-rwxr-xr-xdeploy/setup-mastodon.sh14
-rw-r--r--in-a-box/.docker/nginx/nginx.conf133
-rw-r--r--in-a-box/docker-compose.yml91
3 files changed, 233 insertions, 5 deletions
diff --git a/deploy/setup-mastodon.sh b/deploy/setup-mastodon.sh
index ff06c05..e394184 100755
--- a/deploy/setup-mastodon.sh
+++ b/deploy/setup-mastodon.sh
@@ -23,15 +23,19 @@ sed -i "s|# UID=1000|UID=$MUID|" $YML_LOC/.docker/mastodon/.env.production
 sed -i "s|# GID=1000|GID=$MGID|" $YML_LOC/.docker/mastodon/.env.production
 
 docker-compose run --rm mstweb rake db:migrate
-(openssl dhparam -rand /dev/urandom -out $YML_LOC/.docker/nginx/dhparam.pem 4096 2>&1 >/dev/null) & pid=$!
 
 echo
-echo "Mostly set up. Modify .docker/mastodon/.env.production settings and then"
-echo "you can do a 'docker-compose up -d' on this instance. OpenSSL is still"
-echo "running, so wait a bit for it to finish too."
+echo "Mostly set up. Modify .docker/mastodon/.env.production settings, run"
+echo "'docker-compose run --rm mstweb rake mastodon:webpush:generate_vapid_key'"
+echo "and then replace those values in .env.production as well. When you're"
+echo "finished, just run 'docker-compose up -d'."
 echo
-echo "There is an Nginx configuration file in conf/nginx.conf you can use."
+echo "There is an Nginx configuration file in conf/nginx.conf you can use. Just"
+echo "copy it to /etc/nginx/conf.d/ directory as root then start Nginx."
 echo
 echo "Also, when you're going to the instance, register and then run this command:"
 echo "docker-compose run --rm mstweb rake mastodon:make_admin USERNAME=yourusername"
 echo
+echo "Finally, to update, just run 'docker-compose pull' and it will pull the"
+echo "newest image from Docker Hub, and then 'docker-compose up -d' to restart."
+echo
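Review bot: Dropping the background `openssl dhparam` job (old line 18) leaves the question of whether the conf/nginx.conf the message on lines 30–31 points users at still carries an `ssl_dhparam` directive for that file; that file is outside this diff, but if it does, nginx will refuse to start after a fresh setup, and if it does not, any DHE suites in its cipher list become unusable. A one-line `echo` telling the user that DH parameters are no longer generated and that the shipped config must not reference `ssl_dhparam` would close that gap. The new instruction to copy the config into `/etc/nginx/conf.d/` is given without the file name it will be picked up under; nginx only includes `*.conf` there by default, so `echo "copy it to /etc/nginx/conf.d/mastodon.conf as root then start Nginx."` is the safer wording.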
diff --git a/in-a-box/.docker/nginx/nginx.conf b/in-a-box/.docker/nginx/nginx.conf
new file mode 100644
index 0000000..64404b9
--- /dev/null
+++ b/in-a-box/.docker/nginx/nginx.conf
@@ -0,0 +1,133 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name $NGINX_HOST;
+  root /var/www/html;
+
+  location /.well-known/acme-challenge/ {
+      allow all;
+  }
+
+  location / {
+      return 301 https://$host$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name $NGINX_HOST;
+  server_tokens off;
+
+  ssl_protocols TLSv1.2;
+  ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
+  ssl_ecdh_curve secp384r1;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:TLS:2m;
+  ssl_session_timeout 10m;
+  ssl_session_tickets off;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  keepalive_timeout 70;
+  sendfile on;
+  client_max_body_size 0;
+
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Referrer-Policy "same-origin";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+  ssl_certificate /etc/ssl/fullchain.pem;
+  ssl_certificate_key /etc/ssl/privkey.pem;
+  ssl_trusted_certificate /etc/ssl/cert.pem;
+
+  resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
+  resolver_timeout 5s;
+
+  root /var/www/html;
+
+  add_header Access-Control-Allow-Origin "https://$host";
+  add_header X-Cache-Status $upstream_cache_status;
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location /sw.js {
+    add_header Cache-Control "public, max-age=0";
+    try_files $uri @proxy;
+  }
+
+  location ~ ^/(emoji|packs|sounds|system/media_attachments/files) {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+
+    gzip on;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+    proxy_pass_header Server;
+
+    proxy_pass http://mstweb:3000;
+    proxy_buffering on;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_cache CACHE;
+    proxy_cache_valid 200 7d;
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+    proxy_cache_lock on;
+    proxy_cache_revalidate on;
+
+    tcp_nodelay on;
+  }
+
+  location /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+
+    proxy_pass http://mstweb:4000;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  error_page 403 /assets/403.html;
+  error_page 404 /assets/404.html;
+  error_page 410 /assets/410.html;
+  error_page 422 /assets/422.html;
+  error_page 500 501 502 503 504 /assets/500.html;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g use_temp_path=off;
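Review bot: The `add_header Cache-Control` lines inside `location /sw.js` (line 110) and the static-asset regex location (line 115) silently discard every header set at server level, because nginx only inherits `add_header` from the enclosing block when the current block defines none; responses for those paths therefore go out without X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Strict-Transport-Security. Repeat the five server-level headers in both locations (or move them into a snippet and `include` it in all three places) so the policy is uniform. Separately, `ssl_ciphers` on line 74 lists `AES256+EDH` but there is no `ssl_dhparam` directive anywhere in the file; on current nginx those DHE suites are simply never offered without one, so either add `ssl_dhparam /etc/ssl/<dhparam-file>.pem;` (path is a placeholder) with a mounted parameter file or drop `AES256+EDH` from the list to keep the config honest. `X-Cache-Status $upstream_cache_status` on line 103 is handy for debugging but reveals cache layout to every client; consider removing it once the setup is verified.
```nginx
  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "same-origin";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    try_files $uri @proxy;
  }

  # … unchanged: the same five add_header lines are also repeated in
  # location ~ ^/(emoji|packs|sounds|system/media_attachments/files) …
```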
diff --git a/in-a-box/docker-compose.yml b/in-a-box/docker-compose.yml
new file mode 100644
index 0000000..ff71cea
--- /dev/null
+++ b/in-a-box/docker-compose.yml
@@ -0,0 +1,91 @@
+version: '2.1'
+services:
+
+  nginx:
+    restart: always
+    image: nginx:mainline
+    volumes:
+      - ./.docker/nginx/nginx.conf:/etc/nginx/conf.d/template.ro:ro
+#     Replace the /path/to/letsencrypt/stuff.pem with wherever the corresponding files are:
+      - /path/to/letsencrypt/fullchain.pem:/etc/ssl/fullchain.pem:ro
+      - /path/to/letsencrypt/privkey.pem:/etc/ssl/privkey.pem:ro
+      - /path/to/letsencrypt/cert.pem:/etc/ssl/cert.pem:ro
+      - ./public:/var/www/html:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "80:80"
+      - "443:443"
+    environment:
+#       Replace example.com with your webserver:
+      - NGINX_HOST=example.com
+    networks:
+      - external_network
+    command: sh -c "envsubst \"`env | awk -F = '{printf \" $$%s, $$1}'`\" < /etc/nginx/conf.d/template.ro > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
+
+  mstdb:
+    restart: always
+    image: postgres:10.3-alpine
+    networks:
+      - mstdb_network
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ./.docker/mastodon/db:/var/lib/postgresql/data
+
+  mstredis:
+    restart: always
+    image: redis:alpine
+    networks:
+      - mstredis_network
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ./.docker/mastodon/redis:/data
+
+#  mstes:
+#    restart: always
+#    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.3
+#    environment:
+#      - bootstrap.memory_lock=true
+#      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+#    ulimits:
+#      memlock:
+#        soft: -1
+#        hard: -1
+#    networks:
+#      - mstes_network
+#    volumes:
+#      - /etc/localtime:/etc/localtime:ro
+#      - /etc/timezone:/etc/timezone:ro
+#      - ./.docker/mastodon/es:/usr/share/elasticsearch/data
+
+  mstweb:
+    image: pluralcafe/mastodon:stable
+    restart: always
+# Get .env.production from https://raw.githubusercontent.com/tootsuite/mastodon/master/.env.production.sample
+    env_file: ./.docker/mastodon/.env.production
+    networks:
+      - external_network
+      - mstdb_network
+      - mstredis_network
+    depends_on:
+      - mstdb
+      - mstredis
+#      - mstes
+    volumes:
+      - ./public/system:/mastodon/public/system
+      - /etc/localtime:/etc/localtime:ro
+
+networks:
+  external_network:
+# Uncomment the below for IPv6 support and fill in the last subnet
+# with the IPv6 subnet your hosting provider gave you
+#    driver: bridge
+#    enable_ipv6: true
+#    ipam:
+#      driver: default
+#      config:
+#        - subnet: 172.18.0.0/16
+#        - subnet: 2600:1111:2222:3333::/64
+  mstdb_network:
+    internal: true
+  mstredis_network:
+    internal: true
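Review bot: The awk program in the nginx `command` on line 206, `'{printf \" $$%s, $$1}'`, opens a double-quoted string that is never closed as shown, so awk fails with an unterminated-string error, `envsubst` receives an empty variable list, nothing is substituted, and `server_name $NGINX_HOST` reaches nginx literally; if the closing quote was not lost on the way to this page, the line should read `command: sh -c "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\" < /etc/nginx/conf.d/template.ro > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"`. The `mstdb` service (lines 208–215) sets no `POSTGRES_PASSWORD` or other authentication environment, so database access control rests entirely on `mstdb_network` being `internal: true`; a short comment there stating that assumption, or an explicit password that matches the one in `.env.production`, would make the trust boundary visible. The same applies to `mstredis`, which runs with the image default of no auth. The `#` comments placed at column 0 inside the `volumes` and `environment` sequences (lines 192, 202, 246) are valid YAML but break the block visually; indenting them to the level of the list items they describe is the usual style.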