Merge branch 'openbsd-docs' into 'develop'
Update OpenBSD documentation and installation files See merge request pleroma/pleroma!4258
This commit is contained in:
commit
f38123ad2d
8 changed files with 384 additions and 231 deletions
0
changelog.d/openbsd-docs-update.skip
Normal file
0
changelog.d/openbsd-docs-update.skip
Normal file
1
changelog.d/openbsd-update-httpd-relayd.change
Normal file
1
changelog.d/openbsd-update-httpd-relayd.change
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Updated relayd/httpd config files to be on par with nginx
|
||||||
1
changelog.d/openbsd-update-rc.fix
Normal file
1
changelog.d/openbsd-update-rc.fix
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
replaced depracated flags and functions, renamed service to fit other service files
|
||||||
|
|
@ -1,25 +1,29 @@
|
||||||
# Installing on OpenBSD
|
# Installing on OpenBSD
|
||||||
|
|
||||||
This guide describes the installation and configuration of pleroma (and the required software to run it) on a single OpenBSD 6.6 server.
|
{! backend/installation/otp_vs_from_source_source.include !}
|
||||||
|
|
||||||
|
This guide describes the installation and configuration of Pleroma (and the required software to run it) on a single OpenBSD 7.7 server.
|
||||||
|
|
||||||
For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command.
|
For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command.
|
||||||
|
|
||||||
{! backend/installation/generic_dependencies.include !}
|
{! backend/installation/generic_dependencies.include !}
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
|
||||||
### Preparing the system
|
### Preparing the system
|
||||||
#### Required software
|
#### Required software
|
||||||
|
|
||||||
To install them, run the following command (with doas or as root):
|
To install required packages, run the following command:
|
||||||
|
|
||||||
```
|
```
|
||||||
pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick libvips
|
# pkg_add elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips
|
||||||
```
|
```
|
||||||
|
|
||||||
Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt.
|
Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd).
|
||||||
|
Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt.
|
||||||
|
|
||||||
#### Optional software
|
#### Optional software
|
||||||
|
|
||||||
Per [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md):
|
|
||||||
* ImageMagick
|
* ImageMagick
|
||||||
* ffmpeg
|
* ffmpeg
|
||||||
* exiftool
|
* exiftool
|
||||||
|
|
@ -27,234 +31,351 @@ Per [`docs/installation/optional/media_graphics_packages.md`](../installation/op
|
||||||
To install the above:
|
To install the above:
|
||||||
|
|
||||||
```
|
```
|
||||||
pkg_add ImageMagick ffmpeg p5-Image-ExifTool
|
# pkg_add ImageMagick ffmpeg p5-Image-ExifTool
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Creating the pleroma user
|
For more information read [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md):
|
||||||
Pleroma will be run by a dedicated user, \_pleroma. Before creating it, insert the following lines in login.conf:
|
|
||||||
|
### PostgreSQL
|
||||||
|
|
||||||
|
Switch to the \_postgresql user and initialize PostgreSQL:
|
||||||
|
|
||||||
|
```
|
||||||
|
# su _postgresql
|
||||||
|
$ initdb -D /var/postgresql/data -U postgres --encoding=utf-8 --lc-collate=C
|
||||||
|
```
|
||||||
|
|
||||||
|
Running PostgreSQL in a different directory than `/var/postgresql/data` requires changing the `daemon_flags` variable in the `/etc/rc.d/postgresql` script.
|
||||||
|
|
||||||
|
For security reasons it is recommended to change the authentication method for `local` and `host` connections with the localhost address to `scram-sha-256`.<br>
|
||||||
|
Do not forget to set a password for the `postgres` user before doing so, otherwise you won't be able to log back in unless you change the authentication method back to `trust`.<br>
|
||||||
|
Changing the password hashing algorithm is not needed.<br>
|
||||||
|
For more information [read](https://www.postgresql.org/docs/16/auth-pg-hba-conf.html) the PostgreSQL documentation.
