Merge branch 'openbsd-docs' into 'develop'

Update OpenBSD documentation and installation files

See merge request pleroma/pleroma!4258
This commit is contained in:
feld 2025-06-06 00:59:58 +00:00
commit f38123ad2d
8 changed files with 384 additions and 231 deletions

View file

View file

@ -0,0 +1 @@
Updated relayd/httpd config files to be on par with nginx

View file

@ -0,0 +1 @@
replaced depracated flags and functions, renamed service to fit other service files

View file

@ -1,25 +1,29 @@
# Installing on OpenBSD # Installing on OpenBSD
This guide describes the installation and configuration of pleroma (and the required software to run it) on a single OpenBSD 6.6 server. {! backend/installation/otp_vs_from_source_source.include !}
This guide describes the installation and configuration of Pleroma (and the required software to run it) on a single OpenBSD 7.7 server.
For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command. For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command.
{! backend/installation/generic_dependencies.include !} {! backend/installation/generic_dependencies.include !}
## Installation
### Preparing the system ### Preparing the system
#### Required software #### Required software
To install them, run the following command (with doas or as root): To install required packages, run the following command:
``` ```
pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick libvips # pkg_add elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips
``` ```
Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd).
Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt.
#### Optional software #### Optional software
Per [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md):
* ImageMagick * ImageMagick
* ffmpeg * ffmpeg
* exiftool * exiftool
@ -27,234 +31,351 @@ Per [`docs/installation/optional/media_graphics_packages.md`](../installation/op
To install the above: To install the above:
``` ```
pkg_add ImageMagick ffmpeg p5-Image-ExifTool # pkg_add ImageMagick ffmpeg p5-Image-ExifTool
``` ```
#### Creating the pleroma user For more information read [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md):
Pleroma will be run by a dedicated user, \_pleroma. Before creating it, insert the following lines in login.conf:
### PostgreSQL
Switch to the \_postgresql user and initialize PostgreSQL:
```
# su _postgresql
$ initdb -D /var/postgresql/data -U postgres --encoding=utf-8 --lc-collate=C
```
Running PostgreSQL in a different directory than `/var/postgresql/data` requires changing the `daemon_flags` variable in the `/etc/rc.d/postgresql` script.
For security reasons it is recommended to change the authentication method for `local` and `host` connections with the localhost address to `scram-sha-256`.<br>
Do not forget to set a password for the `postgres` user before doing so, otherwise you won't be able to log back in unless you change the authentication method back to `trust`.<br>
Changing the password hashing algorithm is not needed.<br>
For more information [read](https://www.postgresql.org/docs/16/auth-pg-hba-conf.html) the PostgreSQL documentation.
Enable and start the postgresql service:
```
# rcctl enable postgresql
# rcctl start postgresql
```
To check that PostgreSQL started properly and didn't fail right after starting, run `# rcctl check postgresql` which should return `postgresql(ok)`.
### Configuring Pleroma
Pleroma will be run by a dedicated \_pleroma user. Before creating it, insert the following lines in `/etc/login.conf`:
``` ```
pleroma:\ pleroma:\
:datasize-max=1536M:\ :datasize=1536M:\
:datasize-cur=1536M:\ :openfiles-max=4096:\
:openfiles-max=4096 :openfiles-cur=1024:\
:setenv=LC_ALL=en_US.UTF-8,VIX_COMPILATION_MODE=PLATFORM_PROVIDED_LIBVIPS,MIX_ENV=prod:\
:tc=daemon:
``` ```
This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having pleroma crash some time after starting.
Create the \_pleroma user, assign it the pleroma login class and create its home directory (/home/\_pleroma/): `useradd -m -L pleroma _pleroma` This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having Pleroma crash some time after starting.
#### Clone pleroma's directory Create the \_pleroma user, assign it the pleroma login class and create its home directory (/home/\_pleroma/):
Enter a shell as the \_pleroma user. As root, run `su _pleroma -;cd`. Then clone the repository with `git clone -b stable https://git.pleroma.social/pleroma/pleroma.git`. Pleroma is now installed in /home/\_pleroma/pleroma/, it will be configured and started at the end of this guide.
