avoid hard-coding 'mastodon' as the non-root user

README.md

@@ -38,12 +38,10 @@ git clone https://github.com/jakejarvis/mastodon-utils.git /home/mastodon/utils
   - **Optional:** To make your life easier, you can also source this script from the `.bashrc` of the `mastodon` user and/or whichever user you regularly SSH in as:
 
 ```sh
-if [ -f /home/mastodon/utils/init.sh ]; then
+[ -s /home/mastodon/utils/init.sh ] && \. /home/mastodon/utils/init.sh >/dev/null 2>&1
-  . /home/mastodon/utils/init.sh
-fi
 ```
 
-- [`version.sh`](scripts/version.sh): Tests `init.sh` by printing Mastodon, Ruby, and rbenv versions.
+- [`version.sh`](scripts/version.sh): Tests `init.sh` by printing version of Mastodon, rbenv, nvm, Ruby, Node, and Yarn.
 
 #### Periodic tasks
 
@@ -56,7 +54,7 @@ fi
 
 **The following scripts are highly opinionated, catastrophically destructive, and very specific to me.** Check them out line-by-line instead of running them.
 
-- [`install.sh`](scripts/install.sh): Assumes an absolutely clean install of Ubuntu 20.04 and installs Mastodon ***with all of the quirks from this repo.*** Configure `MASTODON_ROOT` and other paths in [`init.sh`](init.sh) first if necessary. [Get the far less dangerous version of `install.sh` here instead.](https://github.com/jakejarvis/mastodon-installer/blob/main/install.sh)
+- [`install.sh`](scripts/install.sh): Assumes an absolutely clean install of Ubuntu 20.04 and installs Mastodon ***with all of the quirks from this repo.*** Configure `MASTODON_USER` and other paths in [`init.sh`](init.sh) first if necessary. [Get the far less dangerous version of `install.sh` here instead.](https://github.com/jakejarvis/mastodon-installer/blob/main/install.sh)
 - [`upgrade.sh`](scripts/upgrade.sh): Upgrades Mastodon server (latest version if vanilla Mastodon, latest commit if `glitch-soc`) and ***re-applies every patch*** listed below. [Get the far less dangerous version of `upgrade.sh` here instead.](https://github.com/jakejarvis/mastodon-installer/blob/main/upgrade.sh)
 - [`apply_patches.sh`](scripts/apply_patches.sh): Apply every patch below on top of the currently installed version of Mastodon.
 

etc/nginx/nginx.conf

@@ -1,11 +1,11 @@
-user mastodon; # changed from 'nginx'
+user nginx;
 worker_processes auto;
 pid /run/nginx.pid;
 
 # compiled brotli modules from https://github.com/google/ngx_brotli
 # see: https://github.com/jakejarvis/mastodon-utils/wiki/nginx#brotli-compression
-load_module modules/ngx_http_brotli_filter_module.so;
+# load_module modules/ngx_http_brotli_filter_module.so;
-load_module modules/ngx_http_brotli_static_module.so;
+# load_module modules/ngx_http_brotli_static_module.so;
 
 events {
 	worker_connections 1024;

etc/nginx/sites-available/mastodon.conf

@@ -23,10 +23,10 @@ server {
 
 	root /home/mastodon/live/public;
 
-	ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem; # managed by Certbot
+	ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem; # managed by Certbot
+	ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem;
-	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+	include /etc/letsencrypt/options-ssl-nginx.conf;
-	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
 	# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=1.1.1f&guideline=5.6
 	ssl_stapling on;
@@ -53,15 +53,15 @@ server {
 
 	# https://github.com/google/ngx_brotli#sample-configuration
 	# https://github.com/jakejarvis/mastodon-utils/wiki/nginx#brotli-compression
-	brotli on;
+	# brotli on;
-	brotli_comp_level 4;
+	# brotli_comp_level 4;
-	brotli_static on;
+	# brotli_static on;
-	brotli_min_length 256;
+	# brotli_min_length 256;
-	brotli_types	application/atom+xml application/javascript application/json application/rss+xml
+	# brotli_types	application/atom+xml application/javascript application/json application/rss+xml
-			application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
+	# 		application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
-			application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
+	# 		application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
-			font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
+	# 		font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
-			image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+	# 		image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
 
