strfry_system_group }}"
+  when: not strfry_skip_config
  tags: config
  notify: restart strfry

@ -39,7 +45,6 @@
    owner: "{{ strfry_system_user }}"
    group: "{{ strfry_system_group }}"
  when: strfry_db.startswith('/')
-  become: true

 - name: Ensure the configured database directory exists.
  ansible.builtin.file:
@ -48,4 +53,3 @@
    owner: "{{ strfry_system_user }}"
    group: "{{ strfry_system_group }}"
  when: not strfry_db.startswith('/')
-  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -6,12 +6,18 @@
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"

+- name: Set up local user account
+  include_tasks:
+    file: setup-user.yml
+    apply:
+      become: true
+
 - name: Install Deno
-  ansible.builtin.include_tasks:
+  include_tasks:
    file: deno.yml
    apply:
-      tags: deno
      become: true
+  when: strfry_policies_enabled
        
 - name: Install build dependencies
  ansible.builtin.package:
@ -19,12 +25,11 @@
    state: present
  become: true

- name: Set up local user account
-  import_tasks: setup-user.yml
-
- name: Run build tasks
-  import_tasks: build.yml
-  tags: build
+- name: Run build tasks as the ansible user (must not be root)
+  include_tasks: build.yml

 - name: Proceeding with installation
-  import_tasks: install.yml
+  include_tasks:
+    file: install.yml
+    apply:
+      become: true
--- a/tasks/setup-user.yml
+++ b/tasks/setup-user.yml
@ -8,7 +8,6 @@
      - /usr/sbin
    patterns: nologin
  register: nologin_bin
-  become: true

 - name: Create the strfry group
  ansible.builtin.group:
@ -16,7 +15,6 @@
    state: present
    system: true
  when: strfry_system_group != "root"
-  become: true

 - name: Create the strfry system user
  ansible.builtin.user:
@ -27,7 +25,6 @@
    create_home: false
    home: "{{ strfry_data_path }}"
  when: strfry_system_user != "root"
-  become: true

 - name: Ensure strfry_path exists.
  ansible.builtin.file:
@ -36,4 +33,3 @@
    group: "{{ strfry_system_group }}"
    state: directory
    mode: '0750'
-  become: true
--- a/templates/strfry-policy.ts
+++ b/templates/strfry-policy.ts
@ -0,0 +1,21 @@
+#!/bin/sh
+//bin/true; exec deno run "$0" "$@"
+import {
+    antiDuplicationPolicy,
+    hellthreadPolicy,
+    pipeline,
+    rateLimitPolicy,
+    readStdin,
+    writeStdout,
+  } from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/v0.1.0/mod.ts';
+  
+  for await (const msg of readStdin()) {
+    const result = await pipeline(msg, [
+      [hellthreadPolicy, { limit: 100 }],
+      [antiDuplicationPolicy, { ttl: 60000, minLength: 50 }],
+      [rateLimitPolicy, { whitelist: ['127.0.0.1'] }],
+    ]);
+  
+    writeStdout(result);
+  }
+