|
||||||
|
|
||||||
|
Enable and start the postgresql service:
|
||||||
|
|
||||||
|
```
|
||||||
|
# rcctl enable postgresql
|
||||||
|
# rcctl start postgresql
|
||||||
|
```
|
||||||
|
|
||||||
|
To check that PostgreSQL started properly and didn't fail right after starting, run `# rcctl check postgresql` which should return `postgresql(ok)`.
|
||||||
|
|
||||||
|
### Configuring Pleroma
|
||||||
|
|
||||||
|
Pleroma will be run by a dedicated \_pleroma user. Before creating it, insert the following lines in `/etc/login.conf`:
|
||||||
|
|
||||||
```
|
```
|
||||||
pleroma:\
|
pleroma:\
|
||||||
:datasize-max=1536M:\
|
:datasize=1536M:\
|
||||||
:datasize-cur=1536M:\
|
:openfiles-max=4096:\
|
||||||
:openfiles-max=4096
|
:openfiles-cur=1024:\
|
||||||
|
:setenv=LC_ALL=en_US.UTF-8,VIX_COMPILATION_MODE=PLATFORM_PROVIDED_LIBVIPS,MIX_ENV=prod:\
|
||||||
|
:tc=daemon:
|
||||||
```
|
```
|
||||||
This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having pleroma crash some time after starting.
|
|
||||||
|
|
||||||
Create the \_pleroma user, assign it the pleroma login class and create its home directory (/home/\_pleroma/): `useradd -m -L pleroma _pleroma`
|
This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having Pleroma crash some time after starting.
|
||||||
|
|
||||||
#### Clone pleroma's directory
|
Create the \_pleroma user, assign it the pleroma login class and create its home directory (/home/\_pleroma/):
|
||||||
Enter a shell as the \_pleroma user. As root, run `su _pleroma -;cd`. Then clone the repository with `git clone -b stable https://git.pleroma.social/pleroma/pleroma.git`. Pleroma is now installed in /home/\_pleroma/pleroma/, it will be configured and started at the end of this guide.
|
|
||||||
|
|
||||||
#### PostgreSQL
|
|
||||||
Start a shell as the \_postgresql user (as root run `su _postgresql -` then run the `initdb` command to initialize postgresql:
|
|
||||||
You will need to specify pgdata directory to the default (/var/postgresql/data) with the `-D <path>` and set the user to postgres with the `-U <username>` flag. This can be done as follows:
|
|
||||||
|
|
||||||
```
|
```
|
||||||
initdb -D /var/postgresql/data -U postgres
|
# useradd -m -L pleroma _pleroma
|
||||||
```
|
```
|
||||||
If you are not using the default directory, you will have to update the `datadir` variable in the /etc/rc.d/postgresql script.
|
|
||||||
|
|
||||||
When this is done, enable postgresql so that it starts on boot and start it. As root, run:
|
Switch to the _pleroma user:
|
||||||
|
|
||||||
```
|
```
|
||||||
rcctl enable postgresql
|
# su -l _pleroma
|
||||||
rcctl start postgresql
|
```
|
||||||
|
|
||||||
|
Clone the Pleroma repository:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ git clone -b stable https://git.pleroma.social/pleroma/pleroma.git
|
||||||
|
$ cd pleroma
|
||||||
|
```
|
||||||
|
|
||||||
|
Pleroma is now installed in /home/\_pleroma/pleroma/. To configure it run:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ mix deps.get
|
||||||
|
$ MIX_ENV=prod mix pleroma.instance gen # You will be asked a few questions here.
|
||||||
|
$ cp config/generated_config.exs config/prod.secret.exs
|
||||||
|
```
|
||||||
|
|
||||||
|
Note: Answer yes when asked to install Hex and rebar3. This step might take some time as Pleroma gets compiled first.
|
||||||
|
|
||||||
|
Create the Pleroma database:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ psql -U postgres -f config/setup_db.psql
|
||||||
|
```
|
||||||
|
|
||||||
|
Apply database migrations:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ MIX_ENV=prod mix ecto.migrate
|
||||||
|
```
|
||||||
|
|
||||||
|
Note: You will need to run this step again when updating your instance to a newer version with `git pull` or `git checkout tags/NEW_VERSION`.