 	# sends most paths to the backend proxy and ignores the location blocks below, except if
 	# the file exists in /home/mastodon/live
@@ -149,7 +149,6 @@ server {
 		# debugging headers
 		add_header Via "1.1 $proxy_host" always;
 		add_header X-Cache-Status $upstream_cache_status always;
-		add_header X-Got-Milk "2%" always;
 
 		tcp_nodelay on;
 	}
@@ -164,8 +163,8 @@ server {
 	server_name mastodon.example.com;
 
 	if ($host = mastodon.example.com) {
-		return 301 https://$host$request_uri;
+		return 308 https://$host$request_uri;
-	} # managed by Certbot
+	}
 
 	return 403;
 }

init.sh

@@ -1,7 +1,10 @@
 #!/bin/bash
 
+# user running mastodon
+export MASTODON_USER=mastodon
+
 # default paths
-export MASTODON_ROOT=/home/mastodon
+export MASTODON_ROOT="/home/$MASTODON_USER"   # home dir of the user above
 export UTILS_ROOT="$MASTODON_ROOT/utils"      # this repository
 export APP_ROOT="$MASTODON_ROOT/live"         # actual Mastodon files
 export BACKUPS_ROOT="$MASTODON_ROOT/backups"  # backups destination
@@ -33,22 +36,22 @@ fi
 # clone this repo if it doesn't exist in the proper location
 # if [ ! -d "$UTILS_ROOT" ]; then
 #   echo "⚠️ Couldn't find mastodon-utils at '$UTILS_ROOT', cloning it for you..."
-#   sudo -u mastodon git clone https://github.com/jakejarvis/mastodon-utils.git "$UTILS_ROOT"
+#   as_mastodon git clone https://github.com/jakejarvis/mastodon-utils.git "$UTILS_ROOT"
 # fi
 
 # ---
 
-# run a given command as the 'mastodon' user (`as_mastodon whoami`)
+# run a given command as MASTODON_USER (`as_mastodon whoami`)
 as_mastodon() {
   # don't do unnecessary sudo'ing if we're already mastodon
-  if [ "$(whoami)" != "mastodon" ]; then
+  if [ "$(whoami)" != "$MASTODON_USER" ]; then
-    sudo -u mastodon env "PATH=$PATH" "$@"
+    sudo -u "$MASTODON_USER" env "PATH=$PATH" "$@"
   else
     "$@"
   fi
 }
 
-# run 'bin/tootctl' as 'mastodon' in '/home/mastodon/live' from anywhere (`tootctl version`)
+# run 'bin/tootctl' as MASTODON_USER in APP_ROOT from anywhere (`tootctl version`)
 tootctl() {
   ( cd "$APP_ROOT" && as_mastodon RAILS_ENV=production ruby "$APP_ROOT/bin/tootctl" "$@" )
 }

scripts/backup.sh

@@ -39,7 +39,7 @@ sudo cp "$APP_ROOT/.env.production" "$TEMP_DIR/env.production"
 echo "Compressing..."
 ARCHIVE_DEST="$BACKUPS_ROOT/mastodon-$(date "+%Y.%m.%d-%H.%M.%S").tar.gz"
 sudo tar --owner=0 --group=0 -czvf "$ARCHIVE_DEST" -C "$TEMP_DIR" .
-sudo chown mastodon:mastodon "$ARCHIVE_DEST"
+sudo chown "$MASTODON_USER":"$MASTODON_USER" "$ARCHIVE_DEST"
 
 sudo rm -rf --preserve-root "$TEMP_DIR"
 

scripts/install.sh

@@ -27,7 +27,6 @@ read -p "Server FQDN? " MASTODON_DOMAIN
 read -p "Public domain? (the second part of usernames, usually the same) " MASTODON_USERNAME_DOMAIN
 read -p "Admin username? " MASTODON_ADMIN_USERNAME
 read -p "Admin email? " MASTODON_ADMIN_EMAIL
-read -p "Linode bucket name? " LINODE_BUCKET_NAME
 