#### PostgreSQL
Start a shell as the \_postgresql user (as root run `su _postgresql -` then run the `initdb` command to initialize postgresql:
You will need to specify pgdata directory to the default (/var/postgresql/data) with the `-D <path>` and set the user to postgres with the `-U <username>` flag. This can be done as follows:
``` ```
initdb -D /var/postgresql/data -U postgres # useradd -m -L pleroma _pleroma
``` ```
If you are not using the default directory, you will have to update the `datadir` variable in the /etc/rc.d/postgresql script.
When this is done, enable postgresql so that it starts on boot and start it. As root, run: Switch to the _pleroma user:
``` ```
rcctl enable postgresql # su -l _pleroma
rcctl start postgresql ```
Clone the Pleroma repository:
```
$ git clone -b stable https://git.pleroma.social/pleroma/pleroma.git
$ cd pleroma
```
Pleroma is now installed in /home/\_pleroma/pleroma/. To configure it run:
```
$ mix deps.get
$ MIX_ENV=prod mix pleroma.instance gen # You will be asked a few questions here.
$ cp config/generated_config.exs config/prod.secret.exs
```
Note: Answer yes when asked to install Hex and rebar3. This step might take some time as Pleroma gets compiled first.
Create the Pleroma database:
```
$ psql -U postgres -f config/setup_db.psql
```
Apply database migrations:
```
$ MIX_ENV=prod mix ecto.migrate
```
Note: You will need to run this step again when updating your instance to a newer version with `git pull` or `git checkout tags/NEW_VERSION`.
As \_pleroma in /home/\_pleroma/pleroma, you can now run `MIX_ENV=prod mix phx.server` to start your instance.
In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output.
Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* are correct.
### Configuring acme-client
acme-client is used to get SSL/TLS certificates from Let's Encrypt.
Insert the following configuration in `/etc/acme-client.conf` and replace `example.tld` with your domain:
```
#
# $OpenBSD: acme-client.conf,v 1.5 2023/05/10 07:34:57 tb Exp $
#
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}
domain example.tld {
# Adds alternative names to the certificate. Useful when serving media on another domain. Comma or space separated list.
# alternative names { }
domain key "/etc/ssl/private/example.tld.key"
domain certificate "/etc/ssl/example.tld_cert-only.crt"
domain full chain certificate "/etc/ssl/example.tld.crt"
sign with letsencrypt
}
```
Check the configuration:
```
# acme-client -n
```
### Configuring the Web server
Pleroma supports two Web servers:
* nginx (recommended for most users)
* OpenBSD's httpd and relayd (ONLY for advanced users, media proxy cache is NOT supported and will NOT work properly)
#### nginx
Since nginx is not installed by default, install it by running:
```
# pkg_add nginx
```
Add the following to `/etc/nginx/nginx.conf`, within the `server {}` block listening on port 80 and change `server_name`, as follows:
```
http {
...
server {
...
server_name localhost; # Replace with your domain
location /.well-known/acme-challenge {
rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;
root /var/www/acme;
}
}
}
```
Start the nginx service and acquire certificates:
```
# rcctl start nginx
# acme-client example.tld
```
Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain:
```
# echo "acme-client example.tld && rcctl reload nginx" >> /etc/weekly.local
```
OpenBSD's default nginx configuration does not contain an include directive, which is typically used for multiple sites.
Therefore, you will need to first create the required directory as follows:
```
# mkdir /etc/nginx/sites-available
# mkdir /etc/nginx/sites-enabled
```
Next add the `include` directive to `/etc/nginx/nginx.conf`, within the `http {}` block, as follows:
```
http {
...
server {
...
}
include /etc/nginx/sites-enabled/*;
}
```
As root, copy `/home/_pleroma/pleroma/installation/pleroma.nginx` to `/etc/nginx/sites-available/pleroma.nginx`.
Edit default `/etc/nginx/sites-available/pleroma.nginx` settings and replace `example.tld` with your domain:
* Uncomment the location block for `~ /\.well-known/acme-challenge` in the server block listening on port 80
- add `rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;` above the `root` location
- change the `root` location to `/var/www/acme;`
* Change `ssl_trusted_certificate` to `/etc/ssl/example.tld_cert-only.crt`
* Change `ssl_certificate` to `/etc/ssl/example.tld.crt`
* Change `ssl_certificate_key` to `/etc/ssl/private/example.tld.key`
Remove the following `location {}` block from `/etc/nginx/nginx.conf`, that was previously added for acquiring certificates and change `server_name` back to `localhost`:
```
http {
...
server {
...
server_name example.tld; # Change back to localhost
# Delete this block
location /.well-known/acme-challenge {
rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;
root /var/www/acme;
}
}
}
```
Symlink the Pleroma configuration to the enabled sites:
```
# ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled
```
Check nginx configuration syntax by running:
```
# nginx -t
```
Note: If the above command complains about a `conflicting server name`, check again that the `location {}` block for acquiring certificates has been removed from `/etc/nginx/nginx.conf` and that the `server_name` has been reverted back to `localhost`.