|
||||||
|
|
||||||
|
As \_pleroma in /home/\_pleroma/pleroma, you can now run `MIX_ENV=prod mix phx.server` to start your instance.
|
||||||
|
In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output.
|
||||||
|
Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* are correct.
|
||||||
|
|
||||||
|
### Configuring acme-client
|
||||||
|
|
||||||
|
acme-client is used to get SSL/TLS certificates from Let's Encrypt.
|
||||||
|
Insert the following configuration in `/etc/acme-client.conf` and replace `example.tld` with your domain:
|
||||||
|
|
||||||
|
```
|
||||||
|
#
|
||||||
|
# $OpenBSD: acme-client.conf,v 1.5 2023/05/10 07:34:57 tb Exp $
|
||||||
|
#
|
||||||
|
|
||||||
|
authority letsencrypt {
|
||||||
|
api url "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
account key "/etc/acme/letsencrypt-privkey.pem"
|
||||||
|
}
|
||||||
|
|
||||||
|
domain example.tld {
|
||||||
|
# Adds alternative names to the certificate. Useful when serving media on another domain. Comma or space separated list.
|
||||||
|
# alternative names { }
|
||||||
|
|
||||||
|
domain key "/etc/ssl/private/example.tld.key"
|
||||||
|
domain certificate "/etc/ssl/example.tld_cert-only.crt"
|
||||||
|
domain full chain certificate "/etc/ssl/example.tld.crt"
|
||||||
|
sign with letsencrypt
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Check the configuration:
|
||||||
|
|
||||||
|
```
|
||||||
|
# acme-client -n
|
||||||
|
```
|
||||||
|
|
||||||
|
### Configuring the Web server
|
||||||
|
|
||||||
|
Pleroma supports two Web servers:
|
||||||
|
|
||||||
|
* nginx (recommended for most users)
|
||||||
|
* OpenBSD's httpd and relayd (ONLY for advanced users, media proxy cache is NOT supported and will NOT work properly)
|
||||||
|
|
||||||
|
#### nginx
|
||||||
|
|
||||||
|
Since nginx is not installed by default, install it by running:
|
||||||
|
|
||||||
|
```
|
||||||
|
# pkg_add nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
Add the following to `/etc/nginx/nginx.conf`, within the `server {}` block listening on port 80 and change `server_name`, as follows:
|
||||||
|
|
||||||
|
```
|
||||||
|
http {
|
||||||
|
...
|
||||||
|
|
||||||
|
server {
|
||||||
|
...
|
||||||
|
server_name localhost; # Replace with your domain
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;
|
||||||
|
root /var/www/acme;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Start the nginx service and acquire certificates:
|
||||||
|
|
||||||
|
```
|
||||||
|
# rcctl start nginx
|
||||||
|
# acme-client example.tld
|
||||||
|
```
|
||||||
|
|
||||||
|
Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain:
|
||||||
|
|
||||||
|
```
|
||||||
|
# echo "acme-client example.tld && rcctl reload nginx" >> /etc/weekly.local
|
||||||
|
```
|
||||||
|
|
||||||
|
OpenBSD's default nginx configuration does not contain an include directive, which is typically used for multiple sites.
|
||||||
|
Therefore, you will need to first create the required directory as follows:
|
||||||
|
|
||||||
|
```
|
||||||
|
# mkdir /etc/nginx/sites-available
|
||||||
|
# mkdir /etc/nginx/sites-enabled
|
||||||
|
```
|
||||||
|
|
||||||
|
Next add the `include` directive to `/etc/nginx/nginx.conf`, within the `http {}` block, as follows:
|
||||||
|
|
||||||
|
```
|
||||||
|
http {
|
||||||
|
...
|
||||||
|
|
||||||
|
server {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
As root, copy `/home/_pleroma/pleroma/installation/pleroma.nginx` to `/etc/nginx/sites-available/pleroma.nginx`.
