Merge pull request #130 from yalh76/develop

Upgrade to 2.7.4

10 files changed, 286 insertions, 39 deletions

diff --git a/conf/.env.production.sample b/conf/.env.production.sample
new file mode 100644
index 0000000..d6bd0c6
--- /dev/null
+++ b/conf/.env.production.sample
@@ -0,0 +1,232 @@
+# Service dependencies
+# You may set REDIS_URL instead for more advanced options
+# You may also set REDIS_NAMESPACE to share Redis between multiple Mastodon servers
+REDIS_HOST=localhost
+REDIS_PORT=6379
+# You may set DATABASE_URL instead for more advanced options
+DB_HOST=localhost
+DB_USER=__DB_USER__
+DB_NAME=__DB_NAME__
+DB_PASS=__DB_PWD__
+DB_PORT=5432
+# Optional ElasticSearch configuration
+# ES_ENABLED=true
+# ES_HOST=es
+# ES_PORT=9200
+
+# Federation
+# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
+# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
+LOCAL_DOMAIN=__DOMAIN__
+
+# Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links)
+
+# Use this only if you need to run mastodon on a different domain than the one used for federation.
+# You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
+# DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
+# WEB_DOMAIN=mastodon.example.com
+
+# Use this if you want to have several aliases handler@example1.com
+# handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
+# be added. Comma separated values
+# ALTERNATE_DOMAINS=example1.com,example2.com
+
+# Application secrets
+# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+SECRET_KEY_BASE=__SECRET_KEY_BASE__
+OTP_SECRET=__OTP_SECRET__
+
+# VAPID keys (used for push notifications
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+VAPID_PRIVATE_KEY=__VAPID_PRIVATE_KEY__
+VAPID_PUBLIC_KEY=__VAPID_PUBLIC_KEY__
+
+# Registrations
+# Single user mode will disable registrations and redirect frontpage to the first profile
+# SINGLE_USER_MODE=true
+# Prevent registrations with following e-mail domains
+# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
+# Only allow registrations with the following e-mail domains
+# EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc
+
+# Optionally change default language
+DEFAULT_LOCALE=__LANGUAGE__
+
+# E-mail configuration
+# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
+# If you want to use an SMTP server without authentication (e.g local Postfix relay)
+# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
+# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
+SMTP_SERVER=localhost
+SMTP_PORT=25
+#SMTP_LOGIN=
+#SMTP_PASSWORD=
+SMTP_FROM_ADDRESS=__SMTP_FROM_ADDRESS__
+#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
+#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
+SMTP_AUTH_METHOD=none
+#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+SMTP_OPENSSL_VERIFY_MODE=none
+#SMTP_ENABLE_STARTTLS_AUTO=true
+#SMTP_TLS=true
+
+# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
+# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
+# PAPERCLIP_ROOT_URL=/system
+
+# Optional asset host for multi-server setups
+# The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
+# if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://example.com/
+# CDN_HOST=https://assets.example.com
+
+# S3 (optional)
+# The attachment host must allow cross origin request from WEB_DOMAIN or
+# LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://192.168.1.123:9000/
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=http
+# S3_HOSTNAME=192.168.1.123:9000
+
+# S3 (Minio Config (optional) Please check Minio instance for details)
+# The attachment host must allow cross origin request - see the description
+# above.
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=https
+# S3_HOSTNAME=
+# S3_ENDPOINT=
+# S3_SIGNATURE_VERSION=
+
+# Swift (optional)
+# The attachment host must allow cross origin request - see the description
+# above.
+# SWIFT_ENABLED=true
+# SWIFT_USERNAME=
+# For Keystone V3, the value for SWIFT_TENANT should be the project name
+# SWIFT_TENANT=
+# SWIFT_PASSWORD=
+# Some OpenStack V3 providers require PROJECT_ID (optional)
+# SWIFT_PROJECT_ID=
+# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
+# issues with token rate-limiting during high load.
+# SWIFT_AUTH_URL=
+# SWIFT_CONTAINER=
+# SWIFT_OBJECT_URL=
+# SWIFT_REGION=
+# Defaults to 'default'
+# SWIFT_DOMAIN_NAME=
+# Defaults to 60 seconds. Set to 0 to disable
+# SWIFT_CACHE_TTL=
+
+# Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
+# S3_ALIAS_HOST=
+
+# Streaming API integration
+# STREAMING_API_BASE_URL=
+
+# Advanced settings
+# If you need to use pgBouncer, you need to disable prepared statements:
+# PREPARED_STATEMENTS=false
+
+# Cluster number setting for streaming API server.
+# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
+STREAMING_CLUSTER_NUM=1
+
+# Docker mastodon user
+# If you use Docker, you may want to assign UID/GID manually.
+# UID=1000
+# GID=1000
+
+# LDAP authentication (optional)
+# LDAP_ENABLED=true
+# LDAP_HOST=localhost
+# LDAP_PORT=389
+# LDAP_METHOD=simple_tls
+# LDAP_BASE=ou=users,dc=yunohost,dc=org
+# LDAP_BIND_DN=uid=__LDAP_USER__,ou=users,dc=yunohost,dc=org
+# LDAP_PASSWORD=__LDAP_PASSWORD__
+# LDAP_UID=uid
+# LDAP_SEARCH_FILTER="%{uid}=%{email}"
+
+# PAM authentication (optional)
+# PAM authentication uses for the email generation the "email" pam variable
+# and optional as fallback PAM_DEFAULT_SUFFIX
+# The pam environment variable "email" is provided by:
+# https://github.com/devkral/pam_email_extractor
+# PAM_ENABLED=true
+# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
+# PAM_EMAIL_DOMAIN=example.com
