web-app-bluesky: refactor role, add Cloudflare DNS integration, split tasks

Changes: add AppView port; add CSP whitelist; new tasks (01_pds, 02_social_app, 03_dns); switch templates to BLUESKY_* vars; update docker-compose and env; TCP healthcheck; remove admin_password from schema. Conversation context: https://chatgpt.com/share/68b85276-e0ec-800f-90ec-480a1d528593
2025-09-09 19:57:16 +02:00 · 2025-09-03 16:37:35 +02:00
parent a1130e33d7
commit d2dc2eab5f
10 changed files with 230 additions and 86 deletions
--- a/roles/web-app-bluesky/config/main.yml
+++ b/roles/web-app-bluesky/config/main.yml
@@ -1,19 +1,38 @@
-images:
-  pds:              "ghcr.io/bluesky-social/pds:latest"
-pds:
-  version:          "latest"
 features:
  matomo:           true
  css:              true
  desktop:          true
-  central_database: true
+  central_database: false
  logout:           true
 server:
  domains:
    canonical:
      web:  "bskyweb.{{ PRIMARY_DOMAIN }}"
      api:  "bluesky.{{ PRIMARY_DOMAIN }}"
+      view: "view.bluesky.{{ PRIMARY_DOMAIN }}"
+  csp:
+    whitelist:
+      connect-src:
+        - "{{ WEB_PROTOCOL }}://{{ BLUESKY_API_DOMAIN }}"
+        - https://plc.directory
+        - https://bsky.social
+        - https://api.bsky.app
+        - https://public.api.bsky.app
+        - https://events.bsky.app
+        - https://statsigapi.net
+        - https://ip.bsky.app
+        - wss://bsky.network
+        - wss://*.bsky.app
 docker:
  services:
    database:
-      enabled: true
+      enabled: false
+    web:
+      enabled: true # @see https://github.com/bluesky-social/social-app
+    view:
+      enabled: false
+    pds:
+      image:    "ghcr.io/bluesky-social/pds"
+      version:  "latest"
+  volumes:
+    pds_data:   "pds_data"