After doing so run `# nginx -t` again.
If the configuration is correct, you can now enable and reload the nginx service:
```
# rcctl enable nginx
# rcctl reload nginx
``` ```
To check that it started properly and didn't fail right after starting, you can run `ps aux | grep postgres`, there should be multiple lines of output.
#### httpd #### httpd
httpd will have three functions:
***Skip this section when using nginx***
httpd will have two functions:
* redirect requests trying to reach the instance over http to the https URL * redirect requests trying to reach the instance over http to the https URL
* serve a robots.txt file
* get Let's Encrypt certificates, with acme-client * get Let's Encrypt certificates, with acme-client
Insert the following config in httpd.conf: As root, copy `/home/_pleroma/pleroma/installation/openbsd/httpd.conf` to `/etc/httpd.conf`, or modify the existing one.
Edit `/etc/httpd.conf` settings and change:
* `<ipaddr>` with your instance's IPv4 address
* All occurrences of `example.tld` with your instance's domain name
* When using IPv6 also change:
- Uncomment the `ext_inet6="<ip6addr>"` line near the beginning of the file and change `<ip6addr` to your instance's IPv6 address
- Uncomment the line starting with `listen on $ext_inet6` in the `server` block
Check the configuration by running:
``` ```
# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $ # httpd -n
ext_inet="<IPv4 address>"
ext_inet6="<IPv6 address>"
server "default" {
listen on $ext_inet port 80 # Comment to disable listening on IPv4
listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
listen on 127.0.0.1 port 80 # Do NOT comment this line
log syslog
directory no index
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "/robots.txt" { root "/htdocs/local/" }
location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
}
types {
}
```
Do not forget to change *<IPv4/6 address\>* to your server's address(es). If httpd should only listen on one protocol family, comment one of the two first *listen* options.
Create the /var/www/htdocs/local/ folder and write the content of your robots.txt in /var/www/htdocs/local/robots.txt.
Check the configuration with `httpd -n`, if it is OK enable and start httpd (as root):
```
rcctl enable httpd
rcctl start httpd
``` ```
#### acme-client If the configuration is correct, enable and start the `httpd` service:
acme-client is used to get SSL/TLS certificates from Let's Encrypt.
Insert the following configuration in /etc/acme-client.conf:
```
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt-<domain name> { ```
#agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" # rcctl enable httpd
api url "https://acme-v02.api.letsencrypt.org/directory" # rcctl start httpd
account key "/etc/acme/letsencrypt-privkey-<domain name>.pem" ```
}
domain <domain name> { Acquire certificate:
domain key "/etc/ssl/private/<domain name>.key"
domain certificate "/etc/ssl/<domain name>.crt"
domain full chain certificate "/etc/ssl/<domain name>.fullchain.pem"
sign with letsencrypt-<domain name>
challengedir "/var/www/acme/"
}
```
Replace *<domain name\>* by the domain name you'll use for your instance. As root, run `acme-client -n` to check the config, then `acme-client -ADv <domain name>` to create account and domain keys, and request a certificate for the first time.
Make acme-client run everyday by adding it in /etc/daily.local. As root, run the following command: `echo "acme-client <domain name>" >> /etc/daily.local`.
Relayd will look for certificates and keys based on the address it listens on (see next part), the easiest way to make them available to relayd is to create a link, as root run:
``` ```
ln -s /etc/ssl/<domain name>.fullchain.pem /etc/ssl/<IP address>.crt # acme-client example.tld
ln -s /etc/ssl/private/<domain name>.key /etc/ssl/private/<IP address>.key
``` ```
This will have to be done for each IPv4 and IPv6 address relayd listens on.
#### relayd #### relayd
***Skip this section when using nginx***
relayd will be used as the reverse proxy sitting in front of pleroma. relayd will be used as the reverse proxy sitting in front of pleroma.
