diff options
| author | Starfall <us@starfall.systems> | 2023-01-17 13:59:40 -0600 |
|---|---|---|
| committer | Starfall <us@starfall.systems> | 2023-01-17 14:26:55 -0600 |
| commit | 7515716e7f3950a3a6de04aac1b88215aa40795e (patch) | |
| tree | 9a67642bfde79cfef092de8b87a3c80bd2ccad43 /deploy/conf | |
| parent | 0d0c26b589a0fedb4cf336683da4c0272a4391d1 (diff) | |
update almost everything except the setup script
Diffstat (limited to 'deploy/conf')
| -rw-r--r-- | deploy/conf/.env.ambassador | 18 | ||||
| -rw-r--r-- | deploy/conf/.env.production | 54 | ||||
| -rw-r--r-- | deploy/conf/common-ssl.conf | 28 | ||||
| -rw-r--r-- | deploy/conf/nginx.conf | 146 | ||||
| -rw-r--r-- | deploy/conf/robots.txt | 3 |
5 files changed, 139 insertions, 110 deletions
diff --git a/deploy/conf/.env.ambassador b/deploy/conf/.env.ambassador new file mode 100644 index 0000000..6643bc5 --- /dev/null +++ b/deploy/conf/.env.ambassador @@ -0,0 +1,18 @@ +DB_HOST=db +DB_USER=ambassador +DB_NAME=postgres +DB_PASS=<REPLACE ME> +DB_PORT=5432 +AMBASSADOR_TOKEN=<REPLACE ME> +INSTANCE_HOST=https://plural.cafe +BOOSTS_PER_CYCLE=1 +THRESHOLD_INTERVAL_DAYS=30 +BOOST_MIN_DAYS=1 +BOOST_MAX_DAYS=3 +THRESHOLD_CHECK_INTERVAL=15 +CYCLE_INTERVAL=15 +BOOST_MIN_HOURS=12 +THRESHOLD_NUMERATOR=1 +THRESHOLD_DENOMINATOR=1 +USER_BOOST_LIMIT=1 +USER_BOOST_INTERVAL_HOURS=72 diff --git a/deploy/conf/.env.production b/deploy/conf/.env.production new file mode 100644 index 0000000..3d1181c --- /dev/null +++ b/deploy/conf/.env.production @@ -0,0 +1,54 @@ +REDIS_HOST=redis +REDIS_PORT=6379 + +DB_HOST=db +DB_USER=postgres +DB_NAME=postgres +DB_PASS=<REPLACE ME> +DB_PORT=5432 + +LOCAL_DOMAIN=plural.cafe +DEFAULT_LOCALE=en-cafe + +# Generate with `docker-compose run --rm web rake secret` +SECRET_KEY_BASE=<REPLACE ME> +OTP_SECRET=<REPLACE ME> + +# Instance keys for push notifications +# Generate with `docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` +VAPID_PRIVATE_KEY=<REPLACE ME> +VAPID_PUBLIC_KEY=<REPLACE ME> + +# email +SMTP_SERVER=smtp.mailgun.org +SMTP_PORT=2525 +SMTP_LOGIN=postmaster@plural.cafe +SMTP_PASSWORD=<REPLACE ME> +SMTP_FROM_ADDRESS=noreply@plural.cafe + +# jortage +S3_ENABLED=true +S3_BUCKET=pluralcafe +AWS_ACCESS_KEY_ID=pluralcafe +AWS_SECRET_ACCESS_KEY=<REPLACE ME> +S3_REGION=jort +S3_PROTOCOL=https +S3_HOSTNAME=pool-api.jortage.com +S3_ENDPOINT=https://pool-api.jortage.com +S3_SIGNATURE_VERSION=v4 +S3_ALIAS_HOST=pool.jortage.com/pluralcafe + +# necessary for docker +UID=991 +GID=991 + +# configuration +MAX_TOOT_CHARS=5000 +MAX_PINNED_TOOTS=5 +MAX_BIO_CHARS=2000 +MAX_PROFILE_FIELDS=10 +MAX_DISPLAY_NAME_CHARS=100 + +# should be the fucking default +AUTHORIZED_FETCH=true +DISALLOW_UNAUTHENTICATED_API_ACCESS=true diff --git a/deploy/conf/common-ssl.conf b/deploy/conf/common-ssl.conf new file mode 100644 index 0000000..e30b7b8 --- /dev/null +++ b/deploy/conf/common-ssl.conf @@ -0,0 +1,28 @@ +server_tokens off; + +ssl_certificate /srv/plural.cafe/.acme.sh/plural.cafe/fullchain.cer; +ssl_certificate_key /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.key; +ssl_trusted_certificate /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.cer; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; +ssl_ecdh_curve X25519:secp384r1:prime256v1; +ssl_prefer_server_ciphers on; +ssl_session_cache shared:TLS:2m; +ssl_session_timeout 10m; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; + +keepalive_timeout 70; +sendfile on; +client_max_body_size 0; + +add_header X-Frame-Options DENY; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; +add_header Referrer-Policy "same-origin"; +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + +resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; +resolver_timeout 5s; diff --git a/deploy/conf/nginx.conf b/deploy/conf/nginx.conf index 7804345..d8ccfce 100644 --- a/deploy/conf/nginx.conf +++ b/deploy/conf/nginx.conf @@ -3,21 +3,14 @@ map $http_upgrade $connection_upgrade { '' close; } -upstream dockernetdata { - server netdata:19999; - keepalive 64; -} - server { listen 80; listen [::]:80; - server_name $NGINX_HOST; - root /var/www/html; + server_name plural.cafe *.plural.cafe; + server_tokens off; - location /.well-known/acme-challenge/ { - allow all; - } + root /srv/plural.cafe/html; location / { return 301 https://$host$request_uri; @@ -29,34 +22,8 @@ server { listen [::]:443 ssl http2; server_name ~^(?