From 4f8ce598a9b001a581dfc2ab58addab210ccf64b Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 3 Sep 2025 21:44:47 +0200
Subject: [PATCH] Mastodon: allow internal chess host & refactor var names; OpenLDAP: safer get_app_conf
- Add ALLOWED_PRIVATE_ADDRESSES to .env (from svc-db-postgres) to handle 422 Mastodon::PrivateNetworkAddressError
- Switch docker-compose to MASTODON_* variables and align vars/main.yml
- Always run 01_setup.yml during deployment (removed conditional flag)
- OpenLDAP: remove implicit True default on network.local to avoid unintended truthy behavior
Context: chess.infinito.nexus resolved to 192.168.200.30 (private IP) from Mastodon; targeted allowlist unblocks federation lookups.
Ref: https://chat.openai.com/share/REPLACE_WITH_THIS_CONVERSATION_LINK
---
 roles/svc-db-openldap/tasks/main.yml | 2 +-
 roles/svc-db-openldap/vars/main.yml | 2 +-
 roles/web-app-mastodon/config/main.yml | 1 -
 roles/web-app-mastodon/tasks/main.yml | 3 +--
 .../templates/docker-compose.yml.j2 | 14 +++++++-------
 roles/web-app-mastodon/templates/env.j2 | 3 ++-
 roles/web-app-mastodon/vars/main.yml | 18 +++++++++---------
 7 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/roles/svc-db-openldap/tasks/main.yml b/roles/svc-db-openldap/tasks/main.yml
index 8557c307..34190169 100644
--- a/roles/svc-db-openldap/tasks/main.yml
+++ b/roles/svc-db-openldap/tasks/main.yml
@@ -37,7 +37,7 @@
 - name: "Reset LDAP Credentials"
 include_tasks: 01_credentials.yml
 when:
- applications | get_app_conf(application_id, 'network.local', True)
+ - applications | get_app_conf(application_id, 'network.local')
 - applications | get_app_conf(application_id, 'provisioning.credentials', True)
 - name: "create directory {{openldap_ldif_host_path}}{{item}}"
diff --git a/roles/svc-db-openldap/vars/main.yml b/roles/svc-db-openldap/vars/main.yml
index df7de847..996f6d33 100644
--- a/roles/svc-db-openldap/vars/main.yml
+++ b/roles/svc-db-openldap/vars/main.yml
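Review bot: The effect of dropping the third positional argument in `applications | get_app_conf(application_id, 'network.local')` depends on what that parameter is, and the filter's signature is not on this page: if it is a strict-lookup flag rather than a default, the edit changes nothing for a present key and makes a missing `network.local` raise instead of evaluating false; if it is a default, the `when:` now depends on whatever the filter returns for an absent key. Because this `when:` gates a credential reset, the behaviour for an absent key deserves to be explicit — pass the default by keyword if the filter supports one, and add a comment above the condition such as `# Only reset credentials when network.local is explicitly enabled; an absent key must evaluate false`. The same argument drop appears in the `svc-db-openldap/vars/main.yml` hunk (where `network.public` still passes `True` while `network.local` does not), in the env.j2 `SINGLE_USER_MODE` line and throughout the `web-app-mastodon/vars/main.yml` hunk; the task that owns this `when:` continues outside the hunk.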
@@ -21,4 +21,4 @@ openldap_version: "{{ applications | get_app_conf(application_id,
 openldap_volume: "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
 openldap_network: "{{ applications | get_app_conf(application_id, 'docker.network', True) }}"
-openldap_network_expose_local: "{{ applications | get_app_conf(application_id, 'network.public', True) | bool or applications | get_app_conf(application_id, 'network.local', True) | bool }}"
\ No newline at end of file
+openldap_network_expose_local: "{{ applications | get_app_conf(application_id, 'network.public', True) | bool or applications | get_app_conf(application_id, 'network.local') | bool }}"
\ No newline at end of file
diff --git a/roles/web-app-mastodon/config/main.yml b/roles/web-app-mastodon/config/main.yml
index ad8ffd9e..c89ebdec 100644
--- a/roles/web-app-mastodon/config/main.yml
+++ b/roles/web-app-mastodon/config/main.yml
@@ -1,5 +1,4 @@
 single_user_mode: false # Set true for initial setup
-setup: true # Set true in inventory file to execute the setup and initializing procedures, don't know if this is still necessary @todo test it
 features:
 matomo: true
 css: true
diff --git a/roles/web-app-mastodon/tasks/main.yml b/roles/web-app-mastodon/tasks/main.yml
index a0096a66..a79bb6b9 100644
--- a/roles/web-app-mastodon/tasks/main.yml
+++ b/roles/web-app-mastodon/tasks/main.yml
@@ -19,5 +19,4 @@
 docker_compose_flush_handlers: true
 - name: "start setup procedures for mastodon"
- include_tasks: 01_setup.yml
- when: mastodon_setup | bool
\ No newline at end of file
+ include_tasks: 01_setup.yml
\ No newline at end of file
diff --git a/roles/web-app-mastodon/templates/docker-compose.yml.j2 b/roles/web-app-mastodon/templates/docker-compose.yml.j2
index 3d68c13f..2369765c 100644
--- a/roles/web-app-mastodon/templates/docker-compose.yml.j2
+++ b/roles/web-app-mastodon/templates/docker-compose.yml.j2
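Review bot: With `when: mastodon_setup | bool` removed, `include_tasks: 01_setup.yml` now runs on every deployment, and nothing in this hunk shows that its steps are safe to repeat; if they perform one-time initialisation (the deleted `setup` comment in `config/main.yml` itself said this was untested), re-running them against a live instance could redo migrations or account creation. Before relying on unconditional execution, confirm each task in `01_setup.yml` is idempotent or guard the non-repeatable ones with a `creates:` marker, and record the intent on the task, e.g. `# 01_setup.yml is idempotent and is re-applied on every deployment`. The `config/main.yml` hunk also drops the `setup` key silently, so an inventory that still sets it is now ignored without any warning.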
@@ -3,8 +3,8 @@
 web:
 {% set container_port = 3000 %}
 {% set container_healthcheck = 'health' %}
- container_name: {{ mastodon_name }}
- image: "{{ mastodon_image }}:{{ mastodon_version }}"
+ container_name: {{ MASTODON_NAME }}
+ image: "{{ MASTODON_IMAGE }}:{{ MASTODON_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p {{ container_port }}"
 {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %}
@@ -18,8 +18,8 @@
 streaming:
 {% set container_port = 4000 %}
 {% set container_healthcheck = 'api/v1/streaming/health' %}
- container_name: {{ mastodon_streaming_name }}
- image: "{{ mastodon_streaming_image }}:{{ mastodon_streaming_version }}"
+ container_name: {{ MASTODON_STREAMING_NAME }}
+ image: "{{ MASTODON_STREAMING_IMAGE }}:{{ MASTODON_STREAMING_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 command: node ./streaming
 {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %}
@@ -29,8 +29,8 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 sidekiq:
- container_name: {{ mastodon_sidekiq_name }}
- image: "{{ mastodon_image }}:{{ mastodon_version }}"
+ container_name: {{ MASTODON_SIDEKIQ_NAME }}
+ image: "{{ MASTODON_IMAGE }}:{{ MASTODON_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 command: bundle exec sidekiq
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
@@ -45,5 +45,5 @@
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
 data:
- name: "{{ mastodon_volume }}"
+ name: "{{ MASTODON_VOLUME }}"
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
\ No newline at end of file
diff --git a/roles/web-app-mastodon/templates/env.j2 b/roles/web-app-mastodon/templates/env.j2
index 63069052..4e5f172f 100644
--- a/roles/web-app-mastodon/templates/env.j2
+++ b/roles/web-app-mastodon/templates/env.j2
@@ -5,7 +5,8 @@ LOCAL_DOMAIN={{ domains | get_domain(application_id) }}
 ALTERNATE_DOMAINS="{{ domains['web-app-mastodon'][1:] | join(',') }}"
-SINGLE_USER_MODE={{ applications | get_app_conf(application_id, 'single_user_mode', True) }}
+SINGLE_USER_MODE={{ applications | get_app_conf(application_id, 'single_user_mode') }}
+ALLOWED_PRIVATE_ADDRESSES={{ MASTODON_ALLOWED_PRIVATE_ADDRESSES }}
 # Credentials
diff --git a/roles/web-app-mastodon/vars/main.yml b/roles/web-app-mastodon/vars/main.yml
index 59da5a03..681e34e8 100644
--- a/roles/web-app-mastodon/vars/main.yml
+++ b/roles/web-app-mastodon/vars/main.yml
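Review bot: `ALLOWED_PRIVATE_ADDRESSES={{ MASTODON_ALLOWED_PRIVATE_ADDRESSES }}` is emitted unconditionally, so on hosts where the variable renders as the empty string the file carries a bare `ALLOWED_PRIVATE_ADDRESSES=`; since this setting is the exception to Mastodon's guard against fetching private-network addresses (the 422 `Mastodon::PrivateNetworkAddressError` named in the commit message), it is safer to omit the key entirely when there is nothing to allow, rather than rely on how Mastodon parses an empty value. Wrap the line as `{% if MASTODON_ALLOWED_PRIVATE_ADDRESSES %}` / `ALLOWED_PRIVATE_ADDRESSES={{ MASTODON_ALLOWED_PRIVATE_ADDRESSES }}` / `{% endif %}` and precede it with a comment such as `# Private address range Mastodon may contact for federation (internal chess host); empty on other hosts`. The remainder of the env template lies outside this hunk.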
@@ -3,12 +3,12 @@ application_id: "web-app-mastodon"
 database_type: "postgres"
 # Mastodon Specific
-mastodon_version: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.version', True) }}"
-mastodon_image: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.image', True) }}"
-mastodon_name: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name', True) }}"
-mastodon_volume: "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
-mastodon_streaming_version: "{{ applications | get_app_conf(application_id, 'docker.services.streaming.version', True) }}"
-mastodon_streaming_image: "{{ applications | get_app_conf(application_id, 'docker.services.streaming.image', True) }}"
-mastodon_streaming_name: "{{ applications | get_app_conf(application_id, 'docker.services.streaming.name', True) }}"
-mastodon_sidekiq_name: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name', True) }}_sidekiq"
-mastodon_setup: "{{ applications | get_app_conf(application_id, 'setup', True) }}"
\ No newline at end of file
+MASTODON_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.version') }}"
+MASTODON_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.image') }}"
+MASTODON_NAME: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name') }}"
+MASTODON_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+MASTODON_STREAMING_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.streaming.version') }}"
+MASTODON_STREAMING_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.streaming.image') }}"
+MASTODON_STREAMING_NAME: "{{ applications | get_app_conf(application_id, 'docker.services.streaming.name') }}"
+MASTODON_SIDEKIQ_NAME: "{{ applications | get_app_conf(application_id, 'docker.services.mastodon.name') }}_sidekiq"
+MASTODON_ALLOWED_PRIVATE_ADDRESSES: "{{ networks.local['svc-db-postgres'].subnet if 'web-app-chess' in group_names else ''}}"
\ No newline at end of file
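Review bot: `MASTODON_ALLOWED_PRIVATE_ADDRESSES` hands Mastodon the whole `networks.local['svc-db-postgres'].subnet`, although the commit message describes a targeted allowlist for one host that resolved to 192.168.200.30; exempting the entire database-network range from the private-address guard would let Mastodon's outbound fetches reach any container on that subnet, not only the chess service, which is broader than the stated need. If the chess host's address is available from the inventory, prefer that, and either way add a comment above the line stating why the postgres network's subnet is the chosen scope and what `'web-app-chess' in group_names` is meant to detect (it appears to assume the chess role is deployed on the same host, which cannot be verified from this page). Two style points on the new lines: the `MASTODON_*` names depart from the lowercase snake_case that ansible-lint's `var-naming` rule expects and that the `openldap_*` vars in this same patch still use, and the file still ends without a trailing newline.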