From c699e1f7a79354bdaa51474b30074c6e3005fc27 Mon Sep 17 00:00:00 2001 
From: Tagada <36127788+Tagadda@users.noreply.github.com> Date: Sat, 24 Feb 2024 23:28:27 +0100 Subject: Packaging v2 (#399) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Convert to v2 (#383) * convert script * v2 * Auto-update README * Update documentation cc @panomaki * Bump ruby version from 3.0.6 to 3.2.2 * v2 * Auto-update README * woops * v2 * v2 * s/final_path/install_dir * Update PRE_INSTALL.md * too soon... * v2 * v2 * v2 * Update tests.toml * Update doc/PRE_INSTALL.md Co-authored-by: Alexandre Aubin * Update doc/PRE_INSTALL_fr.md Co-authored-by: Alexandre Aubin * Update tests.toml Co-authored-by: Alexandre Aubin * Update tests.toml Co-authored-by: Alexandre Aubin * Update doc/PRE_INSTALL.md Co-authored-by: Alexandre Aubin * Update doc/PRE_INSTALL_fr.md Co-authored-by: Alexandre Aubin * Apply suggestions * Update manifest.toml * Auto-update README * Update manifest.toml * Update scripts * Auto-update README * Remove SSO integration * Use new mail mechanism * cleaning * Update manifest.toml --------- Co-authored-by: yunohost-bot Co-authored-by: Alexandre Aubin Co-authored-by: Éric Gaspar <46165813+ericgaspar@users.noreply.github.com> * Bump ynh version * Auto-update README * Update manifest.toml * Update doc/PRE_INSTALL.md Co-authored-by: Alexandre Aubin * Add service setting for app shell * Use logrotate * smtp config follow-up Sidekiq service can be properly hardened since it doesn't use sendmail anymore o/ * Fix mkdir failing if /var/log/mastodon already exists * upgrade: Rename database to match packaging v2 * Bump 4.1.6~ynh2 * Auto-update README * Disable install.private test * remove full_domain * 4.1.7 (#403) * 4.1.7 * Auto-update README * Update manifest.toml * Auto-update README --------- Co-authored-by: yunohost-bot Co-authored-by: Tagada <36127788+Tagadda@users.noreply.github.com> * fix * fix * Don't swap when running on a LXC * Hardcore the needed RAM * Auto-update README * Auto-update README * Update 
manifest.toml * Auto-update README * Update _common.sh * Auto-update README * cleaning * cleaning * Auto-update README * Auto-update README * Update tests.toml * Fix restore * Fix manifest.toml * Auto-update README * Auto-update README * add `tootctl self-destruct` info * format * Auto-update README * lol autotranslate * break line * break lines * translation from french * update version * Auto-update README * Update manifest.toml --------- Co-authored-by: yunohost-bot Co-authored-by: Alexandre Aubin Co-authored-by: Éric Gaspar <46165813+ericgaspar@users.noreply.github.com> Co-authored-by: ericgaspar Co-authored-by: OniriCorpe --- conf/.env.production.sample | 41 +++++++++++++++++++++-------------------- conf/app.src | 7 ------- conf/cron | 10 +++++----- conf/mastodon-sidekiq.service | 22 ++++++++++++---------- conf/mastodon-streaming.service | 4 +++- conf/mastodon-web.service | 6 ++++-- conf/nginx.conf | 2 +- 7 files changed, 46 insertions(+), 46 deletions(-) delete mode 100644 conf/app.src (limited to 'conf') diff --git a/conf/.env.production.sample b/conf/.env.production.sample index 21cc8e5..7005b5d 100644 --- a/conf/.env.production.sample +++ b/conf/.env.production.sample @@ -30,11 +30,14 @@ DB_NAME=__DB_NAME__ DB_PASS=__DB_PWD__ DB_PORT=5432 -# ElasticSearch (optional) +# Elasticsearch (optional) # ------------------------ -# ES_ENABLED=true -# ES_HOST=es +ES_ENABLED=false +# ES_HOST=localhost # ES_PORT=9200 +# Authentication for ES (optional) +# ES_USER=elastic +# ES_PASS=password # Secrets # ------- 
@@ -54,17 +57,12 @@ VAPID_PUBLIC_KEY=__VAPID_PUBLIC_KEY__
 # ------------
 SMTP_SERVER=localhost
 SMTP_PORT=25
-#SMTP_LOGIN=
-#SMTP_PASSWORD=
-SMTP_FROM_ADDRESS=__ADMIN_MAIL__
-#SMTP_REPLY_TO=
-#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
-SMTP_DELIVERY_METHOD=sendmail # delivery method can also be smtp
-SMTP_AUTH_METHOD=none
-#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+SMTP_LOGIN=__APP__
+SMTP_PASSWORD=__MAIL_PWD__
+SMTP_FROM_ADDRESS=Mastodon <__APP__@__DOMAIN__>
+SMTP_DELIVERY_METHOD=smtp
+SMTP_AUTH_METHOD=plain
 SMTP_OPENSSL_VERIFY_MODE=none
-#SMTP_ENABLE_STARTTLS_AUTO=true
-#SMTP_TLS=true
 
 # Registrations
 # ------------
@@ -80,16 +78,13 @@ DEFAULT_LOCALE=__LANGUAGE__
 
 # File storage (optional)
 # -----------------------
-# S3_ENABLED=true
-# S3_BUCKET=
+S3_ENABLED=false
+# S3_BUCKET=files.example.com
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=http
-# S3_HOSTNAME=192.168.1.123:9000
-# S3_ALIAS_HOST=
+# S3_ALIAS_HOST=files.example.com
 
-# LDAP authentication (optional)
+# IP and session retention
 # -----------------------
 LDAP_ENABLED=true
 LDAP_HOST=localhost
@@ -105,3 +100,9 @@ LDAP_UID_CONVERSION_ENABLED=true
 LDAP_UID_CONVERSION_SEARCH=., -
 LDAP_UID_CONVERSION_REPLACE=_
 LDAP_TLS_NO_VERIFY=true
+
+# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
+# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
+# -----------------------
+IP_RETENTION_PERIOD=1209600
+SESSION_RETENTION_PERIOD=1209600
diff --git a/conf/app.src b/conf/app.src
deleted file mode 100644
index a6999e4..0000000
--- a/conf/app.src
+++ /dev/null
@@ -1,7 +0,0 @@
-SOURCE_URL=https://github.com/tootsuite/mastodon/archive/refs/tags/v4.2.8.tar.gz
-SOURCE_SUM=ccecdfaab5f84cfaeb193eff2b7b795f7bdd08aa872e265dcb2625310f2c9478
-SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=tar.gz
-SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
-SOURCE_EXTRACT=true
diff --git a/conf/cron b/conf/cron
index 339d3c4..02b2a6a 100644
--- a/conf/cron
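Review bot: The new `SMTP_LOGIN`/`SMTP_PASSWORD`/`SMTP_AUTH_METHOD=plain` lines send a password with AUTH PLAIN while the unchanged `SMTP_OPENSSL_VERIFY_MODE=none` just below them disables certificate checking and the commented `SMTP_ENABLE_STARTTLS_AUTO`/`SMTP_TLS` knobs are dropped, so nothing in the sample records that this combination is tolerable only because `SMTP_SERVER=localhost` talks to the local MTA over loopback. Add a comment above `SMTP_OPENSSL_VERIFY_MODE=none` such as `# Plain auth without certificate verification is acceptable only for the local MTA on loopback; set SMTP_OPENSSL_VERIFY_MODE=peer and SMTP_ENABLE_STARTTLS_AUTO=true before pointing SMTP_SERVER at a remote relay.` Since the rendered file now carries `__MAIL_PWD__`, it also depends on the install/upgrade scripts (not in this diff) giving `.env.production` owner-only permissions; worth confirming there.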
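Review bot: The replacement heading `# IP and session retention` sits directly above `LDAP_ENABLED=true` and `LDAP_HOST=localhost`, so it now labels the LDAP block, while the retention variables added at the end of the file get only a `# -----------------------` rule with no title. Keep `# LDAP authentication (optional)` at this spot and place `# IP and session retention` above the `# Make sure to modify the scheduling of ip_cleanup_scheduler…` comment in the last hunk, so each section is named by the heading that precedes it. The LDAP block continues past this hunk.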
+++ b/conf/cron
@@ -1,7 +1,7 @@
 # This is a system cron file, see crontab(5)
 # m h dom mon dow user command
-@daily __APP__ cd __FINAL_PATH__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove
-@monthly __APP__ cd __FINAL_PATH__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove-orphans
-@monthly __APP__ cd __FINAL_PATH__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl accounts cull
-@monthly __APP__ cd __FINAL_PATH__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl statuses remove
-@monthly __APP__ cd __FINAL_PATH__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl preview_cards remove
+@daily __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove
+@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl media remove-orphans
+@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl accounts cull
+@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl statuses remove
+@monthly __APP__ cd __INSTALL_DIR__/live && __YNH_RUBY_LOAD_PATH__ __LD_PRELOAD__ RAILS_ENV=production bin/tootctl preview_cards remove
diff --git a/conf/mastodon-sidekiq.service b/conf/mastodon-sidekiq.service
index 25a46fb..14bd592 100644
--- a/conf/mastodon-sidekiq.service
+++ b/conf/mastodon-sidekiq.service
@@ -5,15 +5,17 @@ After=network.target
 [Service]
 Type=simple
 User=__APP__
-WorkingDirectory=__FINALPATH__/live
+WorkingDirectory=__INSTALL_DIR__/live
 Environment="__LD_PRELOAD__"
 Environment="RAILS_ENV=production"
 Environment="DB_POOL=25"
 Environment="MALLOC_ARENA_MAX=2"
 Environment="__YNH_RUBY_LOAD_PATH__"
-ExecStart=__FINALPATH__/live/bin/bundle exec sidekiq -c 25
+ExecStart=__INSTALL_DIR__/live/bin/bundle exec sidekiq -c 25
 TimeoutSec=15
 Restart=always
+StandardOutput=append:/var/log/__APP__/__APP__-sidekiq.log
+StandardError=inherit
 
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these
@@ -21,17 +23,17 @@ Restart=always
 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 NoNewPrivileges=no
 PrivateTmp=yes
-#PrivateDevices=yes
-#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-#RestrictNamespaces=yes
-#RestrictRealtime=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
 DevicePolicy=closed
 ProtectSystem=full
 ProtectControlGroups=yes
-#ProtectKernelModules=yes
-#ProtectKernelTunables=yes
-#LockPersonality=yes
-#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
 
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index c88e0fa..f63945e 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
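Review bot: `NoNewPrivileges=no` is kept two lines above the newly enabled `PrivateDevices=`/`RestrictAddressFamilies=`/`SystemCallFilter=` lines, although the commit message ("can be properly hardened since it doesn't use sendmail anymore") suggests the one reason to allow new privileges — exec'ing the setgid sendmail binary — is gone now that delivery is `smtp`. The `@setuid` group in `SystemCallFilter=` blocks the setuid()/setgid() syscall family but not privilege acquired by executing a setuid/setgid file, which only the no_new_privs flag prevents, so the filter is not a substitute. If nothing else in the worker needs to gain privileges, change the line to `NoNewPrivileges=yes`, optionally with `# sendmail is no longer exec'd, so the unit can refuse new privileges` above it for the record. The [Service] section continues past the hunk.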
@@ -5,7 +5,7 @@ After=network.target
 [Service]
 Type=simple
 User=__APP__
-WorkingDirectory=__FINALPATH__/live
+WorkingDirectory=__INSTALL_DIR__/live
 Environment="NODE_ENV=production"
 Environment="PORT=__PORT_STREAM__"
 Environment="STREAMING_CLUSTER_NUM=1"
@@ -13,6 +13,8 @@ Environment="__YNH_NODE_LOAD_PATH__"
 ExecStart=__YNH_NODE__ ./streaming
 TimeoutSec=15
 Restart=always
+StandardOutput=append:/var/log/__APP__/__APP__-streaming.log
+StandardError=inherit
 
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these
diff --git a/conf/mastodon-web.service b/conf/mastodon-web.service
index 334233b..133fc3b 100644
--- a/conf/mastodon-web.service
+++ b/conf/mastodon-web.service
@@ -5,15 +5,17 @@ After=network.target
 [Service]
 Type=simple
 User=__APP__
-WorkingDirectory=__FINALPATH__/live
+WorkingDirectory=__INSTALL_DIR__/live
 Environment="__LD_PRELOAD__"
 Environment="RAILS_ENV=production"
 Environment="PORT=__PORT_WEB__"
 Environment="__YNH_RUBY_LOAD_PATH__"
-ExecStart=__FINALPATH__/live/bin/bundle exec puma -C config/puma.rb
+ExecStart=__INSTALL_DIR__/live/bin/bundle exec puma -C config/puma.rb
 ExecReload=/bin/kill -SIGUSR1 $MAINPID
 TimeoutSec=15
 Restart=always
+StandardOutput=append:/var/log/__APP__/__APP__-web.log
+StandardError=inherit
 
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 4b1f76b..09e4a84 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,6 +1,6 @@
 client_max_body_size 99m;
 
-root __FINALPATH__/live/public;
+root __INSTALL_DIR__/live/public;
 
 location / {
--
cgit v1.2.3-70-g09d2