Diffstat (limited to 'conf')
-rw-r--r--conf/.env.production.sample22
-rw-r--r--conf/cron10
-rw-r--r--conf/mastodon-sidekiq.service38
-rw-r--r--conf/mastodon-streaming.service40
-rw-r--r--conf/mastodon-web.service38
5 files changed, 85 insertions, 63 deletions
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index 7005b5d..d934fa8 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
@@ -1,5 +1,5 @@
# This is a sample configuration file. You can generate your configuration
-# with the `rake mastodon:setup` interactive setup wizard, but to customize
+# with the `bundle exec rails mastodon:setup` interactive setup wizard, but to customize
# your setup even further, you'll need to edit it manually. This sample does
# not demonstrate all available configuration options. Please look at
# https://docs.joinmastodon.org/admin/config/ for the full documentation.
@@ -20,7 +20,6 @@ LOCAL_DOMAIN=__DOMAIN__
# -----
REDIS_HOST=localhost
REDIS_PORT=6379
-REDIS_NAMESPACE=__REDIS_NAMESPACE__
# PostgreSQL
# ----------
@@ -41,14 +40,25 @@ ES_ENABLED=false
# Secrets
# -------
-# Make sure to use `rake secret` to generate secrets
+# Make sure to use `bundle exec rails secret` to generate secrets
# -------
SECRET_KEY_BASE=__SECRET_KEY_BASE__
OTP_SECRET=__OTP_SECRET__
+# Encryption secrets
+# ------------------
+# Must be available (and set to same values) for all server processes
+# These are private/secret values, do not share outside hosting environment
+# Use `bin/rails db:encryption:init` to generate fresh secrets
+# Do not change these secrets once in use, as this would cause data loss and other issues
+# ------------------
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=__ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY__
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=__ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT__
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=__ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY__
+
# Web Push
# --------
-# Generate with `rake mastodon:webpush:generate_vapid_key`
+# Generate with `bundle exec rails mastodon:webpush:generate_vapid_key`
# --------
VAPID_PRIVATE_KEY=__VAPID_PRIVATE_KEY__
VAPID_PUBLIC_KEY=__VAPID_PUBLIC_KEY__
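Review bot: The generation command for the new encryption secrets is written as `bin/rails db:encryption:init` while every other command in this sample is written in the `bundle exec rails …` form (the setup wizard, `secret` and the VAPID generator in this same file); for consistency the added comment should read `# Use \`bundle exec rails db:encryption:init\` to generate fresh secrets`. The comment block already states that changing these three values causes data loss, so it is worth adding one line saying they must be included in backups, e.g. `# Keep a backup of these three values: encrypted columns cannot be read without them` — presumably the package's backup script captures the .env, but the sample should say so rather than leave it implicit.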
@@ -104,5 +114,5 @@ LDAP_TLS_NO_VERIFY=true
# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
# -----------------------
-IP_RETENTION_PERIOD=1209600
-SESSION_RETENTION_PERIOD=1209600
+IP_RETENTION_PERIOD=31556952
+SESSION_RETENTION_PERIOD=31556952
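Review bot: IP_RETENTION_PERIOD and SESSION_RETENTION_PERIOD are raised from 1209600 (14 days) to 31556952 (one year) with no comment explaining why, while the surrounding comment only talks about what to do when lowering the value. Keeping user IP addresses for a year instead of two weeks is a data-minimisation change that admins should see, not a silent default change. If the intent is to match the upstream sample default (which is what the new value looks like), say so and point out that it can be lowered, e.g. `# One year, matching the upstream sample; lower this to retain IP addresses for a shorter period`.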
diff --git a/conf/cron b/conf/cron
index 02b2a6a..ca08f7f 100644
--- a/conf/cron
+++ b/conf/cron
@@ -1,7 +1,7 @@
# This is a system cron file, see crontab(5)
# m h dom mon dow user command
-@daily __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove
-@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove-orphans
-@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl accounts cull
-@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl statuses remove
-@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl preview_cards remove
+@daily __APP__ cd __INSTALL_DIR__/live && PATH=__PATH_WITH_RUBY__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove
+@monthly __APP__ cd __INSTALL_DIR__/live && PATH=__PATH_WITH_RUBY__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove-orphans
+@monthly __APP__ cd __INSTALL_DIR__/live && PATH=__PATH_WITH_RUBY__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl accounts cull
+@monthly __APP__ cd __INSTALL_DIR__/live && PATH=__PATH_WITH_RUBY__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl statuses remove
+@monthly __APP__ cd __INSTALL_DIR__/live && PATH=__PATH_WITH_RUBY__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl preview_cards remove
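Review bot: The `PATH=__PATH_WITH_RUBY__` assignment is repeated on all five entries; crontab(5) accepts environment assignments as lines of their own, so a single `PATH=__PATH_WITH_RUBY__` line above the entries would apply to every command and remove the repetition. Only PATH should be hoisted that way: `__LD_PRELOAD__` is expanded by the package and the page does not show what it becomes, and a crontab-wide preload would also apply to the shell running each entry rather than just to tootctl.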
diff --git a/conf/mastodon-sidekiq.service b/conf/mastodon-sidekiq.service
index 14bd592..0048c61 100644
--- a/conf/mastodon-sidekiq.service
+++ b/conf/mastodon-sidekiq.service
@@ -6,33 +6,37 @@ After=network.target
Type=simple
User=__APP__
WorkingDirectory=__INSTALL_DIR__/live
-Environment="__LD_PRELOAD__"
Environment="RAILS_ENV=production"
Environment="DB_POOL=25"
Environment="MALLOC_ARENA_MAX=2"
-Environment="__YNH_RUBY_LOAD_PATH__"
+Environment="__LD_PRELOAD__"
+Environment="PATH=__PATH_WITH_RUBY__"
ExecStart=__INSTALL_DIR__/live/bin/bundle exec sidekiq -c 25
TimeoutSec=15
Restart=always
StandardOutput=append:/var/log/__APP__/__APP__-sidekiq.log
StandardError=inherit
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=no
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
+# Proc filesystem
+# Capabilities
+# Security
+NoNewPrivileges=true
+# Sandboxing
ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+DevicePolicy=closed
+# System Call Filtering
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
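Review bot: The new `# Proc filesystem` and `# Capabilities` headings at the top of the hardening block have no directives under them, and the `# Capabilities` heading sits apart from the `# Denying access to capabilities that should not be relevant for webapps` comment that introduces the actual capability settings (those continue past the end of the hunk). They read as copied from a unit where settings such as `ProtectProc=`/`ProcSubset=` and `CapabilityBoundingSet=` follow each heading; either add the intended settings (only after confirming sidekiq runs with them) or delete the two empty headings so the file does not suggest protections it does not apply. The same layout appears in the mastodon-streaming.service and mastodon-web.service hunks. As I read systemd.exec(5), repeated `RestrictAddressFamilies=` lines are merged, so splitting the old single line into four is a cosmetic change, not a behavioural one.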
diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index f63945e..735fe4c 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
@@ -1,5 +1,5 @@
[Unit]
-Description=__APP__-streaming
+Description=__APP__-streaming on port __PORT_STREAM__
After=network.target
[Service]
@@ -9,29 +9,33 @@ WorkingDirectory=__INSTALL_DIR__/live
Environment="NODE_ENV=production"
Environment="PORT=__PORT_STREAM__"
Environment="STREAMING_CLUSTER_NUM=1"
-Environment="__YNH_NODE_LOAD_PATH__"
-ExecStart=__YNH_NODE__ ./streaming
+Environment="PATH=__PATH_WITH_NODEJS__"
+ExecStart=__NODEJS_DIR__/node ./streaming
TimeoutSec=15
Restart=always
StandardOutput=append:/var/log/__APP__/__APP__-streaming.log
StandardError=inherit
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
+# Proc filesystem
+# Capabilities
+# Security
+NoNewPrivileges=true
+# Sandboxing
ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+DevicePolicy=closed
+# System Call Filtering
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
diff --git a/conf/mastodon-web.service b/conf/mastodon-web.service
index 133fc3b..2635c71 100644
--- a/conf/mastodon-web.service
+++ b/conf/mastodon-web.service
@@ -6,10 +6,10 @@ After=network.target
Type=simple
User=__APP__
WorkingDirectory=__INSTALL_DIR__/live
-Environment="__LD_PRELOAD__"
Environment="RAILS_ENV=production"
Environment="PORT=__PORT_WEB__"
-Environment="__YNH_RUBY_LOAD_PATH__"
+Environment="__LD_PRELOAD__"
+Environment="PATH=__PATH_WITH_RUBY__"
ExecStart=__INSTALL_DIR__/live/bin/bundle exec puma -C config/puma.rb
ExecReload=/bin/kill -SIGUSR1 $MAINPID
TimeoutSec=15
@@ -17,22 +17,26 @@ Restart=always
StandardOutput=append:/var/log/__APP__/__APP__-web.log
StandardError=inherit
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
+# Proc filesystem
+# Capabilities
+# Security
+NoNewPrivileges=true
+# Sandboxing
ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+DevicePolicy=closed
+# System Call Filtering
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps