Remove hex and rebar, use paths and add service file

tasks/main.yml

@@ -6,20 +6,6 @@
   tags:
         - setup
         - build
-- name: Fetch hex
-  shell:
-        chdir: "/home/repositories/pleroma/"
-        cmd: "MIX_ENV=prod mix local.hex --force"
-  tags:
-        - setup
-        - build
-- name: Fetch rebar
-  shell:
-        chdir: "/home/repositories/pleroma/"
-        cmd: "MIX_ENV=prod mix local.rebar --force"
-  tags:
-        - setup
-        - build
 - name: Fetch dependencies
   shell:
         chdir: "/home/repositories/pleroma/"
@@ -29,7 +15,7 @@
         - build
 - name: Ensure that output dir is created
   file:
-        path: '/etc/pleroma'
+        path: "{{ pleroma.root }}"
         state: directory
         follow: yes
   tags:
@@ -38,7 +24,16 @@
 - name: Build pleroma
   shell:
         chdir: "/home/repositories/pleroma/"
-        cmd: "MIX_ENV=prod mix release --path /etc/pleroma"
+        cmd: "MIX_ENV=prod mix release --path {{ pleroma.root }}"
   tags:
         - setup
         - build
+- name: Copy systemd service file
+  template:
+        follow: yes
+        src: 'pleroma.service.j2'
+        dest: '/etc/systemd/system/pleroma.service'
+  notify: Run service actions
+  tags:
+        - pleroma
+        - systemd

templates/pleroma.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=Pleroma
+After=network.target
+
+[Service]
+ExecStart=/bin/pleroma
+Restart=on-failure
+DynamicUser=true
+ProtectSystem=strict
+BindReadOnlyPaths={{ pleroma.data }}:/pleroma-data
+RootDirectory={{ pleroma.root }}
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes
+
+[Install]
+WantedBy=multi-user.target