|
||||||
|
|
||||||
|
Edit default `/etc/nginx/sites-available/pleroma.nginx` settings and replace `example.tld` with your domain:
|
||||||
|
|
||||||
|
* Uncomment the location block for `~ /\.well-known/acme-challenge` in the server block listening on port 80
|
||||||
|
- add `rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;` above the `root` location
|
||||||
|
- change the `root` location to `/var/www/acme;`
|
||||||
|
* Change `ssl_trusted_certificate` to `/etc/ssl/example.tld_cert-only.crt`
|
||||||
|
* Change `ssl_certificate` to `/etc/ssl/example.tld.crt`
|
||||||
|
* Change `ssl_certificate_key` to `/etc/ssl/private/example.tld.key`
|
||||||
|
|
||||||
|
Remove the following `location {}` block from `/etc/nginx/nginx.conf`, that was previously added for acquiring certificates and change `server_name` back to `localhost`:
|
||||||
|
|
||||||
|
```
|
||||||
|
http {
|
||||||
|
...
|
||||||
|
|
||||||
|
server {
|
||||||
|
...
|
||||||
|
server_name example.tld; # Change back to localhost
|
||||||
|
|
||||||
|
# Delete this block
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;
|
||||||
|
root /var/www/acme;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Symlink the Pleroma configuration to the enabled sites:
|
||||||
|
|
||||||
|
```
|
||||||
|
# ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled
|
||||||
|
```
|
||||||
|
|
||||||
|
Check nginx configuration syntax by running:
|
||||||
|
|
||||||
|
```
|
||||||
|
# nginx -t
|
||||||
|
```
|
||||||
|
|
||||||
|
Note: If the above command complains about a `conflicting server name`, check again that the `location {}` block for acquiring certificates has been removed from `/etc/nginx/nginx.conf` and that the `server_name` has been reverted back to `localhost`.
|
||||||
|
After doing so run `# nginx -t` again.
|
||||||
|
|
||||||
|
If the configuration is correct, you can now enable and reload the nginx service:
|
||||||
|
|
||||||
|
```
|
||||||
|
# rcctl enable nginx
|
||||||
|
# rcctl reload nginx
|
||||||
```
|
```
|
||||||
To check that it started properly and didn't fail right after starting, you can run `ps aux | grep postgres`, there should be multiple lines of output.
|
|
||||||
|
|
||||||
#### httpd
|
#### httpd
|
||||||
httpd will have three functions:
|
|
||||||
|
***Skip this section when using nginx***
|
||||||
|
|
||||||
|
httpd will have two functions:
|
||||||
|
|
||||||
* redirect requests trying to reach the instance over http to the https URL
|
* redirect requests trying to reach the instance over http to the https URL
|
||||||
* serve a robots.txt file
|
|
||||||
* get Let's Encrypt certificates, with acme-client
|
* get Let's Encrypt certificates, with acme-client
|
||||||
|
|
||||||
Insert the following config in httpd.conf:
|
As root, copy `/home/_pleroma/pleroma/installation/openbsd/httpd.conf` to `/etc/httpd.conf`, or modify the existing one.
|
||||||
|
|
||||||
|
Edit `/etc/httpd.conf` settings and change:
|
||||||
|
|
||||||
|
* `<ipaddr>` with your instance's IPv4 address
|
||||||
|
* All occurrences of `example.tld` with your instance's domain name
|
||||||
|
* When using IPv6 also change:
|
||||||
|
- Uncomment the `ext_inet6="<ip6addr>"` line near the beginning of the file and change `<ip6addr` to your instance's IPv6 address
|
||||||
|
- Uncomment the line starting with `listen on $ext_inet6` in the `server` block
|
||||||
|
|
||||||
|
Check the configuration by running:
|
||||||
```
|
```
|
||||||
# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
|
# httpd -n
|
||||||
|
|
||||||
ext_inet="<IPv4 address>"
|
|
||||||
ext_inet6="<IPv6 address>"
|
|
||||||
|
|
||||||
server "default" {
|
|
||||||
listen on $ext_inet port 80 # Comment to disable listening on IPv4
|
|
||||||
listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
|
|
||||||
listen on 127.0.0.1 port 80 # Do NOT comment this line
|
|
||||||
|
|
||||||
log syslog
|
|
||||||
directory no index
|
|
||||||
|
|
||||||
location "/.well-known/acme-challenge/*" {
|
|
||||||
root "/acme"
|
|
||||||
request strip 2
|
|
||||||
}
|
|
||||||
|
|
||||||
location "/robots.txt" { root "/htdocs/local/" }
|
|
||||||
location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
|
|
||||||
}
|
|
||||||
|
|
||||||
types {
|
|
||||||
}
|
|
||||||
```
|
|
||||||
Do not forget to change *<IPv4/6 address\>* to your server's address(es). If httpd should only listen on one protocol family, comment one of the two first *listen* options.
