From b2a716fc913f9777236dd771726068d4ac811e26 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Tue, 10 Sep 2024 21:26:44 +0200 Subject: [PATCH 01/23] openbsd rc: replace deprecated flags, renamed to fit other service files --- installation/openbsd/rc.d/{pleromad => pleroma} | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) rename installation/openbsd/rc.d/{pleromad => pleroma} (61%) diff --git a/installation/openbsd/rc.d/pleromad b/installation/openbsd/rc.d/pleroma similarity index 61% rename from installation/openbsd/rc.d/pleromad rename to installation/openbsd/rc.d/pleroma index 19ac4bb51..9b54d5967 100755 --- a/installation/openbsd/rc.d/pleromad +++ b/installation/openbsd/rc.d/pleroma @@ -4,16 +4,18 @@ # # Simple installation instructions: # 1. Install Pleroma per wiki instructions -# 2. Place this pleromad file in /etc/rc.d +# 2. Place this pleroma file in /etc/rc.d # 3. Enable and start Pleroma -# # doas rcctl enable pleromad -# # doas rcctl start pleromad +# # doas rcctl enable pleroma +# # doas rcctl start pleroma # daemon="/usr/local/bin/elixir" -daemon_flags="--detached -S /usr/local/bin/mix phx.server" +daemon_flags="--erl \"-detached\" -S /usr/local/bin/mix phx.server" daemon_user="_pleroma" +env="MIX_ENV=prod" + . /etc/rc.d/rc.subr rc_reload=NO @@ -24,7 +26,7 @@ rc_check() { } rc_start() { - ${rcexec} "cd pleroma; ${daemon} ${daemon_flags}" + rc_exec "cd pleroma; export ${env}; ${daemon} ${daemon_flags}" } rc_stop() { From 9b71f57e372b5131b85ddceb6caf1e70a5e0de17 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Tue, 10 Sep 2024 21:40:34 +0200 Subject: [PATCH 02/23] docs openbsd: add missing vips and libmagic depends to required software --- docs/installation/openbsd_en.md | 4 ++-- docs/installation/openbsd_fi.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 78bbf399f..4c2f33f42 100644 --- a/docs/installation/openbsd_en.md 
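Review bot: In `rc_start` of installation/openbsd/rc.d/pleroma the steps are chained with `;`, so a failed `cd pleroma` (checkout missing, renamed, or a different home directory) does not stop the start, and `mix phx.server` is then launched as `_pleroma` from whatever directory the shell is in. Chain the steps with `&&` so the daemon only starts from the intended tree: `rc_exec "cd pleroma && export ${env} && ${daemon} ${daemon_flags}"`. A one-line comment above `env=` noting that it is expanded unquoted into `export`, and so must stay a single `NAME=value` pair without spaces, would also help. The bodies of `rc_check` and `rc_stop` lie outside these hunks, so how they interact with the new flags is not visible here.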
+++ b/docs/installation/openbsd_en.md @@ -1,6 +1,6 @@ # Installing on OpenBSD -This guide describes the installation and configuration of pleroma (and the required software to run it) on a single OpenBSD 6.6 server. +This guide describes the installation and configuration of pleroma (and the required software to run it) on a single OpenBSD 7.5 server. For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command. @@ -12,7 +12,7 @@ For any additional information regarding commands and configuration files mentio To install them, run the following command (with doas or as root): ``` -pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick libvips +pkg_add elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips ``` Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. diff --git a/docs/installation/openbsd_fi.md b/docs/installation/openbsd_fi.md index d7c94d8a0..858e64020 100644 --- a/docs/installation/openbsd_fi.md +++ b/docs/installation/openbsd_fi.md @@ -4,7 +4,7 @@ Note: This article is potentially outdated because at this time we may not have Tarvitset: * Oman domainin -* OpenBSD 6.3 -serverin +* OpenBSD 7.5 -serverin * Auttavan ymmärryksen unix-järjestelmistä Komennot, joiden edessä on '#', tulee ajaa käyttäjänä `root`. Tämä on 
@@ -18,7 +18,7 @@ Matrix-kanava #pleroma:libera.chat ovat hyviä paikkoja löytää apua Asenna tarvittava ohjelmisto: -`# pkg_add git elixir gmake postgresql-server-10.3 postgresql-contrib-10.3 cmake ffmpeg ImageMagick libvips` +`# pkg_add git elixir gmake postgresql-server postgresql-contrib cmake libmagic libvips` #### Optional software From cf0296bfdc8bb6ba935ad9b5362734329fc29fce Mon Sep 17 00:00:00 2001 From: Phantasm Date: Thu, 12 Sep 2024 21:55:29 +0200 Subject: [PATCH 03/23] docs openbsd: Add differences between otp and src, improved formatting and wording httpd/relayd and acme-client parts are untouched --- docs/installation/openbsd_en.md | 161 +++++++++++++++++++++++--------- 1 file changed, 116 insertions(+), 45 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 4c2f33f42..e47f40a87 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md 
@@ -1,25 +1,28 @@ # Installing on OpenBSD -This guide describes the installation and configuration of pleroma (and the required software to run it) on a single OpenBSD 7.5 server. +{! backend/installation/otp_vs_from_source_source.include !} + +This guide describes the installation and configuration of Pleroma (and the required software to run it) on a single OpenBSD 7.5 server. For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command. {! backend/installation/generic_dependencies.include !} +## Installation + ### Preparing the system #### Required software -To install them, run the following command (with doas or as root): +To install required packages, run the following command: ``` -pkg_add elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips +# pkg_add elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips ``` Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. #### Optional software -Per [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md): * ImageMagick * ffmpeg * exiftool 
@@ -27,41 +30,97 @@ Per [`docs/installation/optional/media_graphics_packages.md`](../installation/op To install the above: ``` -pkg_add ImageMagick ffmpeg p5-Image-ExifTool +# pkg_add ImageMagick ffmpeg p5-Image-ExifTool ``` -#### Creating the pleroma user -Pleroma will be run by a dedicated user, \_pleroma. Before creating it, insert the following lines in login.conf: +For more information read [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md): + +### PostgreSQL + +Switch to the \_postgresql user and initialize PostgreSQL: + +``` +# su _postgresql +$ initdb -D /var/postgresql/data -U postgres +``` + +Running PostgreSQL in a different directory than `/var/postgresql/data` requires changing the `daemon_flags` variable in the `/etc/rc.d/postgresql` script. + +Enable and start the postgresql service: + +``` +# rcctl enable postgresql +# rcctl start postgresql +``` + +To check that PostgreSQL started properly and didn't fail right after starting, you can run `ps aux | grep postgres`, there should be multiple lines of output. Or alternatively run `# rcctl check postgresql` which should return `postgresql(ok)`. + +### Configuring Pleroma + +Pleroma will be run by a dedicated \_pleroma user. Before creating it, insert the following lines in /etc/login.conf: + ``` pleroma:\ :datasize-max=1536M:\ :datasize-cur=1536M:\ - :openfiles-max=4096 + :openfiles-max=4096:\ + :setenv=LC_ALL=en_US.UTF-8 ``` -This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having pleroma crash some time after starting. 
-Create the \_pleroma user, assign it the pleroma login class and create its home directory (/home/\_pleroma/): `useradd -m -L pleroma _pleroma` +This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having Pleroma crash some time after starting. -#### Clone pleroma's directory -Enter a shell as the \_pleroma user. As root, run `su _pleroma -;cd`. Then clone the repository with `git clone -b stable https://git.pleroma.social/pleroma/pleroma.git`. Pleroma is now installed in /home/\_pleroma/pleroma/, it will be configured and started at the end of this guide. - -#### PostgreSQL -Start a shell as the \_postgresql user (as root run `su _postgresql -` then run the `initdb` command to initialize postgresql: -You will need to specify pgdata directory to the default (/var/postgresql/data) with the `-D ` and set the user to postgres with the `-U ` flag. This can be done as follows: +Create the \_pleroma user, assign it the pleroma login class and create its home directory (/home/\_pleroma/): ``` -initdb -D /var/postgresql/data -U postgres +# useradd -m -L pleroma _pleroma +# echo 'export VIX_COMPILATION_MODE=PLATFORM_PROVIDED_LIBVIPS' >> /home/_pleroma/.profile ``` -If you are not using the default directory, you will have to update the `datadir` variable in the /etc/rc.d/postgresql script. -When this is done, enable postgresql so that it starts on boot and start it. As root, run: +Switch to the _pleroma user: + ``` -rcctl enable postgresql -rcctl start postgresql +# su _pleroma ``` -To check that it started properly and didn't fail right after starting, you can run `ps aux | grep postgres`, there should be multiple lines of output. 
+ +Change to the home directory (/home/\_pleroma) and clone the Pleroma repository: + +``` +$ cd +$ git clone -b stable https://git.pleroma.social/pleroma/pleroma.git +$ cd pleroma +``` + +Pleroma is now installed in /home/\_pleroma/pleroma/. To configure it run: + +``` +$ mix deps.get +$ MIX_ENV=prod mix pleroma.instance gen # You will be asked a few questions here. +$ cp config/generated_config.exs config/prod.secret.exs +``` + +Note: Answer yes when asked to install Hex and rebar3. This step might take some time as Pleroma gets compiled first. + +Create the Pleroma database: + +``` +# psql -U postgres -f /home/_pleroma/pleroma/config/setup_db.psql +``` + +Switch back to the \_pleroma user and apply database migrations: + +``` +# su _pleroma +$ cd /home/_pleroma/pleroma +$ MIX_ENV=prod mix ecto.migrate +``` + +Note: You will need to run this step again when updating your instance to a newer version with `git pull` or `git checkout tags/NEW_VERSION`. + +As \_pleroma in /home/\_pleroma/pleroma, you can now run `MIX_ENV=prod mix phx.server` to start your instance. +In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* is correct. #### httpd + httpd will have three functions: * redirect requests trying to reach the instance over http to the https URL @@ -69,6 +128,7 @@ httpd will have three functions: * get Let's Encrypt certificates, with acme-client Insert the following config in httpd.conf: + ``` # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $ 
@@ -95,18 +155,22 @@ server "default" { types { } ``` + Do not forget to change ** to your server's address(es). If httpd should only listen on one protocol family, comment one of the two first *listen* options. Create the /var/www/htdocs/local/ folder and write the content of your robots.txt in /var/www/htdocs/local/robots.txt. Check the configuration with `httpd -n`, if it is OK enable and start httpd (as root): + ``` -rcctl enable httpd -rcctl start httpd +# rcctl enable httpd +# rcctl start httpd ``` #### acme-client + acme-client is used to get SSL/TLS certificates from Let's Encrypt. Insert the following configuration in /etc/acme-client.conf: + ``` # # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $ @@ -126,19 +190,24 @@ domain { challengedir "/var/www/acme/" } ``` + Replace ** by the domain name you'll use for your instance. As root, run `acme-client -n` to check the config, then `acme-client -ADv ` to create account and domain keys, and request a certificate for the first time. Make acme-client run everyday by adding it in /etc/daily.local. As root, run the following command: `echo "acme-client " >> /etc/daily.local`. Relayd will look for certificates and keys based on the address it listens on (see next part), the easiest way to make them available to relayd is to create a link, as root run: + ``` ln -s /etc/ssl/.fullchain.pem /etc/ssl/.crt ln -s /etc/ssl/private/.key /etc/ssl/private/.key ``` + This will have to be done for each IPv4 and IPv6 address relayd listens on. #### relayd + relayd will be used as the reverse proxy sitting in front of pleroma. Insert the following configuration in /etc/relayd.conf: + ``` # $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $ 
@@ -188,8 +257,10 @@ relay wwwtls { forward to port 80 check http "/robots.txt" code 200 } ``` + Again, change ** to your server's address(es) and comment one of the two *listen* options if needed. Also change *wss://CHANGEME.tld* to *wss://*. Check the configuration with `relayd -n`, if it is OK enable and start relayd (as root): + ``` rcctl enable relayd rcctl start relayd 
@@ -225,36 +296,36 @@ pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach par pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh ``` + Replace ** by your server's network interface name (which you can get with ifconfig). Consider replacing the content of the authorized\_ssh\_clients macro by, for example, your home IP address, to avoid SSH connection attempts from bots. Check pf's configuration by running `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` and enable pf at boot with `rcctl enable pf`. -#### Configure and start pleroma -Enter a shell as \_pleroma (as root `su _pleroma -`) and enter pleroma's installation directory (`cd ~/pleroma/`). +### Starting pleroma at boot -Then follow the main installation guide: +Copy the startup script and make sure it's executable: - * run `mix deps.get` - * run `MIX_ENV=prod mix pleroma.instance gen` and enter your instance's information when asked - * copy config/generated\_config.exs to config/prod.secret.exs. The default values should be sufficient but you should edit it and check that everything seems OK. - * exit your current shell back to a root one and run `psql -U postgres -f /home/_pleroma/pleroma/config/setup_db.psql` to setup the database. - * return to a \_pleroma shell into pleroma's installation directory (`su _pleroma -;cd ~/pleroma`) and run `MIX_ENV=prod mix ecto.migrate` - -As \_pleroma in /home/\_pleroma/pleroma, you can now run `LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server` to start your instance. -In another SSH session/tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that *uri*'s value is your instance's domain name. 
- -##### Starting pleroma at boot -An rc script to automatically start pleroma at boot hasn't been written yet, it can be run in a tmux session (tmux is in base). - - -#### Create administrative user - -If your instance is up and running, you can create your first user with administrative rights with the following command as the \_pleroma user. ``` -LC_ALL=en_US.UTF-8 MIX_ENV=prod mix pleroma.user new --admin +# cp /home/_pleroma/pleroma/installation/openbsd/rc.d/pleroma /etc/rc.d/pleroma +# chmod +x /etc/rc.d/pleroma ``` -#### Further reading +Enable and start the pleroma service: + +``` +# rcctl enable pleroma +# rcctl start pleroma +``` + +### Create administrative user + +If your instance is up and running, you can create your first user with administrative rights with the following command as the \_pleroma user: + +``` +MIX_ENV=prod mix pleroma.user new --admin +``` + +### Further reading {! backend/installation/further_reading.include !} From 1fcf7333540bda5f2957a5eecbb3122621d7b8e8 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Mon, 23 Sep 2024 23:36:18 +0200 Subject: [PATCH 04/23] docs openbsd: Add nginx guide, do not recommend httpd/relayd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD's httpd does not support caching in any way and putting a caching layer between it and Pleroma is pointless when nginx works fine. I also ran into issues with relayd when accessing it from the Tor browser. Federation seems to be unaffected by this as is base Firefox and Chrome. --- docs/installation/openbsd_en.md | 167 ++++++++++++++++++++++++-------- 1 file changed, 128 insertions(+), 39 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index e47f40a87..b732205c2 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md 
@@ -117,7 +117,133 @@ $ MIX_ENV=prod mix ecto.migrate Note: You will need to run this step again when updating your instance to a newer version with `git pull` or `git checkout tags/NEW_VERSION`. As \_pleroma in /home/\_pleroma/pleroma, you can now run `MIX_ENV=prod mix phx.server` to start your instance. -In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* is correct. +In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* are correct. + +### Configuring acme-client + +acme-client is used to get SSL/TLS certificates from Let's Encrypt. +Insert the following configuration in /etc/acme-client.conf and replace `example.tld` with your domain: + +``` +# +# $OpenBSD: acme-client.conf,v 1.5 2023/05/10 07:34:57 tb Exp $ +# + +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} + +domain example.tld { + # Adds alternative names to the certificate. Useful when serving media on another domain. Comma or space separated list. 
+ # alternative names { } + + domain key "/etc/ssl/private/example.tld.key" + domain certificate "/etc/ssl/example.tld_cert-only.crt" + domain full chain certificate "/etc/ssl/example.tld.crt" + sign with letsencrypt +} +``` + +Check the configuration: + +``` +# acme-client -n +``` + +Add auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain: + +``` +echo "acme-client example.tld >> /etc/weekly.local +``` + +### Configuring the Web server + +Pleroma supports two Web servers: + + * nginx (recommended for most users) + * OpenBSD's httpd and relayd (ONLY for advanced users, media proxy cache is NOT supported and will NOT work properly) + +#### nginx + +Since nginx is not installed by default, install it by running: + +``` +# pkg_add nginx +``` + +Add the following to `/etc/nginx/nginx.conf`, within the `server {}` block listening on port 80 and change `server_name`, as follows: + +``` +http { + ... + + server { + ... + server_name example.tld; # Replace with your domain + + location ~ /.well-known/acme-challenge { + root /var/www/acme; + } + } +} +``` + +Start the nginx service and acquire certificates: + +``` +# rcctl start nginx +# acme-client example.tld +``` + +OpenBSD's default nginx configuration does not contain an include directive, which is typically used for multiple sites. +Therefore, you will need to first create the required directory as follows: + +``` +# mkdir /etc/nginx/sites-available +# mkdir /etc/nginx/sites-enabled +``` + +Next add the `include` directive to `/etc/nginx/nginx.conf`, within the `http {}` block, as follows: + +``` +http { + ... + + server { + ... + } + + include /etc/nginx/sites-enabled/*; +} +``` + +As root, copy `/home/_pleroma/pleroma/installation/pleroma.nginx` to `/etc/nginx/sites-available/pleroma.nginx`. 
+ +Edit default `/etc/nginx/sites-available/pleroma.nginx` settings and replace `example.tld` with your domain: + + * Change `ssl_trusted_certificate` to `/etc/ssl/example.tld_cert-only.crt` + * Change `ssl_certificate` to `/etc/ssl/example.tld.crt` + * Change `ssl_certificate_key` to `/etc/ssl/private/example.tld.key` + +Symlink the Pleroma configuration to the enabled sites: + +``` +# ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled +``` + +Check nginx configuration syntax by running: + +``` +# nginx -t +``` + +If the configuration is correct, you can now enable and reload the nginx service: + +``` +# rcctl enable nginx +# rcctl reload nginx +``` #### httpd 
@@ -166,43 +292,6 @@ Check the configuration with `httpd -n`, if it is OK enable and start httpd (as # rcctl start httpd ``` -#### acme-client - -acme-client is used to get SSL/TLS certificates from Let's Encrypt. -Insert the following configuration in /etc/acme-client.conf: - -``` -# -# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $ -# - -authority letsencrypt- { - #agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" - api url "https://acme-v02.api.letsencrypt.org/directory" - account key "/etc/acme/letsencrypt-privkey-.pem" -} - -domain { - domain key "/etc/ssl/private/.key" - domain certificate "/etc/ssl/.crt" - domain full chain certificate "/etc/ssl/.fullchain.pem" - sign with letsencrypt- - challengedir "/var/www/acme/" -} -``` - -Replace ** by the domain name you'll use for your instance. As root, run `acme-client -n` to check the config, then `acme-client -ADv ` to create account and domain keys, and request a certificate for the first time. -Make acme-client run everyday by adding it in /etc/daily.local. As root, run the following command: `echo "acme-client " >> /etc/daily.local`. - -Relayd will look for certificates and keys based on the address it listens on (see next part), the easiest way to make them available to relayd is to create a link, as root run: - -``` -ln -s /etc/ssl/.fullchain.pem /etc/ssl/.crt -ln -s /etc/ssl/private/.key /etc/ssl/private/.key -``` - -This will have to be done for each IPv4 and IPv6 address relayd listens on. - #### relayd relayd will be used as the reverse proxy sitting in front of pleroma. @@ -322,7 +411,7 @@ Enable and start the pleroma service: If your instance is up and running, you can create your first user with administrative rights with the following command as the \_pleroma user: ``` -MIX_ENV=prod mix pleroma.user new --admin +$ MIX_ENV=prod mix pleroma.user new --admin ``` ### Further reading From 71c60aa9fe5a58be92b32c1af56cac6ade742264 Mon Sep 17 00:00:00 2001 
From: Phantasm Date: Sat, 26 Oct 2024 20:38:43 +0200 Subject: [PATCH 05/23] docs openbsd: specifically install erlang 26 due to a TLSv1.3 bug OTP 25 and earlier versions have a broken TLSv1.3 minimum requirements check that breaks federation for TLSv1.3-only instances. --- docs/installation/openbsd_en.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index b732205c2..1e7a011fc 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -2,7 +2,7 @@ {! backend/installation/otp_vs_from_source_source.include !} -This guide describes the installation and configuration of Pleroma (and the required software to run it) on a single OpenBSD 7.5 server. +This guide describes the installation and configuration of Pleroma (and the required software to run it) on a single OpenBSD 7.6 server. For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command. @@ -16,7 +16,7 @@ For any additional information regarding commands and configuration files mentio To install required packages, run the following command: ``` -# pkg_add elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips +# pkg_add erlang%26 elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips ``` Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. From 3dc2655f5954fbcd426a67f96cc40b16fedf52eb Mon Sep 17 00:00:00 2001 
From: Phantasm Date: Mon, 11 Nov 2024 23:48:33 +0100 Subject: [PATCH 06/23] openbsd: update relayd and httpd configuration files * httpd: use proper server names * httpd: add example of a very basic static website along with Pleroma * httpd: let Pleroma serve robots.txt * relayd: add example of forwarding to a basic httpd website * relayd: remove appended response headers (most of them already served by Pleroma anyway) * relayd: add comments about hosting Pleroma on subdomains * relayd: reject request that don't belong to any forward * relayd: add example of hosting media uploads on subdomain * relayd: change forward timeout check to something sane that actually works --- installation/openbsd/httpd.conf | 17 +++++++--- installation/openbsd/relayd.conf | 56 +++++++++++++++++++++++--------- 2 files changed, 53 insertions(+), 20 deletions(-) diff --git a/installation/openbsd/httpd.conf b/installation/openbsd/httpd.conf index 82f4803fd..912a541af 100644 --- a/installation/openbsd/httpd.conf +++ b/installation/openbsd/httpd.conf @@ -4,8 +4,9 @@ # 1. Place file in /etc # 2. Replace with your public IP address # 3. If using IPv6, uncomment IPv6 lines and replace with your public IPv6 address -# 4. Check file using 'doas httpd -n' -# 5. Enable and start httpd: +# 4. Replace all occurences of example.tld with your instance's domain name. +# 5. Check file using 'doas httpd -n' +# 6. Enable and start httpd: # # doas rcctl enable httpd # # doas rcctl start httpd # @@ -13,7 +14,7 @@ ext_inet="" #ext_inet6="" -server "default" { +server "example.tld" { listen on $ext_inet port 80 # Comment to disable listening on IPv4 # listen on $ext_inet6 port 80 # Comment to disable listening on IPv6 listen on 127.0.0.1 port 80 # Do NOT comment this line 
@@ -26,10 +27,18 @@ server "default" { request strip 2 } - location "/robots.txt" { root "/htdocs/local/" } location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" } } +# Example of serving a basic static website besides Pleroma using the example configuration in relayd +#server "site.example.tld" { +# listen on 127.0.0.1 port 8080 +# +# location "/*" { +# root "/website" +# } +#} + types { include "/usr/share/misc/mime.types" } diff --git a/installation/openbsd/relayd.conf b/installation/openbsd/relayd.conf index 31c2c1129..816de6de7 100644 --- a/installation/openbsd/relayd.conf +++ b/installation/openbsd/relayd.conf @@ -4,8 +4,9 @@ # 1. Place in /etc # 2. Replace with your public IPv4 address # 3. If using IPv6i, uncomment IPv6 lines and replace with your public IPv6 address -# 4. Check file using 'doas relayd -n' -# 5. Reload/start relayd +# 4. Replace all occurrences of example.tld with your instance's domain +# 5. Check file using 'doas relayd -n' +# 6. Reload/start relayd # # doas rcctl enable relayd # # doas rcctl start relayd # 
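Review bot: The redirect kept in the `@@ -26,10 +27,18 @@` hunk of installation/openbsd/httpd.conf, `block return 302 "https://$HTTP_HOST$REQUEST_URI"`, still builds the Location header from the client-supplied Host header, so any Host value sent to port 80 is reflected into the redirect target. Since this commit names the server `example.tld`, the redirect can use the configured name instead: `block return 302 "https://$SERVER_NAME$REQUEST_URI"`. The server block opens outside this hunk; if it is meant to answer for several names, keep `$HTTP_HOST` and state that in a comment next to the line.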
@@ -14,31 +15,54 @@ ext_inet="" #ext_inet6="" table { 127.0.0.1 } -table { 127.0.0.1 } -http protocol plerup { # Protocol for upstream pleroma server +# Uncomment next line when you want to serve other services than Pleroma. +# In this example tables are used only as way to differentiate between Pleroma and other services. +# Feel free to rename "httpd_server" everywhere to fit your setup. +#table { 127.0.0.1 } + +http protocol pleroma { # Protocol for upstream Pleroma server #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit - tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305" - tls ecdhe secp384r1 + tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1 - # Forward some paths to the local server (as pleroma won't respond to them as you might want) - pass request quick path "/robots.txt" forward to + return error - # Append a bunch of headers - match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt - match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" + # When serving multiple services with different certificates, specify multiple "tls keypair" keywords + # and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations. + # The string in quotes must match the fullchain certificate file create by acme-client. 
+ # For example: + # tls keypair "pleroma.example.tld" + # tls keypair "example.tld" + tls keypair "example.tld" + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "Connection" value "upgrade" + # When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain). + # From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead. + pass request quick header "Host" value "example.tld" forward to + + # Uncomment when serving media uploads on a different (sub)domain. + # Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead. + #pass request quick header "Host" value "media.example.tld" forward to + + # When serving multiple services, add the forwards here. + # Example: + #pass request quick header "Host" value "example.tld" forward to + + block } relay wwwtls { listen on $ext_inet port https tls # Comment to disable listening on IPv4 -# listen on $ext_inet6 port https tls # Comment to disable listening on IPv6 + #listen on $ext_inet6 port https tls # Comment to disable listening on IPv6 - protocol plerup + protocol pleroma - forward to port 4000 check http "/" code 200 - forward to port 80 check http "/robots.txt" code 200 + forward to port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems. + + # When serving multiple services, add the forwards here. + # Example: + #forward to port 8080 } - From 9b39065595ee49dad929c2613bf5ec04413039a7 Mon Sep 17 00:00:00 2001 
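Review bot: In the `http protocol pleroma` block of installation/openbsd/relayd.conf, `match request header append "X-Forwarded-For" value "$REMOTE_ADDR"` appends to whatever X-Forwarded-For the client already sent, so the header reaching Pleroma can begin with client-chosen addresses. relayd is the edge proxy in this configuration, so overwriting is the safer default: `match request header set "X-Forwarded-For" value "$REMOTE_ADDR"`. Whether Pleroma is affected depends on how its remote-IP handling selects an entry, which is not visible here, so treat this as hardening. Separately, the new `tls ciphers` string adds the CBC-mode suites `ECDHE-ECDSA-AES256-SHA384` and `ECDHE-RSA-AES256-SHA384`; either drop them or add a comment naming the clients that need them.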
From: Phantasm Date: Tue, 12 Nov 2024 00:15:07 +0100 Subject: [PATCH 07/23] openbsd: add changelogs --- changelog.d/openbsd-docs-update.skip | 0 changelog.d/openbsd-update-httpd-relayd.change | 1 + changelog.d/openbsd-update-rc.fix | 1 + 3 files changed, 2 insertions(+) create mode 100644 changelog.d/openbsd-docs-update.skip create mode 100644 changelog.d/openbsd-update-httpd-relayd.change create mode 100644 changelog.d/openbsd-update-rc.fix diff --git a/changelog.d/openbsd-docs-update.skip b/changelog.d/openbsd-docs-update.skip new file mode 100644 index 000000000..e69de29bb diff --git a/changelog.d/openbsd-update-httpd-relayd.change b/changelog.d/openbsd-update-httpd-relayd.change new file mode 100644 index 000000000..2ee85c2b0 --- /dev/null +++ b/changelog.d/openbsd-update-httpd-relayd.change @@ -0,0 +1 @@ +Updated relayd/httpd config files to be on par with nginx diff --git a/changelog.d/openbsd-update-rc.fix b/changelog.d/openbsd-update-rc.fix new file mode 100644 index 000000000..2d4263827 --- /dev/null +++ b/changelog.d/openbsd-update-rc.fix @@ -0,0 +1 @@ +replaced depracated flags and functions, renamed service to fit other service files From 427db326032628248b44439d5593f8395b3de428 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Tue, 12 Nov 2024 00:21:33 +0100 Subject: [PATCH 08/23] openbsd relayd: clarify certificate naming --- installation/openbsd/relayd.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/installation/openbsd/relayd.conf b/installation/openbsd/relayd.conf index 816de6de7..b04f122e1 100644 --- a/installation/openbsd/relayd.conf +++ b/installation/openbsd/relayd.conf 
@@ -16,7 +16,7 @@ ext_inet="" table { 127.0.0.1 } -# Uncomment next line when you want to serve other services than Pleroma. +# Uncomment when you want to serve other services than Pleroma. # In this example tables are used only as way to differentiate between Pleroma and other services. # Feel free to rename "httpd_server" everywhere to fit your setup. #table { 127.0.0.1 } @@ -30,7 +30,7 @@ http protocol pleroma { # Protocol for upstream Pleroma server # When serving multiple services with different certificates, specify multiple "tls keypair" keywords # and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations. - # The string in quotes must match the fullchain certificate file create by acme-client. + # The string in quotes must match the fullchain certificate file created by acme-client without the extension. # For example: # tls keypair "pleroma.example.tld" # tls keypair "example.tld" From d3f2d5919cd426b9cbd6c485ffd513610abc2dd6 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Fri, 22 Nov 2024 19:44:27 +0100 Subject: [PATCH 09/23] docs openbsd: update install instructions for httpd/relayd --- docs/installation/openbsd_en.md | 115 +++++++++----------------------- 1 file changed, 31 insertions(+), 84 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 1e7a011fc..4deed6550 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md 
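Review bot: The reworded comment in the `@@ -30,7 +30,7 @@` hunk still names only the certificate, although `tls keypair` also needs the matching private key. As far as relayd.conf(5) describes it, the pair is looked up as `/etc/ssl/NAME.crt` and `/etc/ssl/private/NAME.key`, so an operator who copies only the fullchain file under a new name ends up with a relay that fails to load its key. I would spell both paths out: `# relayd loads /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key; NAME is the acme-client certificate file name without ".crt".` The `http protocol pleroma` block continues outside the hunk, and the acme-client.conf paths are not visible here, so confirm the names against that file.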
@@ -247,45 +247,27 @@ If the configuration is correct, you can now enable and reload the nginx service #### httpd -httpd will have three functions: +httpd will have two functions: * redirect requests trying to reach the instance over http to the https URL - * serve a robots.txt file * get Let's Encrypt certificates, with acme-client -Insert the following config in httpd.conf: +As root, copy `/home/_pleroma/pleroma/installation/openbsd/httpd.conf` to `/etc/httpd.conf`, or modify the existing one. +Edit `/etc/httpd.conf` settings and change: + + * `` with your instance's IPv4 address + * All occurances of `example.tld` with your instance's domain name + * When using IPv6 also change: + - Uncomment the `ext_inet6=""` line near the beginning of the file and change `* to your server's address(es). If httpd should only listen on one protocol family, comment one of the two first *listen* options. - -Create the /var/www/htdocs/local/ folder and write the content of your robots.txt in /var/www/htdocs/local/robots.txt. -Check the configuration with `httpd -n`, if it is OK enable and start httpd (as root): +If the configuration is correct, enable and start the `httpd` service: ``` # rcctl enable httpd 
@@ -295,73 +277,38 @@ Check the configuration with `httpd -n`, if it is OK enable and start httpd (as #### relayd relayd will be used as the reverse proxy sitting in front of pleroma. -Insert the following configuration in /etc/relayd.conf: +As root, copy `/home/_pleroma/pleroma/installation/openbsd/relayd.conf` to `/etc/relayd.conf`, or modify the existing one. + +Edit `/etc/relayd.conf` settings and change: + + * `` with your instance's IPv4 address + * All occurances of `example.tld` with your instance's domain name + * When using IPv6 also change: + - Uncomment the `ext_inet6=""` line near the beginning of the file and change `` to your instance's IPv6 address + - Uncomment the line starting with `listen on $ext_inet6` in the `relay wwwtls` block + +Check the configuration by running: ``` -# $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $ - -ext_inet="" -ext_inet6="" - -table { 127.0.0.1 } -table { 127.0.0.1 } - -http protocol plerup { # Protocol for upstream pleroma server - #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit - tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305" - tls ecdhe secp384r1 - - # Forward some paths to the local server (as pleroma won't respond to them as you might want) - pass request quick path "/robots.txt" forward to - - # Append a bunch of headers - match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by pleroma but adding them won't hurt - match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" - - match response header append "X-XSS-Protection" value "1; mode=block" - match response header append "X-Permitted-Cross-Domain-Policies" value "none" - match response header append "X-Frame-Options" value "DENY" - match response header append "X-Content-Type-Options" value "nosniff" - match response header 
append "Referrer-Policy" value "same-origin" - match response header append "X-Download-Options" value "noopen" - match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here - match request header append "Connection" value "upgrade" - #match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working. - - # If you do not want remote frontends to be able to access your Pleroma backend server, comment these lines - match response header append "Access-Control-Allow-Origin" value "*" - match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS" - match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key" - match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id" - # Stop commenting lines here -} - -relay wwwtls { - listen on $ext_inet port https tls # Comment to disable listening on IPv4 - listen on $ext_inet6 port https tls # Comment to disable listening on IPv6 - - protocol plerup - - forward to port 4000 check http "/" code 200 - forward to port 80 check http "/robots.txt" code 200 -} +# relayd -n ``` -Again, change ** to your server's address(es) and comment one of the two *listen* options if needed. Also change *wss://CHANGEME.tld* to *wss://*. 
-Check the configuration with `relayd -n`, if it is OK enable and start relayd (as root): +If the configuration is correct, enable and start the `relayd` service: ``` -rcctl enable relayd -rcctl start relayd +# rcctl enable relayd +# rcctl start relayd ``` -##### (Strongly recommended) serve media on another domain +#### (Strongly recommended) serve media on another domain Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors. + #### pf Enabling and configuring pf is highly recommended. In /etc/pf.conf, insert the following configuration: + ``` # Macros if="" From 0bd21084c42ab6e935c5a53e1ee12aa7bca3b835 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Fri, 22 Nov 2024 19:45:45 +0100 Subject: [PATCH 10/23] docs openbsd: remove firewall configuation from install instructions It isn't in any of the install docs, why should it be here. --- docs/installation/openbsd_en.md | 33 --------------------------------- 1 file changed, 33 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 4deed6550..76b3d69c5 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md 
@@ -304,39 +304,6 @@ If the configuration is correct, enable and start the `relayd` service: Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors. - -#### pf -Enabling and configuring pf is highly recommended. -In /etc/pf.conf, insert the following configuration: - -``` -# Macros -if="" -authorized_ssh_clients="any" - -# Skip traffic on loopback interface -set skip on lo - -# Default behavior -set block-policy drop -block in log all -pass out quick - -# Security features -match in all scrub (no-df random-id) -block in log from urpf-failed - -# Rules -pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP -pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6 -pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd -pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh -``` - -Replace ** by your server's network interface name (which you can get with ifconfig). Consider replacing the content of the authorized\_ssh\_clients macro by, for example, your home IP address, to avoid SSH connection attempts from bots. - -Check pf's configuration by running `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` and enable pf at boot with `rcctl enable pf`. - ### Starting pleroma at boot Copy the startup script and make sure it's executable: From a21e11f586676f001bb32d1a5786a8ebf7132ba7 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Fri, 22 Nov 2024 19:47:37 +0100 Subject: [PATCH 11/23] openbsd: unify IPvX placeholders in configs --- installation/openbsd/httpd.conf | 10 +++++----- installation/openbsd/relayd.conf | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/installation/openbsd/httpd.conf b/installation/openbsd/httpd.conf index 912a541af..c8ddae629 100644 
--- a/installation/openbsd/httpd.conf +++ b/installation/openbsd/httpd.conf @@ -2,8 +2,8 @@ # Default httpd.conf file for Pleroma on OpenBSD # Simple installation instructions # 1. Place file in /etc -# 2. Replace with your public IP address -# 3. If using IPv6, uncomment IPv6 lines and replace with your public IPv6 address +# 2. Replace with your public IP address +# 3. If using IPv6, uncomment IPv6 lines and replace with your public IPv6 address # 4. Replace all occurences of example.tld with your instance's domain name. # 5. Check file using 'doas httpd -n' # 6. Enable and start httpd: @@ -11,12 +11,12 @@ # # doas rcctl start httpd # -ext_inet="" -#ext_inet6="" +ext_inet="" +#ext_inet6="" server "example.tld" { listen on $ext_inet port 80 # Comment to disable listening on IPv4 -# listen on $ext_inet6 port 80 # Comment to disable listening on IPv6 + #listen on $ext_inet6 port 80 # Comment to disable listening on IPv6 listen on 127.0.0.1 port 80 # Do NOT comment this line log syslog diff --git a/installation/openbsd/relayd.conf b/installation/openbsd/relayd.conf index b04f122e1..8b7be4ca6 100644 --- a/installation/openbsd/relayd.conf +++ b/installation/openbsd/relayd.conf @@ -3,7 +3,7 @@ # Simple installation instructions: # 1. Place in /etc # 2. Replace with your public IPv4 address -# 3. If using IPv6i, uncomment IPv6 lines and replace with your public IPv6 address +# 3. If using IPv6, uncomment IPv6 lines and replace with your public IPv6 address # 4. Replace all occurrences of example.tld with your instance's domain # 5. Check file using 'doas relayd -n' # 6. Reload/start relayd From 79c5ca05c9956a3dbbc4faf4c71054f57622b458 Mon Sep 17 00:00:00 2001 
From: Phantasm Date: Sun, 24 Nov 2024 16:42:24 +0100 Subject: [PATCH 12/23] docs openbsd: inherit default daemon limits and tweak them su _pleroma commands were also changed in docs to simulate a full login to apply the custom environment from login.conf --- docs/installation/openbsd_en.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 76b3d69c5..f205aa573 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -57,14 +57,15 @@ To check that PostgreSQL started properly and didn't fail right after starting, ### Configuring Pleroma -Pleroma will be run by a dedicated \_pleroma user. Before creating it, insert the following lines in /etc/login.conf: +Pleroma will be run by a dedicated \_pleroma user. Before creating it, insert the following lines in `/etc/login.conf`: ``` pleroma:\ - :datasize-max=1536M:\ - :datasize-cur=1536M:\ + :datasize=1536M:\ :openfiles-max=4096:\ - :setenv=LC_ALL=en_US.UTF-8 + :openfiles-cur=1024:\ + :setenv=LC_ALL=en_US.UTF-8,VIX_COMPILATION_MODE=PLATFORM_PROVIDED_LIBVIPS:\ + :tc=daemon: ``` This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having Pleroma crash some time after starting. @@ -73,19 +74,17 @@ Create the \_pleroma user, assign it the pleroma login class and create its home ``` # useradd -m -L pleroma _pleroma -# echo 'export VIX_COMPILATION_MODE=PLATFORM_PROVIDED_LIBVIPS' >> /home/_pleroma/.profile ``` Switch to the _pleroma user: ``` -# su _pleroma +# su -l _pleroma ``` -Change to the home directory (/home/\_pleroma) and clone the Pleroma repository: +Clone the Pleroma repository: ``` -$ cd $ git clone -b stable https://git.pleroma.social/pleroma/pleroma.git $ cd pleroma ``` 
@@ -109,8 +108,8 @@ Create the Pleroma database: Switch back to the \_pleroma user and apply database migrations: ``` -# su _pleroma -$ cd /home/_pleroma/pleroma +# su -l _pleroma +$ cd pleroma $ MIX_ENV=prod mix ecto.migrate ``` From ee25acea6d87c036d195c69430bd2e92ea56bd52 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Sun, 24 Nov 2024 23:43:55 +0100 Subject: [PATCH 13/23] docs openbsd: Fix nginx acme challenges, automatic certificate renewals in proper places --- docs/installation/openbsd_en.md | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index f205aa573..1194a5f07 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -121,7 +121,7 @@ In another SSH session or a tmux window, check that it is working properly by ru ### Configuring acme-client acme-client is used to get SSL/TLS certificates from Let's Encrypt. -Insert the following configuration in /etc/acme-client.conf and replace `example.tld` with your domain: +Insert the following configuration in `/etc/acme-client.conf` and replace `example.tld` with your domain: ``` # @@ -150,12 +150,6 @@ Check the configuration: # acme-client -n ``` -Add auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain: - -``` -echo "acme-client example.tld >> /etc/weekly.local -``` - ### Configuring the Web server Pleroma supports two Web servers: @@ -181,7 +175,8 @@ http { ... server_name example.tld; # Replace with your domain - location ~ /.well-known/acme-challenge { + location /.well-known/acme-challenge { + rewrite ^/.well-known/acme-challenge/(.*) /$1 break; root /var/www/acme; } } 
@@ -195,6 +190,12 @@ Start the nginx service and acquire certificates: # acme-client example.tld ``` +Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain: + +``` +# echo "acme-client example.tld && rcctl reload nginx" >> /etc/weekly.local +``` + OpenBSD's default nginx configuration does not contain an include directive, which is typically used for multiple sites. Therefore, you will need to first create the required directory as follows: @@ -246,6 +247,8 @@ If the configuration is correct, you can now enable and reload the nginx service #### httpd +***Skip this section when using nginx*** + httpd will have two functions: * redirect requests trying to reach the instance over http to the https URL @@ -275,6 +278,8 @@ If the configuration is correct, enable and start the `httpd` service: #### relayd +***Skip this section when using nginx*** + relayd will be used as the reverse proxy sitting in front of pleroma. As root, copy `/home/_pleroma/pleroma/installation/openbsd/relayd.conf` to `/etc/relayd.conf`, or modify the existing one. @@ -299,6 +304,12 @@ If the configuration is correct, enable and start the `relayd` service: # rcctl start relayd ``` +Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain: + +``` +# echo "acme-client example.tld && rcctl reload relayd" >> /etc/weekly.local +``` + #### (Strongly recommended) serve media on another domain Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors. From df492669e576de8feb83a9f83d621533326e3f21 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Sun, 24 Nov 2024 23:45:03 +0100 Subject: [PATCH 14/23] docs openbsd: proper permission for Pleroma service file --- docs/installation/openbsd_en.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 1194a5f07..f0d6b9e93 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -320,7 +320,7 @@ Copy the startup script and make sure it's executable: ``` # cp /home/_pleroma/pleroma/installation/openbsd/rc.d/pleroma /etc/rc.d/pleroma -# chmod +x /etc/rc.d/pleroma +# chmod 555 /etc/rc.d/pleroma ``` Enable and start the pleroma service: From b0721ddbf5c0e32fdab6fda09855b061cc0fb1e1 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Mon, 25 Nov 2024 00:03:04 +0100 Subject: [PATCH 15/23] docs openbsd: recommend changing pgsql auth method, remove redundant service check --- docs/installation/openbsd_en.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index f0d6b9e93..45cd03a9a 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -46,6 +46,11 @@ $ initdb -D /var/postgresql/data -U postgres Running PostgreSQL in a different directory than `/var/postgresql/data` requires changing the `daemon_flags` variable in the `/etc/rc.d/postgresql` script. +For security reasons it is recommended to change the authentication method for `local` and `host` connections with the localhost address to `scram-sha-256`.
+Do not forget to set a password for the `postgres` user before doing so, otherwise you won't be able to log back in unless you change the authentication method back to `trust`.
+Changing the password hashing algorithm is not needed.
+For more information [read](https://www.postgresql.org/docs/16/auth-pg-hba-conf.html) the PostgreSQL documentation. + Enable and start the postgresql service: ``` @@ -53,7 +58,7 @@ Enable and start the postgresql service: # rcctl start postgresql ``` -To check that PostgreSQL started properly and didn't fail right after starting, you can run `ps aux | grep postgres`, there should be multiple lines of output. Or alternatively run `# rcctl check postgresql` which should return `postgresql(ok)`. +To check that PostgreSQL started properly and didn't fail right after starting, run `# rcctl check postgresql` which should return `postgresql(ok)`. ### Configuring Pleroma From e0ba132bce735a5c429fa2280ce90d99fb02ae10 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Tue, 26 Nov 2024 14:53:02 +0100 Subject: [PATCH 16/23] docs openbsd: ensure db has UTF-8 enconding --- docs/installation/openbsd_en.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 45cd03a9a..cf3dee5e3 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -41,7 +41,7 @@ Switch to the \_postgresql user and initialize PostgreSQL: ``` # su _postgresql -$ initdb -D /var/postgresql/data -U postgres +$ initdb -D /var/postgresql/data -U postgres --encoding=utf-8 --lc-collate=C ``` Running PostgreSQL in a different directory than `/var/postgresql/data` requires changing the `daemon_flags` variable in the `/etc/rc.d/postgresql` script. From 3b5b3ba4fc1e714c9d8927bb32f85d56e2f6b3d4 Mon Sep 17 00:00:00 2001 
From: Phantasm Date: Wed, 27 Nov 2024 21:40:36 +0100 Subject: [PATCH 17/23] openbsd: properly set daemon workdir, use default rc_start, set MIX_ENV in login.conf Setting the MIX_ENV variable in rc_pre() isn't possible, because the environment doesn't persist between rc_pre and rc_start(). This way we can also ditch the custom rc_start() function in favor of the default one which is just: rc_start() { rc_exec "${daemon} ${daemon_flags} } --- docs/installation/openbsd_en.md | 2 +- installation/openbsd/rc.d/pleroma | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index cf3dee5e3..8aaa6e8de 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -69,7 +69,7 @@ pleroma:\ :datasize=1536M:\ :openfiles-max=4096:\ :openfiles-cur=1024:\ - :setenv=LC_ALL=en_US.UTF-8,VIX_COMPILATION_MODE=PLATFORM_PROVIDED_LIBVIPS:\ + :setenv=LC_ALL=en_US.UTF-8,VIX_COMPILATION_MODE=PLATFORM_PROVIDED_LIBVIPS,MIX_ENV=prod:\ :tc=daemon: ``` diff --git a/installation/openbsd/rc.d/pleroma b/installation/openbsd/rc.d/pleroma index 9b54d5967..6959c20b0 100755 --- a/installation/openbsd/rc.d/pleroma +++ b/installation/openbsd/rc.d/pleroma @@ -13,8 +13,7 @@ daemon="/usr/local/bin/elixir" daemon_flags="--erl \"-detached\" -S /usr/local/bin/mix phx.server" daemon_user="_pleroma" - -env="MIX_ENV=prod" +daemon_execdir="/home/_pleroma/pleroma" . /etc/rc.d/rc.subr @@ -25,10 +24,6 @@ rc_check() { pgrep -q -U _pleroma -f "phx.server" } -rc_start() { - rc_exec "cd pleroma; export ${env}; ${daemon} ${daemon_flags}" -} - rc_stop() { pkill -q -U _pleroma -f "phx.server" } From accdefb8db480066ca06176db94b7c82c74cd6b9 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Wed, 27 Nov 2024 21:46:50 +0100 Subject: [PATCH 18/23] openbsd httpd: use more appropriate HTTP response code for redirect --- installation/openbsd/httpd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
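Review bot: With `env="MIX_ENV=prod"` and the custom `rc_start()` removed from rc.d/pleroma, nothing in the script selects the production environment any more; it relies entirely on the `pleroma` login class in `/etc/login.conf` being applied to the daemon. rc.subr is not visible here, but as I understand it the class is picked up because the script name matches the class name, so a renamed script or a login.conf without the `setenv` entry would presumably start `mix phx.server` in the default development environment without any error. I would document that dependency next to `daemon_execdir`: `# MIX_ENV=prod comes from the "pleroma" login class in /etc/login.conf; keep the script name and the class name identical.` The script header with the installation steps lies outside these hunks and would be the other place to mention the login.conf step.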
diff --git a/installation/openbsd/httpd.conf b/installation/openbsd/httpd.conf index c8ddae629..f37325d91 100644 --- a/installation/openbsd/httpd.conf +++ b/installation/openbsd/httpd.conf @@ -27,7 +27,7 @@ server "example.tld" { request strip 2 } - location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" } + location "/*" { block return 301 "https://$HTTP_HOST$REQUEST_URI" } } # Example of serving a basic static website besides Pleroma using the example configuration in relayd From 49c35f8d95e4fb7e58d62e2b3babc06bb3066429 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Wed, 27 Nov 2024 21:47:13 +0100 Subject: [PATCH 19/23] dosc openbsd: add missing acquire certificate instruction for httpd --- docs/installation/openbsd_en.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 8aaa6e8de..d5df310cc 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -281,6 +281,12 @@ If the configuration is correct, enable and start the `httpd` service: # rcctl start httpd ``` +Acquire certificate: + +``` +# acme-client example.tld +``` + #### relayd ***Skip this section when using nginx*** From a323701c3369650736692e360d95f162d62df71f Mon Sep 17 00:00:00 2001 From: Phantasm Date: Wed, 27 Nov 2024 22:21:00 +0100 Subject: [PATCH 20/23] docs openbsd: spellcheck --- docs/installation/openbsd_en.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index d5df310cc..1135f838c 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md 
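Review bot: The redirect target in `location "/*"` is built from `$HTTP_HOST`, which is whatever Host header the client sent, and moving from 302 to 301 makes the resulting redirect permanently cacheable. If this server block also answers requests whose Host does not match `example.tld` (likely when it is the first or only server on the address), a request carrying a foreign Host gets a cacheable redirect to that foreign name. Pinning the target to the configured name avoids this: `location "/*" { block return 301 "https://$SERVER_NAME$REQUEST_URI" }`. The server block starts and ends outside the hunk, so check whether an alias or a media subdomain relies on the Host being echoed back before changing it.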
@@ -264,7 +264,7 @@ As root, copy `/home/_pleroma/pleroma/installation/openbsd/httpd.conf` to `/etc/ Edit `/etc/httpd.conf` settings and change: * `` with your instance's IPv4 address - * All occurances of `example.tld` with your instance's domain name + * All occurrences of `example.tld` with your instance's domain name * When using IPv6 also change: - Uncomment the `ext_inet6=""` line near the beginning of the file and change `` with your instance's IPv4 address - * All occurances of `example.tld` with your instance's domain name + * All occurrences of `example.tld` with your instance's domain name * When using IPv6 also change: - Uncomment the `ext_inet6=""` line near the beginning of the file and change `` to your instance's IPv6 address - Uncomment the line starting with `listen on $ext_inet6` in the `relay wwwtls` block From 047916445be61d2d86064e22a8acc22b6c017f5b Mon Sep 17 00:00:00 2001 From: Phantasm Date: Fri, 29 Nov 2024 16:00:52 +0100 Subject: [PATCH 21/23] docs openbsd: No need to switch users when creating DB --- docs/installation/openbsd_en.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 1135f838c..a98e6022a 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -107,14 +107,12 @@ Note: Answer yes when asked to install Hex and rebar3. This step might take some Create the Pleroma database: ``` -# psql -U postgres -f /home/_pleroma/pleroma/config/setup_db.psql +$ psql -U postgres -f config/setup_db.psql ``` -Switch back to the \_pleroma user and apply database migrations: +Apply database migrations: ``` -# su -l _pleroma -$ cd pleroma $ MIX_ENV=prod mix ecto.migrate ``` 
@@ -343,9 +341,10 @@ Enable and start the pleroma service: ### Create administrative user -If your instance is up and running, you can create your first user with administrative rights with the following command as the \_pleroma user: +If your instance is up and running, you can create your first user with administrative rights with the following commands as the \_pleroma user: ``` +$ cd pleroma $ MIX_ENV=prod mix pleroma.user new --admin ``` From 0a34e39569c3731a09968e9b51f5e52ac3d06216 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Wed, 5 Feb 2025 23:23:35 +0100 Subject: [PATCH 22/23] docs openbsd: fix certificate acquisition on nginx --- docs/installation/openbsd_en.md | 35 +++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index a98e6022a..387b0f2ea 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -19,7 +19,8 @@ To install required packages, run the following command: # pkg_add erlang%26 elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips ``` -Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. +Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). +Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. #### Optional software 
@@ -119,7 +120,8 @@ $ MIX_ENV=prod mix ecto.migrate Note: You will need to run this step again when updating your instance to a newer version with `git pull` or `git checkout tags/NEW_VERSION`. As \_pleroma in /home/\_pleroma/pleroma, you can now run `MIX_ENV=prod mix phx.server` to start your instance. -In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* are correct. +In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. +Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* are correct. ### Configuring acme-client @@ -176,10 +178,10 @@ http { server { ... - server_name example.tld; # Replace with your domain + server_name localhost; # Replace with your domain location /.well-known/acme-challenge { - rewrite ^/.well-known/acme-challenge/(.*) /$1 break; + rewrite ^/\.well-known/acme-challenge/(.*) /$1 break; root /var/www/acme; } } 
@@ -225,10 +227,32 @@ As root, copy `/home/_pleroma/pleroma/installation/pleroma.nginx` to `/etc/nginx Edit default `/etc/nginx/sites-available/pleroma.nginx` settings and replace `example.tld` with your domain: + * Uncomment the location block for `~ /\.well-known/acme-challenge` in the server block listening on port 80 + - add `rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;` above the `root` location + - change the `root` location to `/var/www/acme;` * Change `ssl_trusted_certificate` to `/etc/ssl/example.tld_cert-only.crt` * Change `ssl_certificate` to `/etc/ssl/example.tld.crt` * Change `ssl_certificate_key` to `/etc/ssl/private/example.tld.key` +Remove the following `location {}` block from `/etc/nginx/nginx.conf`, that was previously added for acquiring certificates and change `server_name` back to `localhost`: + +``` +http { + ... + + server { + ... + server_name example.tld; # Change back to localhost + + # Delete this block + location /.well-known/acme-challenge { + rewrite ^/\.well-known/acme-challenge/(.*) /$1 break; + root /var/www/acme; + } + } +} +``` + Symlink the Pleroma configuration to the enabled sites: ``` @@ -241,6 +265,9 @@ Check nginx configuration syntax by running: # nginx -t ``` +Note: If the above command complains about a `conflicting server name`, check again that the `location {}` block for acquiring certificates has been removed from `/etc/nginx/nginx.conf` and that the `server_name` has been reverted back to `localhost`. +After doing so run `# nginx -t` again. + If the configuration is correct, you can now enable and reload the nginx service: ``` From 9386863019b17175d965c202be24568de2651ac3 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Tue, 3 Jun 2025 23:08:51 +0200 Subject: [PATCH 23/23] openbsd: update install docs for 7.7 Explicitely installing OTP 26 is no longer needed. --- docs/installation/openbsd_en.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 387b0f2ea..1de016cdd 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -2,7 +2,7 @@ {! backend/installation/otp_vs_from_source_source.include !} -This guide describes the installation and configuration of Pleroma (and the required software to run it) on a single OpenBSD 7.6 server. +This guide describes the installation and configuration of Pleroma (and the required software to run it) on a single OpenBSD 7.7 server. For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command. @@ -16,7 +16,7 @@ For any additional information regarding commands and configuration files mentio To install required packages, run the following command: ``` -# pkg_add erlang%26 elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips +# pkg_add elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips ``` Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd).