author | reverite <samantha@chalker.io> | 2018-04-03 13:25:58 -0700 |
---|---|---|
committer | reverite <samantha@chalker.io> | 2018-04-03 13:25:58 -0700 |
commit | 96841ad190ebbe86e80aae6ecf11fc3766841818 (patch) | |
tree | d7cee6d2e7081c794a9209b99acd49a778efa314 /deploy | |
parent | 7718fb922543162e3bdafebf503a08e84faeb173 (diff) |
reshuffle 2018-04-03
Diffstat (limited to 'deploy')
-rw-r--r-- | deploy/conf/nginx.conf (renamed from deploy/.docker/nginx/nginx.conf) | 51 | ||||
-rw-r--r-- | deploy/docker-compose.yml | 109 | ||||
-rwxr-xr-x | deploy/setup-mastodon.sh | 12 |
3 files changed, 57 insertions, 115 deletions
diff --git a/deploy/.docker/nginx/nginx.conf b/deploy/conf/nginx.conf
index 9326f6d..ec7f51e 100644
--- a/deploy/.docker/nginx/nginx.conf
+++ b/deploy/conf/nginx.conf
@@ -3,8 +3,8 @@ map $http_upgrade $connection_upgrade {
 '' close;
 }
-upstream netdatacontainer {
- server netdata:19999;
+upstream netdata {
+ server 127.0.0.1:19999;
 keepalive 64;
 }
@@ -13,7 +13,7 @@ server {
 listen [::]:80;
 server_name plural.cafe;
- root /var/www/html;
+ root /home/mastodon/public;
 location /.well-known/acme-challenge/ {
 allow all;
@@ -41,9 +41,6 @@ server {
 ssl_stapling on;
 ssl_stapling_verify on;
- resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
- resolver_timeout 5s;
- ssl_dhparam /etc/ssl/dhparam.pem;
 keepalive_timeout 70;
@@ -56,9 +53,12 @@ server {
 add_header Referrer-Policy "same-origin";
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- ssl_certificate /etc/ssl/fullchain.pem;
- ssl_certificate_key /etc/ssl/privkey.pem;
- ssl_trusted_certificate /etc/ssl/cert.pem;
+ ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem;
+ ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem;
+ ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem;
+
+ resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
+ resolver_timeout 5s;
 return 301 "https://plural.cafe/@${subdomain}";
 }
@@ -80,9 +80,6 @@ server {
 ssl_stapling on;
 ssl_stapling_verify on;
- resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
- resolver_timeout 5s;
- ssl_dhparam /etc/ssl/dhparam.pem;
 keepalive_timeout 70;
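Review bot: In the `@@ -56,9 +53,12` hunk the new `ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem;` points at what is, in a default acme.sh install, the leaf certificate, while `ssl_stapling_verify on` (context just above) needs the issuer/intermediate chain in that directive to validate OCSP responses; if cert.pem really is the leaf, nginx logs an OCSP verify failure and quietly serves no staple, so this should point at the CA chain file acme.sh installs via `--ca-file` rather than the leaf. The same three lines are repeated for the second server block in the next hunk and need the same fix. Separately, the private key has moved from /etc/ssl into the mastodon user's home; nginx reads it as root at start-up, but anything running as that user (including the deploy scripts run from there) can read or replace it, so consider `acme.sh --install-cert` into a root-owned directory with a `--reloadcmd` and confirm privkey.pem is mode 0600. The enclosing `server` block starts before and ends after this hunk.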
@@ -95,11 +92,14 @@ server {
 add_header Referrer-Policy "same-origin";
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- ssl_certificate /etc/ssl/fullchain.pem;
- ssl_certificate_key /etc/ssl/privkey.pem;
- ssl_trusted_certificate /etc/ssl/cert.pem;
+ ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem;
+ ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem;
+ ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem;
+
+ resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
+ resolver_timeout 5s;
- root /var/www/html;
+ root /home/mastodon/public;
 #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';";
 add_header Access-Control-Allow-Origin "https://$host";
@@ -109,15 +109,20 @@ server {
 try_files $uri @proxy;
 }
+ location /_matrix {
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass_request_headers on;
+ }
+
 location /sw.js {
 add_header Cache-Control "public, max-age=0";
 try_files $uri @proxy;
 }
-
- location = /sysinfo {
- return 301 /sysinfo/;
- }
+ location = /sysinfo {
+ return 301 /sysinfo/;
+ }
 location ~ /sysinfo/(?<ndpath>.*) {
 proxy_redirect off;
@@ -130,7 +135,7 @@ server {
 proxy_pass_request_headers on;
 proxy_set_header Connection "keep-alive";
 proxy_store off;
- proxy_pass http://netdatacontainer/$ndpath$is_args$args;
+ proxy_pass http://netdata/$ndpath$is_args$args;
 gzip on;
 gzip_proxied any;
@@ -164,7 +169,7 @@ server {
 proxy_set_header Proxy "";
 proxy_pass_header Server;
- proxy_pass http://mstweb:3000;
+ proxy_pass http://127.0.0.1:3000;
 proxy_buffering on;
 proxy_redirect off;
 proxy_http_version 1.1;
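Review bot: The new `location /_matrix` block in the `@@ -109,15 +109,20` hunk forwards only `X-Forwarded-For`, whereas the other proxy locations in this file also set `X-Forwarded-Proto https` and clear the `Proxy` header (visible as context in the `@@ -164` and `@@ -187` hunks), so the backend on 127.0.0.1:8008 cannot tell the request arrived over TLS and sees the upstream address as its Host. Add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header Proxy "";` next to the existing header line. Note also that `$proxy_add_x_forwarded_for` appends to any client-supplied X-Forwarded-For, so the backend must take the last address rather than the first if it uses this header for rate limiting or logging; if that is not certain, pass `$remote_addr` instead. Media uploads through this path will hit nginx's default `client_max_body_size` of 1m unless the enclosing server block, which starts outside the hunk, already raises it.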
@@ -187,7 +192,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header Proxy "";
- proxy_pass http://mststreaming:4000;
+ proxy_pass http://127.0.0.1:4000;
 proxy_buffering off;
 proxy_redirect off;
 proxy_http_version 1.1;
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index b6de5fd..f412c55 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -1,34 +1,14 @@
-version: '3'
+version: '2.3'
 services:
- nginx:
- restart: always
- image: nginx:mainline
- command: nginx -g 'daemon off;'
- networks:
- - external_network
- - mstweb_network
- - mststreaming_network
- - netdata_network
- volumes:
- - /etc/localtime:/etc/localtime:ro
- - /etc/timezone:/etc/timezone:ro
- - ./.docker/nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
- - ./.docker/nginx/dhparam.pem:/etc/ssl/dhparam.pem:ro
- - ./.docker/nginx/certs/fullchain.pem:/etc/ssl/fullchain.pem:ro
- - ./.docker/nginx/certs/privkey.pem:/etc/ssl/privkey.pem:ro
- - ./.docker/nginx/certs/cert.pem:/etc/ssl/cert.pem:ro
- - ./public:/var/www/html:ro
- ports:
- - "80:80"
- - "443:443"
-
 netdata:
 restart: always
 image: titpetric/netdata
 restart: unless-stopped
 cap_add:
 - SYS_PTRACE
+ ports:
+ - "127.0.0.1:19999:19999"
 volumes:
 - ./.docker/netdata:/etc/netdata
 - /proc:/host/proc:ro
@@ -37,7 +17,7 @@ services:
 - /etc/localtime:/etc/localtime:ro
 - /etc/timezone:/etc/timezone:ro
 networks:
- - netdata_network
+ - external_network
 mstdb:
 restart: always
@@ -63,7 +43,12 @@ services:
 # restart: always
 # image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.3
 # environment:
+# - bootstrap.memory_lock=true
 # - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+# ulimits:
+# memlock:
+# soft: -1
+# hard: -1
 # networks:
 # - mstes_network
 # volumes:
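Review bot: The `ports:` entry added to the netdata service in the `@@ -1,34 +1,14` hunk lands in a block that declares `restart:` twice (`always`, then `unless-stopped`, both context lines directly above the addition); duplicate keys are invalid YAML and docker-compose's loader silently keeps the last one, so the effective policy is `unless-stopped` and the first line is dead. Since this commit already edits the block, drop one of them, e.g. keep only `restart: unless-stopped`. Binding the published port as `"127.0.0.1:19999:19999"` is the right call now that nginx proxies it from the host, but be aware that this prefix only restricts the IPv4 host binding and says nothing about the container's own addresses on `external_network`, which the `@@ -37` hunk now attaches netdata to.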
@@ -75,88 +60,32 @@ services:
 image: pluralcafe/mastodon:stable
 restart: always
 env_file: ./.docker/mastodon/.env.production
- command: bash -c "rake db:migrate; bundle exec rails s -p 3000 -b '0.0.0.0'"
 networks:
 - external_network
 - mstdb_network
 - mstredis_network
- - mstweb_network
+ ports:
+ - "127.0.0.1:3000:3000"
+ - "127.0.0.1:4000:4000"
 depends_on:
 - mstdb
 - mstredis
 # - mstes
 volumes:
 - ./public/system:/mastodon/public/system
- - ./public/assets:/tmp/assets
- - ./public/packs:/tmp/packs
 - /etc/localtime:/etc/localtime:ro
 - /etc/timezone:/etc/timezone:ro
- mststreaming:
- image: pluralcafe/mastodon:stable
- restart: always
- env_file: ./.docker/mastodon/.env.production
- command: yarn start
- networks:
- - mstdb_network
- - mstredis_network
- - mststreaming_network
- depends_on:
- - mstdb
- - mstredis
- volumes:
- - /etc/localtime:/etc/localtime:ro
- - /etc/timezone:/etc/timezone:ro
-
- mstsidekiq:
- image: pluralcafe/mastodon:stable
- restart: always
- env_file: ./.docker/mastodon/.env.production
- command: bundle exec sidekiq -q default -q mailers -q pull -q push
- depends_on:
- - mstdb
- - mstredis
- networks:
- - external_network
- - mstdb_network
- - mstredis_network
- - mstweb_network
- - mststreaming_network
- volumes:
- - /etc/localtime:/etc/localtime:ro
- - /etc/timezone:/etc/timezone:ro
- - ./public/system:/mastodon/public/system
-
-# mrxsynapse:
-# image: avhost/docker-matrix:latest
-# restart: always
-# command: start
-# environment:
-# - SERVER_NAME=plural.cafe
-# - REPORT_STATS=yes
-# - MATRIX_UID=981
-# - MATRIX_GID=981
-# networks:
-# - mrxsynapse_network
-# - mrxdb_network
-# - external_network
-# ports:
-# - "8448:8448"
-# - "3478:3478"
-# volumes:
-# - /etc/localtime:/etc/localtime:ro
-# - /etc/timezone:/etc/timezone:ro
-# - ./.docker/matrix:/data
-
 networks:
 external_network:
+ driver: bridge
+ enable_ipv6: true
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.18.0.0/16
+ - subnet: 2001:19f0:5:46d5::/64
 mstdb_network:
 internal: true
 mstredis_network:
 internal: true
- mststreaming_network:
- internal: true
- mstweb_network:
- internal: true
- netdata_network:
- internal: true
diff --git a/deploy/setup-mastodon.sh b/deploy/setup-mastodon.sh
index 239be66..ff06c05 100755
--- a/deploy/setup-mastodon.sh
+++ b/deploy/setup-mastodon.sh
@@ -1,14 +1,16 @@
 #!/bin/bash
-[ -z "$YML_LOC" ] && YML_LOC="$HOME"
+[ -z "$YML_LOC" ] && YML_LOC="$(pwd)"
 cd $YML_LOC
 echo "Setting up the instance..."
 echo
+mkdir -p "$YML_LOC/.docker/mastodon"
 curl -fsSL https://raw.githubusercontent.com/tootsuite/mastodon/master/.env.production.sample -o "$YML_LOC/.docker/mastodon/.env.production"
 MUID="$(docker-compose run --rm mstweb id -u 2>/dev/null)"
+MGID="$(docker-compose run --rm mstweb id -g 2>/dev/null)"
 SECRET_KEY_BASE=$(hexdump -vn 64 -e ' /1 "%02x"' /dev/urandom)
 OTP_SECRET=$(hexdump -vn 64 -e ' /1 "%02x"' /dev/urandom)
@@ -18,7 +20,7 @@ sed -i 's|ES_HOST=es|ES_HOST=mstes|' $YML_LOC/.docker/mastodon/.env.production
 sed -i "s|SECRET_KEY_BASE=|SECRET_KEY_BASE=$SECRET_KEY_BASE|" $YML_LOC/.docker/mastodon/.env.production
 sed -i "s|OTP_SECRET=|OTP_SECRET=$OTP_SECRET|" $YML_LOC/.docker/mastodon/.env.production
 sed -i "s|# UID=1000|UID=$MUID|" $YML_LOC/.docker/mastodon/.env.production
-sed -i "s|# GID=1000|GID=$MUID|" $YML_LOC/.docker/mastodon/.env.production
+sed -i "s|# GID=1000|GID=$MGID|" $YML_LOC/.docker/mastodon/.env.production
 docker-compose run --rm mstweb rake db:migrate
 (openssl dhparam -rand /dev/urandom -out $YML_LOC/.docker/nginx/dhparam.pem 4096 2>&1 >/dev/null) & pid=$!
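Review bot: The `@@ -75,88 +60,32` hunk gives `external_network` `enable_ipv6: true` with the public subnet `2001:19f0:5:46d5::/64`, which hands every container on that network (mstweb here, and netdata after the `@@ -37` hunk) a globally routable IPv6 address; Docker by default does neither masquerading nor ip6tables isolation for IPv6 the way it does for IPv4, so if the host routes that /64 to the bridge, the container ports 3000, 4000 and 19999 are reachable from the Internet over IPv6 regardless of the `127.0.0.1:` prefix on the published ports, which only constrains the IPv4 host-side binding. Either use a private ULA range here, e.g. `- subnet: fd00:1234:5678::/64`, and keep the public /64 on the host, or add host ip6tables rules that drop inbound traffic to that subnet except what nginx needs, and then confirm from outside with `curl -6 'http://[<container-addr>]:19999/'`. The netdata container is the most exposed of the three since it runs with `cap_add: SYS_PTRACE`, mounts the host /proc, and has no authentication of its own; the nginx `/sysinfo/` proxy in conf/nginx.conf was the only thing in front of it.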
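Review bot: In the `@@ -1,14 +1,16` hunk of setup-mastodon.sh the new `MGID` (like the existing `MUID`) is read from `docker-compose run --rm mstweb id -g` with stderr discarded and never validated, so if the image cannot be pulled or the run fails the script carries on and the later `sed` lines write an empty `UID=`/`GID=` into .env.production alongside the freshly generated secrets. Guard both values before any file is edited, e.g. `if [ -z "$MUID" ] || [ -z "$MGID" ]; then echo "could not read uid/gid from the mstweb image" >&2; exit 1; fi`, and consider `set -euo pipefail` under the shebang so a failing `cd $YML_LOC` (still unquoted, and now defaulting to the current directory) or `curl` stops the script instead of writing secrets into the wrong place. The .env.production file is created by `curl -o` under the caller's default umask before SECRET_KEY_BASE and OTP_SECRET are substituted in, so on a shared host run the new `mkdir -p` and the download under `umask 077`.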
@@ -27,3 +29,9 @@ echo
 echo "Mostly set up. Modify .docker/mastodon/.env.production settings and then"
 echo "you can do a 'docker-compose up -d' on this instance. OpenSSL is still"
 echo "running, so wait a bit for it to finish too."
+echo
+echo "There is an Nginx configuration file in conf/nginx.conf you can use."
+echo
+echo "Also, when you're going to the instance, register and then run this command:"
+echo "docker-compose run --rm mstweb rake mastodon:make_admin USERNAME=yourusername"
+echo |