Insert the following configuration in /etc/relayd.conf:
As root, copy `/home/_pleroma/pleroma/installation/openbsd/relayd.conf` to `/etc/relayd.conf`, or modify the existing one.
Edit `/etc/relayd.conf` settings and change:
* `<ipaddr>` with your instance's IPv4 address
* All occurrences of `example.tld` with your instance's domain name
* When using IPv6 also change:
- Uncomment the `ext_inet6="<ip6addr>"` line near the beginning of the file and change `<ip6addr>` to your instance's IPv6 address
- Uncomment the line starting with `listen on $ext_inet6` in the `relay wwwtls` block
Check the configuration by running:
``` ```
# $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $ # relayd -n
ext_inet="<IPv4 address>"
ext_inet6="<IPv6 address>"
table <pleroma_server> { 127.0.0.1 }
table <httpd_server> { 127.0.0.1 }
http protocol plerup { # Protocol for upstream pleroma server
#tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
tls ecdhe secp384r1
# Forward some paths to the local server (as pleroma won't respond to them as you might want)
pass request quick path "/robots.txt" forward to <httpd_server>
# Append a bunch of headers
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by pleroma but adding them won't hurt
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match response header append "X-XSS-Protection" value "1; mode=block"
match response header append "X-Permitted-Cross-Domain-Policies" value "none"
match response header append "X-Frame-Options" value "DENY"
match response header append "X-Content-Type-Options" value "nosniff"
match response header append "Referrer-Policy" value "same-origin"
match response header append "X-Download-Options" value "noopen"
match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
match request header append "Connection" value "upgrade"
#match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working.
# If you do not want remote frontends to be able to access your Pleroma backend server, comment these lines
match response header append "Access-Control-Allow-Origin" value "*"
match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS"
match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key"
match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id"
# Stop commenting lines here
}
relay wwwtls {
listen on $ext_inet port https tls # Comment to disable listening on IPv4
listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
protocol plerup
forward to <pleroma_server> port 4000 check http "/" code 200
forward to <httpd_server> port 80 check http "/robots.txt" code 200
}
```
Again, change *<IPv4/6 address\>* to your server's address(es) and comment one of the two *listen* options if needed. Also change *wss://CHANGEME.tld* to *wss://<your instance's domain name\>*.
Check the configuration with `relayd -n`, if it is OK enable and start relayd (as root):
```
rcctl enable relayd
rcctl start relayd
``` ```
##### (Strongly recommended) serve media on another domain If the configuration is correct, enable and start the `relayd` service:
```
# rcctl enable relayd
# rcctl start relayd
```
Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain:
```
# echo "acme-client example.tld && rcctl reload relayd" >> /etc/weekly.local
```
#### (Strongly recommended) serve media on another domain
Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors. Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
#### pf ### Starting pleroma at boot
Enabling and configuring pf is highly recommended.
In /etc/pf.conf, insert the following configuration: Copy the startup script and make sure it's executable:
``` ```
# Macros # cp /home/_pleroma/pleroma/installation/openbsd/rc.d/pleroma /etc/rc.d/pleroma
if="<network interface>" # chmod 555 /etc/rc.d/pleroma
authorized_ssh_clients="any"
# Skip traffic on loopback interface
set skip on lo
# Default behavior
set block-policy drop
block in log all
pass out quick
# Security features
match in all scrub (no-df random-id)
block in log from urpf-failed
# Rules
pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP
pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6
pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd
pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh
```
Replace *<network interface\>* by your server's network interface name (which you can get with ifconfig). Consider replacing the content of the authorized\_ssh\_clients macro by, for example, your home IP address, to avoid SSH connection attempts from bots.
Check pf's configuration by running `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` and enable pf at boot with `rcctl enable pf`.
#### Configure and start pleroma
Enter a shell as \_pleroma (as root `su _pleroma -`) and enter pleroma's installation directory (`cd ~/pleroma/`).
Then follow the main installation guide:
* run `mix deps.get`
* run `MIX_ENV=prod mix pleroma.instance gen` and enter your instance's information when asked
* copy config/generated\_config.exs to config/prod.secret.exs. The default values should be sufficient but you should edit it and check that everything seems OK.
* exit your current shell back to a root one and run `psql -U postgres -f /home/_pleroma/pleroma/config/setup_db.psql` to setup the database.
