avoid hard-coding 'mastodon' as the non-root user

scripts/backup.sh

@@ -39,7 +39,7 @@ sudo cp "$APP_ROOT/.env.production" "$TEMP_DIR/env.production"
 echo "Compressing..."
 ARCHIVE_DEST="$BACKUPS_ROOT/mastodon-$(date "+%Y.%m.%d-%H.%M.%S").tar.gz"
 sudo tar --owner=0 --group=0 -czvf "$ARCHIVE_DEST" -C "$TEMP_DIR" .
-sudo chown mastodon:mastodon "$ARCHIVE_DEST"
+sudo chown "$MASTODON_USER":"$MASTODON_USER" "$ARCHIVE_DEST"
 
 sudo rm -rf --preserve-root "$TEMP_DIR"
 

scripts/install.sh

@@ -27,7 +27,6 @@ read -p "Server FQDN? " MASTODON_DOMAIN
 read -p "Public domain? (the second part of usernames, usually the same) " MASTODON_USERNAME_DOMAIN
 read -p "Admin username? " MASTODON_ADMIN_USERNAME
 read -p "Admin email? " MASTODON_ADMIN_EMAIL
-read -p "Linode bucket name? " LINODE_BUCKET_NAME
 
 # leave our mark
 INSTALLER_WUZ_HERE="# Generated by mastodon-installer @ $(date)"
@@ -38,8 +37,10 @@ echo -e "\n$INSTALLER_WUZ_HERE
 ::1  localhost $MASTODON_DOMAIN" | sudo tee -a /etc/hosts >/dev/null
 sudo hostnamectl set-hostname "$MASTODON_DOMAIN"
 
-# create non-root mastodon user
-sudo adduser --disabled-login --gecos "Mastodon" mastodon
+# create non-root user named MASTODON_USER (unless it already exists)
+if ! id -u "$MASTODON_USER" >/dev/null 2>&1; then
+  sudo adduser --disabled-login --gecos "Mastodon" "$MASTODON_USER"
+fi
 
 # install latest ubuntu updates
 sudo apt update
@@ -54,7 +55,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends \
 
 # add official postgresql apt repository
 curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpg
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/postgresql.list >/dev/null
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/postgresql.list >/dev/null
 
 # add official redis apt repository
 curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
@@ -62,7 +63,7 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/redis
 
 # add official nginx apt repository
 curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list >/dev/null
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list >/dev/null
 
 # install prerequisites:
 # https://docs.joinmastodon.org/admin/install/#system-packages
@@ -126,7 +127,7 @@ as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing
 as_mastodon rbenv global "$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
 
 # install node & yarn
-as_mastodon bash -c "\. "$NVM_DIR/nvm.sh"; nvm install; nvm use; npm install --global yarn"
+as_mastodon bash -c "\. \"$NVM_DIR/nvm.sh\"; nvm install; nvm use; npm install --global yarn"
 
 # install npm and gem dependencies
 as_mastodon gem install bundler --no-document
@@ -137,7 +138,7 @@ as_mastodon yarn install --pure-lockfile --network-timeout 100000
 
 # set up database w/ random alphanumeric password
 DB_PASSWORD=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32; echo)
-echo "CREATE USER mastodon WITH PASSWORD '$DB_PASSWORD' CREATEDB" | sudo -u postgres psql -f -
+echo "CREATE USER '$MASTODON_USER' WITH PASSWORD '$DB_PASSWORD' CREATEDB" | sudo -u postgres psql -f -
 
 # populate .env.production config
 echo "$INSTALLER_WUZ_HERE
@@ -146,7 +147,7 @@ LOCAL_DOMAIN=$MASTODON_USERNAME_DOMAIN
 WEB_DOMAIN=$MASTODON_DOMAIN
 
 DB_HOST=localhost
-DB_USER=mastodon
+DB_USER=$MASTODON_USER
 DB_NAME=mastodon_production
 DB_PASS=$DB_PASSWORD
 
