diff --git a/tasks/main.yml b/tasks/main.yml index d08c5a5..25dbbe2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,20 +6,6 @@ tags: - setup - build -- name: Fetch hex - shell: - chdir: "/home/repositories/pleroma/" - cmd: "MIX_ENV=prod mix local.hex --force" - tags: - - setup - - build -- name: Fetch rebar - shell: - chdir: "/home/repositories/pleroma/" - cmd: "MIX_ENV=prod mix local.rebar --force" - tags: - - setup - - build - name: Fetch dependencies shell: chdir: "/home/repositories/pleroma/" @@ -29,7 +15,7 @@ - build - name: Ensure that output dir is created file: - path: '/etc/pleroma' + path: "{{ pleroma.root }}" state: directory follow: yes tags: @@ -38,7 +24,16 @@ - name: Build pleroma shell: chdir: "/home/repositories/pleroma/" - cmd: "MIX_ENV=prod mix release --path /etc/pleroma" + cmd: "MIX_ENV=prod mix release --path {{ pleroma.root }}" tags: - setup - build +- name: Copy systemd service file + template: + follow: yes + src: 'pleroma.service.j2' + dest: '/etc/systemd/system/pleroma.service' + notify: Run service actions + tags: + - pleroma + - systemd diff --git a/templates/pleroma.service.j2 b/templates/pleroma.service.j2 new file mode 100644 index 0000000..c452388 --- /dev/null +++ b/templates/pleroma.service.j2 @@ -0,0 +1,28 @@ +[Unit] +Description=Pleroma +After=network.target + +[Service] +ExecStart=/bin/pleroma +Restart=on-failure +DynamicUser=true +ProtectSystem=strict +BindReadOnlyPaths={{ pleroma.data }}:/pleroma-data +RootDirectory={{ pleroma.root }} +ProtectSystem=strict +PrivateUsers=true +NoNewPrivileges=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +MemoryDenyWriteExecute=yes +LockPersonality=yes +PrivateTmp=yes +PrivateDevices=yes + +[Install] +WantedBy=multi-user.target