10 files changed, 295 insertions, 241 deletions
diff --git a/deploy/conf/.env.ambassador b/deploy/conf/.env.ambassador
new file mode 100644
index 0000000..6643bc5
--- /dev/null
+++ b/deploy/conf/.env.ambassador
@@ -0,0 +1,18 @@
diff --git a/deploy/conf/.env.production b/deploy/conf/.env.production
new file mode 100644
index 0000000..3d1181c
--- /dev/null
+++ b/deploy/conf/.env.production
@@ -0,0 +1,54 @@
+# Generate with `docker-compose run --rm web rake secret`
+# Instance keys for push notifications
+# Generate with `docker-compose run --rm web rake mastodon:webpush:generate_vapid_key`
+# email
+# jortage
+# necessary for docker
+# configuration
+# should be the fucking default
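Review bot: `.env.production` is added as a live config file under `deploy/conf/` rather than as a template, and its values are not legible on this page; if the secrets the comments tell you to generate (`rake secret`, the VAPID key pair) are filled in rather than left as placeholders, they are now in git history and should be rotated and moved out of the repository. A safer shape is to commit `.env.production.example` with empty values and have `setup-mastodon.sh` copy it into place, as the comments on this hunk already describe the generation steps. The comment `# should be the fucking default` says nothing about which setting it refers to; replace it with the setting's purpose, e.g. `# <SETTING>: override the upstream default because <reason>` (placeholder, the line it annotates is not visible here).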
diff --git a/deploy/conf/common-ssl.conf b/deploy/conf/common-ssl.conf
new file mode 100644
index 0000000..e30b7b8
--- /dev/null
+++ b/deploy/conf/common-ssl.conf
@@ -0,0 +1,28 @@
+server_tokens off;
+ssl_certificate /srv/plural.cafe/.acme.sh/plural.cafe/fullchain.cer;
+ssl_certificate_key /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.key;
+ssl_trusted_certificate /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.cer;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+ssl_ecdh_curve X25519:secp384r1:prime256v1;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:TLS:2m;
+ssl_session_timeout 10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+keepalive_timeout 70;
+sendfile on;
+client_max_body_size 0;
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy "same-origin";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+resolver [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
+resolver_timeout 5s;
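Review bot: `add_header X-XSS-Protection "1; mode=block";` should become `add_header X-XSS-Protection "0";` or be dropped; current browsers have removed the XSS auditor, and the filter mode it enabled was itself a source of cross-site leaks before removal. The `ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA` string still admits static-RSA key exchange suites from `HIGH`, which have no forward secrecy unless the certificate is ECDSA-only (not visible here); adding `:!kRSA` pins the TLS 1.2 set to ECDHE suites. A header comment on the snippet would also help: `# included at server level; nginx drops every inherited add_header in a location that sets its own, so locations must not use add_header or must repeat this full set`, since nginx.conf's locations depend on that inheritance.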
diff --git a/deploy/conf/nginx.conf b/deploy/conf/nginx.conf
index 7804345..d8ccfce 100644
--- a/deploy/conf/nginx.conf
+++ b/deploy/conf/nginx.conf
@@ -3,21 +3,14 @@ map $http_upgrade $connection_upgrade {
   ''      close;
-upstream dockernetdata {
-  server netdata:19999;
-  keepalive 64;
 server {
   listen 80;
   listen [::]:80;
-  server_name $NGINX_HOST;
-  root /var/www/html;
+  server_name plural.cafe *.plural.cafe;
+  server_tokens off;
-  location /.well-known/acme-challenge/ {
-      allow all;
-  }
+  root /srv/plural.cafe/html;
   location / {
       return 301 https://$host$request_uri;
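Review bot: Removing the `location /.well-known/acme-challenge/ { allow all; }` block means HTTP-01 challenge requests now hit `location /` and are redirected to HTTPS; if acme.sh renews in webroot mode on this host the renewal depends on the 443 vhost serving `/srv/plural.cafe/html/.well-known/`, which is not shown in this diff, and if it uses DNS mode the removal is fine. Either way a comment such as `# ACME challenges: <webroot|DNS> mode, see setup-mastodon.sh` on the port-80 server would record which one was intended. The server block continues outside the hunk.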
@@ -29,34 +22,8 @@ server {
   listen [::]:443 ssl http2;
   server_name ~^(?<subdomain>\w+)\.plural\.cafe$;
-  server_tokens off;
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ecdh_curve X25519:secp384r1;
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:TLS:2m;
-  ssl_session_timeout 10m;
-  ssl_session_tickets off;
-  ssl_stapling on;
-  ssl_stapling_verify on;
-  keepalive_timeout 70;
-  sendfile on;
-  client_max_body_size 0;
-  add_header X-Frame-Options DENY;
-  add_header X-Content-Type-Options nosniff;
-  add_header X-XSS-Protection "1; mode=block";
-  add_header Referrer-Policy "same-origin";
-  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-  ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem;
-  ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem;
-  ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem;
-  resolver [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
-  resolver_timeout 5s;
+  include /etc/nginx/snippets/common-ssl.conf;
   return 301 "https://plural.cafe/@${subdomain}";
@@ -65,44 +32,25 @@ server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
-  server_name $NGINX_HOST;
-  server_tokens off;
+  server_name plural.cafe;
+  include /etc/nginx/snippets/common-ssl.conf;
+  root /srv/plural.cafe/html;
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ecdh_curve X25519:secp384r1;
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:TLS:2m;
-  ssl_session_timeout 10m;
-  ssl_session_tickets off;
-  ssl_stapling on;
-  ssl_stapling_verify on;
-  keepalive_timeout 70;
-  sendfile on;
-  client_max_body_size 0;
-  add_header X-Frame-Options DENY;
-  add_header X-Content-Type-Options nosniff;
-  add_header X-XSS-Protection "1; mode=block";
-  add_header Referrer-Policy "same-origin";
-  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-  ssl_certificate /etc/ssl/fullchain.pem;
-  ssl_certificate_key /etc/ssl/privkey.pem;
-  ssl_trusted_certificate /etc/ssl/cert.pem;
-  resolver [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
-  resolver_timeout 5s;
-  root /var/www/html;
-  #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';";
-  add_header Access-Control-Allow-Origin "https://$host";
   add_header X-Cache-Status $upstream_cache_status;
-  location / {
-    try_files $uri @proxy;
+  # hang up on scrubs
+  if ($http_user_agent ~* (fedsearch|gabsocial|fedichive|seekport|dotbot|semrush|fasthttp|^\d+$|wdestiny|megaindex|webmeup|fedi-block)) {
+	return 444;
   location /sw.js {
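Review bot: The `return 444;` inside the user-agent `if` is indented with a tab while the rest of the server block uses two spaces; the same mix appears at `expires max;` and in the `/api/v2/search` location later in the file, so pick one style. `# hang up on scrubs` does not say what the list is, so a reader cannot tell whether `^\d+$` (purely numeric agents) or `fasthttp` are deliberate; suggest `# drop connection (444) for known scraper/archival agents and bare-numeric UAs; keep this list in sync with the instance block policy`. The gzip directives moved to server scope now also apply to proxied dynamic responses, which the removed location-scoped set did not; confirm that is intended. The closing brace of the `if` block and the server block lie outside the hunk.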
@@ -110,45 +58,13 @@ server {
     try_files $uri @proxy;
-  location = /sysinfo {
-    return 301 /sysinfo/;
-  }
-  location ~ /sysinfo/(?<ndpath>.*) {
-    proxy_redirect off;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-Host $host;
-    proxy_set_header X-Forwarded-Server $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_http_version 1.1;
-    proxy_pass_request_headers on;
-    proxy_set_header Connection "keep-alive";
-    proxy_store off;
-    proxy_pass http://dockernetdata/$ndpath$is_args$args;
-    gzip on;
-    gzip_proxied any;
-    gzip_types *;
-  }
   location ~ ^/(emoji|packs|sounds) {
-    add_header Cache-Control "public, max-age=31536000, immutable";
-    gzip on;
-    gzip_disable "msie6";
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 6;
-    gzip_buffers 16 8k;
-    gzip_http_version 1.1;
-    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+	expires max;
     try_files $uri @proxy;
-  location ~ ^/system/(?<req>(media_attachments|accounts|preview_cards)/.+) {
-    return 301 "https://d2rm2wyqhf92ej.cloudfront.net/$req";
+  location / {
+    try_files $uri @proxy;
   location @proxy {
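Review bot: The switch from `add_header Cache-Control "public, max-age=31536000, immutable";` to `expires max;` in the `^/(emoji|packs|sounds)` location changes the emitted header (no `public`, no `immutable`, a far-future `Expires`), but it is also what keeps the snippet's security headers inherited here, since a location-level `add_header` would discard them; that motivation deserves a comment, e.g. `# expires instead of add_header so the server-level security headers from common-ssl.conf are still inherited`. If `immutable` matters for these fingerprinted assets, the alternative is to repeat the full header set in this location. The location's closing brace is outside the hunk.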
@@ -157,9 +73,14 @@ server {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto https;
     proxy_set_header Proxy "";
+    proxy_hide_header X-Frame-Options;
+    proxy_hide_header X-Content-Type-Options;
+    proxy_hide_header X-XSS-Protection;
+    proxy_hide_header Referrer-Policy;
+    proxy_hide_header Strict-Transport-Security;
     proxy_pass_header Server;
-    proxy_pass http://mstweb:3000;
+    proxy_pass;
     proxy_buffering on;
     proxy_redirect off;
     proxy_http_version 1.1;
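Review bot: `proxy_pass;` has no upstream URL, which nginx rejects at config load; the same appears in the streaming hunk below. If the address was stripped when this page was rendered, ignore this, otherwise it needs the loopback-published port of the corresponding compose service, e.g. `proxy_pass http://127.0.0.1:<WEB_PORT>;` (placeholder, the port mapping is not legible in docker-compose.yml). The added `proxy_hide_header` lines are what prevent duplicate security headers now that common-ssl.conf sets them; a one-line comment `# hide upstream copies, common-ssl.conf sets these` would explain why the list must match the snippet. The `@proxy` location continues outside the hunk.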
@@ -182,7 +103,7 @@ server {
     proxy_set_header X-Forwarded-Proto https;
     proxy_set_header Proxy "";
-    proxy_pass http://mststreaming:4000;
+    proxy_pass;
     proxy_buffering off;
     proxy_redirect off;
     proxy_http_version 1.1;
@@ -192,6 +113,11 @@ server {
     tcp_nodelay on;
+  location /api/v2/search {
+	access_log off;
+	try_files $uri @proxy;
+  }
   error_page 403 /assets/403.html;
   error_page 404 /assets/404.html;
   error_page 410 /assets/410.html;
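Review bot: `access_log off;` for `/api/v2/search` removes the only request-level record for an endpoint that is a common target of enumeration and scraping, so the user-agent blocklist earlier in this file can no longer be tuned from evidence for that path. If the goal is log volume, a separate `access_log <PATH> <FORMAT>;` with short rotation (placeholders) keeps the trail; at minimum add `# access_log off: search is high-volume; abuse investigation for this path relies on application logs`. The server block continues outside the hunk.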
diff --git a/deploy/conf/robots.txt b/deploy/conf/robots.txt
new file mode 100644
index 0000000..e70ee85
--- /dev/null
+++ b/deploy/conf/robots.txt
@@ -0,0 +1,3 @@
+User-agent: *
+Disallow: /media_proxy/
+Disallow: /interact/
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index ed09d0c..c8a2cba 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -1,167 +1,170 @@
 version: '2.4'
-  nginx:
-    restart: always
-    image: nginx:mainline-alpine
-    ports:
-      - 80:80
-      - 443:443
-    environment:
-      - NGINX_HOST=plural.cafe
-    volumes:
-      - /etc/localtime:/etc/localtime:ro
-      - ./.docker/nginx/nginx.conf:/etc/nginx/conf.d/web.template:ro
-      - ./.acme.sh/${NGINX_HOST}_ecc/${NGINX_HOST}.cer:/etc/ssl/cert.pem:ro
-      - ./.acme.sh/${NGINX_HOST}_ecc/${NGINX_HOST}.key:/etc/ssl/privkey.pem:ro
-      - ./.acme.sh/${NGINX_HOST}_ecc/fullchain.cer:/etc/ssl/fullchain.pem:ro
-      - ./public:/var/www/html:ro
-    command: sh -c "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\" < /etc/nginx/conf.d/web.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
-    networks:
-      - external_network
-      - mstweb_network
-      - mststreaming_network
-      - netdata_network
-  netdata:
-    restart: always
-    image: titpetric/netdata
-    cap_add:
-      - SYS_PTRACE
+  # automatically update images
+  watchtower:
+    image: containrrr/watchtower
+    restart: unless-stopped
-      - /etc/localtime:/etc/localtime:ro
-      - ./.docker/netdata:/etc/netdata
-      - /proc:/host/proc:ro
-      - /sys:/host/sys:ro
       - /var/run/docker.sock:/var/run/docker.sock
-      - netdata_network
+      - external
+  # may not be necessary with recent docker, need to investigate
+    image: robbertkl/ipv6nat
     restart: always
+    privileged: true
+    network_mode: host
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /lib/modules:/lib/modules:ro
-    privileged: true
-    network_mode: host
-    image: robbertkl/ipv6nat
-  mstdb:
-    restart: always
-    image: postgres:9.6-alpine
-    networks:
-      - mstdb_network
+  logrotate:
+    image: blacklabelops/logrotate
+    restart: unless-stopped
+    environment:
+      - LOGS_DIRECTORIES=/var/lib/docker/containers
       - /etc/localtime:/etc/localtime:ro
-      - ./.docker/mastodon/db:/var/lib/postgresql/data
+      - /var/lib/docker/containers:/var/lib/docker/containers
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "50m"
+        max-file: "3"
-  mstredis:
+  db:
     restart: always
-    image: redis:4-alpine
+    image: postgres:11-alpine
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "postgres"]
-      - mstredis_network
+      - db_network
       - /etc/localtime:/etc/localtime:ro
-      - ./.docker/mastodon/redis:/data
+      - /etc/timezone:/etc/timezone:ro
+      - ./mastodon/db:/var/lib/postgresql/data
-  mstes:
+  redis:
     restart: always
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.3
-    environment:
-      - bootstrap.memory_lock=true
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
+    image: redis:alpine
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
-      - mstes_network
+      - redis_network
       - /etc/localtime:/etc/localtime:ro
-      - ./.docker/mastodon/es:/usr/share/elasticsearch/data
+      - /etc/timezone:/etc/timezone:ro
+      - ./mastodon/redis:/data
-  mstweb:
-    image: pluralcafe/mastodon:stable
+  mastodon-web:
+    image: pluralcafe/mastodon:edge
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider --header 'x-forwarded-proto: https' --proxy=off localhost:3000/health || exit 1"]
     restart: always
-    env_file: ./.docker/mastodon/.env.production
-    environment:
-      - MAX_THREADS=15
-    command: sh -c "rm -f /mastodon/tmp/pids/server.pid; rake db:migrate; bundle exec rails s -p 3000 -b ''"
+    env_file: ./mastodon/.env.production
+    command: sh -c "rm -f /mastodon/tmp/pids/server.pid; RAILS_ENV=production bundle exec rails db:migrate; bundle exec rails s -p 3000 -b ''"
-      - mstdb_network
-      - mstes_network
-      - mstredis_network
-      - mstweb_network
+      - db_network
+      - redis_network
+      - external
-      - mstdb
-      - mstredis
-      - mstes
+      - ipv6nat
+      - db
+      - redis
+    ports:
+      - ""
       - /etc/localtime:/etc/localtime:ro
-      - ./public/system:/mastodon/public/system
+      - /etc/timezone:/etc/timezone:ro
+      - ./html/system:/mastodon/public/system
-  mststreaming:
-    image: pluralcafe/mastodon:stable
+  mastodon-streaming:
+    image: pluralcafe/mastodon:edge
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider --header 'x-forwarded-proto: https' --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
     restart: always
-    env_file: .docker/mastodon/.env.production
+    env_file: ./mastodon/.env.production
     command: yarn start
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
-      - mstdb_network
-      - mstredis_network
-      - mststreaming_network
+      - db_network
+      - redis_network
+      - external
-      - mstdb
-      - mstredis
+      - db
+      - redis
+    ports:
+      - ""
-  mstsidekiq:
-    image: pluralcafe/mastodon:stable
+  sidekiq:
+    image: pluralcafe/mastodon:edge
     restart: always
-    env_file: .docker/mastodon/.env.production
-    environment:
-      - DB_POOL=10
-    command: bundle exec sidekiq -q default -q mailers -q pull -q push
+    env_file: ./mastodon/.env.production
+    command: bundle exec sidekiq -q default -q mailers -q push -q pull -q scheduler
-      - mstdb
-      - mstes
-      - mstredis
+      - ipv6nat
+      - db
+      - redis
-      - external_network
-      - mstdb_network
-      - mstes_network
-      - mstredis_network
+      - external
+      - db_network
+      - redis_network
-      - ./public/system:/mastodon/public/system
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - ./html/system:/mastodon/public/system
-  mstbarkeep:
+  # after the Twitter migration of november 2022, separating ingress only makes sense
+  sidekiq-ingress:
+    image: pluralcafe/mastodon:edge
+    restart: always
+    env_file: ./mastodon/.env.production
+    command: bundle exec sidekiq -q default -q ingress
+    depends_on:
+      - ipv6nat
+      - db
+      - redis
+    networks:
+      - external
+      - db_network
+      - redis_network
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - ./html/system:/mastodon/public/system
+  barkeep:
     image: pluralcafe/barkeep
     restart: always
-    env_file: ./.docker/mastodon/.env.ambassador
+    env_file: ./mastodon/.env.ambassador
     command: yarn start
-      - mstdb
+      - db
+      - ipv6nat
+      - mastodon-web
-      - external_network
-      - mstdb_network
+      - external
+      - db_network
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
-  external_network:
+  external:
     driver: bridge
     enable_ipv6: true
       driver: default
         - subnet:
-        - subnet: fd00:dead:beef::/48
-  mstdb_network:
-    internal: true
-  mstes_network:
-    internal: true
-  mstredis_network:
-    internal: true
-  mststreaming_network:
-    internal: true
-  mstweb_network:
-    internal: true
-  netdata_network:
+        - subnet: fd00:0000:0000::/48
+  db_network:
     internal: true
+  redis_network:
+      internal: true
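Review bot: The `ports:` entries added to `mastodon-web` and `mastodon-streaming` are not legible on this page (`- ""`); with nginx now running on the host they must bind to loopback only, e.g. `- "127.0.0.1:3000:3000"` (constructed example), because a bare `3000:3000` publishes Puma and the streaming server on every interface (and via ipv6nat on IPv6) and bypasses the headers and user-agent filtering in nginx.conf. `watchtower` with `/var/run/docker.sock` mounted will redeploy whatever is pushed to the mutable `pluralcafe/mastodon:edge`, `redis:alpine` and `postgres:11-alpine` tags unattended, so a compromised or mistaken registry push goes live without review; a comment recording that trade-off, or restricting watchtower to explicitly opted-in services, is worth adding. `postgres:11-alpine` is also close to end of support for this commit's date; check the upgrade path before relying on auto-updates to carry it.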
diff --git a/deploy/scripts/backup.sh b/deploy/scripts/backup.sh
index ae2c774..df49890 100755
--- a/deploy/scripts/backup.sh
+++ b/deploy/scripts/backup.sh
@@ -11,7 +11,7 @@
 if [ "$1" == 'daily' ]; then
-	find $BACKUP_LOC -type f -name postgres-daily.* -mtime +7 -delete
+	find $BACKUP_LOC -type f -name postgres-daily.* -mtime +3 -delete
 	$COMPOSE exec -T -u postgres db sh -c "umask 0377 && /usr/local/bin/pg_dump -Fc -h db -d postgres -U postgres" > "$BACKUP_LOC/postgres-daily.$(date -Iseconds).pgsql"
 	$COMPOSE run -T --rm rails rake mastodon:media:remove_remote
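Review bot: The `find ... -mtime +3 -delete` line runs before the new dump is taken, so three consecutive failed dumps leave no backup at all; move the deletion after the `pg_dump` line and guard it on success, and quote the operands so an empty `$BACKUP_LOC` or a matching file in the current directory cannot redirect the delete: `find "$BACKUP_LOC" -type f -name 'postgres-daily.*' -mtime +3 -delete`. The `umask 0377` on the next line executes inside the container, but the dump file is created by the host shell's `>` redirection, so it has no effect on the backup's permissions; set the umask (or `chmod 0400`) on the host side instead. The `if` block continues outside the hunk.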
diff --git a/deploy/scripts/update-containers.sh b/deploy/scripts/update-containers.sh
deleted file mode 100644
index 302731c..0000000
--- a/deploy/scripts/update-containers.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-[ -z "$COMPOSE" ] && COMPOSE="$(command -v docker-compose)"
-[ -z "$COMPOSE" ] && COMPOSE="/usr/local/bin/docker-compose"
-cd "$HOME" || exit
-[ -z "$NGINX_WEBHOOK" ] || printf "Content-Type: text/plain\r\n\r\n"
-($COMPOSE pull 2>&1 | grep --silent "Downloaded newer") && {
-  $COMPOSE up -d
-  docker cp "$($COMPOSE ps -q mstweb):/mastodon/public/assets" public/
-  docker cp "$($COMPOSE ps -q mstweb):/mastodon/public/packs" public/
-  docker system prune --all -f
-  curl -sS "https://raw.githubusercontent.com/pluralcafe/utils/master/deploy/docker-compose.yml" > docker-compose.yml
diff --git a/deploy/setup-mastodon.sh b/deploy/setup-mastodon.sh
index e394184..165bbf4 100755
--- a/deploy/setup-mastodon.sh
+++ b/deploy/setup-mastodon.sh
@@ -1,5 +1,17 @@
+# copy files
+install docker-compose.yaml     /srv/plural.cafe/docker-compose.yaml
+install conf/nginx.conf         /etc/nginx/sites-available/pluralcafe
+install conf/common-ssl.conf    /etc/nginx/snippets/common-ssl.conf
+install conf/robots.txt         /srv/plural.cafe/html/robots.txt
+install scripts/backup.sh       /srv/plural.cafe/scripts/backup.sh
+install conf/.env.ambassador    /srv/plural.cafe/mastodon/.env.ambassador
+install conf/.env.production    /srv/plural.cafe/mastodon/.env.production
+# TODO some edits here
+# TODO rewrite the below
 [ -z "$YML_LOC" ] && YML_LOC="$(pwd)"
 cd $YML_LOC
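Review bot: `install conf/.env.ambassador ...` and `install conf/.env.production ...` use `install`'s default mode 0755, which leaves the files with the instance secrets world-readable and executable; use `install -m 0600` (and the owning user via `-o`) for those two lines. `install docker-compose.yaml /srv/plural.cafe/docker-compose.yaml` also names a file that does not exist in this tree: the repository file is `deploy/docker-compose.yml`, so the copy step fails as written. `cd $YML_LOC` on the last line is unquoted; `cd "$YML_LOC" || exit` matches the style used elsewhere in these scripts. The script continues outside the hunk.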
diff --git a/maintenance b/maintenance
new file mode 100644
index 0000000..f214eff
--- /dev/null
+++ b/maintenance
@@ -0,0 +1,29 @@
+# clean up docker images
+/usr/bin/docker system prune -f 2>&1 >/dev/null
+# clear out old remote statuses that have never been touched (favorited, followed, etc)
+# the "Content cache retention period" setting is significantly more aggressive since it removes *all* old remote posts
+sudo docker-compose exec mastodon-web tootctl statuses remove --days 90
+# these are useful maintenance tasks but already covered by other settings
+# just turn autovacuum on
+sudo docker-compose exec -u 70 db psql -c 'VACUUM ANALYZE;'
+# covered by the new "Media cache retention period" setting
+sudo docker-compose exec mastodon-web tootctl media remove --days 30
+sudo docker-compose exec mastodon-web tootctl preview_cards remove --days 30
+# run these only with careful consideration, they're slow and may require taking the instance down for maintenance
+# clear out nonextant remote accounts (this will nuke monsterpit and pv... :c )
+sudo docker-compose exec mastodon-web tootctl accounts cull
+# remove loose media files, quite slow but should save una a little bit of costs
+sudo docker-compose exec mastodon-web tootctl media remove-orphans
+# postgres vacuum full, requires instance down
+# first line requies pgstattuple module
+SELECT * FROM pgstattuple('table'); -- see if free_percent is high
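Review bot: `/usr/bin/docker system prune -f 2>&1 >/dev/null` has the redirections in the wrong order: `2>&1` duplicates stderr onto the still-open stdout and only then is stdout sent to `/dev/null`, so errors are printed and normal output is discarded; `>/dev/null 2>&1` silences both, or drop the redirect to keep errors visible from cron. The file mixes shell commands with an SQL statement (`SELECT * FROM pgstattuple('table');`) and has no shebang, so it reads as a notes file rather than a runnable script; a first-line comment such as `# NOTES: run these by hand, not as a script; see comments before each block` would make that explicit. The `tootctl accounts cull` and `media remove-orphans` lines are already marked as destructive in the comments, which is good.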