|
|
||||||
|
|
||||||
Create the /var/www/htdocs/local/ folder and write the content of your robots.txt in /var/www/htdocs/local/robots.txt.
|
|
||||||
Check the configuration with `httpd -n`, if it is OK enable and start httpd (as root):
|
|
||||||
```
|
|
||||||
rcctl enable httpd
|
|
||||||
rcctl start httpd
|
|
||||||
```
|
```
|
||||||
|
|
||||||
#### acme-client
|
If the configuration is correct, enable and start the `httpd` service:
|
||||||
acme-client is used to get SSL/TLS certificates from Let's Encrypt.
|
|
||||||
Insert the following configuration in /etc/acme-client.conf:
|
|
||||||
```
|
|
||||||
#
|
|
||||||
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
|
|
||||||
#
|
|
||||||
|
|
||||||
authority letsencrypt-<domain name> {
|
```
|
||||||
#agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
|
# rcctl enable httpd
|
||||||
api url "https://acme-v02.api.letsencrypt.org/directory"
|
# rcctl start httpd
|
||||||
account key "/etc/acme/letsencrypt-privkey-<domain name>.pem"
|
```
|
||||||
}
|
|
||||||
|
|
||||||
domain <domain name> {
|
Acquire certificate:
|
||||||
domain key "/etc/ssl/private/<domain name>.key"
|
|
||||||
domain certificate "/etc/ssl/<domain name>.crt"
|
|
||||||
domain full chain certificate "/etc/ssl/<domain name>.fullchain.pem"
|
|
||||||
sign with letsencrypt-<domain name>
|
|
||||||
challengedir "/var/www/acme/"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
Replace *<domain name\>* by the domain name you'll use for your instance. As root, run `acme-client -n` to check the config, then `acme-client -ADv <domain name>` to create account and domain keys, and request a certificate for the first time.
|
|
||||||
Make acme-client run everyday by adding it in /etc/daily.local. As root, run the following command: `echo "acme-client <domain name>" >> /etc/daily.local`.
|
|
||||||
|
|
||||||
Relayd will look for certificates and keys based on the address it listens on (see next part), the easiest way to make them available to relayd is to create a link, as root run:
|
|
||||||
```
|
```
|
||||||
ln -s /etc/ssl/<domain name>.fullchain.pem /etc/ssl/<IP address>.crt
|
# acme-client example.tld
|
||||||
ln -s /etc/ssl/private/<domain name>.key /etc/ssl/private/<IP address>.key
|
|
||||||
```
|
```
|
||||||
This will have to be done for each IPv4 and IPv6 address relayd listens on.
|
|
||||||
|
|
||||||
#### relayd
|
#### relayd
|
||||||
|
|
||||||
|
***Skip this section when using nginx***
|
||||||
|
|
||||||
relayd will be used as the reverse proxy sitting in front of pleroma.
|
relayd will be used as the reverse proxy sitting in front of pleroma.
|
||||||
Insert the following configuration in /etc/relayd.conf:
|
|
||||||
|
As root, copy `/home/_pleroma/pleroma/installation/openbsd/relayd.conf` to `/etc/relayd.conf`, or modify the existing one.
