diff --git a/etc/nginx/sites-available/mastodon.conf b/etc/nginx/sites-available/mastodon.conf
index 703c3d8..0e8e8ef 100644
--- a/etc/nginx/sites-available/mastodon.conf
+++ b/etc/nginx/sites-available/mastodon.conf
@@ -161,6 +161,12 @@ server {
 server_name mastodon.example.com;
+ # ensure LE's HTTP challenge is always accessible
+ location ^~ /.well-known/acme-challenge/ {
+ allow all;
+ }
+
+ # HTTP -> HTTPS
 if ($host = mastodon.example.com) {
 return 308 https://$host$request_uri;
 }
diff --git a/init.sh b/init.sh
index fd87c0f..64f634b 100755
--- a/init.sh
+++ b/init.sh
@@ -81,4 +81,4 @@ tootctl() {
 # ---
 # keep track of whether this file has already been run
-export MASTODON_INIT_RUN=true
+export MASTODON_INIT_RUN=1
diff --git a/scripts/backup.sh b/scripts/backup.sh
index eef168b..5edd6dd 100755
--- a/scripts/backup.sh
+++ b/scripts/backup.sh
@@ -9,8 +9,8 @@ set -euo pipefail
 echo -e "\n===== backup.sh: started at $(date '+%Y-%m-%d %H:%M:%S') =====\n"
-# initialize path
-. "$(dirname "$(realpath "$0")")"/../init.sh
+# initialize paths
+. "$(dirname "${BASH_SOURCE[0]}")"/../init.sh
 if [ "$(systemctl is-active mastodon-web.service)" = "active" ]; then
 echo "⚠️ Mastodon is currently running."
diff --git a/scripts/customize.sh b/scripts/customize.sh
index 051db5f..cd397ff 100755
--- a/scripts/customize.sh
+++ b/scripts/customize.sh
@@ -3,10 +3,8 @@
 # exit when any step fails
 set -euo pipefail
-# initialize path (only if needed)
-if [ "${MASTODON_INIT_RUN:=}" != true ]; then
- . "$(dirname "$(realpath "$0")")"/../init.sh
-fi
+# initialize paths
+. "$(dirname "${BASH_SOURCE[0]}")"/../init.sh
 # re-detect glitch-soc
 MASTODON_IS_GLITCH="$(test -d "$APP_ROOT/app/javascript/flavours/glitch" && echo true || echo false)"
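Review bot: The new `location ^~ /.well-known/acme-challenge/` block does not exempt challenge requests from the redirect that follows it, because a server-level `if` with `return` runs in the server rewrite phase, before nginx selects a location; the challenge path therefore still gets the 308 to HTTPS, which is exactly the case the comment says it avoids, and on first issuance there is no certificate on 443 yet. Moving the redirect into a `location / { … }` block lets the `^~` prefix location win for the challenge path: `location / {` / `  if ($host = mastodon.example.com) { return 308 https://$host$request_uri; }` / `}`. The enclosing `server` block starts before this hunk.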
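Review bot: Replacing `realpath "$0"` with a bare `${BASH_SOURCE[0]}` drops symlink resolution, so if backup.sh is run through a symlink (a cron entry or a link in a bin directory) `dirname` yields the link's directory and `../init.sh` is not found; under `set -euo pipefail` the script then aborts before doing anything. Keeping both gives the sourced-invocation benefit without losing the old behaviour: `. "$(dirname "$(realpath "${BASH_SOURCE[0]}")")"/../init.sh`. The same replacement appears in the customize.sh, install.sh, upgrade.sh, version.sh and weekly_cleanup.sh hunks of this diff, and the same line applies to each.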
@@ -15,13 +13,13 @@ MASTODON_IS_GLITCH="$(test -d "$APP_ROOT/app/javascript/flavours/glitch" && echo
 # apply custom patches (skips errors)
 for f in "$UTILS_ROOT"/patches/*.patch; do
- as_mastodon git apply --reject --allow-binary-replacement "$f" || true
+ as_mastodon git apply --reject --allow-binary-replacement "$f" || :
 done
 # apply additional glitch-only patches if applicable
 if [ "$MASTODON_IS_GLITCH" = true ]; then
 for f in "$UTILS_ROOT"/patches/glitch/*.patch; do
- as_mastodon git apply --reject --allow-binary-replacement "$f" || true
+ as_mastodon git apply --reject --allow-binary-replacement "$f" || :
 done
 fi
@@ -77,7 +75,7 @@ if [ "$MASTODON_IS_GLITCH" = true ]; then
 set_default() {
 as_mastodon sed \
 -i "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js" \
- -e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" || true
+ -e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" || :
 }
 set_default "show_reply_count" "true"
diff --git a/scripts/install.sh b/scripts/install.sh
index 30efd81..2613def 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -13,8 +13,8 @@ if [ "$MY_NAME_IS_JAKE_JARVIS" != "pinky promise" ]; then
 exit 69
 fi
-# initialize path (and silence warnings about things not existing yet because that's why we're running the installer...)
-. "$(dirname "$(realpath "$0")")"/../init.sh >/dev/null 2>&1
+# initialize paths (and silence warnings about things not existing yet because that's why we're running the installer.)
+. "$(dirname "${BASH_SOURCE[0]}")"/../init.sh >/dev/null
 # check for existing installation
 if [ -d "$APP_ROOT" ]; then
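Review bot: The rewritten comment still says init.sh's warnings are silenced, but dropping `2>&1` discards only its stdout now; if init.sh reports the not-yet-existing paths on stderr (not visible here) those messages will reappear during install, and if it does not, the old redirection was harmless and the comment is simply stale. Either restore `>/dev/null 2>&1` or make the comment match what the line does, e.g. `# initialize paths (stdout silenced; init.sh's warnings about paths that don't exist yet are expected at this point)`.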
@@ -39,7 +39,7 @@ sudo hostnamectl set-hostname "$MASTODON_DOMAIN"
 # create non-root user named MASTODON_USER (unless it already exists)
 if ! id -u "$MASTODON_USER" >/dev/null 2>&1; then
- sudo adduser --gecos "Mastodon" --home "$MASTODON_ROOT" --disabled-login "$MASTODON_USER"
+ sudo adduser --gecos "" --home "$MASTODON_ROOT" --disabled-login "$MASTODON_USER" || :
 echo "[ -s \"$UTILS_ROOT/init.sh\" ] && \. \"$UTILS_ROOT/init.sh\" >/dev/null 2>&1" | sudo tee -a "$MASTODON_ROOT/.bashrc" >/dev/null
 sudo chown -R "$MASTODON_USER":"$MASTODON_USER" "$MASTODON_ROOT"
 fi
@@ -52,7 +52,8 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 gnupg \
 apt-transport-https \
 lsb-release \
- ca-certificates
+ ca-certificates \
+ tzdata
 # add official postgresql apt repository
 curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpg
@@ -153,12 +154,17 @@ echo "$INSTALLER_WUZ_HERE
 LOCAL_DOMAIN=$MASTODON_USERNAME_DOMAIN
 WEB_DOMAIN=$MASTODON_DOMAIN
+SINGLE_USER_MODE=false
+
+WEB_CONCURRENCY=3
+MAX_THREADS=10
+STREAMING_CLUSTER_NUM=1
+RAILS_LOG_LEVEL=warn
 DB_HOST=localhost
 DB_USER=$MASTODON_USER
 DB_NAME=mastodon_production
 DB_PASS=$DB_PASSWORD
-
 # without pgbouncer:
 DB_PORT=5432
 # with pgbouncer: https://github.com/jakejarvis/mastodon-utils/wiki/Postgres-&-PgBouncer#pgbouncer
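Review bot: The `|| :` added to the `adduser` line swallows a failure to create `$MASTODON_USER`, yet the next two lines append to `$MASTODON_ROOT/.bashrc` and `chown` the tree to that user as if it existed, so a genuine adduser failure now surfaces later as a confusing `tee`/`chown` error instead of at its source. The idempotency case is already handled by the surrounding `if ! id -u …` guard, so the suppression buys nothing there. Drop the `|| :`, or follow the line with an explicit re-check: `id -u "$MASTODON_USER" >/dev/null 2>&1 || { echo "failed to create user $MASTODON_USER" >&2; exit 1; }`.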
@@ -168,18 +174,13 @@ DB_PORT=5432
 REDIS_HOST=localhost
 REDIS_PORT=6379
-SECRET_KEY_BASE=$(as_mastodon RAILS_ENV=production bundle exec rake secret)
-OTP_SECRET=$(as_mastodon RAILS_ENV=production bundle exec rake secret)
-$(as_mastodon RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key)
-
-SINGLE_USER_MODE=false
-IP_RETENTION_PERIOD=31556952
-SESSION_RETENTION_PERIOD=31556952
-RAILS_LOG_LEVEL=warn
-
-WEB_CONCURRENCY=3
-MAX_THREADS=10
-STREAMING_CLUSTER_NUM=1
+# get SES credentials: https://us-east-1.console.aws.amazon.com/ses/home?region=us-east-1#/smtp
+# ...or use SendGrid, MailGun, AWS SES, etc...
+# SMTP_SERVER=email-smtp.us-east-1.amazonaws.com
+# SMTP_PORT=587
+# SMTP_FROM_ADDRESS=\"Mastodon \"
+# SMTP_LOGIN=XXXXXXXX
+# SMTP_PASSWORD=XXXXXXXX
 # uses linode, not brand name S3: https://cloud.linode.com/object-storage/buckets/create
 # AWS_ACCESS_KEY_ID=XXXXXXXX
@@ -191,22 +192,23 @@ STREAMING_CLUSTER_NUM=1
 # S3_ENDPOINT=https://us-east-1.linodeobjects.com
 # S3_ALIAS_HOST=my-bucket.us-east-1.linodeobjects.com
-# get SES credentials: https://us-east-1.console.aws.amazon.com/ses/home?region=us-east-1#/smtp
-# SMTP_SERVER=email-smtp.us-east-1.amazonaws.com
-# SMTP_PORT=587
-# SMTP_FROM_ADDRESS=\"Mastodon \"
-# SMTP_LOGIN=XXXXXXXX
-# SMTP_PASSWORD=XXXXXXXX
-
 # https://github.com/jakejarvis/mastodon-utils/wiki/ElasticSearch
 # ES_ENABLED=true
 # ES_HOST=localhost
 # ES_PORT=9200
-# ES_USER=optional
-# ES_PASS=optional
+# optional, not enabled by default:
+# ES_USER=
+# ES_PASS=
 # https://github.com/jakejarvis/mastodon-utils/wiki/Prometheus-&-Grafana
-# STATSD_ADDR=localhost:9125" | as_mastodon tee "$APP_ROOT/.env.production" >/dev/null
+# STATSD_ADDR=localhost:9125
+
+IP_RETENTION_PERIOD=31556952
+SESSION_RETENTION_PERIOD=31556952
+
+SECRET_KEY_BASE=$(as_mastodon RAILS_ENV=production bundle exec rake secret)
+OTP_SECRET=$(as_mastodon RAILS_ENV=production bundle exec rake secret)
+$(as_mastodon RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key)" | as_mastodon tee "$APP_ROOT/.env.production" >/dev/null
 # manually setup db
 as_mastodon RAILS_ENV=production SAFETY_ASSURED=1 bundle exec rails db:setup
@@ -237,7 +239,7 @@ sudo certbot certonly \
 sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 sudo cp "$UTILS_ROOT"/etc/nginx/nginx.conf /etc/nginx/nginx.conf
 sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g"
-sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
+sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled /etc/nginx/snippets
 sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
 sudo sed \
 -i /etc/nginx/sites-available/mastodon.conf \
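Review bot: The three `$(… rake secret)` / `generate_vapid_key` substitutions now sit at the tail of the `echo` argument, where a failing `rake` is invisible to `set -e` (only `echo` and `tee` contribute an exit status, and `pipefail` sees both succeed), so a failed generation silently writes `SECRET_KEY_BASE=` or `OTP_SECRET=` empty into `.env.production` and the install carries on. Generating the values into variables first makes `set -e` stop at the failure, and since the file also receives `DB_PASS` it should not be left with the default `tee` umask permissions. The `echo` begins in an earlier hunk; only the lines that change are shown below.
```shell
# generate secrets first so a failing rake aborts under set -e instead of writing an empty value
secret_key_base=$(as_mastodon RAILS_ENV=production bundle exec rake secret)
otp_secret=$(as_mastodon RAILS_ENV=production bundle exec rake secret)
vapid_keys=$(as_mastodon RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key)
# … unchanged: echo "$INSTALLER_WUZ_HERE … through STATSD_ADDR and the retention settings …
SECRET_KEY_BASE=$secret_key_base
OTP_SECRET=$otp_secret
$vapid_keys" | as_mastodon tee "$APP_ROOT/.env.production" >/dev/null
# the file now holds DB_PASS and the generated secrets; don't leave it world-readable
as_mastodon chmod 600 "$APP_ROOT/.env.production"
```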
@@ -245,7 +247,8 @@ sudo sed \
 -e "s|/home/mastodon/live|$APP_ROOT|g"
 sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
 # sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
-sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
+sudo cp -f "$UTILS_ROOT"/etc/nginx/snippets/*.conf /etc/nginx/snippets/
+sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/*.so /usr/lib/nginx/modules/
 sudo nginx -t
 # configure mastodon systemd services
diff --git a/scripts/upgrade.sh b/scripts/upgrade.sh
index 8f02a4b..e514880 100755
--- a/scripts/upgrade.sh
+++ b/scripts/upgrade.sh
@@ -13,8 +13,8 @@ if [ "$MY_NAME_IS_JAKE_JARVIS" != "pinky promise" ]; then
 exit 69
 fi
-# initialize path
-. "$(dirname "$(realpath "$0")")"/../init.sh
+# initialize paths
+. "$(dirname "${BASH_SOURCE[0]}")"/../init.sh
 # pull latest mastodon source
 cd "$APP_ROOT"
diff --git a/scripts/version.sh b/scripts/version.sh
index ef987ee..30879d9 100755
--- a/scripts/version.sh
+++ b/scripts/version.sh
@@ -3,8 +3,8 @@
 # exit when any step fails
 set -euo pipefail
-# initialize path
-. "$(dirname "$(realpath "$0")")"/../init.sh
+# initialize paths
+. "$(dirname "${BASH_SOURCE[0]}")"/../init.sh
 echo "* rbenv: $(rbenv --version)"
 echo "* nvm: $(nvm --version)"
diff --git a/scripts/weekly_cleanup.sh b/scripts/weekly_cleanup.sh
index 9d190a3..6f8af6c 100755
--- a/scripts/weekly_cleanup.sh
+++ b/scripts/weekly_cleanup.sh
@@ -9,8 +9,8 @@ set -o pipefail
 echo -e "\n===== weekly_cleanup.sh: started at $(date '+%Y-%m-%d %H:%M:%S') =====\n"
-# initialize path
-. "$(dirname "$(realpath "$0")")"/../init.sh
+# initialize paths
+. "$(dirname "${BASH_SOURCE[0]}")"/../init.sh
 tootctl media remove --days 14
 tootctl media remove --prune-profiles --days 90
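Review bot: The narrowed `modules/*.so` copy still installs prebuilt shared objects straight from the repository checkout into the directory nginx loads its dynamic modules from (presumably as root at startup), and nothing in this script records where those binaries come from or checks them before the `cp`. A comment stating the module source and build, plus a checksum comparison against a file committed alongside them, would let an operator confirm the objects are the expected ones, e.g. `# modules/*.so are built from <MODULE_SOURCE>; see <CHECKSUM_FILE> and verify before installing` followed by a `sha256sum -c` against that file before the copy. Both placeholders are for values this diff does not show.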