web-app-bluesky: refactor role, add Cloudflare DNS integration, split tasks

Changes: add AppView port; add CSP whitelist; new tasks (01_pds, 02_social_app, 03_dns); switch templates to BLUESKY_* vars; update docker-compose and env; TCP healthcheck; remove admin_password from schema. Conversation context: https://chatgpt.com/share/68b85276-e0ec-800f-90ec-480a1d528593
2025-09-09 11:47:14 +02:00 · 2025-09-03 16:37:35 +02:00
parent a1130e33d7
commit d2dc2eab5f
10 changed files with 230 additions and 86 deletions
--- a/roles/web-app-bluesky/tasks/01_pds.yml
+++ b/roles/web-app-bluesky/tasks/01_pds.yml
@@ -0,0 +1,30 @@
+# The following lines should be removed when the following issue is closed:
+# https://github.com/bluesky-social/pds/issues/52
+
+- name: Download pdsadmin tarball
+  get_url:
+    url: "https://github.com/lhaig/pdsadmin/releases/download/v1.0.0-dev/pdsadmin_Linux_x86_64.tar.gz"
+    dest: "{{ BLUESKY_PDSADMIN_TMP_TAR }}"
+    mode: '0644'
+  notify:
+    - docker compose up
+    - docker compose build
+
+- name: Create {{ BLUESKY_PDSADMIN_DIR }}
+  file:
+    path: "{{ BLUESKY_PDSADMIN_DIR }}"
+    state: directory
+    mode: '0755'
+    
+- name: Extract pdsadmin tarball
+  unarchive:
+    src: "{{ BLUESKY_PDSADMIN_TMP_TAR }}"
+    dest: "{{ BLUESKY_PDSADMIN_DIR }}"
+    remote_src: yes
+    mode: '0755'
+
+- name: Ensure pdsadmin is executable
+  file:
+    path: "{{ BLUESKY_PDSADMIN_FILE }}"
+    mode: '0755'
+    state: file
--- a/roles/web-app-bluesky/tasks/02_social_app.yml
+++ b/roles/web-app-bluesky/tasks/02_social_app.yml
@@ -0,0 +1,8 @@
+- name: clone social app repository
+  git:
+    repo: "https://github.com/bluesky-social/social-app.git"
+    dest: "{{ BLUESKY_SOCIAL_APP_DIR }}"
+    version: "main"
+  notify:
+    - docker compose up
+    - docker compose build
--- a/roles/web-app-bluesky/tasks/03_dns.yml
+++ b/roles/web-app-bluesky/tasks/03_dns.yml
@@ -0,0 +1,73 @@
+---
+# Creates Cloudflare DNS records for Bluesky:
+# - PDS/API host (A/AAAA)
+# - Handle TXT verification (_atproto)
+# - Optional Web UI host (A/AAAA)
+# - Optional custom AppView host (A/AAAA)
+#
+# Requirements:
+#   DNS_PROVIDER == 'cloudflare'
+#   CLOUDFLARE_API_TOKEN set
+#
+# Inputs (inventory/vars):
+#   BLUESKY_API_DOMAIN, BLUESKY_WEB_DOMAIN, BLUESKY_VIEW_DOMAIN
+#   BLUESKY_WEB_ENABLED (bool), BLUESKY_VIEW_ENABLED (bool)
+#   PRIMARY_DOMAIN
+#   networks.internet.ip4 (and optionally networks.internet.ip6)
+
+- name: "DNS (Cloudflare) for Bluesky – base records"
+  include_role:
+    name: sys-dns-cloudflare-records
+  when: DNS_PROVIDER | lower == 'cloudflare'
+  vars:
+    cloudflare_records:
+      # 1) PDS / API host
+      - type: A
+        zone: "{{ BLUESKY_API_DOMAIN | to_zone }}"
+        name: "{{ BLUESKY_API_DOMAIN }}"
+        content: "{{ networks.internet.ip4 }}"
+        proxied: false
+
+      - type: AAAA
+        zone: "{{ BLUESKY_API_DOMAIN | to_zone }}"
+        name: "{{ BLUESKY_API_DOMAIN }}"
+        content: "{{ networks.internet.ip6 | default('') }}"
+        proxied: false
+        state: "{{ (networks.internet.ip6 is defined and (networks.internet.ip6 | string) | length > 0) | ternary('present','absent') }}"
+
+      # 2) Handle verification for primary handle (Apex)
+      - type: TXT
+        zone: "{{ PRIMARY_DOMAIN | to_zone }}"
+        name: "_atproto.{{ PRIMARY_DOMAIN }}"
+        value: "did=did:web:{{ BLUESKY_API_DOMAIN }}"
+
+      # 3) Web UI host (only if enabled)
+      - type: A
+        zone: "{{ BLUESKY_WEB_DOMAIN | to_zone }}"
+        name: "{{ BLUESKY_WEB_DOMAIN }}"
+        content: "{{ networks.internet.ip4 }}"
+        proxied: true
+        state: "{{ (BLUESKY_WEB_ENABLED | bool) | ternary('present','absent') }}"
+
+      - type: AAAA
+        zone: "{{ BLUESKY_WEB_DOMAIN | to_zone }}"
+        name: "{{ BLUESKY_WEB_DOMAIN }}"
+        content: "{{ networks.internet.ip6 | default('') }}"
+        proxied: true
+        state: "{{ (BLUESKY_WEB_ENABLED | bool) and (networks.internet.ip6 is defined) and ((networks.internet.ip6 | string) | length > 0) | ternary('present','absent') }}"
+
+      # 4) Custom AppView host (only if you actually run one and it's not api.bsky.app)
+      - type: A
+        zone: "{{ BLUESKY_VIEW_DOMAIN | to_zone }}"
+        name: "{{ BLUESKY_VIEW_DOMAIN }}"
+        content: "{{ networks.internet.ip4 }}"
+        proxied: false
+        state: "{{ (BLUESKY_VIEW_ENABLED | bool) and (BLUESKY_VIEW_DOMAIN != 'api.bsky.app') | ternary('present','absent') }}"
+
+      - type: AAAA
+        zone: "{{ BLUESKY_VIEW_DOMAIN | to_zone }}"
+        name: "{{ BLUESKY_VIEW_DOMAIN }}"
+        content: "{{ networks.internet.ip6 | default('') }}"
+        proxied: false
+        state: "{{ (BLUESKY_VIEW_ENABLED | bool) and (BLUESKY_VIEW_DOMAIN != 'api.bsky.app') and (networks.internet.ip6 is defined) and ((networks.internet.ip6 | string) | length > 0) | ternary('present','absent') }}"
+
--- a/roles/web-app-bluesky/tasks/main.yml
+++ b/roles/web-app-bluesky/tasks/main.yml
@@ -1,48 +1,39 @@
 - name: "include docker-compose role"
  include_role: 
    name: docker-compose
+  vars:
+    docker_compose_flush_handlers: false

