Mastodon: allow internal chess host & refactor var names; OpenLDAP: safer get_app_conf

- Add ALLOWED_PRIVATE_ADDRESSES to .env (from svc-db-postgres) to handle 422 Mastodon::PrivateNetworkAddressError - Switch docker-compose to MASTODON_* variables and align vars/main.yml - Always run 01_setup.yml during deployment (removed conditional flag) - OpenLDAP: remove implicit True default on network.local to avoid unintended truthy behavior Context: chess.infinito.nexus resolved to 192.168.200.30 (private IP) from Mastodon; targeted allowlist unblocks federation lookups. Ref: https://chat.openai.com/share/REPLACE_WITH_THIS_CONVERSATION_LINK
2025-09-07 18:57:12 +02:00 · 2025-09-03 21:44:47 +02:00
parent 3769e66d8d
commit 4f8ce598a9
7 changed files with 21 additions and 22 deletions
--- a/roles/svc-db-openldap/tasks/main.yml
+++ b/roles/svc-db-openldap/tasks/main.yml
@@ -37,7 +37,7 @@
 - name: "Reset LDAP Credentials"
  include_tasks: 01_credentials.yml
  when:
-    - applications | get_app_conf(application_id, 'network.local', True)
+    - applications | get_app_conf(application_id, 'network.local')
    - applications | get_app_conf(application_id, 'provisioning.credentials', True)

 - name: "create directory {{openldap_ldif_host_path}}{{item}}"
--- a/roles/svc-db-openldap/vars/main.yml
+++ b/roles/svc-db-openldap/vars/main.yml
@@ -21,4 +21,4 @@ openldap_version:               "{{ applications | get_app_conf(application_id,
 openldap_volume:                "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
 openldap_network:               "{{ applications | get_app_conf(application_id, 'docker.network', True) }}"

-openldap_network_expose_local:  "{{ applications | get_app_conf(application_id, 'network.public', True) | bool or applications | get_app_conf(application_id, 'network.local', True) | bool }}"
+openldap_network_expose_local:  "{{ applications | get_app_conf(application_id, 'network.public', True) | bool or applications | get_app_conf(application_id, 'network.local') | bool }}"
--- a/roles/web-app-mastodon/config/main.yml
+++ b/roles/web-app-mastodon/config/main.yml
@@ -1,5 +1,4 @@
 single_user_mode:     false                                           # Set true for initial setup
-setup:                true                                            # Set true in inventory file to execute the setup and initializing procedures, don't know if this is still necessary @todo test it                        
 features:
  matomo:             true
  css:                true
--- a/roles/web-app-mastodon/tasks/main.yml
+++ b/roles/web-app-mastodon/tasks/main.yml
@@ -19,5 +19,4 @@
    docker_compose_flush_handlers: true

 - name: "start setup procedures for mastodon"
-  include_tasks: 01_setup.yml
-  when: mastodon_setup | bool 
+  include_tasks: 01_setup.yml
--- a/roles/web-app-mastodon/templates/docker-compose.yml.j2
+++ b/roles/web-app-mastodon/templates/docker-compose.yml.j2
@@ -3,8 +3,8 @@
  web:
 {% set container_port = 3000 %}
 {% set container_healthcheck = 'health' %}
-    container_name: {{ mastodon_name }}
-    image: "{{ mastodon_image }}:{{ mastodon_version }}"
+    container_name: {{ MASTODON_NAME }}
+    image: "{{ MASTODON_IMAGE }}:{{ MASTODON_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p {{ container_port }}"
 {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %}
@@ -18,8 +18,8 @@
  streaming:
 {% set container_port = 4000 %}
 {% set container_healthcheck = 'api/v1/streaming/health' %}
-    container_name: {{ mastodon_streaming_name }}
-    image: "{{ mastodon_streaming_image }}:{{ mastodon_streaming_version }}"
+    container_name: {{ MASTODON_STREAMING_NAME }}
+    image: "{{ MASTODON_STREAMING_IMAGE }}:{{ MASTODON_STREAMING_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
    command: node ./streaming
 {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %}
@@ -29,8 +29,8 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}

  sidekiq:
-    container_name: {{ mastodon_sidekiq_name }}
-    image: "{{ mastodon_image }}:{{ mastodon_version }}"
+    container_name: {{ MASTODON_SIDEKIQ_NAME }}
+    image: "{{ MASTODON_IMAGE }}:{{ MASTODON_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
    command: bundle exec sidekiq
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
@@ -45,5 +45,5 @@

 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
  data:
-    name: "{{ mastodon_volume }}"
+    name: "{{ MASTODON_VOLUME }}"
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/web-app-mastodon/templates/env.j2
+++ b/roles/web-app-mastodon/templates/env.j2
@@ -5,7 +5,8 @@

 LOCAL_DOMAIN={{ domains | get_domain(application_id) }}
 ALTERNATE_DOMAINS="{{ domains['web-app-mastodon'][1:] | join(',') }}"
-SINGLE_USER_MODE={{ applications | get_app_conf(application_id, 'single_user_mode', True) }}
+SINGLE_USER_MODE={{ applications | get_app_conf(application_id, 'single_user_mode') }}
+ALLOWED_PRIVATE_ADDRESSES={{ MASTODON_ALLOWED_PRIVATE_ADDRESSES }}

 # Credentials

--- a/roles/web-app-mastodon/vars/main.yml
+++ b/roles/web-app-mastodon/vars/main.yml
@@ -3,12 +3,12 @@ application_id:               "web-app-mastodon"
 database_type:                "postgres"

 # Mastodon Specific
-mastodon_version:             "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.version', True) }}"
-mastodon_image:               "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.image', True) }}"
-mastodon_name:                "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name', True) }}"
-mastodon_volume:              "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
-mastodon_streaming_version:   "{{ applications | get_app_conf(application_id, 'docker.services.streaming.version', True) }}"
-mastodon_streaming_image:     "{{ applications | get_app_conf(application_id, 'docker.services.streaming.image', True) }}"
-mastodon_streaming_name:      "{{ applications | get_app_conf(application_id, 'docker.services.streaming.name', True) }}"
-mastodon_sidekiq_name:        "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name', True) }}_sidekiq"
-mastodon_setup:               "{{ applications | get_app_conf(application_id, 'setup', True) }}"
+MASTODON_VERSION:                     "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.version') }}"
+MASTODON_IMAGE:                       "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.image') }}"
+MASTODON_NAME:                        "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name') }}"
+MASTODON_VOLUME:                      "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+MASTODON_STREAMING_VERSION:           "{{ applications | get_app_conf(application_id, 'docker.services.streaming.version') }}"
+MASTODON_STREAMING_IMAGE:             "{{ applications | get_app_conf(application_id, 'docker.services.streaming.image') }}"
+MASTODON_STREAMING_NAME:              "{{ applications | get_app_conf(application_id, 'docker.services.streaming.name') }}"
+MASTODON_SIDEKIQ_NAME:                "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name') }}_sidekiq"
+MASTODON_ALLOWED_PRIVATE_ADDRESSES:   "{{ networks.local['svc-db-postgres'].subnet if 'web-app-chess' in group_names else ''}}"