From 8550be23e6dd30ab24b109185ead7ae432903cce Mon Sep 17 00:00:00 2001 From: reverite Date: Tue, 27 Mar 2018 22:05:35 -0700 Subject: rearrange --- cron-backup.sh | 26 ---- deploy/.docker/nginx/nginx.conf | 207 +++++++++++++++++++++++++ deploy/docker-compose.yml | 162 ++++++++++++++++++++ deploy/scripts/backup.sh | 18 +++ deploy/scripts/update-containers.sh | 12 ++ deploy/setup-mastodon.sh | 27 ++++ docker-compose-with-nginx.md | 292 ------------------------------------ nginx.conf | 152 ------------------- 8 files changed, 426 insertions(+), 470 deletions(-) delete mode 100755 cron-backup.sh create mode 100644 deploy/.docker/nginx/nginx.conf create mode 100644 deploy/docker-compose.yml create mode 100755 deploy/scripts/backup.sh create mode 100755 deploy/scripts/update-containers.sh create mode 100755 deploy/setup-mastodon.sh delete mode 100644 docker-compose-with-nginx.md delete mode 100644 nginx.conf diff --git a/cron-backup.sh b/cron-backup.sh deleted file mode 100755 index e3b1b4a..0000000 --- a/cron-backup.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash - -# Cron job scripts for Mastodon backup and maintenance -# Usage: ./cron-backup.sh daily -# ./cron-backup.sh hourly -# Prepend COMPOSE= env for location to docker-compose -# Prepend COMPOSE_LOC= for location to docker-compose.yml - -# Adapted from https://github.com/rtucker/mastodon/blob/production/local/cron.daily/mastodon - -NOW_SEC=$(date -Iseconds) -COMPOSE="$(command -v docker-compose)" - -[ -z "$COMPOSE" ] && COMPOSE="/usr/local/bin/docker-compose" -[ ! -z "$COMPOSE_LOC" ] && COMPOSE=" -f $COMPOSE_LOC" - -if [ "$1" == 'daily' ]; then - find $BACKUP_LOC -type f -name postgres-daily.* -mtime +7 -delete - $COMPOSE_LOC exec -T -u postgres db sh -c "umask 0377 && /usr/local/bin/pg_dump -Fc -h db -d postgres -U postgres" > "$BACKUP_LOC/postgres-daily.$NOW_SEC.pgsql" - $COMPOSE_LOC run -T --rm web rake mastodon:media:remove_remote -fi - -if [ "$1" == 'hourly' ]; then - find $BACKUP_LOC -type f -name postgres-hourly.* -mmin +360 -delete - $COMPOSE exec -T -u postgres db sh -c "umask 0377 && /usr/local/bin/pg_dump -Fc -h db -d postgres -U postgres" > "$BACKUP_LOC/postgres-hourly.$NOW_SEC.pgsql" -fi diff --git a/deploy/.docker/nginx/nginx.conf b/deploy/.docker/nginx/nginx.conf new file mode 100644 index 0000000..9326f6d --- /dev/null +++ b/deploy/.docker/nginx/nginx.conf @@ -0,0 +1,207 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +upstream netdatacontainer { + server netdata:19999; + keepalive 64; +} + +server { + listen 80; + listen [::]:80; + + server_name plural.cafe; + root /var/www/html; + + location /.well-known/acme-challenge/ { + allow all; + } + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ~^(?\w+)\.plural\.cafe$; + server_tokens off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL; + ssl_prefer_server_ciphers on; + ssl_ecdh_curve secp521r1:secp384r1; + ssl_session_cache shared:TLS:2m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s; + resolver_timeout 5s; + + ssl_dhparam /etc/ssl/dhparam.pem; + + keepalive_timeout 70; + sendfile on; + client_max_body_size 0; + + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Referrer-Policy "same-origin"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + + ssl_certificate /etc/ssl/fullchain.pem; + ssl_certificate_key /etc/ssl/privkey.pem; + ssl_trusted_certificate /etc/ssl/cert.pem; + + return 301 "https://plural.cafe/@${subdomain}"; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name plural.cafe; + server_tokens off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL; + ssl_prefer_server_ciphers on; + ssl_ecdh_curve secp521r1:secp384r1; + ssl_session_cache shared:TLS:2m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s; + resolver_timeout 5s; + + ssl_dhparam /etc/ssl/dhparam.pem; + + keepalive_timeout 70; + sendfile on; + client_max_body_size 0; + + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Referrer-Policy "same-origin"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + + ssl_certificate /etc/ssl/fullchain.pem; + ssl_certificate_key /etc/ssl/privkey.pem; + ssl_trusted_certificate /etc/ssl/cert.pem; + + root /var/www/html; + + #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';"; + add_header Access-Control-Allow-Origin "https://$host"; + add_header X-Cache-Status $upstream_cache_status; + + location / { + try_files $uri @proxy; + } + + location /sw.js { + add_header Cache-Control "public, max-age=0"; + try_files $uri @proxy; + } + + + location = /sysinfo { + return 301 /sysinfo/; + } + + location ~ /sysinfo/(?.*) { + proxy_redirect off; + proxy_set_header Host $host; + + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_set_header Connection "keep-alive"; + proxy_store off; + proxy_pass http://netdatacontainer/$ndpath$is_args$args; + + gzip on; + gzip_proxied any; + gzip_types *; + } + + location ~ ^/(emoji|packs|sounds) { + add_header Cache-Control "public, max-age=31536000, immutable"; + + gzip on; + gzip_disable "msie6"; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + try_files $uri @proxy; + } + + location ~ ^/system/(?(media_attachments|accounts|preview_cards)/.+) { + return 301 "https://d2rm2wyqhf92ej.cloudfront.net/$req"; + } + + location @proxy { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Proxy ""; + proxy_pass_header Server; + + proxy_pass http://mstweb:3000; + proxy_buffering on; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_cache CACHE; + proxy_cache_valid 200 7d; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_cache_revalidate on; + + tcp_nodelay on; + } + + location /api/v1/streaming { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Proxy ""; + + proxy_pass http://mststreaming:4000; + proxy_buffering off; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + tcp_nodelay on; + } + + error_page 403 /assets/403.html; + error_page 404 /assets/404.html; + error_page 410 /assets/410.html; + error_page 422 /assets/422.html; + error_page 500 501 502 503 504 /assets/500.html; +} + +proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g use_temp_path=off; diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml new file mode 100644 index 0000000..b6de5fd --- /dev/null +++ b/deploy/docker-compose.yml @@ -0,0 +1,162 @@ +version: '3' +services: + + nginx: + restart: always + image: nginx:mainline + command: nginx -g 'daemon off;' + networks: + - external_network + - mstweb_network + - mststreaming_network + - netdata_network + volumes: + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + - ./.docker/nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro + - ./.docker/nginx/dhparam.pem:/etc/ssl/dhparam.pem:ro + - ./.docker/nginx/certs/fullchain.pem:/etc/ssl/fullchain.pem:ro + - ./.docker/nginx/certs/privkey.pem:/etc/ssl/privkey.pem:ro + - ./.docker/nginx/certs/cert.pem:/etc/ssl/cert.pem:ro + - ./public:/var/www/html:ro + ports: + - "80:80" + - "443:443" + + netdata: + restart: always + image: titpetric/netdata + restart: unless-stopped + cap_add: + - SYS_PTRACE + volumes: + - ./.docker/netdata:/etc/netdata + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + networks: + - netdata_network + + mstdb: + restart: always + image: postgres:9.6-alpine + networks: + - mstdb_network + volumes: + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + - ./.docker/mastodon/db:/var/lib/postgresql/data + + mstredis: + restart: always + image: redis:alpine + networks: + - mstredis_network + volumes: + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + - ./.docker/mastodon/redis:/data + +# mstes: +# restart: always +# image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.3 +# environment: +# - "ES_JAVA_OPTS=-Xms512m -Xmx512m" +# networks: +# - mstes_network +# volumes: +# - /etc/localtime:/etc/localtime:ro +# - /etc/timezone:/etc/timezone:ro +# - ./.docker/mastodon/es:/usr/share/elasticsearch/data + + mstweb: + image: pluralcafe/mastodon:stable + restart: always + env_file: ./.docker/mastodon/.env.production + command: bash -c "rake db:migrate; bundle exec rails s -p 3000 -b '0.0.0.0'" + networks: + - external_network + - mstdb_network + - mstredis_network + - mstweb_network + depends_on: + - mstdb + - mstredis +# - mstes + volumes: + - ./public/system:/mastodon/public/system + - ./public/assets:/tmp/assets + - ./public/packs:/tmp/packs + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + + mststreaming: + image: pluralcafe/mastodon:stable + restart: always + env_file: ./.docker/mastodon/.env.production + command: yarn start + networks: + - mstdb_network + - mstredis_network + - mststreaming_network + depends_on: + - mstdb + - mstredis + volumes: + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + + mstsidekiq: + image: pluralcafe/mastodon:stable + restart: always + env_file: ./.docker/mastodon/.env.production + command: bundle exec sidekiq -q default -q mailers -q pull -q push + depends_on: + - mstdb + - mstredis + networks: + - external_network + - mstdb_network + - mstredis_network + - mstweb_network + - mststreaming_network + volumes: + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + - ./public/system:/mastodon/public/system + +# mrxsynapse: +# image: avhost/docker-matrix:latest +# restart: always +# command: start +# environment: +# - SERVER_NAME=plural.cafe +# - REPORT_STATS=yes +# - MATRIX_UID=981 +# - MATRIX_GID=981 +# networks: +# - mrxsynapse_network +# - mrxdb_network +# - external_network +# ports: +# - "8448:8448" +# - "3478:3478" +# volumes: +# - /etc/localtime:/etc/localtime:ro +# - /etc/timezone:/etc/timezone:ro +# - ./.docker/matrix:/data + +networks: + external_network: + mstdb_network: + internal: true + mstredis_network: + internal: true + mststreaming_network: + internal: true + mstweb_network: + internal: true + netdata_network: + internal: true diff --git a/deploy/scripts/backup.sh b/deploy/scripts/backup.sh new file mode 100755 index 0000000..b9a4b06 --- /dev/null +++ b/deploy/scripts/backup.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +[ -z "$COMPOSE" ] && COMPOSE="$(command -v docker-compose)" +[ -z "$COMPOSE" ] && COMPOSE="/usr/local/bin/docker-compose" +[ -z "$YML_LOC" ] && YML_LOC="$HOME/docker-compose.yml" + +COMPOSE="$COMPOSE -f $YML_LOC" + +if [ "$1" == 'daily' ]; then + find $HOME/backups -type f -name postgres-daily.* -mtime +7 -delete + $COMPOSE exec -T -u postgres mstdb sh -c "umask 0377 && /usr/local/bin/pg_dump -Fc -h mstdb -d postgres -U postgres" > "$HOME/backups/postgres-daily.$(date -Iseconds).pgsql" + $COMPOSE run -T --rm web rake mastodon:media:remove_remote +fi + +if [ "$1" == 'hourly' ]; then + find $HOME/backups -type f -name postgres-hourly.* -mmin +360 -delete + $COMPOSE exec -T -u postgres mstdb sh -c "umask 0377 && /usr/local/bin/pg_dump -Fc -h mstdb -d postgres -U postgres" > "$HOME/backups/postgres-hourly.$(date -Iseconds).pgsql" +fi diff --git a/deploy/scripts/update-containers.sh b/deploy/scripts/update-containers.sh new file mode 100755 index 0000000..ff63e9e --- /dev/null +++ b/deploy/scripts/update-containers.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +[ -z "$COMPOSE" ] && COMPOSE="$(command -v docker-compose)" +[ -z "$COMPOSE" ] && COMPOSE="/usr/local/bin/docker-compose" + +cd $HOME + +($COMPOSE pull 2>&1 | grep --silent "Downloaded newer") && \ + $COMPOSE up -d && \ + docker cp $($COMPOSE ps -q mstweb):/mastodon/public/assets public/ && \ + docker cp $($COMPOSE ps -q mstweb):/mastodon/public/packs public/ && \ + docker image prune -f diff --git a/deploy/setup-mastodon.sh b/deploy/setup-mastodon.sh new file mode 100755 index 0000000..14ae9af --- /dev/null +++ b/deploy/setup-mastodon.