add ElasticSearch notes

2025-04-26 04:35:21 -04:00 · 2022-12-12 10:25:40 -05:00 · 2022-12-12 10:25:40 -05:00 · 68386a800a
commit 68386a800a
parent 5ef58edd14
7 changed files with 89 additions and 64 deletions
--- a/README.md
+++ b/README.md
@ -7,6 +7,7 @@ Random opinionated helper scripts & front-end customizations for my [personal Ma
 The [wiki of this repo](https://github.com/jakejarvis/mastodon-scripts/wiki) and the [`/etc` folder](etc/) are simply my way of not forgetting how I did something, which I do quite a bit. Refer there for random notes on PgBouncer, Grafana, etc. but **DO NOT BLINDLY COPY & PASTE** anything there without doing your own research!

 - [Grafana & Prometheus](https://github.com/jakejarvis/mastodon-scripts/wiki/Prometheus-&-Grafana)
+- [ElasticSearch](https://github.com/jakejarvis/mastodon-scripts/wiki/ElasticSearch)
 - [PgBouncer](https://github.com/jakejarvis/mastodon-scripts/wiki/Postgres-&-PgBouncer)
 - [Brotli compression](https://github.com/jakejarvis/mastodon-scripts/wiki/Brotli-compression-for-nginx)

--- a/etc/elasticsearch/elasticsearch.yml
+++ b/etc/elasticsearch/elasticsearch.yml
@ -0,0 +1,53 @@
+# ======================== Elasticsearch Configuration =========================
+#
+# NOTE: Elasticsearch comes with reasonable defaults for most settings.
+#       Before you set out to tweak and tune the configuration, make sure you
+#       understand what are you trying to accomplish and the consequences.
+#
+# The primary way of configuring a node is via this file. This template lists
+# the most important settings you may want to configure for a production cluster.
+#
+# Please consult the documentation for further information on configuration options:
+# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
+#
+# ----------------------------------- Paths ------------------------------------
+#
+# Path to directory where to store the data (separate multiple locations by comma):
+#
+path.data: /var/lib/elasticsearch
+#
+# Path to log files:
+#
+path.logs: /var/log/elasticsearch
+#
+# ---------------------------------- Network -----------------------------------
+#
+# By default Elasticsearch is only accessible on localhost. Set a different
+# address here to expose this node on the network:
+#
+# network.host: 0.0.0.0
+#
+# By default Elasticsearch listens for HTTP traffic on the first free port it
+# finds starting at 9200. Set a specific HTTP port here:
+#
+http.port: 9200
+#
+# For more information, consult the network module documentation.
+#
+# ---------------------------------- Security ----------------------------------
+#
+#                                 *** WARNING ***
+#
+# Elasticsearch security features are not enabled by default.
+# These features are free, but require configuration changes to enable them.
+# This means that users don’t have to provide credentials and can get full access
+# to the cluster. Network connections are also not encrypted.
+#
+# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
+# Refer to the following documentation for instructions.
+#
+# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
+#
+
+# shuts up constant warning logs about security (N/A because of strict firewall):
+xpack.security.enabled: false
--- a/etc/elasticsearch/jvm.options.d/heap-size.options
+++ b/etc/elasticsearch/jvm.options.d/heap-size.options
@ -0,0 +1,2 @@
+-Xms1g
+-Xmx1g
--- a/etc/grafana/grafana.ini
+++ b/etc/grafana/grafana.ini
@ -33,13 +33,16 @@ default_theme = dark
 disable_login = true
 disable_login_form = true

+[auth.anonymous]
+hide_version = true
+
 [auth.grafana_com]
 enabled = true
 allow_sign_up = false
-client_id =
-client_secret =
+client_id = XXXXXX
+client_secret = XXXXXX
 scopes = user:email
-allowed_organizations =
+allowed_organizations = XXXXXX

 [metrics]
 enabled = false
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@ -1,4 +1,4 @@
-user mastodon; # jake: changed from nginx
+user mastodon; # changed from 'nginx'
 worker_processes auto;
 pid /run/nginx.pid;

@ -7,7 +7,7 @@ load_module modules/ngx_http_brotli_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;

 events {
-	worker_connections 768;
+	worker_connections 1024;
 }

 http {
@ -24,7 +24,14 @@ http {
 	keepalive_timeout 65;
 	types_hash_max_size 2048;

-	# jake: added (prometheus target)
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	# stats for prometheus nginx exporter
 	server {
 		listen 9181;
 		location /metrics {
@ -34,13 +41,6 @@ http {
 		}
 	}

-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
 	##
 	# Virtual Host Configs
 	##
--- a/etc/nginx/sites-available/default.conf
+++ b/etc/nginx/sites-available/default.conf
@ -1,4 +1,6 @@
-# don't respond to direct IP address requests
+# don't respond to direct IP address requests:
+# https://www.codedodle.com/disable-direct-ip-access-nginx.html
+
 server {
  listen 80 default_server;
  listen [::]:80 default_server;
--- a/etc/nginx/sites-available/mastodon.conf
+++ b/etc/nginx/sites-available/mastodon.conf
@ -1,3 +1,5 @@
+# modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
+
 map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
@ -23,7 +25,7 @@ server {
    return 301 https://$host$request_uri;
  } # managed by Certbot

-  return 404; # managed by Certbot
+  return 403;
 }

 server {
@ -62,8 +64,8 @@ server {
             image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
  gzip_min_length 256;

-  # jake: added
  # https://github.com/google/ngx_brotli#sample-configuration
+  # https://github.com/jakejarvis/mastodon-scripts/wiki/Brotli-compression-for-nginx
  brotli on;
  brotli_comp_level 4;
  brotli_static on;
@ -74,60 +76,22 @@ server {
               image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
  brotli_min_length 256;

-  location / {
-    try_files $uri @proxy;
-  }
-
-  # jake: added
+  # add shortcut to public Grafana dashboard
  location ~ ^/dashboard/?$ {
    return 302 https://grafana.pipe.fail/public-dashboards/b5ca7a7c8e844f90b0973d2ab02bad0a;
  }

-  # If Docker is used for deployment and Rails serves static files,
-  # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
+  location / {
+    try_files $uri @proxy;
+  }
+
  location = /sw.js {
    add_header Cache-Control "public, max-age=604800, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    try_files $uri =404;
  }

-  location ~ ^/assets/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/avatars/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/emoji/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/headers/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/packs/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/shortcuts/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/sounds/ {
+  location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    try_files $uri =404;
@ -155,7 +119,7 @@ server {

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

-    # jake: added (debugging)
+    # debugging
    add_header Via "1.1 $proxy_host" always;

    tcp_nodelay on;
@ -167,7 +131,7 @@ server {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Proxy "";
-    # jake: removed
+    # remove 'Server: Mastodon' response header
    # proxy_pass_header Server;

    proxy_pass http://backend;
@ -182,11 +146,11 @@ server {
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

-    # jake: added (security)
+    # security
    proxy_hide_header Referrer-Policy;
    add_header Referrer-Policy "strict-origin" always;

-    # jake: added (debugging)
+    # debugging
    add_header Via "1.1 $proxy_host" always;
    add_header X-Cache-Status $upstream_cache_status always;
    add_header X-Got-Milk "2%" always;