* return to a \_pleroma shell into pleroma's installation directory (`su _pleroma -;cd ~/pleroma`) and run `MIX_ENV=prod mix ecto.migrate`
As \_pleroma in /home/\_pleroma/pleroma, you can now run `LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server` to start your instance.
In another SSH session/tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that *uri*'s value is your instance's domain name.
##### Starting pleroma at boot
An rc script to automatically start pleroma at boot hasn't been written yet, it can be run in a tmux session (tmux is in base).
#### Create administrative user
If your instance is up and running, you can create your first user with administrative rights with the following command as the \_pleroma user.
```
LC_ALL=en_US.UTF-8 MIX_ENV=prod mix pleroma.user new <username> <your@emailaddress> --admin
``` ```
#### Further reading Enable and start the pleroma service:
```
# rcctl enable pleroma
# rcctl start pleroma
```
### Create administrative user
If your instance is up and running, you can create your first user with administrative rights with the following commands as the \_pleroma user:
```
$ cd pleroma
$ MIX_ENV=prod mix pleroma.user new <username> <your@emailaddress> --admin
```
### Further reading
{! backend/installation/further_reading.include !} {! backend/installation/further_reading.include !}

View file

@ -4,7 +4,7 @@ Note: This article is potentially outdated because at this time we may not have
Tarvitset: Tarvitset:
* Oman domainin * Oman domainin
* OpenBSD 6.3 -serverin * OpenBSD 7.5 -serverin
* Auttavan ymmärryksen unix-järjestelmistä * Auttavan ymmärryksen unix-järjestelmistä
Komennot, joiden edessä on '#', tulee ajaa käyttäjänä `root`. Tämä on Komennot, joiden edessä on '#', tulee ajaa käyttäjänä `root`. Tämä on
@ -18,7 +18,7 @@ Matrix-kanava #pleroma:libera.chat ovat hyviä paikkoja löytää apua
Asenna tarvittava ohjelmisto: Asenna tarvittava ohjelmisto:
`# pkg_add git elixir gmake postgresql-server-10.3 postgresql-contrib-10.3 cmake ffmpeg ImageMagick libvips` `# pkg_add git elixir gmake postgresql-server postgresql-contrib cmake libmagic libvips`
#### Optional software #### Optional software

View file

@ -2,20 +2,21 @@
# Default httpd.conf file for Pleroma on OpenBSD # Default httpd.conf file for Pleroma on OpenBSD
# Simple installation instructions # Simple installation instructions
# 1. Place file in /etc # 1. Place file in /etc
# 2. Replace <IPv4 address> with your public IP address # 2. Replace <ipaddr> with your public IP address
# 3. If using IPv6, uncomment IPv6 lines and replace <IPv6 address> with your public IPv6 address # 3. If using IPv6, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
# 4. Check file using 'doas httpd -n' # 4. Replace all occurences of example.tld with your instance's domain name.
# 5. Enable and start httpd: # 5. Check file using 'doas httpd -n'
# 6. Enable and start httpd:
# # doas rcctl enable httpd # # doas rcctl enable httpd
# # doas rcctl start httpd # # doas rcctl start httpd
# #
ext_inet="<IPv4 address>" ext_inet="<ipaddr>"
#ext_inet6="<IPv6 address>" #ext_inet6="<ip6addr>"
server "default" { server "example.tld" {
listen on $ext_inet port 80 # Comment to disable listening on IPv4 listen on $ext_inet port 80 # Comment to disable listening on IPv4
# listen on $ext_inet6 port 80 # Comment to disable listening on IPv6 #listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
listen on 127.0.0.1 port 80 # Do NOT comment this line listen on 127.0.0.1 port 80 # Do NOT comment this line
log syslog log syslog
@ -26,10 +27,18 @@ server "default" {
request strip 2 request strip 2
} }
location "/robots.txt" { root "/htdocs/local/" } location "/*" { block return 301 "https://$HTTP_HOST$REQUEST_URI" }
location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
} }
# Example of serving a basic static website besides Pleroma using the example configuration in relayd
#server "site.example.tld" {
# listen on 127.0.0.1 port 8080
#
# location "/*" {
# root "/website"
# }
#}
types { types {
include "/usr/share/misc/mime.types" include "/usr/share/misc/mime.types"
} }

View file

@ -4,15 +4,16 @@
