Diffstat (limited to 'conf')
-rw-r--r--conf/.env.production.sample232
-rw-r--r--conf/app-mastodon.src6
-rw-r--r--conf/app-rbenv.src6
-rw-r--r--conf/app-ruby-build.src6
-rw-r--r--conf/app.src6
-rw-r--r--conf/cron2
-rw-r--r--conf/mastodon-sidekiq.service5
-rw-r--r--conf/mastodon-streaming.service4
-rw-r--r--conf/mastodon-web.service3
-rw-r--r--conf/nginx.conf55
10 files changed, 286 insertions, 39 deletions
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
new file mode 100644
index 0000000..d6bd0c6
--- /dev/null
+++ b/conf/.env.production.sample
@@ -0,0 +1,232 @@
+# Service dependencies
+# You may set REDIS_URL instead for more advanced options
+# You may also set REDIS_NAMESPACE to share Redis between multiple Mastodon servers
+REDIS_HOST=localhost
+REDIS_PORT=6379
+# You may set DATABASE_URL instead for more advanced options
+DB_HOST=localhost
+DB_USER=__DB_USER__
+DB_NAME=__DB_NAME__
+DB_PASS=__DB_PWD__
+DB_PORT=5432
+# Optional ElasticSearch configuration
+# ES_ENABLED=true
+# ES_HOST=es
+# ES_PORT=9200
+
+# Federation
+# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
+# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
+LOCAL_DOMAIN=__DOMAIN__
+
+# Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links)
+
+# Use this only if you need to run mastodon on a different domain than the one used for federation.
+# You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
+# DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
+# WEB_DOMAIN=mastodon.example.com
+
+# Use this if you want to have several aliases handler@example1.com
+# handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
+# be added. Comma separated values
+# ALTERNATE_DOMAINS=example1.com,example2.com
+
+# Application secrets
+# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+SECRET_KEY_BASE=__SECRET_KEY_BASE__
+OTP_SECRET=__OTP_SECRET__
+
+# VAPID keys (used for push notifications
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+VAPID_PRIVATE_KEY=__VAPID_PRIVATE_KEY__
+VAPID_PUBLIC_KEY=__VAPID_PUBLIC_KEY__
+
+# Registrations
+# Single user mode will disable registrations and redirect frontpage to the first profile
+# SINGLE_USER_MODE=true
+# Prevent registrations with following e-mail domains
+# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
+# Only allow registrations with the following e-mail domains
+# EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc
+
+# Optionally change default language
+DEFAULT_LOCALE=__LANGUAGE__
+
+# E-mail configuration
+# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
+# If you want to use an SMTP server without authentication (e.g local Postfix relay)
+# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
+# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
+SMTP_SERVER=localhost
+SMTP_PORT=25
+#SMTP_LOGIN=
+#SMTP_PASSWORD=
+SMTP_FROM_ADDRESS=__SMTP_FROM_ADDRESS__
+#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
+#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
+SMTP_AUTH_METHOD=none
+#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+SMTP_OPENSSL_VERIFY_MODE=none
+#SMTP_ENABLE_STARTTLS_AUTO=true
+#SMTP_TLS=true
+
+# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
+# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
+# PAPERCLIP_ROOT_URL=/system
+
+# Optional asset host for multi-server setups
+# The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
+# if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://example.com/
+# CDN_HOST=https://assets.example.com
+
+# S3 (optional)
+# The attachment host must allow cross origin request from WEB_DOMAIN or
+# LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://192.168.1.123:9000/
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=http
+# S3_HOSTNAME=192.168.1.123:9000
+
+# S3 (Minio Config (optional) Please check Minio instance for details)
+# The attachment host must allow cross origin request - see the description
+# above.
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=https
+# S3_HOSTNAME=
+# S3_ENDPOINT=
+# S3_SIGNATURE_VERSION=
+
+# Swift (optional)
+# The attachment host must allow cross origin request - see the description
+# above.
+# SWIFT_ENABLED=true
+# SWIFT_USERNAME=
+# For Keystone V3, the value for SWIFT_TENANT should be the project name
+# SWIFT_TENANT=
+# SWIFT_PASSWORD=
+# Some OpenStack V3 providers require PROJECT_ID (optional)
+# SWIFT_PROJECT_ID=
+# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
+# issues with token rate-limiting during high load.
+# SWIFT_AUTH_URL=
+# SWIFT_CONTAINER=
+# SWIFT_OBJECT_URL=
+# SWIFT_REGION=
+# Defaults to 'default'
+# SWIFT_DOMAIN_NAME=
+# Defaults to 60 seconds. Set to 0 to disable
+# SWIFT_CACHE_TTL=
+
+# Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
+# S3_ALIAS_HOST=
+
+# Streaming API integration
+# STREAMING_API_BASE_URL=
+
+# Advanced settings
+# If you need to use pgBouncer, you need to disable prepared statements:
+# PREPARED_STATEMENTS=false
+
+# Cluster number setting for streaming API server.
+# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
+STREAMING_CLUSTER_NUM=1
+
+# Docker mastodon user
+# If you use Docker, you may want to assign UID/GID manually.
+# UID=1000
+# GID=1000
+
+# LDAP authentication (optional)
+# LDAP_ENABLED=true
+# LDAP_HOST=localhost
+# LDAP_PORT=389
+# LDAP_METHOD=simple_tls
+# LDAP_BASE=ou=users,dc=yunohost,dc=org
+# LDAP_BIND_DN=uid=__LDAP_USER__,ou=users,dc=yunohost,dc=org
+# LDAP_PASSWORD=__LDAP_PASSWORD__
+# LDAP_UID=uid
+# LDAP_SEARCH_FILTER="%{uid}=%{email}"
+
+# PAM authentication (optional)
+# PAM authentication uses for the email generation the "email" pam variable
+# and optional as fallback PAM_DEFAULT_SUFFIX
+# The pam environment variable "email" is provided by:
+# https://github.com/devkral/pam_email_extractor
+# PAM_ENABLED=true
+# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
+# PAM_EMAIL_DOMAIN=example.com
+# Name of the pam service (pam "auth" section is evaluated)
+# PAM_DEFAULT_SERVICE=rpam
+# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
+# PAM_CONTROLLED_SERVICE=rpam
+
+# Global OAuth settings (optional) :
+# If you have only one strategy, you may want to enable this
+# OAUTH_REDIRECT_AT_SIGN_IN=true
+
+# Optional CAS authentication (cf. omniauth-cas) :
+# CAS_ENABLED=true
+# CAS_URL=https://sso.myserver.com/
+# CAS_HOST=sso.myserver.com/
+# CAS_PORT=443
+# CAS_SSL=true
+# CAS_VALIDATE_URL=
+# CAS_CALLBACK_URL=
+# CAS_LOGOUT_URL=
+# CAS_LOGIN_URL=
+# CAS_UID_FIELD='user'
+# CAS_CA_PATH=
+# CAS_DISABLE_SSL_VERIFICATION=false
+# CAS_UID_KEY='user'
+# CAS_NAME_KEY='name'
+# CAS_EMAIL_KEY='email'
+# CAS_NICKNAME_KEY='nickname'
+# CAS_FIRST_NAME_KEY='firstname'
+# CAS_LAST_NAME_KEY='lastname'
+# CAS_LOCATION_KEY='location'
+# CAS_IMAGE_KEY='image'
+# CAS_PHONE_KEY='phone'
+
+# Optional SAML authentication (cf. omniauth-saml)
+# SAML_ENABLED=true
+# SAML_ACS_URL=
+# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback
+# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
+# SAML_IDP_CERT=
+# SAML_IDP_CERT_FINGERPRINT=
+# SAML_NAME_IDENTIFIER_FORMAT=
+# SAML_CERT=
+# SAML_PRIVATE_KEY=
+# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
+# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
+# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
+# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
+# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
+# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
+
+# Use HTTP proxy for outgoing request (optional)
+# http_proxy=http://gateway.local:8118
+# Access control for hidden service.
+# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
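Review bot: `SMTP_AUTH_METHOD=none` and `SMTP_OPENSSL_VERIFY_MODE=none` are shipped as live defaults rather than commented examples; that matches the `SMTP_SERVER=localhost` relay the comment above them describes, but it also silently disables certificate verification for anyone who later points `SMTP_SERVER` at a remote host and only adds `SMTP_LOGIN`/`SMTP_PASSWORD`. Consider a comment directly above `SMTP_OPENSSL_VERIFY_MODE=none` such as `# 'none' is only appropriate for a local relay; use 'peer' when SMTP_SERVER is a remote host`, or leave both lines commented so the operator chooses deliberately. The heading `# VAPID keys (used for push notifications` is also missing its closing parenthesis.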
diff --git a/conf/app-mastodon.src b/conf/app-mastodon.src
deleted file mode 100644
index 4c68e9c..0000000
--- a/conf/app-mastodon.src
+++ /dev/null
@@ -1,6 +0,0 @@
-SOURCE_URL=https://github.com/tootsuite/mastodon/archive/v2.7.1.tar.gz
-SOURCE_SUM=d0a9d6f4514f78fcdc76943ce2518ce5008378c65b5ecbb3644026dc97c18ec1
-SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=tar.gz
-SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
diff --git a/conf/app-rbenv.src b/conf/app-rbenv.src
deleted file mode 100644
index d60155b..0000000
--- a/conf/app-rbenv.src
+++ /dev/null
@@ -1,6 +0,0 @@
-SOURCE_URL=https://github.com/rbenv/rbenv/archive/v1.1.1.tar.gz
-SOURCE_SUM=41f1a60714c55eceb21d692a469aee1ec4f46bba351d0dfcb0c660ff9cf1a1c9
-SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=tar.gz
-SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
diff --git a/conf/app-ruby-build.src b/conf/app-ruby-build.src
deleted file mode 100644
index b32b7b9..0000000
--- a/conf/app-ruby-build.src
+++ /dev/null
@@ -1,6 +0,0 @@
-SOURCE_URL=https://github.com/rbenv/ruby-build/archive/v20181225.tar.gz
-SOURCE_SUM=5ace4787ace47384dc419b20f5eb5a59f1174e00bfabcfed74a175033cd0b18a
-SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=tar.gz
-SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
diff --git a/conf/app.src b/conf/app.src
new file mode 100644
index 0000000..9d7227b
--- /dev/null
+++ b/conf/app.src
@@ -0,0 +1,6 @@
+SOURCE_URL=https://github.com/tootsuite/mastodon/archive/v2.7.4.tar.gz
+SOURCE_SUM=0e542c57228d482a068b05f639d8fe53dd9d413f7e7ce93cd1a088bd4d8d8366
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=tar.gz
+SOURCE_IN_SUBDIR=true
+SOURCE_FILENAME=
diff --git a/conf/cron b/conf/cron
index 2b80d85..2c319fa 100644
--- a/conf/cron
+++ b/conf/cron
@@ -1,2 +1,2 @@
RAILS_ENV=production
-@daily cd __FINAL__PATH__/live && __FINAL__PATH__/.rbenv/shims/bundle exec rake __USER__:media:remove_remote
+@daily cd __FINAL__PATH__/live && /opt/rbenv/versions/2.6.0/bin/bundle exec rake __USER__:media:remove_remote
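Review bot: The new line still uses the token `__FINAL__PATH__`, while every service unit in this commit uses `__FINALPATH__`; if the install scripts substitute only `__FINALPATH__`, the `cd` fails and the cleanup job never runs — worth confirming which token the scripts replace and normalizing to `@daily cd __FINALPATH__/live && /opt/rbenv/versions/2.6.0/bin/bundle exec rake __USER__:media:remove_remote`. The Ruby version is now hard-coded as `/opt/rbenv/versions/2.6.0/bin/bundle` here and in conf/mastodon-sidekiq.service and conf/mastodon-web.service, so the next Ruby bump has to touch three files; a single substituted version placeholder would keep them in step. Also confirm that `__USER__:media:remove_remote` resolves to the intended `mastodon:media:remove_remote` task after substitution, since the namespace is a rake namespace rather than a system user.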
diff --git a/conf/mastodon-sidekiq.service b/conf/mastodon-sidekiq.service
index c799356..920fcf4 100644
--- a/conf/mastodon-sidekiq.service
+++ b/conf/mastodon-sidekiq.service
@@ -7,8 +7,9 @@
User=__APP__
WorkingDirectory=__FINALPATH__/live
Environment="RAILS_ENV=production"
- Environment="DB_POOL=20"
- ExecStart=__FINALPATH__/.rbenv/versions/2.6.0/bin/bundle exec sidekiq -c 20 -q default -q mailers -q pull -q push
+ Environment="DB_POOL=25"
+ Environment="MALLOC_ARENA_MAX=2"
+ ExecStart=/opt/rbenv/versions/2.6.0/bin/bundle exec sidekiq -c 25
TimeoutSec=15
Restart=always
StandardError=syslog
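Review bot: The new `ExecStart` drops the explicit `-q default -q mailers -q pull -q push` queue list, so sidekiq now takes its queues from the application's sidekiq configuration (presumably `config/sidekiq.yml` in the Mastodon 2.7.4 tree); confirm that file lists every queue this release enqueues to, because a job placed in a queue no worker listens on is never processed and the failure is silent. A one-line comment above `ExecStart` recording that decision, e.g. `# Queues come from config/sidekiq.yml; keep in sync with the Mastodon release`, would save the next maintainer the question. `DB_POOL=25` matching `-c 25` looks consistent.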
diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index 689d482..2e130d5 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
@@ -8,7 +8,9 @@
WorkingDirectory=__FINALPATH__/live
Environment="NODE_ENV=production"
Environment="PORT=__PORT_STREAM__"
- ExecStart=/usr/bin/npm run start
+ Environment="STREAMING_CLUSTER_NUM=1"
+ Environment=PATH=__NODEJS_PATH__
+ ExecStart=__NODEJS_PATH__/node ./streaming
TimeoutSec=15
Restart=always
StandardError=syslog
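Review bot: `Environment=PATH=__NODEJS_PATH__` replaces the whole search path with the Node directory alone, so anything the streaming server or its dependencies execute from the standard locations (`/usr/bin`, `/bin`) will not be found; if the intent is only to make the right `node` visible, prepending is safer, e.g. `Environment="PATH=__NODEJS_PATH__:/usr/local/bin:/usr/bin:/bin"`. The `ExecStart` already uses the absolute `__NODEJS_PATH__/node`, so the PATH override may not be needed at all — worth checking whether `./streaming` spawns anything. `STREAMING_CLUSTER_NUM=1` is also set in conf/.env.production.sample in this commit; keeping it in one place avoids the two drifting apart.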
diff --git a/conf/mastodon-web.service b/conf/mastodon-web.service
index dd6f6d7..c95ba7f 100644
--- a/conf/mastodon-web.service
+++ b/conf/mastodon-web.service
@@ -8,7 +8,8 @@
WorkingDirectory=__FINALPATH__/live
Environment="RAILS_ENV=production"
Environment="PORT=__PORT_WEB__"
- ExecStart=__FINALPATH__/.rbenv/versions/2.6.0/bin/bundle exec puma -C config/puma.rb
+ ExecStart=/opt/rbenv/versions/2.6.0/bin/bundle exec puma -C config/puma.rb
+ ExecReload=/bin/kill -SIGUSR1 $MAINPID
TimeoutSec=15
Restart=always
StandardError=syslog
diff --git a/conf/nginx.conf b/conf/nginx.conf
index a183a31..190c650 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -10,31 +10,48 @@ location / {
rewrite ^ https://$server_name$request_uri? permanent;
}
+ proxy_set_header Accept-Encoding "";
try_files $uri @proxy;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
}
-# add to v1.4 assets
-location ~ ^/(assets|system/media_attachments/files|system/accounts/avatars) {
+location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
add_header Cache-Control "public, max-age=31536000, immutable";
+ add_header Strict-Transport-Security "max-age=31536000";
try_files $uri @proxy;
- }
+}
+
+location /sw.js {
+ add_header Cache-Control "public, max-age=0";
+ add_header Strict-Transport-Security "max-age=31536000";
+ try_files $uri @proxy;
+}
location @proxy {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_pass_header Server;
- proxy_pass http://127.0.0.1:__PORT_WEB__;
- proxy_buffering off;
- proxy_redirect off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- tcp_nodelay on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_buffering on;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ #proxy_cache CACHE;
+ proxy_cache_valid 200 7d;
+ proxy_cache_valid 410 24h;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ add_header X-Cached $upstream_cache_status;
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ tcp_nodelay on;
}
location /api/v1/streaming {
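Review bot: `proxy_pass http://127.0.0.1:3000;` replaces the `__PORT_WEB__` placeholder with a fixed port, while conf/mastodon-web.service in the same commit still starts puma with `Environment="PORT=__PORT_WEB__"`, so nginx and the app only agree if the package always allocates port 3000; the next hunk has the same mismatch with `proxy_pass http://127.0.0.1:4000;` against the streaming unit's `PORT=__PORT_STREAM__`. Keep the placeholders: `proxy_pass http://127.0.0.1:__PORT_WEB__;` here and `proxy_pass http://127.0.0.1:__PORT_STREAM__;` below. The cache block is inert as written — with `#proxy_cache CACHE;` commented out, `proxy_cache_valid` and `proxy_cache_use_stale` have no effect and `$upstream_cache_status` stays empty, so either drop those lines or note why they are kept, e.g. `# caching disabled: no CACHE zone is declared for this app`. Also, nginx does not merge `add_header` with the enclosing level, so the per-location `Strict-Transport-Security` lines suppress any headers inherited from the server block in those locations; whether that loses headers set by the surrounding YunoHost configuration is outside this hunk and worth verifying.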
@@ -42,11 +59,17 @@ location /api/v1/streaming {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
- proxy_pass http://127.0.0.1:__PORT_STREAM__;
+ proxy_set_header Proxy "";
+
+ proxy_pass http://127.0.0.1:4000;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
+
tcp_nodelay on;
}
+
+
+error_page 500 501 502 503 504 /500.html; \ No newline at end of file
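Review bot: `error_page 500 501 502 503 504 /500.html;` is only useful if `/500.html` is served from Mastodon's static `public/` directory when the upstream is down; with `location /` doing `try_files $uri @proxy`, that depends on the `root` directive, which is outside this hunk — confirm it points at `__FINALPATH__/live/public`, otherwise a 502 from puma simply becomes a second 502 from the error page. The file also now ends without a trailing newline, which some include/lint tooling flags; a closing newline after the `error_page` line is the easy fix.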