about summary refs log tree commit diff
diff options
context:
space:
mode:
-rwxr-xr-xcron-backup.sh26
-rw-r--r--docker-compose-with-nginx.md248
-rw-r--r--nginx.conf152
3 files changed, 426 insertions, 0 deletions
diff --git a/cron-backup.sh b/cron-backup.sh
new file mode 100755
index 0000000..e3b1b4a
--- /dev/null
+++ b/cron-backup.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Cron job scripts for Mastodon backup and maintenance
+# Usage: ./cron-backup.sh daily
+#        ./cron-backup.sh hourly
+# Prepend COMPOSE= env for location to docker-compose
+# Prepend COMPOSE_LOC= for location to docker-compose.yml
+
+# Adapted from https://github.com/rtucker/mastodon/blob/production/local/cron.daily/mastodon
+
+NOW_SEC=$(date -Iseconds)
+COMPOSE="$(command -v docker-compose)"
+
+[ -z "$COMPOSE" ] && COMPOSE="/usr/local/bin/docker-compose"
+[ ! -z "$COMPOSE_LOC" ] && COMPOSE=" -f $COMPOSE_LOC"
+
+if [ "$1" == 'daily' ]; then
+  find $BACKUP_LOC -type f -name postgres-daily.* -mtime +7 -delete
+  $COMPOSE_LOC exec -T -u postgres db sh -c "umask 0377 && /usr/local/bin/pg_dump -Fc -h db -d postgres -U postgres" > "$BACKUP_LOC/postgres-daily.$NOW_SEC.pgsql"
+  $COMPOSE_LOC run -T --rm web rake mastodon:media:remove_remote
+fi
+
+if [ "$1" == 'hourly' ]; then
+  find $BACKUP_LOC -type f -name postgres-hourly.* -mmin +360 -delete
+  $COMPOSE exec -T -u postgres db sh -c "umask 0377 && /usr/local/bin/pg_dump -Fc -h db -d postgres -U postgres" > "$BACKUP_LOC/postgres-hourly.$NOW_SEC.pgsql"
+fi
diff --git a/docker-compose-with-nginx.md b/docker-compose-with-nginx.md
new file mode 100644
index 0000000..d2c0a98
--- /dev/null
+++ b/docker-compose-with-nginx.md
@@ -0,0 +1,248 @@
+# Run docker-compose with nginx
+
+## docker-compose.yml
+
+Put your [.env.production](https://github.com/tootsuite/mastodon/blob/master/.env.production.sample) in the same directory where your docker-compose.yml is and modify the /path/to's with your own:
+
+```
+version: '3'
+services:
+
+  db:
+    restart: always
+    image: postgres:9-alpine
+    networks:
+      - db_network
+    volumes:
+      - ./.db:/var/lib/postgresql/data
+
+  redis:
+    restart: always
+    image: redis:alpine
+    networks:
+      - redis_network
+    volumes:
+      - ./.redis:/data
+
+#  es:
+#    restart: always
+#    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.1.3
+#    environment:
+#      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+#    networks:
+#      - internal_network
+#    volumes:
+#      - ./elasticsearch:/usr/share/elasticsearch/data
+
+  web:
+    image: pluralcafe/mastodon:stable
+    restart: always
+    env_file: .env.production
+    command: bundle exec rails s -p 3000 -b '0.0.0.0'
+    networks:
+      - db_network
+      - web_network
+      - redis_network
+    depends_on:
+      - db
+      - redis
+#      - es
+    volumes:
+      - ./public/system:/mastodon/public/system
+      - /etc/localtime:/etc/localtime:ro
+
+  streaming:
+    image: pluralcafe/mastodon:stable
+    restart: always
+    env_file: .env.production
+    command: yarn start
+    networks:
+      - db_network
+      - streaming_network
+      - redis_network
+    depends_on:
+      - db
+      - redis
+
+  sidekiq:
+    image: pluralcafe/mastodon:stable
+    restart: always
+    env_file: .env.production
+    command: bundle exec sidekiq -q default -q mailers -q pull -q push
+    depends_on:
+      - db
+      - redis
+    networks:
+      - external_network
+      - db_network
+      - redis_network
+    volumes:
+      - ./public/system:/mastodon/public/system
+
+  nginx:
+    image: nginx:alpine
+    restart: always
+    environment:
+      - NGINX_SERVER=example.com
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/site.template:ro
+      - ./public:/var/www/html:ro
+      - /var/log/nginx:/var/log/nginx
+      - /var/cache/nginx:/var/cache/nginx
+      - /path/to/letsencrypt/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro
+      - /path/to/letsencrypt/key.pem:/etc/ssl/private/key.pem:ro
+      - /path/to/letsencrypt/cert.pem:/etc/ssl/certs/cert.pem:ro
+      - /path/to/dhparam.pem:/etc/ssl/dhparam.pem:ro
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - external_network
+      - web_network
+      - streaming_network
+    command: sh -c "(cat /etc/nginx/conf.d/site.template | sed 's|NGINX_SERVER|$NGINX_SERVER|g') > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
+
+networks:
+  external_network:
+  db_network:
+    internal: true
+  redis_network:
+    internal: true
+  web_network:
+    internal: true
+  streaming_network:
+    internal: true
+```
+
+## nginx.conf (No Modifications)
+
+```
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  listen 80;
+  listen [::]:80;
+  
+  server_name NGINX_SERVER;
+
+  root /var/www/html;
+  location /.well-known/acme-challenge/ { allow all; }
+  location / { return 301 https://$host$request_uri; }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name NGINX_SERVER;
+  server_tokens off;
+
+  ssl_certificate /etc/ssl/certs/fullchain.pem;
+  ssl_certificate_key /etc/ssl/private/key.pem;
+  ssl_trusted_certificate /etc/ssl/certs/cert.pem;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
