Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into nginx-config-update

installation/freebsd/rc.d/pleroma

@@ -24,4 +24,6 @@ command=/usr/local/bin/elixir
 command_args="--erl \"-detached\" -S /usr/local/bin/mix phx.server"
 procname="*beam.smp"
 
+PATH="${PATH}:/usr/local/sbin:/usr/local/bin"
+
 run_rc_command "$1"

installation/openbsd/httpd.conf

@@ -2,20 +2,21 @@
 # Default httpd.conf file for Pleroma on OpenBSD
 # Simple installation instructions
 # 1. Place file in /etc
-# 2. Replace <IPv4 address> with your public IP address
-# 3. If using IPv6, uncomment IPv6 lines and replace <IPv6 address> with your public IPv6 address
-# 4. Check file using 'doas httpd -n'
-# 5. Enable and start httpd:
+# 2. Replace <ipaddr> with your public IP address
+# 3. If using IPv6, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
+# 4. Replace all occurences of example.tld with your instance's domain name.
+# 5. Check file using 'doas httpd -n'
+# 6. Enable and start httpd:
 #      # doas rcctl enable httpd
 #      # doas rcctl start httpd
 #
 
-ext_inet="<IPv4 address>"
-#ext_inet6="<IPv6 address>"
+ext_inet="<ipaddr>"
+#ext_inet6="<ip6addr>"
 
-server "default" {
+server "example.tld" {
     listen on $ext_inet port 80 # Comment to disable listening on IPv4
-#    listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
+    #listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
     listen on 127.0.0.1 port 80 # Do NOT comment this line
 
     log syslog
@@ -26,10 +27,18 @@ server "default" {
         request strip 2
     }
 
-    location "/robots.txt" { root "/htdocs/local/" }
-    location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
+    location "/*" { block return 301 "https://$HTTP_HOST$REQUEST_URI" }
 }
 
+# Example of serving a basic static website besides Pleroma using the example configuration in relayd
+#server "site.example.tld" {
+#    listen on 127.0.0.1 port 8080
+#
+#    location "/*" {
+#        root "/website"
+#    }
+#}
+
 types {
     include "/usr/share/misc/mime.types"
 }

installation/openbsd/rc.d/pleroma

@@ -4,15 +4,16 @@
 #
 # Simple installation instructions:
 # 1. Install Pleroma per wiki instructions
-# 2. Place this pleromad file in /etc/rc.d
+# 2. Place this pleroma file in /etc/rc.d
 # 3. Enable and start Pleroma
-#	# doas rcctl enable pleromad
-#	# doas rcctl start pleromad
+#	# doas rcctl enable pleroma
+#	# doas rcctl start pleroma
 #
 
 daemon="/usr/local/bin/elixir"
-daemon_flags="--detached -S /usr/local/bin/mix phx.server"
+daemon_flags="--erl \"-detached\" -S /usr/local/bin/mix phx.server"
 daemon_user="_pleroma"
+daemon_execdir="/home/_pleroma/pleroma"
 
 . /etc/rc.d/rc.subr
 
@@ -23,10 +24,6 @@ rc_check() {
 	pgrep -q -U _pleroma -f "phx.server"
 }
 
-rc_start() {
-	${rcexec} "cd pleroma; ${daemon} ${daemon_flags}"
-}
-
 rc_stop() {
 	pkill -q -U _pleroma -f "phx.server"
 }

installation/openbsd/relayd.conf

@@ -3,9 +3,10 @@
 # Simple installation instructions:
 # 1. Place in /etc
 # 2. Replace <ipaddr> with your public IPv4 address
-# 3. If using IPv6i, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
-# 4. Check file using 'doas relayd -n'
-# 5. Reload/start relayd
+# 3. If using IPv6, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
+# 4. Replace all occurrences of example.tld with your instance's domain
+# 5. Check file using 'doas relayd -n'
+# 6. Reload/start relayd
 #      # doas rcctl enable relayd
 #      # doas rcctl start relayd
 #
@@ -14,31 +15,66 @@ ext_inet="<ipaddr>"
 #ext_inet6="<ip6addr>"
 
 table <pleroma_server> { 127.0.0.1 }
-table <httpd_server> { 127.0.0.1 }
 
-http protocol plerup { # Protocol for upstream pleroma server
+# Uncomment when you want to serve other services than Pleroma.
+# In this example tables are used only as way to differentiate between Pleroma and other services.
+# Feel free to rename "httpd_server" everywhere to fit your setup.
+#table <httpd_server> { 127.0.0.1 }
+
+http protocol pleroma { # Protocol for upstream Pleroma server
     #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
-    tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305"
-    tls ecdhe secp384r1
+    tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
+    tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1
 
-    # Forward some paths to the local server (as pleroma won't respond to them as you might want)
-    pass request quick path "/robots.txt" forward to <httpd_server>
+    return error
 
-    # Append a bunch of headers
-    match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt
-    match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+    # When serving multiple services with different certificates, specify multiple "tls keypair" keywords
+    # and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations.
+    # The string in quotes must match the fullchain certificate file created by acme-client without the extension.
+    # For example:
+    # tls keypair "pleroma.example.tld"
+    # tls keypair "example.tld"
+    tls keypair "example.tld"
 
+    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
     match request header append "Connection" value "upgrade"
 
+    # When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain).
+    # From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead.
+    pass request quick header "Host" value "example.tld" forward to <pleroma_server>
+
+    # Uncomment when serving media uploads on a different (sub)domain.
+    # Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead.
+    #pass request quick header "Host" value "media.example.tld" forward to <pleroma_server>
+
+    # When serving multiple services, add the forwards here.
+    # Example:
+    #pass request quick header "Host" value "example.tld" forward to <httpd_server>
+
+    block
 }
 
 relay wwwtls {
     listen on $ext_inet port https tls # Comment to disable listening on IPv4
-#    listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
 
-    protocol plerup
+    protocol pleroma
 
-    forward to <pleroma_server> port 4000 check http "/" code 200
-    forward to <httpd_server> port 80 check http "/robots.txt" code 200
+    forward to <pleroma_server> port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems.
+
+    # When serving multiple services, add the forwards here.
+    # Example:
+    #forward to <httpd_server> port 8080
 }
 
+# Uncomment relay block to enable IPv6
+#relay wwwtls6 {
+#    listen on $ext_inet6 port https tls
+
+#    protocol pleroma
+
+#    forward to <pleroma_server> port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems.
+
+#    # When serving multiple services, add the forwards here.
+#    # Example:
+#    #forward to <httpd_server> port 8080
+#}

installation/openldap/pw_self_service.ldif

@@ -0,0 +1,7 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by anonymous auth
+  by * none