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +[ -z "$YML_LOC" ] && YML_LOC="$HOME" +cd $YML_LOC + +echo "Setting up the instance..." +echo + +curl -fsSL https://raw.githubusercontent.com/tootsuite/mastodon/master/.env.production.sample -o "$YML_LOC/.docker/mastodon/.env.production" + +MUID="$(docker-compose run --rm mstweb id -u 2>/dev/null)" +SECRET_KEY_BASE=$(hexdump -vn 64 -e ' /1 "%02x"' /dev/urandom) +OTP_SECRET=$(hexdump -vn 64 -e ' /1 "%02x"' /dev/urandom) + +sed -i 's|REDIS_HOST=redis|REDIS_HOST=mstredis|' $YML_LOC/.docker/mastodon/.env.production +sed -i 's|DB_HOST=db|DB_HOST=mstdb|' $YML_LOC/.docker/mastodon/.env.production +sed -i 's|ES_HOST=es|ES_HOST=mstes|' $YML_LOC/.docker/mastodon/.env.production +sed -i "s|SECRET_KEY_BASE=|SECRET_KEY_BASE=$SECRET_KEY_BASE|" $YML_LOC/.docker/mastodon/.env.production +sed -i "s|OTP_SECRET=|OTP_SECRET=$OTP_SECRET|" $YML_LOC/.docker/mastodon/.env.production + +docker-compose run --rm mstweb rake db:migrate +(openssl dhparam -rand /dev/urandom -out $YML_LOC/.docker/nginx/dhparam.pem 4096 2>&1 >/dev/null) & pid=$! + +echo +echo "Mostly set up. Modify .docker/mastodon/.env.production settings and then" +echo "you can do a 'docker-compose up -d' on this instance. OpenSSL is still" +echo "running, so wait a bit for it to finish too." diff --git a/docker-compose-with-nginx.md b/docker-compose-with-nginx.md deleted file mode 100644 index 4a8aa09..0000000 --- a/docker-compose-with-nginx.md +++ /dev/null @@ -1,292 +0,0 @@ -# Run docker-compose with nginx - -## docker-compose.yml - -Put your [.env.production](https://github.com/tootsuite/mastodon/blob/master/.env.production.sample) in the same directory where your docker-compose.yml is and modify the /path/to's with your own: - -``` -version: '3' -services: - - db: - restart: always - image: postgres:9-alpine - networks: - - db_network - volumes: - - ./.db:/var/lib/postgresql/data - - redis: - restart: always - image: redis:alpine - networks: - - redis_network - volumes: - - ./.redis:/data - -# es: -# restart: always -# image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.1.3 -# environment: -# - "ES_JAVA_OPTS=-Xms512m -Xmx512m" -# networks: -# - internal_network -# volumes: -# - ./elasticsearch:/usr/share/elasticsearch/data - - web: - image: pluralcafe/mastodon:stable - restart: always - env_file: .env.production - command: bundle exec rails s -p 3000 -b '0.0.0.0' - networks: - - db_network - - web_network - - redis_network - depends_on: - - db - - redis -# - es - volumes: - - ./public/system:/mastodon/public/system - - /etc/localtime:/etc/localtime:ro - - streaming: - image: pluralcafe/mastodon:stable - restart: always - env_file: .env.production - command: yarn start - networks: - - db_network - - streaming_network - - redis_network - depends_on: - - db - - redis - - sidekiq: - image: pluralcafe/mastodon:stable - restart: always - env_file: .env.production - command: bundle exec sidekiq -q default -q mailers -q pull -q push - depends_on: - - db - - redis - networks: - - external_network - - db_network - - redis_network - volumes: - - ./public/system:/mastodon/public/system - - nginx: - image: nginx:alpine - restart: always - environment: - - NGINX_SERVER=example.com - volumes: - - ./nginx.conf:/etc/nginx/conf.d/site.template:ro - - ./public:/var/www/html:ro - - /var/log/nginx:/var/log/nginx - - /var/cache/nginx:/var/cache/nginx - - /path/to/letsencrypt/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro - - /path/to/letsencrypt/key.pem:/etc/ssl/private/key.pem:ro - - /path/to/letsencrypt/cert.pem:/etc/ssl/certs/cert.pem:ro - - /path/to/dhparam.pem:/etc/ssl/dhparam.pem:ro - ports: - - "80:80" - - "443:443" - networks: - - external_network - - web_network - - streaming_network - command: sh -c "(cat /etc/nginx/conf.d/site.template | sed 