<subdomain>\w+)\.plural\.cafe$; - server_tokens off; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES'; - ssl_ecdh_curve X25519:secp384r1; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:TLS:2m; - ssl_session_timeout 10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - keepalive_timeout 70; - sendfile on; - client_max_body_size 0; - - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "same-origin"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem; - ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem; - ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem; - - resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; - resolver_timeout 5s; + + include /etc/nginx/snippets/common-ssl.conf; return 301 "https://plural.cafe/@${subdomain}"; } @@ -65,44 +32,25 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name $NGINX_HOST; - server_tokens off; + server_name plural.cafe; + + include /etc/nginx/snippets/common-ssl.conf; + root /srv/plural.cafe/html; + + gzip on; + gzip_disable "msie6"; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES'; - ssl_ecdh_curve X25519:secp384r1; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:TLS:2m; - ssl_session_timeout 10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - keepalive_timeout 70; - sendfile on; - client_max_body_size 0; - - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "same-origin"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - ssl_certificate /etc/ssl/fullchain.pem; - ssl_certificate_key /etc/ssl/privkey.pem; - ssl_trusted_certificate /etc/ssl/cert.pem; - - resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; - resolver_timeout 5s; - - root /var/www/html; - - #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';"; - add_header Access-Control-Allow-Origin "https://$host"; add_header X-Cache-Status $upstream_cache_status; - location / { - try_files $uri @proxy; + # hang up on scrubs + if ($http_user_agent ~* (fedsearch|gabsocial|fedichive|seekport|dotbot|semrush|fasthttp|^\d+$|wdestiny|megaindex|webmeup|fedi-block)) { + return 444; } location /sw.js { @@ -110,45 +58,13 @@ server { try_files $uri @proxy; } - location = /sysinfo { - return 301 /sysinfo/; - } - - location ~ /sysinfo/(?<ndpath>.*) { - proxy_redirect off; - proxy_set_header Host $host; - - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_pass_request_headers on; - proxy_set_header Connection "keep-alive"; - proxy_store off; - proxy_pass http://dockernetdata/$ndpath$is_args$args; - - gzip on; - gzip_proxied any; - gzip_types *; - } - location ~ ^/(emoji|packs|sounds) { - add_header Cache-Control "public, max-age=31536000, immutable"; - - gzip on; - gzip_disable "msie6"; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - + expires max; try_files $uri @proxy; } - location ~ ^/system/(?<req>(media_attachments|accounts|preview_cards)/.+) { - return 301 "https://d2rm2wyqhf92ej.cloudfront.net/$req"; + location / { + try_files $uri @proxy; } location @proxy { @@ -157,9 +73,14 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header Proxy ""; + proxy_hide_header X-Frame-Options; + proxy_hide_header X-Content-Type-Options; + proxy_hide_header X-XSS-Protection; + proxy_hide_header Referrer-Policy; + proxy_hide_header Strict-Transport-Security; proxy_pass_header Server; - proxy_pass http://mstweb:3000; + proxy_pass http://127.0.0.1:3010; proxy_buffering on; proxy_redirect off; proxy_http_version 1.1; @@ -182,7 +103,7 @@ server { proxy_set_header X-Forwarded-Proto https; proxy_set_header Proxy ""; - proxy_pass http://mststreaming:4000; + proxy_pass http://127.0.0.1:3011; proxy_buffering off; proxy_redirect off; proxy_http_version 1.1; @@ -192,6 +113,11 @@ server { tcp_nodelay on; } + location /api/v2/search { + access_log off; + try_files $uri @proxy; + } + error_page 403 /assets/403.html; error_page 404 /assets/404.html; error_page 410 /assets/410.html; diff --git a/deploy/conf/robots.txt b/deploy/conf/robots.txt new file mode 100644 index 0000000..e70ee85 --- /dev/null +++ b/deploy/conf/robots.txt @@ -0,0 +1,3 @@ +User-agent: * +Disallow: /media_proxy/ +Disallow: /interact/ |