@@ -172,15 +173,15 @@ WEB_CONCURRENCY=3
 MAX_THREADS=10
 STREAMING_CLUSTER_NUM=1
 
-# using linode, not brand name S3: https://cloud.linode.com/object-storage/buckets/create
+# uses linode, not brand name S3: https://cloud.linode.com/object-storage/buckets/create
 # AWS_ACCESS_KEY_ID=XXXXXXXX
 # AWS_SECRET_ACCESS_KEY=XXXXXXXX
 # S3_ENABLED=true
-# S3_BUCKET=$LINODE_BUCKET_NAME
+# S3_BUCKET=my-bucket
 # S3_PROTOCOL=https
 # S3_HOSTNAME=us-east-1.linodeobjects.com
 # S3_ENDPOINT=https://us-east-1.linodeobjects.com
-# S3_ALIAS_HOST=$LINODE_BUCKET_NAME.us-east-1.linodeobjects.com
+# S3_ALIAS_HOST=my-bucket.us-east-1.linodeobjects.com
 
 # get SES credentials: https://us-east-1.console.aws.amazon.com/ses/home?region=us-east-1#/smtp
 # SMTP_SERVER=email-smtp.us-east-1.amazonaws.com
@@ -227,18 +228,23 @@ sudo certbot certonly \
 # configure nginx: copies conf files from this repo to /etc/nginx
 sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 sudo cp "$UTILS_ROOT"/etc/nginx/nginx.conf /etc/nginx/nginx.conf
-sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
+sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g"
 sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
-sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
-sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
 sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|mastodon.example.com|$MASTODON_DOMAIN|g"
+sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|/home/mastodon/live|$APP_ROOT|g"
+sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
+# sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
+sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
 sudo nginx -t
 
 # configure mastodon systemd services
 sudo cp "$UTILS_ROOT"/etc/systemd/system/mastodon-*.service /etc/systemd/system/
 
-# fix hard-coded /home/mastodon in systemd files (this is the default from init.sh anyways, so it probably won't change)
+# fix hard-coded paths and usernames in systemd files
+# (they already match the defaults from init.sh, so it's likely nothing will change)
+sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon/live|$APP_ROOT|g"
 sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon|$MASTODON_ROOT|g"
+sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|User=mastodon|User=$MASTODON_USER|g"
 
 # start everything up!
 sudo systemctl daemon-reload

scripts/upgrade.sh

@@ -31,12 +31,11 @@ else
 fi
 
 # set new ruby version
-RUBY_VERSION="$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
-as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing "$RUBY_VERSION"
-as_mastodon rbenv global "$RUBY_VERSION"
+as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing
+as_mastodon rbenv global "$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
 
 # set new node version
-as_mastodon bash -c "\. "$NVM_DIR/nvm.sh"; nvm install; nvm use; npm install --global yarn"
+as_mastodon bash -c "\. \"$NVM_DIR/nvm.sh\"; nvm install; nvm use; npm install --global yarn"
 
 # update dependencies
 as_mastodon bundle install --jobs "$(getconf _NPROCESSORS_ONLN)"
@@ -48,7 +47,8 @@ as_mastodon yarn install --pure-lockfile --network-timeout 100000
 # run migrations:
 # https://docs.joinmastodon.org/admin/upgrading/
 echo "Running pre-deploy database migrations..."
-as_mastodon SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production DB_PORT=5432 bundle exec rails db:migrate
+# note: DB_PORT is hard-coded because we need the raw DB, and .env.production might be pointing at pgbouncer
+as_mastodon DB_PORT=5432 SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production bundle exec rails db:migrate
 
 # restart mastodon
 echo "Restarting services (round 1/2)..."
@@ -58,7 +58,8 @@ sudo systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming
 echo "Clearing cache..."
 as_mastodon RAILS_ENV=production ruby "$APP_ROOT/bin/tootctl" cache clear
 echo "Running post-deploy database migrations..."
-as_mastodon RAILS_ENV=production DB_PORT=5432 bundle exec rails db:migrate
+# note: DB_PORT is hard-coded because we need the raw DB, and .env.production might be pointing at pgbouncer
+as_mastodon DB_PORT=5432 RAILS_ENV=production bundle exec rails db:migrate
 
 # restart mastodon again
 echo "Restarting services (round 2/2)..."

scripts/version.sh

@@ -6,6 +6,9 @@ set -euo pipefail
 # initialize path
 . "$(dirname "$(realpath "$0")")"/../init.sh
 
-echo "* rbenv version: $(rbenv --version)"
-echo "* Ruby version: $(ruby --version)"
-echo "* Mastodon version: $(tootctl version)"
+echo "* rbenv:    $(rbenv --version)"
+echo "* nvm:      $(nvm --version)"
+echo "* Ruby:     $(ruby --version)"
+echo "* Node.js:  $(node --version)"
+echo "* Yarn:     $(yarn --version)"
+echo "* Mastodon: $(tootctl version)"