+  ssl_prefer_server_ciphers on;
+  ssl_ecdh_curve secp521r1:secp384r1;
+  ssl_session_cache shared:TLS:2m;
+  ssl_session_timeout 10m;
+  ssl_session_tickets off;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  resolver 8.8.8.8 8.8.4.4 valid=300s;
+  resolver_timeout 5s;
+
+  ssl_dhparam /etc/ssl/dhparam.pem;
+
+  keepalive_timeout 70;
+  sendfile on;
+  client_max_body_size 0;
+
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Referrer-Policy "same-origin";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';";
+  add_header Access-Control-Allow-Origin https://NGINX_SERVER;
+  add_header X-Cache-Status $upstream_cache_status;
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location /sw.js {
+    add_header Cache-Control "public, max-age=0";
+    try_files $uri @proxy;
+  }
+
+  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+
+    gzip on;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+    proxy_pass_header Server;
+
+    proxy_pass http://web:3000;
+    proxy_buffering on;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_cache CACHE;
+    proxy_cache_valid 200 7d;
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+    proxy_cache_lock on;
+    proxy_cache_revalidate on;
+
+    tcp_nodelay on;
+  }
+
+  location /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+
+    proxy_pass http://streaming:4000;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  error_page 403 /assets/403.html;
+  error_page 404 /assets/404.html;
+  error_page 410 /assets/410.html;
+  error_page 422 /assets/422.html;
+  error_page 500 501 502 503 504 /assets/500.html;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g use_temp_path=off;
+```
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..4098153
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,152 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  server_name plural.cafe;
+  root /home/mastodon/live/public;
+  location /.well-known/acme-challenge/ { allow all; }
+  location / { return 301 https://$host$request_uri; }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name ~^(?<subdomain>\w+)\.plural\.cafe$;
+  server_tokens off;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
+  ssl_prefer_server_ciphers on;
+  ssl_ecdh_curve secp384r1;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
+  ssl_session_tickets off;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
+  resolver_timeout 5s;
+
+  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
+
+  ssl_certificate     /etc/letsencrypt/live/plural.cafe/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem;
+
+  keepalive_timeout    70;
+  sendfile             on;
+  client_max_body_size 0;
+
+  gzip off;
+
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Referrer-Policy "same-origin";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+  return 301 "https://plural.cafe/@${subdomain}";
+}
+
+server {
+  listen 443 ssl http2 default_server;
+  listen [::]:443 ssl http2 default_server;
+  server_name plural.cafe;
+  server_tokens off;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
+  ssl_prefer_server_ciphers on;
+  ssl_ecdh_curve secp384r1;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
+  ssl_session_tickets off;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
+  resolver_timeout 5s;
+
+  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
+
+  ssl_certificate     /etc/letsencrypt/live/plural.cafe/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem;
+
+  keepalive_timeout    70;
+  sendfile             on;
+  client_max_body_size 0;
+
+  root /home/mastodon/live/public;
+
+  gzip off; # anti-BREACH
+
+  add_header X-Terms-Of-Service "https://plural.cafe/about/more";
+  add_header X-Source-Code "https://github.com/pluralcafe/mastodon";
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Content-Security-Policy "frame-ancestors 'none'; base-uri 'self'; form-action 'self'; default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self' https://fonts.googleapis.com/ 'sha256-deDIoPlRijnpfbTDYsK+8JmDfUBmpwpnb0L/SUV8NeU=' 'sha256-dsU/1vqKDGkqSAJVJCzaxo3alnWrTU/iQqFREt5QB+g='; img-src * data: https://d2rm2wyqhf92ej.cloudfront.net/; media-src 'self' data: https://d2rm2wyqhf92ej.cloudfront.net/; worker-src 'self'; frame-src https://player.vimeo.com https://youtube.com https://www.youtube.com; font-src 'self' data: https://fonts.gstatic.com/; connect-src 'self' wss://plural.cafe";
+  add_header Referrer-Policy "same-origin";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location /sw.js {
+    add_header Cache-Control "public, max-age=0";
+    try_files $uri @proxy;
+  }
+
+  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+    proxy_pass_header Server;
+
+    proxy_pass http://127.0.0.1:3000;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  location /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+
+    proxy_pass http://127.0.0.1:4000;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  error_page 403 /assets/403.html;
+  error_page 404 /assets/404.html;
+  error_page 410 /assets/410.html;
+  error_page 422 /assets/422.html;
+  error_page 500 501 502 503 504 /assets/500.html;
+}
+