jake/mastodon-utils
1
Fork 0
mirror of https://github.com/jakejarvis/mastodon-utils.git synced 2025-04-26 03:25:22 -04:00
Code Issues Releases Wiki Activity

fix certbot via pip

Browse Source
This commit is contained in:
Jake Jarvis 2023-01-01 09:16:12 -05:00
parent e60498efd2
commit e894dcd6f8
Signed by: jake
GPG Key ID: 2B0C9CF251E69A39
5 changed files with 41 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
etc/nginx/sites-available/default.conf
View File

@ -1,23 +1,23 @@
# catch-all nginx server # catch-all nginx server
server { server {
listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
listen 80 default_server;
server_name _; server_name _;
return 444; return 444;
} }
server { server {
listen 443 default_server;
listen [::]:443 default_server; listen [::]:443 default_server;
listen 443 default_server;
# intentionally cause an SSL error. this requires a snakeoil certificate, see: # intentionally cause an SSL error. this requires a snakeoil certificate, see:
# https://docs.j7k6.org/nginx-default-ssl-site/ # https://docs.j7k6.org/nginx-default-ssl-site/
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_reject_handshake on; ssl_reject_handshake on;
include /etc/letsencrypt/options-ssl-nginx.conf; include snippets/ssl-params.conf;
server_name _; server_name _;
return 444; return 444;

9
etc/nginx/sites-available/mastodon.conf
View File

@ -16,22 +16,21 @@ upstream streaming {
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
server { server {
listen [::]:443 http2 ssl ipv6only=on; listen [::]:443 http2 ssl;
listen 443 http2 ssl; listen 443 http2 ssl;
server_name mastodon.example.com; server_name mastodon.example.com;
root /home/mastodon/live/public; root /home/mastodon/live/public;
# assumes certbot has been run, nginx will not start with this config enabled otherwise
ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem; ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=1.1.1f&guideline=5.6
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem; include snippets/ssl-params.conf;
keepalive_timeout 30; keepalive_timeout 30;
sendfile on; sendfile on;

14
etc/nginx/snippets/ssl-params.conf Normal file
View File

@ -0,0 +1,14 @@
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

4
scripts/customize.sh
View File

@ -76,8 +76,8 @@ fi
if [ "$MASTODON_IS_GLITCH" = true ]; then if [ "$MASTODON_IS_GLITCH" = true ]; then
set_default() { set_default() {
as_mastodon sed \ as_mastodon sed \
-e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" \ -i "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js" \
-i "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js" -e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" || true
} }
set_default "show_reply_count" "true" set_default "show_reply_count" "true"

27
scripts/install.sh
View File

@ -45,14 +45,13 @@ if ! id -u "$MASTODON_USER" >/dev/null 2>&1; then
fi fi
# install latest ubuntu updates & basic prerequisites # install latest ubuntu updates & basic prerequisites
sudo DEBIAN_FRONTEND=noninteractive apt-get update sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
curl \ curl \
wget \ wget \
gnupg \ gnupg \
apt-transport-https \ apt-transport-https \
lsb-release \ lsb-release \
git \
ca-certificates ca-certificates
# add official postgresql apt repository # add official postgresql apt repository
@ -69,7 +68,7 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx
# install prerequisites: # install prerequisites:
# https://docs.joinmastodon.org/admin/install/#system-packages # https://docs.joinmastodon.org/admin/install/#system-packages
sudo DEBIAN_FRONTEND=noninteractive apt-get update sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
autoconf \ autoconf \
bison \ bison \
@ -78,6 +77,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
file \ file \
g++ \ g++ \
gcc \ gcc \
git \
imagemagick \ imagemagick \
libaugeas-dev \ libaugeas-dev \
libffi-dev \ libffi-dev \
@ -99,6 +99,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
postgresql-contrib \ postgresql-contrib \
protobuf-compiler \ protobuf-compiler \
python3 \ python3 \
python3-psycopg2 \
python3-venv \ python3-venv \
redis-server \ redis-server \
redis-tools \ redis-tools \
@ -218,7 +219,7 @@ as_mastodon RAILS_ENV=production bundle exec rails assets:precompile
sudo python3 -m venv /opt/certbot/ sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-nginx sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot sudo ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot
# ensure nginx hasn't started itself # ensure nginx hasn't started itself
sudo systemctl stop nginx sudo systemctl stop nginx
@ -238,8 +239,10 @@ sudo cp "$UTILS_ROOT"/etc/nginx/nginx.conf /etc/nginx/nginx.conf
sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g" sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g"
sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/ sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|mastodon.example.com|$MASTODON_DOMAIN|g" sudo sed \
sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|/home/mastodon/live|$APP_ROOT|g" -i /etc/nginx/sites-available/mastodon.conf \
-e "s|mastodon.example.com|$MASTODON_DOMAIN|g" \
-e "s|/home/mastodon/live|$APP_ROOT|g"
sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
# sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf # sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/ sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
@ -250,9 +253,11 @@ sudo cp "$UTILS_ROOT"/etc/systemd/system/mastodon-*.service /etc/systemd/system/
# fix hard-coded paths and usernames in systemd files # fix hard-coded paths and usernames in systemd files
# (they already match the defaults from init.sh, so it's likely nothing will change) # (they already match the defaults from init.sh, so it's likely nothing will change)
sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon/live|$APP_ROOT|g" sudo sed \
sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon|$MASTODON_ROOT|g" -i /etc/systemd/system/mastodon-*.service \
sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|User=mastodon|User=$MASTODON_USER|g" -e "s|/home/mastodon/live|$APP_ROOT|g" \
-e "s|/home/mastodon|$MASTODON_ROOT|g" \
-e "s|User=mastodon|User=$MASTODON_USER|g"
# start everything up! # start everything up!
sudo systemctl daemon-reload sudo systemctl daemon-reload
@ -278,6 +283,10 @@ as_mastodon touch "$LOGS_ROOT"/cron.log
(sudo crontab -l; echo -e "\n$INSTALLER_WUZ_HERE (sudo crontab -l; echo -e "\n$INSTALLER_WUZ_HERE
@weekly bash -c \"$UTILS_ROOT/scripts/weekly_cleanup.sh >> $LOGS_ROOT/cron.log 2>&1\" @weekly bash -c \"$UTILS_ROOT/scripts/weekly_cleanup.sh >> $LOGS_ROOT/cron.log 2>&1\"
@weekly bash -c \"$UTILS_ROOT/scripts/backup.sh >> $LOGS_ROOT/cron.log 2>&1\" @weekly bash -c \"$UTILS_ROOT/scripts/backup.sh >> $LOGS_ROOT/cron.log 2>&1\"
# automatically renew Let's Encrypt certificates
# https://certbot.eff.org/instructions?ws=nginx&os=pip
0 0,12 * * * root /opt/certbot/bin/python -c \"import random; import time; time.sleep(random.random() * 3600)\" && certbot renew -q
") | sudo crontab - ") | sudo crontab -
echo "🎉 done! don't forget to fill in .env.production with optional credentials" echo "🎉 done! don't forget to fill in .env.production with optional credentials"