+# Name of the pam service (pam "auth" section is evaluated)
+# PAM_DEFAULT_SERVICE=rpam
+# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
+# PAM_CONTROLLED_SERVICE=rpam
+
+# Global OAuth settings (optional) :
+# If you have only one strategy, you may want to enable this
+# OAUTH_REDIRECT_AT_SIGN_IN=true
+
+# Optional CAS authentication (cf. omniauth-cas) :
+# CAS_ENABLED=true
+# CAS_URL=https://sso.myserver.com/
+# CAS_HOST=sso.myserver.com/
+# CAS_PORT=443
+# CAS_SSL=true
+# CAS_VALIDATE_URL=
+# CAS_CALLBACK_URL=
+# CAS_LOGOUT_URL=
+# CAS_LOGIN_URL=
+# CAS_UID_FIELD='user'
+# CAS_CA_PATH=
+# CAS_DISABLE_SSL_VERIFICATION=false
+# CAS_UID_KEY='user'
+# CAS_NAME_KEY='name'
+# CAS_EMAIL_KEY='email'
+# CAS_NICKNAME_KEY='nickname'
+# CAS_FIRST_NAME_KEY='firstname'
+# CAS_LAST_NAME_KEY='lastname'
+# CAS_LOCATION_KEY='location'
+# CAS_IMAGE_KEY='image'
+# CAS_PHONE_KEY='phone'
+
+# Optional SAML authentication (cf. omniauth-saml)
+# SAML_ENABLED=true
+# SAML_ACS_URL=
+# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback
+# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
+# SAML_IDP_CERT=
+# SAML_IDP_CERT_FINGERPRINT=
+# SAML_NAME_IDENTIFIER_FORMAT=
+# SAML_CERT=
+# SAML_PRIVATE_KEY=
+# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
+# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
+# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
+# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
+# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
+# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
+
+# Use HTTP proxy for outgoing request (optional)
+# http_proxy=http://gateway.local:8118
+# Access control for hidden service.
+# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
diff --git a/conf/app-mastodon.src b/conf/app-mastodon.src
deleted file mode 100644
index 4c68e9c..0000000
--- a/conf/app-mastodon.src
+++ /dev/null
@@ -1,6 +0,0 @@
-SOURCE_URL=https://github.com/tootsuite/mastodon/archive/v2.7.1.tar.gz
-SOURCE_SUM=d0a9d6f4514f78fcdc76943ce2518ce5008378c65b5ecbb3644026dc97c18ec1 
-SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=tar.gz
-SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
diff --git a/conf/app-rbenv.src b/conf/app-rbenv.src
deleted file mode 100644
index d60155b..0000000
--- a/conf/app-rbenv.src
+++ /dev/null
@@ -1,6 +0,0 @@
-SOURCE_URL=https://github.com/rbenv/rbenv/archive/v1.1.1.tar.gz
-SOURCE_SUM=41f1a60714c55eceb21d692a469aee1ec4f46bba351d0dfcb0c660ff9cf1a1c9
-SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=tar.gz
-SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
diff --git a/conf/app-ruby-build.src b/conf/app-ruby-build.src
deleted file mode 100644
index b32b7b9..0000000
--- a/conf/app-ruby-build.src
+++ /dev/null
@@ -1,6 +0,0 @@
-SOURCE_URL=https://github.com/rbenv/ruby-build/archive/v20181225.tar.gz
-SOURCE_SUM=5ace4787ace47384dc419b20f5eb5a59f1174e00bfabcfed74a175033cd0b18a 
-SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=tar.gz
-SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
diff --git a/conf/app.src b/conf/app.src
new file mode 100644
index 0000000..9d7227b
--- /dev/null
+++ b/conf/app.src
@@ -0,0 +1,6 @@
+SOURCE_URL=https://github.com/tootsuite/mastodon/archive/v2.7.4.tar.gz
+SOURCE_SUM=0e542c57228d482a068b05f639d8fe53dd9d413f7e7ce93cd1a088bd4d8d8366 
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=tar.gz
+SOURCE_IN_SUBDIR=true
+SOURCE_FILENAME=
diff --git a/conf/cron b/conf/cron
index 2b80d85..2c319fa 100644
--- a/conf/cron
+++ b/conf/cron
@@ -1,2 +1,2 @@
 RAILS_ENV=production
-@daily cd __FINAL__PATH__/live && __FINAL__PATH__/.rbenv/shims/bundle exec rake __USER__:media:remove_remote
+@daily cd __FINAL__PATH__/live && /opt/rbenv/versions/2.6.0/bin/bundle exec rake __USER__:media:remove_remote
diff --git a/conf/mastodon-sidekiq.service b/conf/mastodon-sidekiq.service
index c799356..920fcf4 100644
--- a/conf/mastodon-sidekiq.service
+++ b/conf/mastodon-sidekiq.service
@@ -7,8 +7,9 @@
  User=__APP__
  WorkingDirectory=__FINALPATH__/live
  Environment="RAILS_ENV=production"
- Environment="DB_POOL=20"
- ExecStart=__FINALPATH__/.rbenv/versions/2.6.0/bin/bundle exec sidekiq -c 20 -q default -q mailers -q pull -q push
+ Environment="DB_POOL=25"
+ Environment="MALLOC_ARENA_MAX=2"
+ ExecStart=/opt/rbenv/versions/2.6.0/bin/bundle exec sidekiq -c 25
  TimeoutSec=15
  Restart=always
  StandardError=syslog
diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index 689d482..2e130d5 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
@@ -8,7 +8,9 @@
  WorkingDirectory=__FINALPATH__/live
  Environment="NODE_ENV=production"
  Environment="PORT=__PORT_STREAM__"
- ExecStart=/usr/bin/npm run start
+ Environment="STREAMING_CLUSTER_NUM=1"
+ Environment=PATH=__NODEJS_PATH__
+ ExecStart=__NODEJS_PATH__/node ./streaming
  TimeoutSec=15
  Restart=always
  StandardError=syslog
diff --git a/conf/mastodon-web.service b/conf/mastodon-web.service
index dd6f6d7..c95ba7f 100644
--- a/conf/mastodon-web.service
+++ b/conf/mastodon-web.service
@@ -8,7 +8,8 @@
  WorkingDirectory=__FINALPATH__/live
  Environment="RAILS_ENV=production"
  Environment="PORT=__PORT_WEB__"
- ExecStart=__FINALPATH__/.rbenv/versions/2.6.0/bin/bundle exec puma -C config/puma.rb
+ ExecStart=/opt/rbenv/versions/2.6.0/bin/bundle exec puma -C config/puma.rb
+ ExecReload=/bin/kill -SIGUSR1 $MAINPID
  TimeoutSec=15
  Restart=always
  StandardError=syslog
diff --git a/conf/nginx.conf b/conf/nginx.conf
index a183a31..190c650 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -10,31 +10,48 @@ location / {
 	rewrite ^ https://$server_name$request_uri? permanent;
 	}
 
