Raw refactoring of roles

2025-10-31 02:10:05 +00:00 · 2025-05-09 17:47:33 +02:00
parent 82f442f40e
commit 5b47333955
177 changed files with 1483 additions and 1041 deletions
--- a/roles/docker-bluesky/meta/schema.yml
+++ b/roles/docker-bluesky/meta/schema.yml
@@ -0,0 +1,13 @@
+credentials:
+  jwt_secret:
+    description: "Secret used for JWT signing (base64, 64 bytes)"
+    algorithm: "plain"
+    validation: "^[A-Za-z0-9+/=]{86,}$"  # 64 bytes base64 = ~86 characters without newline
+  plc_rotation_key_k256_private_key_hex:
+    description: "PLC rotation key in hex format (32 bytes)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+  admin_password:
+    description: "Initial admin password for Bluesky PDS"
+    algorithm: "plain"
+    validation: "^.{12,}$"
--- a/roles/docker-bluesky/templates/env.j2
+++ b/roles/docker-bluesky/templates/env.j2
@@ -4,9 +4,9 @@ PDS_SERVICE_DID="did:web:{{domains.bluesky_api}}"

 # See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/
 PDS_SERVICE_HANDLE_DOMAINS=".{{primary_domain}}"
-PDS_JWT_SECRET="{{applications.bluesky.pds.jwt_secret}}"
-PDS_ADMIN_PASSWORD="{{applications.bluesky.pds.admin_password}}"
-PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{applications.bluesky.pds.plc_rotation_key_k256_private_key_hex}}"
+PDS_JWT_SECRET="{{applications.bluesky.credentials.jwt_secret}}"
+PDS_ADMIN_PASSWORD="{{applications.bluesky.credentials.admin_password}}"
+PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{applications.bluesky.credentials.plc_rotation_key_k256_private_key_hex}}"
 PDS_CRAWLERS=https://bsky.network
 PDS_EMAIL_SMTP_URL=smtps://{{ users['no-reply'].email }}:{{ users['no-reply'].mailu_token }}@{{system_email.host}}:{{system_email.port}}/
 PDS_EMAIL_FROM_ADDRESS={{ users['no-reply'].email }}
--- a/roles/docker-bluesky/vars/configuration.yml
+++ b/roles/docker-bluesky/vars/configuration.yml
@@ -0,0 +1,14 @@
+users:
+  administrator:
+  email:    "{{users.administrator.email}}"
+pds:
+  version:              "latest"
+credentials:  
+  #jwt_secret:                                                          # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n'
+  #plc_rotation_key_k256_private_key_hex:                               # Needs to be defined in inventory file - Use: openssl rand -hex 32 
+  #admin_password:                                                      # Needs to be defined in inventory file - Use: openssl rand -base64 16
+features:
+  matomo: true
+  css: true
+  landingpage_iframe: true
+  central_database: true