 # leave our mark
 INSTALLER_WUZ_HERE="# Generated by mastodon-installer @ $(date)"
@@ -38,8 +37,10 @@ echo -e "\n$INSTALLER_WUZ_HERE
 ::1  localhost $MASTODON_DOMAIN" | sudo tee -a /etc/hosts >/dev/null
 sudo hostnamectl set-hostname "$MASTODON_DOMAIN"
 
-# create non-root mastodon user
+# create non-root user named MASTODON_USER (unless it already exists)
-sudo adduser --disabled-login --gecos "Mastodon" mastodon
+if ! id -u "$MASTODON_USER" >/dev/null 2>&1; then
+  sudo adduser --disabled-login --gecos "Mastodon" "$MASTODON_USER"
+fi
 
 # install latest ubuntu updates
 sudo apt update
@@ -54,7 +55,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends \
 
 # add official postgresql apt repository
 curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpg
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/postgresql.list >/dev/null
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/postgresql.list >/dev/null
 
 # add official redis apt repository
 curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
@@ -62,7 +63,7 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/redis
 
 # add official nginx apt repository
 curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list >/dev/null
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list >/dev/null
 
 # install prerequisites:
 # https://docs.joinmastodon.org/admin/install/#system-packages
@@ -126,7 +127,7 @@ as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing
 as_mastodon rbenv global "$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
 
 # install node & yarn
-as_mastodon bash -c "\. "$NVM_DIR/nvm.sh"; nvm install; nvm use; npm install --global yarn"
+as_mastodon bash -c "\. \"$NVM_DIR/nvm.sh\"; nvm install; nvm use; npm install --global yarn"
 
 # install npm and gem dependencies
 as_mastodon gem install bundler --no-document
@@ -137,7 +138,7 @@ as_mastodon yarn install --pure-lockfile --network-timeout 100000
 
 # set up database w/ random alphanumeric password
 DB_PASSWORD=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32; echo)
-echo "CREATE USER mastodon WITH PASSWORD '$DB_PASSWORD' CREATEDB" | sudo -u postgres psql -f -
+echo "CREATE USER '$MASTODON_USER' WITH PASSWORD '$DB_PASSWORD' CREATEDB" | sudo -u postgres psql -f -
 
 # populate .env.production config
 echo "$INSTALLER_WUZ_HERE
@@ -146,7 +147,7 @@ LOCAL_DOMAIN=$MASTODON_USERNAME_DOMAIN
 WEB_DOMAIN=$MASTODON_DOMAIN
 
 DB_HOST=localhost
-DB_USER=mastodon
+DB_USER=$MASTODON_USER
 DB_NAME=mastodon_production
 DB_PASS=$DB_PASSWORD
 
@@ -172,15 +173,15 @@ WEB_CONCURRENCY=3
 MAX_THREADS=10
 STREAMING_CLUSTER_NUM=1
 
-# using linode, not brand name S3: https://cloud.linode.com/object-storage/buckets/create
+# uses linode, not brand name S3: https://cloud.linode.com/object-storage/buckets/create
 # AWS_ACCESS_KEY_ID=XXXXXXXX
 # AWS_SECRET_ACCESS_KEY=XXXXXXXX
 # S3_ENABLED=true
-# S3_BUCKET=$LINODE_BUCKET_NAME
+# S3_BUCKET=my-bucket
 # S3_PROTOCOL=https
 # S3_HOSTNAME=us-east-1.linodeobjects.com
 # S3_ENDPOINT=https://us-east-1.linodeobjects.com
-# S3_ALIAS_HOST=$LINODE_BUCKET_NAME.us-east-1.linodeobjects.com
+# S3_ALIAS_HOST=my-bucket.us-east-1.linodeobjects.com
 