- name: "include role sys-stk-front-proxy for {{ application_id }}"
+- name: "Include front proxy for {{ BLUESKY_API_DOMAIN }}:{{ BLUESKY_API_PORT }}"
  include_role:
    name: sys-stk-front-proxy
  vars:
-    domain: "{{ item.domain }}"
-    http_port: "{{ item.http_port }}"
-  loop:
-    - { domain: "{{domains[application_id].api", http_port: "{{ports.localhost.http['web-app-bluesky_api']}}" }
-    - { domain: "{{domains[application_id].web}}", http_port: "{{ports.localhost.http['web-app-bluesky_web']}}" }
+    domain: "{{ BLUESKY_API_DOMAIN }}"
+    http_port: "{{ BLUESKY_API_PORT }}"

-# The following lines should be removed when the following issue is closed:
-# https://github.com/bluesky-social/pds/issues/52
+- name: "Include front proxy for {{ BLUESKY_WEB_DOMAIN }}:{{ BLUESKY_WEB_PORT }}"
+  include_role:
+    name: sys-stk-front-proxy
+  vars:
+    domain: "{{ BLUESKY_WEB_DOMAIN }}"
+    http_port: "{{ BLUESKY_WEB_PORT }}"
+  when: BLUESKY_WEB_ENABLED | bool

- name: Download pdsadmin tarball
-  get_url:
-    url: "https://github.com/lhaig/pdsadmin/releases/download/v1.0.0-dev/pdsadmin_Linux_x86_64.tar.gz"
-    dest: "{{pdsadmin_temporary_tar_path}}"
-    mode: '0644'
+- name: "Include front proxy for {{ BLUESKY_VIEW_DOMAIN }}:{{ BLUESKY_VIEW_PORT }}"
+  include_role:
+    name: sys-stk-front-proxy
+  vars:
+    domain: "{{ BLUESKY_VIEW_DOMAIN }}"
+    http_port: "{{ BLUESKY_VIEW_PORT }}"
+  when: BLUESKY_VIEW_ENABLED | bool

- name: Create {{pdsadmin_folder_path}}
-  file:
-    path: "{{pdsadmin_folder_path}}"
-    state: directory
-    mode: '0755'
-    
- name: Extract pdsadmin tarball
-  unarchive:
-    src: "{{pdsadmin_temporary_tar_path}}"
-    dest: "{{pdsadmin_folder_path}}"
-    remote_src: yes
-    mode: '0755'
+- name: "Execute PDS routines"
+  ansible.builtin.include_tasks: "01_pds.yml"

- name: Ensure pdsadmin is executable
-  file:
-    path: "{{pdsadmin_file_path}}"
-    mode: '0755'
-    state: file
+- name: "Execute Social App routines"
+  ansible.builtin.include_tasks: "02_social_app.yml"
+  when: BLUESKY_WEB_ENABLED | bool

- name: clone social app repository
-  git:
-    repo: "https://github.com/bluesky-social/social-app.git"
-    dest: "{{social_app_path}}"
-    version: "main"
-  notify: docker compose up 
+- name: "DNS for Bluesky"
+  include_tasks: "03_dns.yml"
+  when: DNS_PROVIDER | lower == 'cloudflare'