's|NGINX_SERVER|$NGINX_SERVER|g') > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'" - -networks: - external_network: - db_network: - internal: true - redis_network: - internal: true - web_network: - internal: true - streaming_network: - internal: true -``` - -## nginx.conf (No Modifications) - -``` -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -server { - listen 80; - listen [::]:80; - - server_name NGINX_SERVER; - - root /var/www/html; - location /.well-known/acme-challenge/ { allow all; } - location / { return 301 https://$host$request_uri; } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name NGINX_SERVER; - server_tokens off; - - ssl_certificate /etc/ssl/certs/fullchain.pem; - ssl_certificate_key /etc/ssl/private/key.pem; - ssl_trusted_certificate /etc/ssl/certs/cert.pem; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL; - ssl_prefer_server_ciphers on; - ssl_ecdh_curve secp521r1:secp384r1; - ssl_session_cache shared:TLS:2m; - ssl_session_timeout 10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 5s; - - ssl_dhparam /etc/ssl/dhparam.pem; - - keepalive_timeout 70; - sendfile on; - client_max_body_size 0; - - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "same-origin"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';"; - add_header Access-Control-Allow-Origin https://NGINX_SERVER; - add_header X-Cache-Status $upstream_cache_status; - - location / { - try_files $uri @proxy; - } - - location /sw.js { - add_header Cache-Control "public, max-age=0"; - try_files $uri @proxy; - } - - location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { - add_header Cache-Control "public, max-age=31536000, immutable"; - - gzip on; - gzip_disable "msie6"; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - try_files $uri @proxy; - } - - location @proxy { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Proxy ""; - proxy_pass_header Server; - - proxy_pass http://web:3000; - proxy_buffering on; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_cache CACHE; - proxy_cache_valid 200 7d; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - proxy_cache_lock on; - proxy_cache_revalidate on; - - tcp_nodelay on; - } - - location /api/v1/streaming { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Proxy ""; - - proxy_pass http://streaming:4000; - proxy_buffering off; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - tcp_nodelay on; - } - - error_page 403 /assets/403.html; - error_page 404 /assets/404.html; - error_page 410 /assets/410.html; - error_page 422 /assets/422.html; - error_page 500 501 502 503 504 /assets/500.html; -} - -proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=2g use_temp_path=off; -``` - - - -## Start Services as Daemon - -For initial installation: - -``` -$ docker-compose pull -Pulling redis (redis:alpine)... -alpine: Pulling from library/redis -Digest: sha256:692147c8a1673fc172f12724f5313e00b8459291e3fe17a10856b4d2c0bf56fb -Status: Image is up to date for redis:alpine -Pulling db (postgres:9-alpine)... -9-alpine: Pulling from library/postgres -Digest: sha256:49f5c42990833857f4caa6d06437b3ce6391e830b05e07c11c6c7737be535649 -Status: Image is up to date for postgres:9-alpine -Pulling streaming (pluralcafe/mastodon:stable)... -stable: Pulling from pluralcafe/mastodon -Digest: sha256:10d01d4376454e86bddcdb836b8d088e9eff4a390a1b4e0250b7893dd87f307e -Status: Downloaded newer image for pluralcafe/mastodon:stable -Pulling sidekiq (pluralcafe/mastodon:stable)... -stable: Pulling from pluralcafe/mastodon -Digest: sha256:10d01d4376454e86bddcdb836b8d088e9eff4a390a1b4e0250b7893dd87f307e -Status: Image is up to date for pluralcafe/mastodon:stable -Pulling web (pluralcafe/mastodon:stable)... -stable: Pulling from pluralcafe/mastodon -Digest: sha256:10d01d4376454e86bddcdb836b8d088e9eff4a390a1b4e0250b7893dd87f307e -Status: Image is up to date for pluralcafe/mastodon:stable - -$ docker-compose up -d -Starting redis... done -Starting db... done -Starting nginx... done -Starting web... done -Starting streaming... done -Starting sidekiq... done -``` - -For updating: - -``` -$ (docker-compose pull 2>&1 | grep --silent "Downloaded newer") && (docker-compose stop && docker-compose up -d) -``` diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index 4098153..0000000 --- a/nginx.conf +++ /dev/null @@ -1,152 +0,0 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -server { - listen 80 default_server; - listen [::]:80 default_server; - server_name plural.cafe; - root /home/mastodon/live/public; - location /.well-known/acme-challenge/ { allow all; } - location / { return 301 https://$host$request_uri; } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?\w+)\.plural\.cafe$; - server_tokens off; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; - ssl_prefer_server_ciphers on; - ssl_ecdh_curve secp384r1; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s; - resolver_timeout 5s; - - ssl_dhparam /etc/ssl/certs/dhparam4096.pem; - - ssl_certificate /etc/letsencrypt/live/plural.cafe/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem; - - keepalive_timeout 70; - sendfile on; - client_max_body_size 0; - - gzip off; - - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "same-origin"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - return 301 "https://plural.cafe/@${subdomain}"; -} - -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - server_name plural.cafe; - server_tokens off; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL; - ssl_prefer_server_ciphers on; - ssl_ecdh_curve secp384r1; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s; - resolver_timeout 5s; - - ssl_dhparam /etc/ssl/certs/dhparam4096.pem; - - ssl_certificate /etc/letsencrypt/live/plural.cafe/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem; - - keepalive_timeout 70; - sendfile on; - client_max_body_size 0; - - root /home/mastodon/live/public; - - gzip off; # anti-BREACH - - add_header X-Terms-Of-Service "https://plural.cafe/about/more"; - add_header X-Source-Code "https://github.com/pluralcafe/mastodon"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'; base-uri 'self'; form-action 'self'; default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self' https://fonts.googleapis.com/ 'sha256-deDIoPlRijnpfbTDYsK+8JmDfUBmpwpnb0L/SUV8NeU=' 'sha256-dsU/1vqKDGkqSAJVJCzaxo3alnWrTU/iQqFREt5QB+g='; img-src * data: https://d2rm2wyqhf92ej.cloudfront.net/; media-src 'self' data: https://d2rm2wyqhf92ej.cloudfront.net/; worker-src 'self'; frame-src https://player.vimeo.com https://youtube.com https://www.youtube.com; font-src 'self' data: https://fonts.gstatic.com/; connect-src 'self' wss://plural.cafe"; - add_header Referrer-Policy "same-origin"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - location / { - try_files $uri @proxy; - } - - location /sw.js { - add_header Cache-Control "public, max-age=0"; - try_files $uri @proxy; - } - - location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { - add_header Cache-Control "public, max-age=31536000, immutable"; - try_files $uri @proxy; - } - - location @proxy { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Proxy ""; - proxy_pass_header Server; - - proxy_pass http://127.0.0.1:3000; - proxy_buffering off; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - tcp_nodelay on; - } - - location /api/v1/streaming { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Proxy ""; - - proxy_pass http://127.0.0.1:4000; - proxy_buffering off; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - tcp_nodelay on; - } - - error_page 403 /assets/403.html; - error_page 404 /assets/404.html; - error_page 410 /assets/410.html; - error_page 422 /assets/422.html; - error_page 500 501 502 503 504 /assets/500.html; -} - -- cgit