|
||||||
|
|
||||||
|
Edit `/etc/relayd.conf` settings and change:
|
||||||
|
|
||||||
|
* `<ipaddr>` with your instance's IPv4 address
|
||||||
|
* All occurrences of `example.tld` with your instance's domain name
|
||||||
|
* When using IPv6 also change:
|
||||||
|
- Uncomment the `ext_inet6="<ip6addr>"` line near the beginning of the file and change `<ip6addr>` to your instance's IPv6 address
|
||||||
|
- Uncomment the line starting with `listen on $ext_inet6` in the `relay wwwtls` block
|
||||||
|
|
||||||
|
Check the configuration by running:
|
||||||
```
|
```
|
||||||
# $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $
|
# relayd -n
|
||||||
|
|
||||||
ext_inet="<IPv4 address>"
|
|
||||||
ext_inet6="<IPv6 address>"
|
|
||||||
|
|
||||||
table <pleroma_server> { 127.0.0.1 }
|
|
||||||
table <httpd_server> { 127.0.0.1 }
|
|
||||||
|
|
||||||
http protocol plerup { # Protocol for upstream pleroma server
|
|
||||||
#tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
|
|
||||||
tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
|
|
||||||
tls ecdhe secp384r1
|
|
||||||
|
|
||||||
# Forward some paths to the local server (as pleroma won't respond to them as you might want)
|
|
||||||
pass request quick path "/robots.txt" forward to <httpd_server>
|
|
||||||
|
|
||||||
# Append a bunch of headers
|
|
||||||
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by pleroma but adding them won't hurt
|
|
||||||
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
|
|
||||||
|
|
||||||
match response header append "X-XSS-Protection" value "1; mode=block"
|
|
||||||
match response header append "X-Permitted-Cross-Domain-Policies" value "none"
|
|
||||||
match response header append "X-Frame-Options" value "DENY"
|
|
||||||
match response header append "X-Content-Type-Options" value "nosniff"
|
|
||||||
match response header append "Referrer-Policy" value "same-origin"
|
|
||||||
match response header append "X-Download-Options" value "noopen"
|
|
||||||
match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
|
|
||||||
match request header append "Connection" value "upgrade"
|
|
||||||
#match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working.
|
|
||||||
|
|
||||||
# If you do not want remote frontends to be able to access your Pleroma backend server, comment these lines
|
|
||||||
match response header append "Access-Control-Allow-Origin" value "*"
|
|
||||||
match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS"
|
|
||||||
match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key"
|
|
||||||
match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id"
|
|
||||||
# Stop commenting lines here
|
|
||||||
}
|
|
||||||
|
|
||||||
relay wwwtls {
|
|
||||||
listen on $ext_inet port https tls # Comment to disable listening on IPv4
|
|
||||||
listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
|
|
||||||
|
|
||||||
protocol plerup
|
|
||||||
|
|
||||||
forward to <pleroma_server> port 4000 check http "/" code 200
|
|
||||||
forward to <httpd_server> port 80 check http "/robots.txt" code 200
|
|
||||||
}
|
|
||||||
```
|
|
||||||
Again, change *<IPv4/6 address\>* to your server's address(es) and comment one of the two *listen* options if needed. Also change *wss://CHANGEME.tld* to *wss://<your instance's domain name\>*.
|
|
||||||
Check the configuration with `relayd -n`, if it is OK enable and start relayd (as root):
|
|
||||||
```
|
|
||||||
rcctl enable relayd
|
|
||||||
rcctl start relayd
|
|
||||||
```
|
```
|
||||||
|
|
||||||
##### (Strongly recommended) serve media on another domain
|
If the configuration is correct, enable and start the `relayd` service:
|
||||||
|
|
||||||
|
```
|
||||||
|
# rcctl enable relayd
|
||||||
|
# rcctl start relayd
|
||||||
|
```
|
||||||
|
|
||||||
|
Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain:
|
||||||
|
|
||||||
|
```
|
||||||
|
# echo "acme-client example.tld && rcctl reload relayd" >> /etc/weekly.local
|
||||||
|
```
|
||||||
|
|
||||||
|
#### (Strongly recommended) serve media on another domain
|
||||||
|
|
||||||
Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
|
Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
|
||||||
|
|
||||||
#### pf
|
### Starting pleroma at boot
|
||||||
Enabling and configuring pf is highly recommended.
