From a96e4667759bc2b5abaa2d815753115c89c231b5 Mon Sep 17 00:00:00 2001
From: Jake Jarvis
Date: Fri, 23 Dec 2022 20:49:48 -0500
Subject: [PATCH] bunch of fixes for stricter Ubuntu 22.04 permissions

---
 README.md | 8 ++++---
 init.sh | 25 +++++++++++++++++----
 scripts/install.sh | 54 +++++++++++++++++++++++++++-------------------
 scripts/upgrade.sh | 18 ++++++++++------
 4 files changed, 70 insertions(+), 35 deletions(-)

diff --git a/README.md b/README.md
index 51836be..b1e87f4 100644
--- a/README.md
+++ b/README.md
@@ -20,9 +20,11 @@ The [wiki of this repo](https://github.com/jakejarvis/mastodon-utils/wiki) and t
 ***AGAIN, DEFINITELY DO NOT JUST RUN THIS IF YOU'RE NOT ME!!! ๐Ÿ˜Š***
 
 ```sh
-git clone https://github.com/jakejarvis/mastodon-utils.git /home/mastodon/utils && cd /home/mastodon/utils
+mkdir -p /home/mastodon
+git clone https://github.com/jakejarvis/mastodon-utils.git /home/mastodon/utils
+cd /home/mastodon/utils
 
-# install Mastodon on fresh Ubuntu 20.04:
+# install Mastodon on fresh Ubuntu box:
 ./scripts/install.sh
 
 # back up Postgres, Redis, and secrets:
@@ -54,7 +56,7 @@ git clone https://github.com/jakejarvis/mastodon-utils.git /home/mastodon/utils
 
 **The following scripts are highly opinionated, catastrophically destructive, and very specific to me.**ย Check them out line-by-line instead of running them.
 
-- [`install.sh`](scripts/install.sh): Assumes an absolutely clean install of Ubuntu 20.04 and installs Mastodon ***with all of the quirks from this repo.*** Configure `MASTODON_USER` and other paths in [`init.sh`](init.sh) first if necessary. [Get the far less dangerous version of `install.sh` here instead.](https://github.com/jakejarvis/mastodon-installer/blob/main/install.sh)
+- [`install.sh`](scripts/install.sh): Assumes an absolutely clean install of Ubuntu and installs Mastodon ***with all of the quirks from this repo.*** Configure `MASTODON_USER` and other paths in [`init.sh`](init.sh) first if necessary. [Get the far less dangerous version of `install.sh` here instead.](https://github.com/jakejarvis/mastodon-installer/blob/main/install.sh)
 - [`upgrade.sh`](scripts/upgrade.sh): Upgrades Mastodon server (latest version if vanilla Mastodon, latest commit if `glitch-soc`) and ***re-applies every patch*** listed below. [Get the far less dangerous version of `upgrade.sh` here instead.](https://github.com/jakejarvis/mastodon-installer/blob/main/upgrade.sh)
 
 ## Patches
diff --git a/init.sh b/init.sh
index f5396d1..f27f4bc 100755
--- a/init.sh
+++ b/init.sh
@@ -43,15 +43,32 @@ fi
 
 # run a given command as MASTODON_USER (`as_mastodon whoami`)
 as_mastodon() {
-# don't do unnecessary sudo'ing if we're already mastodon
+# crazy bandaids to make sure node & ruby are always available to MASTODON_USER
+# support quotes in args: https://stackoverflow.com/a/68898864/1438024
+CMD=$(
+(
+PS4='+'
+exec 2>&1
+set -x
+true "$@"
+) | sed 's/^+*true //'
+)
+if [ -s "$RBENV_ROOT/bin/rbenv" ]; then
+CMD="eval \"\$(\"$RBENV_ROOT\"/bin/rbenv init - bash)\"; $CMD"
+fi
+if [ -s "$NVM_DIR/nvm.sh" ]; then
+CMD="source \"$NVM_DIR/nvm.sh\"; $CMD"
+fi
+
+# don't do unnecessary sudo'ing if we're already MASTODON_USER
 if [ "$(whoami)" != "$MASTODON_USER" ]; then
-sudo -u "$MASTODON_USER" env "PATH=$PATH" "$@"
+sudo -u "$MASTODON_USER" env "PATH=$PATH" "NVM_DIR=$NVM_DIR" "RBENV_ROOT=$RBENV_ROOT" bash -c "$CMD"
 else
-"$@"
+bash -c "$CMD"
 fi
 }
 
 # run 'bin/tootctl' as MASTODON_USER in APP_ROOT from anywhere (`tootctl version`)
 tootctl() {
-( cd "$APP_ROOT" && as_mastodon RAILS_ENV=production ruby "$APP_ROOT/bin/tootctl" "$@" )
+( cd "$APP_ROOT" && as_mastodon RAILS_ENV=production ruby ./bin/tootctl "$@" )
 }
diff --git a/scripts/install.sh b/scripts/install.sh
index dfc8e76..9203370 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -24,7 +24,7 @@ fi
 
 # ask for required info up-front
 read -p "Server FQDN? " MASTODON_DOMAIN
-read -p "Public domain? (the second part of usernames, usually the same) " MASTODON_USERNAME_DOMAIN
+read -p "Public domain? (the second part of usernames, usually the same as FQDN) " MASTODON_USERNAME_DOMAIN
 read -p "Admin username? " MASTODON_ADMIN_USERNAME
 read -p "Admin email? " MASTODON_ADMIN_EMAIL
 
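Review bot: `CMD` in the new `as_mastodon` body is a plain global rather than `local`, and the `.bashrc` line install.sh now appends sources init.sh into MASTODON_USER's interactive shells, so every call leaves the assembled command string (rbenv/nvm init plus the caller's arguments) behind as a shell variable there; `local CMD` as the first line of the function fixes it. The `set -x` round-trip quotes each argument safely for `bash -c`, but `$RBENV_ROOT` and `$NVM_DIR` are spliced into the string already expanded, so a value containing `"` or `$` would be re-parsed by the inner shell — fine for the defaults this repo sets, but worth recording with `# RBENV_ROOT/NVM_DIR must not contain quotes or $; they are spliced verbatim into a bash -c string`. With no arguments the trace line is `+true` and the sed pattern `^+*true ` (trailing space) does not strip it, so `bash -c "+true"` runs; every caller in this patch passes arguments, so that is latent rather than live.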
@@ -39,13 +39,14 @@ sudo hostnamectl set-hostname "$MASTODON_DOMAIN"
 
 # create non-root user named MASTODON_USER (unless it already exists)
 if ! id -u "$MASTODON_USER" >/dev/null 2>&1; then
-sudo adduser --disabled-login --gecos "Mastodon" "$MASTODON_USER"
+sudo adduser --gecos "Mastodon" --home "$MASTODON_ROOT" --disabled-login "$MASTODON_USER"
+echo "[ -s \"$UTILS_ROOT/init.sh\" ] && \. \"$UTILS_ROOT/init.sh\" >/dev/null 2>&1" | sudo tee -a "$MASTODON_ROOT/.bashrc" >/dev/null
+sudo chown -R "$MASTODON_USER":"$MASTODON_USER" "$MASTODON_ROOT"
 fi
 
 # install latest ubuntu updates
-sudo apt update
-sudo DEBIAN_FRONTEND=noninteractive apt upgrade -y
-sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends \
+sudo DEBIAN_FRONTEND=noninteractive apt-get update
+sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 curl \
 wget \
 gnupg \
@@ -67,8 +68,8 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx
 
 # install prerequisites:
 # https://docs.joinmastodon.org/admin/install/#system-packages
-sudo apt update
-sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends \
+sudo DEBIAN_FRONTEND=noninteractive apt-get update
+sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 git-core \
 g++ \
 libpq-dev \
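Review bot: `sudo chown -R "$MASTODON_USER":"$MASTODON_USER" "$MASTODON_ROOT"` hands the service account ownership of everything already under its home, and the README change in this same patch clones this repo to `/home/mastodon/utils` before install.sh is run — if `UTILS_ROOT` sits inside `MASTODON_ROOT`, the scripts root later executes from its own crontab (`@weekly bash -c "$UTILS_ROOT/scripts/weekly_cleanup.sh ..."` further down install.sh) become writable by the unprivileged user, which collapses the boundary the patch is trying to enforce. Limit the chown to what adduser would have owned: `sudo chown "$MASTODON_USER":"$MASTODON_USER" "$MASTODON_ROOT" "$MASTODON_ROOT/.bashrc"` — the rbenv, nvm and app checkouts are created via `as_mastodon` and are already owned correctly — or keep the utils checkout outside `MASTODON_ROOT`. Separately, the context comment `# install latest ubuntu updates` is stale now that `apt upgrade -y` has been removed; `# refresh package index` describes what remains.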
@@ -108,42 +109,50 @@ sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends \
 # https://github.com/rbenv/ruby-build#clone-as-rbenv-plugin-using-git
 as_mastodon git clone https://github.com/rbenv/rbenv.git "$RBENV_ROOT"
 as_mastodon git clone https://github.com/rbenv/ruby-build.git "$RBENV_ROOT/plugins/ruby-build"
-eval "$("$RBENV_ROOT"/bin/rbenv init -)"
 
 # install nvm
 # https://github.com/nvm-sh/nvm#manual-install
-as_mastodon git clone https://github.com/nvm-sh/nvm.git "$NVM_DIR" && cd "$NVM_DIR"
-as_mastodon git checkout "$(as_mastodon git describe --abbrev=0 --tags --match "v[0-9]*" "$(as_mastodon git rev-list --tags --max-count=1)")"
-. "$NVM_DIR/nvm.sh"
+as_mastodon git clone https://github.com/nvm-sh/nvm.git "$NVM_DIR"
 
 # clone vanilla Mastodon & checkout latest version:
 as_mastodon git clone https://github.com/mastodon/mastodon.git "$APP_ROOT" && cd "$APP_ROOT"
-as_mastodon git checkout "$(as_mastodon git describe --abbrev=0 --tags --match "v[0-9]*" "$(as_mastodon git rev-list --tags --max-count=1)")"
-# clone glitch-soc & checkout latest commit:
-# as_mastodon git clone https://github.com/glitch-soc/mastodon.git "$APP_ROOT" && cd "$APP_ROOT"
+as_mastodon git config --global --add safe.directory "$APP_ROOT"
+as_mastodon git checkout "$(as_mastodon git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)"
+# uncomment to install glitch-soc fork:
+# as_mastodon git remote add glitch-soc https://github.com/glitch-soc/mastodon
+# as_mastodon git fetch --all
+# as_mastodon git checkout glitch-soc/main
 
-# apply custom patches:
-as_mastodon git apply --reject --allow-binary-replacement "$UTILS_ROOT"/patches/*.patch
-# apply additional glitch-only patches:
-# as_mastodon git apply --reject --allow-binary-replacement "$UTILS_ROOT"/patches/glitch/*.patch
+# apply custom patches (skips errors):
+for PATCH in "$UTILS_ROOT"/patches/*.patch; do
+as_mastodon git apply --reject --allow-binary-replacement "$PATCH" || true
+done
+# apply additional glitch-only patches if applicable:
+if [ -d "$APP_ROOT/app/javascript/flavours/glitch" ]; then
+for PATCH in "$UTILS_ROOT"/patches/glitch/*.patch; do
+as_mastodon git apply --reject --allow-binary-replacement "$PATCH" || true
+done
+fi
 
 # install ruby
 as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing
 as_mastodon rbenv global "$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
 
 # install node & yarn
-as_mastodon bash -c "\. \"$NVM_DIR/nvm.sh\"; nvm install; nvm use; npm install --global yarn"
+as_mastodon nvm install
+as_mastodon nvm use
+as_mastodon npm install --global yarn
 
 # install npm and gem dependencies
 as_mastodon gem install bundler --no-document
 as_mastodon bundle config deployment "true"
 as_mastodon bundle config without "development test"
 as_mastodon bundle install --jobs "$(getconf _NPROCESSORS_ONLN)"
-as_mastodon yarn install --pure-lockfile --network-timeout 100000
+as_mastodon yarn install --pure-lockfile
 
 # set up database w/ random alphanumeric password
 DB_PASSWORD=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32; echo)
-echo "CREATE USER '$MASTODON_USER' WITH PASSWORD '$DB_PASSWORD' CREATEDB" | sudo -u postgres psql -f -
+echo "CREATE USER $MASTODON_USER WITH PASSWORD '$DB_PASSWORD' CREATEDB" | sudo -u postgres psql -f -
 
 # populate .env.production config
 echo "$INSTALLER_WUZ_HERE
@@ -234,6 +243,7 @@ sudo certbot certonly \
 sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 sudo cp "$UTILS_ROOT"/etc/nginx/nginx.conf /etc/nginx/nginx.conf
 sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g"
+sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
 sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
 sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|mastodon.example.com|$MASTODON_DOMAIN|g"
 sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|/home/mastodon/live|$APP_ROOT|g"
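Review bot: `|| true` after each `git apply --reject` in the new patch loops makes a rejected hunk invisible: the `.rej` files are left in the tree and the script goes on to build and deploy a partially patched checkout with nothing but the `(skips errors)` comment as a hint. At minimum surface it, `as_mastodon git apply --reject --allow-binary-replacement "$PATCH" || echo "warning: $PATCH did not apply cleanly, inspect *.rej" >&2`, and the same applies to both loops in upgrade.sh `@@ -30,11 +30,15 @@`. Because the new `as_mastodon` runs every call in a fresh `bash -c` (init.sh hunk), the standalone `as_mastodon nvm use` cannot influence the `npm install --global yarn` and `yarn install` lines that follow; the node version they see is whatever `nvm.sh` selects when it is sourced (presumably the default alias `nvm install` creates) — the same sequence appears in upgrade.sh `@@ -42,11 +46,13 @@`, and a comment such as `# each as_mastodon call is a separate shell; later commands rely on nvm's default alias, not on 'nvm use'` would record that assumption. Dropping the tag checkout also leaves the nvm clone at whatever commit its default branch is at install time rather than a tagged release, which is worth stating in the comment if intended.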
@@ -272,5 +282,5 @@ tootctl accounts create \
 @weekly bash -c \"$UTILS_ROOT/scripts/weekly_cleanup.sh >> $LOGS_ROOT/cron.log 2>&1\"
 ") | sudo crontab -
 
-echo "๐ŸŽ‰ done! don't forget to fill in .env.production with credentials"
+echo "๐ŸŽ‰ done! don't forget to fill in .env.production with optional credentials"
 echo "https://$MASTODON_DOMAIN/auth/sign_in"
diff --git a/scripts/upgrade.sh b/scripts/upgrade.sh
index cd748e0..ee146e9 100755
--- a/scripts/upgrade.sh
+++ b/scripts/upgrade.sh
@@ -30,11 +30,15 @@ else
 as_mastodon git checkout "$(as_mastodon git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)"
 fi
 
-# apply custom patches
-as_mastodon git apply --reject --allow-binary-replacement "$UTILS_ROOT"/patches/*.patch
+# apply custom patches (skips errors):
+for PATCH in "$UTILS_ROOT"/patches/*.patch; do
+as_mastodon git apply --reject --allow-binary-replacement "$PATCH" || true
+done
+# apply additional glitch-only patches if applicable:
 if [ -d "$APP_ROOT/app/javascript/flavours/glitch" ]; then
-# apply additional glitch-only patches:
-as_mastodon git apply --reject --allow-binary-replacement "$UTILS_ROOT"/patches/glitch/*.patch
+for PATCH in "$UTILS_ROOT"/patches/glitch/*.patch; do
+as_mastodon git apply --reject --allow-binary-replacement "$PATCH" || true
+done
 fi
 
 # set new ruby version
@@ -42,11 +46,13 @@ as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing
 as_mastodon rbenv global "$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
 
 # set new node version
-as_mastodon bash -c "\. \"$NVM_DIR/nvm.sh\"; nvm install; nvm use; npm install --global yarn"
+as_mastodon nvm install
+as_mastodon nvm use
+as_mastodon npm install --global yarn
 
 # update dependencies
 as_mastodon bundle install --jobs "$(getconf _NPROCESSORS_ONLN)"
-as_mastodon yarn install --pure-lockfile --network-timeout 100000
+as_mastodon yarn install --pure-lockfile
 
 # compile new assets
 echo "Compiling new assets..."