# #
# Simple installation instructions: # Simple installation instructions:
# 1. Install Pleroma per wiki instructions # 1. Install Pleroma per wiki instructions
# 2. Place this pleromad file in /etc/rc.d # 2. Place this pleroma file in /etc/rc.d
# 3. Enable and start Pleroma # 3. Enable and start Pleroma
# # doas rcctl enable pleromad # # doas rcctl enable pleroma
# # doas rcctl start pleromad # # doas rcctl start pleroma
# #
daemon="/usr/local/bin/elixir" daemon="/usr/local/bin/elixir"
daemon_flags="--detached -S /usr/local/bin/mix phx.server" daemon_flags="--erl \"-detached\" -S /usr/local/bin/mix phx.server"
daemon_user="_pleroma" daemon_user="_pleroma"
daemon_execdir="/home/_pleroma/pleroma"
. /etc/rc.d/rc.subr . /etc/rc.d/rc.subr
@ -23,10 +24,6 @@ rc_check() {
pgrep -q -U _pleroma -f "phx.server" pgrep -q -U _pleroma -f "phx.server"
} }
rc_start() {
${rcexec} "cd pleroma; ${daemon} ${daemon_flags}"
}
rc_stop() { rc_stop() {
pkill -q -U _pleroma -f "phx.server" pkill -q -U _pleroma -f "phx.server"
} }

View file

@ -3,9 +3,10 @@
# Simple installation instructions: # Simple installation instructions:
# 1. Place in /etc # 1. Place in /etc
# 2. Replace <ipaddr> with your public IPv4 address # 2. Replace <ipaddr> with your public IPv4 address
# 3. If using IPv6i, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address # 3. If using IPv6, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
# 4. Check file using 'doas relayd -n' # 4. Replace all occurrences of example.tld with your instance's domain
# 5. Reload/start relayd # 5. Check file using 'doas relayd -n'
# 6. Reload/start relayd
# # doas rcctl enable relayd # # doas rcctl enable relayd
# # doas rcctl start relayd # # doas rcctl start relayd
# #
@ -14,31 +15,54 @@ ext_inet="<ipaddr>"
#ext_inet6="<ip6addr>" #ext_inet6="<ip6addr>"
table <pleroma_server> { 127.0.0.1 } table <pleroma_server> { 127.0.0.1 }
table <httpd_server> { 127.0.0.1 }
http protocol plerup { # Protocol for upstream pleroma server # Uncomment when you want to serve other services than Pleroma.
# In this example tables are used only as way to differentiate between Pleroma and other services.
# Feel free to rename "httpd_server" everywhere to fit your setup.
#table <httpd_server> { 127.0.0.1 }
http protocol pleroma { # Protocol for upstream Pleroma server
#tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305" tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
tls ecdhe secp384r1 tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1
# Forward some paths to the local server (as pleroma won't respond to them as you might want) return error
pass request quick path "/robots.txt" forward to <httpd_server>
# Append a bunch of headers # When serving multiple services with different certificates, specify multiple "tls keypair" keywords
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt # and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations.
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" # The string in quotes must match the fullchain certificate file created by acme-client without the extension.
# For example:
# tls keypair "pleroma.example.tld"
# tls keypair "example.tld"
tls keypair "example.tld"
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "Connection" value "upgrade" match request header append "Connection" value "upgrade"
# When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain).
# From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead.
pass request quick header "Host" value "example.tld" forward to <pleroma_server>
# Uncomment when serving media uploads on a different (sub)domain.
# Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead.
#pass request quick header "Host" value "media.example.tld" forward to <pleroma_server>
# When serving multiple services, add the forwards here.
# Example:
#pass request quick header "Host" value "example.tld" forward to <httpd_server>
block
} }
relay wwwtls { relay wwwtls {
listen on $ext_inet port https tls # Comment to disable listening on IPv4 listen on $ext_inet port https tls # Comment to disable listening on IPv4
# listen on $ext_inet6 port https tls # Comment to disable listening on IPv6 #listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
protocol plerup protocol pleroma
forward to <pleroma_server> port 4000 check http "/" code 200 forward to <pleroma_server> port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems.
forward to <httpd_server> port 80 check http "/robots.txt" code 200
# When serving multiple services, add the forwards here.
# Example:
#forward to <httpd_server> port 8080
} }