+	proxy_set_header Accept-Encoding "";
 	try_files $uri @proxy;
 
 	# Include SSOWAT user panel.
 	include conf.d/yunohost_panel.conf.inc;
 }
 
-# add to v1.4 assets
-location ~ ^/(assets|system/media_attachments/files|system/accounts/avatars) {
+location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
     add_header Cache-Control "public, max-age=31536000, immutable";
+    add_header Strict-Transport-Security "max-age=31536000";
     try_files $uri @proxy;
-  }
+}
+
+location /sw.js {
+    add_header Cache-Control "public, max-age=0";
+    add_header Strict-Transport-Security "max-age=31536000";
+    try_files $uri @proxy;
+}
 
 location @proxy {
-	proxy_set_header Host $host;
-	proxy_set_header X-Real-IP $remote_addr;
-	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Forwarded-Proto https;
-	proxy_pass_header Server;
-	proxy_pass http://127.0.0.1:__PORT_WEB__;
-	proxy_buffering off;
-	proxy_redirect off;
-	proxy_http_version 1.1;
-	proxy_set_header Upgrade $http_upgrade;
-	proxy_set_header Connection "upgrade";
-	tcp_nodelay on;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+    proxy_pass_header Server;
+
+    proxy_pass http://127.0.0.1:3000;
+    proxy_buffering on;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    #proxy_cache CACHE;
+    proxy_cache_valid 200 7d;
+    proxy_cache_valid 410 24h;
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+    add_header X-Cached $upstream_cache_status;
+    add_header Strict-Transport-Security "max-age=31536000";
+
+    tcp_nodelay on;
 }
 
 location /api/v1/streaming {
@@ -42,11 +59,17 @@ location /api/v1/streaming {
 	proxy_set_header X-Real-IP $remote_addr;
 	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	proxy_set_header X-Forwarded-Proto https;
-	proxy_pass http://127.0.0.1:__PORT_STREAM__;
+	proxy_set_header Proxy "";
+	
+	proxy_pass http://127.0.0.1:4000;
 	proxy_buffering off;
 	proxy_redirect off;
 	proxy_http_version 1.1;
 	proxy_set_header Upgrade $http_upgrade;
 	proxy_set_header Connection "upgrade";
+	
 	tcp_nodelay on;
 }
+
+
+error_page 500 501 502 503 504 /500.html;
\ No newline at end of file