diff --git a/etc/nginx/sites-available/default.conf b/etc/nginx/sites-available/default.conf
index d63d439..0f2b4da 100644
--- a/etc/nginx/sites-available/default.conf
+++ b/etc/nginx/sites-available/default.conf
@@ -1,23 +1,23 @@
 # catch-all nginx server
 server {
- listen 80 default_server;
 listen [::]:80 default_server;
+ listen 80 default_server;
 server_name _;
 return 444;
 }
 server {
- listen 443 default_server;
 listen [::]:443 default_server;
+ listen 443 default_server;
 # intentionally cause an SSL error. this requires a snakeoil certificate, see:
 # https://docs.j7k6.org/nginx-default-ssl-site/
 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 ssl_reject_handshake on;
- include /etc/letsencrypt/options-ssl-nginx.conf;
+ include snippets/ssl-params.conf;
 server_name _;
 return 444;
diff --git a/etc/nginx/sites-available/mastodon.conf b/etc/nginx/sites-available/mastodon.conf
index 4ac9819..703c3d8 100644
--- a/etc/nginx/sites-available/mastodon.conf
+++ b/etc/nginx/sites-available/mastodon.conf
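Review bot: The two listen lines of the 443 block still carry no `ssl` parameter, so `ssl_reject_handshake on` and the directives pulled in by the new `include snippets/ssl-params.conf;` only matter when another enabled server marks the same address:port as ssl; mastodon.conf does, but install.sh leaves the default.conf symlink commented out, so the catch-all is not self-contained. One word per line fixes that: `listen [::]:443 ssl default_server;` and `listen 443 ssl default_server;`. The swap of the port-80 and port-443 listen lines is cosmetic. The closing brace of the second server block lies beyond the hunk.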
@@ -16,22 +16,21 @@ upstream streaming {
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
 server {
- listen [::]:443 http2 ssl ipv6only=on;
+ listen [::]:443 http2 ssl;
 listen 443 http2 ssl;
 server_name mastodon.example.com;
 root /home/mastodon/live/public;
+ # assumes certbot has been run, nginx will not start with this config enabled otherwise
 ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
- # https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=1.1.1f&guideline=5.6
 ssl_stapling on;
 ssl_stapling_verify on;
- ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem;
+ include snippets/ssl-params.conf;
 keepalive_timeout 30;
 sendfile on;
diff --git a/etc/nginx/snippets/ssl-params.conf b/etc/nginx/snippets/ssl-params.conf
new file mode 100644
index 0000000..978e6e8
--- /dev/null
+++ b/etc/nginx/snippets/ssl-params.conf
@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
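Review bot: The new comment `# assumes certbot has been run, nginx will not start with this config enabled otherwise` names the symptom but not the cause: every `/etc/letsencrypt/...` path below it (fullchain, privkey, chain and the dhparam file) must already exist, because nginx refuses to load a server block whose certificate files are missing. Suggest `# requires a Let's Encrypt certificate for this domain to exist already (certbot --nginx); nginx fails to start while the /etc/letsencrypt files below are missing`. Moving `ssl_trusted_certificate` up next to the key pair is fine, but `ssl_stapling on` also needs a `resolver` directive somewhere in the configuration to look up the OCSP responder, which this hunk does not show; if nginx.conf has none, stapling silently does nothing. The removed Mozilla ssl-config link was the only record of where the stapling and dhparam settings came from; consider carrying it into the snippet's header.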
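Review bot: The five-line header of the new ssl-params.conf is copied verbatim from certbot's options-ssl-nginx.conf and warns that editing the file will stop Certbot from updating it, which is backwards here: the file lives in this repository, certbot never touches it, and keeping it current is now the maintainer's job. Replace the header with a provenance note such as `# TLS parameters copied from certbot's options-ssl-nginx.conf (Mozilla intermediate profile). certbot does not manage this file; review it when the upstream recommendations change.` The directives themselves (TLS 1.2/1.3 only, session tickets off, `ssl_prefer_server_ciphers off` with an AEAD-only cipher list) are consistent with that profile, and the shared `le_nginx_SSL` session cache is safe to include from several server blocks.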
diff --git a/scripts/customize.sh b/scripts/customize.sh
index 9a78240..051db5f 100755
--- a/scripts/customize.sh
+++ b/scripts/customize.sh
@@ -76,8 +76,8 @@ fi
 if [ "$MASTODON_IS_GLITCH" = true ]; then
 set_default() {
 as_mastodon sed \
- -e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" \
- -i "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js"
+ -i "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js" \
+ -e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" || true
 }
 set_default "show_reply_count" "true"
diff --git a/scripts/install.sh b/scripts/install.sh
index 358ec2a..30efd81 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -45,14 +45,13 @@ if ! id -u "$MASTODON_USER" >/dev/null 2>&1; then
 fi
 # install latest ubuntu updates & basic prerequisites
-sudo DEBIAN_FRONTEND=noninteractive apt-get update
+sudo apt-get update
 sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 curl \
 wget \
 gnupg \
 apt-transport-https \
 lsb-release \
- git \
 ca-certificates
 # add official postgresql apt repository
@@ -69,7 +68,7 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx
 # install prerequisites:
 # https://docs.joinmastodon.org/admin/install/#system-packages
-sudo DEBIAN_FRONTEND=noninteractive apt-get update
+sudo apt-get update
 sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 autoconf \
 bison \
@@ -78,6 +77,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 file \
 g++ \
 gcc \
+ git \
 imagemagick \
 libaugeas-dev \
 libffi-dev \
@@ -99,6 +99,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 postgresql-contrib \
 protobuf-compiler \
 python3 \
+ python3-psycopg2 \
 python3-venv \
 redis-server \
 redis-tools \
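Review bot: The `|| true` appended to the `-e` line in `set_default()` hides every failure of the sed call — a missing local_settings.js, a permission problem under `as_mastodon`, a malformed expression — while the case it presumably targets, a key that does not occur in the file, already exits 0 because sed does not report an unmatched substitution as an error. If the intent is to tolerate an absent file, test for it explicitly and let sed's exit status propagate: `[ -f "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js" ] || return 0` as the first line of the function. Putting `-i` before `-e` is harmless with GNU sed, which only treats a suffix as part of `-i` when it is attached to the flag. Since `$1` and `$2` are spliced into the sed program unescaped, `set_default` should keep being called only with literal keys and values, as on the `set_default "show_reply_count" "true"` line.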
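Review bot: Dropping `git` from the bootstrap package list and re-adding it in the Mastodon system-packages list (the `@@ -78,6 +77,7 @@` hunk) means git is only installed by the second apt-get, so any clone or checkout between the two install steps — the lines after this hunk are outside the shown range — would now fail; if nothing in that span uses git the move is safe, but that is worth confirming. Removing `DEBIAN_FRONTEND=noninteractive` from `sudo apt-get update` here and in the `@@ -69,7 +68,7 @@` hunk is fine, since update never prompts. `python3-psycopg2` in the `@@ -99,6 +99,7 @@` hunk arrives without any note of which script needs it; a comment line above that apt-get install, such as `# python3-psycopg2: used by <script name>`, would help the next reader (a trailing comment cannot go inside the backslash-continued list).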
@@ -218,7 +219,7 @@ as_mastodon RAILS_ENV=production bundle exec rails assets:precompile
 sudo python3 -m venv /opt/certbot/
 sudo /opt/certbot/bin/pip install --upgrade pip
 sudo /opt/certbot/bin/pip install certbot certbot-nginx
-sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
+sudo ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot
 # ensure nginx hasn't started itself
 sudo systemctl stop nginx
@@ -238,8 +239,10 @@ sudo cp "$UTILS_ROOT"/etc/nginx/nginx.conf /etc/nginx/nginx.conf
 sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g"
 sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
 sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
-sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|mastodon.example.com|$MASTODON_DOMAIN|g"
-sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|/home/mastodon/live|$APP_ROOT|g"
+sudo sed \
+ -i /etc/nginx/sites-available/mastodon.conf \
+ -e "s|mastodon.example.com|$MASTODON_DOMAIN|g" \
+ -e "s|/home/mastodon/live|$APP_ROOT|g"
 sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
 # sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
 sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
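Review bot: Moving the symlink to `/usr/local/bin/certbot` changes what the bare `certbot renew -q` added to root's crontab later in this commit (the `@@ -278,6 +283,10 @@` hunk) resolves to: on Debian/Ubuntu, user crontab entries run with a default PATH of `/usr/bin:/bin` unless the crontab sets PATH itself, so `/usr/local/bin` is not searched and the renewal would not find certbot. `ln -s` without `-f` also aborts on a second run once the link exists, unlike the `ln -sf` used for the nginx site links in the next hunk. `sudo ln -sf /opt/certbot/bin/certbot /usr/local/bin/certbot` covers the re-run case; the cron entry should invoke `/opt/certbot/bin/certbot` by absolute path regardless of where the link lives.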
@@ -250,9 +253,11 @@ sudo cp "$UTILS_ROOT"/etc/systemd/system/mastodon-*.service /etc/systemd/system/
 # fix hard-coded paths and usernames in systemd files
 # (they already match the defaults from init.sh, so it's likely nothing will change)
-sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon/live|$APP_ROOT|g"
-sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon|$MASTODON_ROOT|g"
-sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|User=mastodon|User=$MASTODON_USER|g"
+sudo sed \
+ -i /etc/systemd/system/mastodon-*.service \
+ -e "s|/home/mastodon/live|$APP_ROOT|g" \
+ -e "s|/home/mastodon|$MASTODON_ROOT|g" \
+ -e "s|User=mastodon|User=$MASTODON_USER|g"
 # start everything up!
 sudo systemctl daemon-reload
@@ -278,6 +283,10 @@ as_mastodon touch "$LOGS_ROOT"/cron.log
 (sudo crontab -l; echo -e "\n$INSTALLER_WUZ_HERE
 @weekly bash -c \"$UTILS_ROOT/scripts/weekly_cleanup.sh >> $LOGS_ROOT/cron.log 2>&1\"
 @weekly bash -c \"$UTILS_ROOT/scripts/backup.sh >> $LOGS_ROOT/cron.log 2>&1\"
+
+# automatically renew Let's Encrypt certificates
+# https://certbot.eff.org/instructions?ws=nginx&os=pip
+0 0,12 * * * root /opt/certbot/bin/python -c \"import random; import time; time.sleep(random.random() * 3600)\" && certbot renew -q
 ") | sudo crontab -
 echo "🎉 done! don't forget to fill in .env.production with optional credentials"
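Review bot: The added `0 0,12 * * * root /opt/certbot/bin/python -c ...` line is written in /etc/crontab format, but it is piped into `sudo crontab -`, which installs root's per-user crontab; user crontabs have no user column, so cron will try to run a command named `root` and the renewal never executes (the two existing `@weekly` entries above it correctly omit the user). The `root` field comes from certbot's own instructions, which append the line to /etc/crontab instead. Drop the field and use absolute paths so the entry does not depend on cron's minimal PATH: `0 0,12 * * * /opt/certbot/bin/python -c \"import random; import time; time.sleep(random.random() * 3600)\" && /opt/certbot/bin/certbot renew -q`. With `-q` the renewal's output is discarded; appending `>> $LOGS_ROOT/cron.log 2>&1` like the other entries would make a failed renewal visible before the certificate expires.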