 # get SES credentials: https://us-east-1.console.aws.amazon.com/ses/home?region=us-east-1#/smtp
 # SMTP_SERVER=email-smtp.us-east-1.amazonaws.com
@@ -227,18 +228,23 @@ sudo certbot certonly \
 # configure nginx: copies conf files from this repo to /etc/nginx
 sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 sudo cp "$UTILS_ROOT"/etc/nginx/nginx.conf /etc/nginx/nginx.conf
-sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
+sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g"
 sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
-sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
-sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
 sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|mastodon.example.com|$MASTODON_DOMAIN|g"
+sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|/home/mastodon/live|$APP_ROOT|g"
+sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
+# sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
+sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
 sudo nginx -t
 
 # configure mastodon systemd services
 sudo cp "$UTILS_ROOT"/etc/systemd/system/mastodon-*.service /etc/systemd/system/
 
-# fix hard-coded /home/mastodon in systemd files (this is the default from init.sh anyways, so it probably won't change)
+# fix hard-coded paths and usernames in systemd files
+# (they already match the defaults from init.sh, so it's likely nothing will change)
+sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon/live|$APP_ROOT|g"
 sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon|$MASTODON_ROOT|g"
+sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|User=mastodon|User=$MASTODON_USER|g"
 
 # start everything up!
 sudo systemctl daemon-reload

scripts/upgrade.sh

@@ -31,12 +31,11 @@ else
 fi
 
 # set new ruby version
-RUBY_VERSION="$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
+as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing
-as_mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install --skip-existing "$RUBY_VERSION"
+as_mastodon rbenv global "$(as_mastodon cat "$APP_ROOT"/.ruby-version)"
-as_mastodon rbenv global "$RUBY_VERSION"
 
 # set new node version
-as_mastodon bash -c "\. "$NVM_DIR/nvm.sh"; nvm install; nvm use; npm install --global yarn"
+as_mastodon bash -c "\. \"$NVM_DIR/nvm.sh\"; nvm install; nvm use; npm install --global yarn"
 
 # update dependencies
 as_mastodon bundle install --jobs "$(getconf _NPROCESSORS_ONLN)"
@@ -48,7 +47,8 @@ as_mastodon yarn install --pure-lockfile --network-timeout 100000
 # run migrations:
 # https://docs.joinmastodon.org/admin/upgrading/
 echo "Running pre-deploy database migrations..."
-as_mastodon SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production DB_PORT=5432 bundle exec rails db:migrate
+# note: DB_PORT is hard-coded because we need the raw DB, and .env.production might be pointing at pgbouncer
+as_mastodon DB_PORT=5432 SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production bundle exec rails db:migrate
 
 # restart mastodon
 echo "Restarting services (round 1/2)..."
@@ -58,7 +58,8 @@ sudo systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming
 echo "Clearing cache..."
 as_mastodon RAILS_ENV=production ruby "$APP_ROOT/bin/tootctl" cache clear
 echo "Running post-deploy database migrations..."
-as_mastodon RAILS_ENV=production DB_PORT=5432 bundle exec rails db:migrate
+# note: DB_PORT is hard-coded because we need the raw DB, and .env.production might be pointing at pgbouncer
+as_mastodon DB_PORT=5432 RAILS_ENV=production bundle exec rails db:migrate
 
 # restart mastodon again
 echo "Restarting services (round 2/2)..."

scripts/version.sh

@@ -6,6 +6,9 @@ set -euo pipefail
 # initialize path
 . "$(dirname "$(realpath "$0")")"/../init.sh
 
-echo "* rbenv version: $(rbenv --version)"
+echo "* rbenv:    $(rbenv --version)"
-echo "* Ruby version: $(ruby --version)"
+echo "* nvm:      $(nvm --version)"
-echo "* Mastodon version: $(tootctl version)"
+echo "* Ruby:     $(ruby --version)"
+echo "* Node.js:  $(node --version)"
+echo "* Yarn:     $(yarn --version)"
+echo "* Mastodon: $(tootctl version)"