|
|
||||||
In /etc/pf.conf, insert the following configuration:
|
Copy the startup script and make sure it's executable:
|
||||||
|
|
||||||
```
|
```
|
||||||
# Macros
|
# cp /home/_pleroma/pleroma/installation/openbsd/rc.d/pleroma /etc/rc.d/pleroma
|
||||||
if="<network interface>"
|
# chmod 555 /etc/rc.d/pleroma
|
||||||
authorized_ssh_clients="any"
|
|
||||||
|
|
||||||
# Skip traffic on loopback interface
|
|
||||||
set skip on lo
|
|
||||||
|
|
||||||
# Default behavior
|
|
||||||
set block-policy drop
|
|
||||||
block in log all
|
|
||||||
pass out quick
|
|
||||||
|
|
||||||
# Security features
|
|
||||||
match in all scrub (no-df random-id)
|
|
||||||
block in log from urpf-failed
|
|
||||||
|
|
||||||
# Rules
|
|
||||||
pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP
|
|
||||||
pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6
|
|
||||||
pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd
|
|
||||||
pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh
|
|
||||||
```
|
|
||||||
Replace *<network interface\>* by your server's network interface name (which you can get with ifconfig). Consider replacing the content of the authorized\_ssh\_clients macro by, for example, your home IP address, to avoid SSH connection attempts from bots.
|
|
||||||
|
|
||||||
Check pf's configuration by running `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` and enable pf at boot with `rcctl enable pf`.
|
|
||||||
|
|
||||||
#### Configure and start pleroma
|
|
||||||
Enter a shell as \_pleroma (as root `su _pleroma -`) and enter pleroma's installation directory (`cd ~/pleroma/`).
|
|
||||||
|
|
||||||
Then follow the main installation guide:
|
|
||||||
|
|
||||||
* run `mix deps.get`
|
|
||||||
* run `MIX_ENV=prod mix pleroma.instance gen` and enter your instance's information when asked
|
|
||||||
* copy config/generated\_config.exs to config/prod.secret.exs. The default values should be sufficient but you should edit it and check that everything seems OK.
|
|
||||||
* exit your current shell back to a root one and run `psql -U postgres -f /home/_pleroma/pleroma/config/setup_db.psql` to setup the database.
|
|
||||||
* return to a \_pleroma shell into pleroma's installation directory (`su _pleroma -;cd ~/pleroma`) and run `MIX_ENV=prod mix ecto.migrate`
|
|
||||||
|
|
||||||
As \_pleroma in /home/\_pleroma/pleroma, you can now run `LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server` to start your instance.
|
|
||||||
In another SSH session/tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that *uri*'s value is your instance's domain name.
|
|
||||||
|
|
||||||
##### Starting pleroma at boot
|
|
||||||
An rc script to automatically start pleroma at boot hasn't been written yet, it can be run in a tmux session (tmux is in base).
|
|
||||||
|
|
||||||
|
|
||||||
#### Create administrative user
|
|
||||||
|
|
||||||
If your instance is up and running, you can create your first user with administrative rights with the following command as the \_pleroma user.
|
|
||||||
```
|
|
||||||
LC_ALL=en_US.UTF-8 MIX_ENV=prod mix pleroma.user new <username> <your@emailaddress> --admin
|
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Further reading
|
Enable and start the pleroma service:
|
||||||
|
|
||||||
|
```
|
||||||
|
# rcctl enable pleroma
|
||||||
|
# rcctl start pleroma
|
||||||
|
```
|
||||||
|
|
||||||
|
### Create administrative user
|
||||||
|
|
||||||
|
If your instance is up and running, you can create your first user with administrative rights with the following commands as the \_pleroma user:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ cd pleroma
|
||||||
|
$ MIX_ENV=prod mix pleroma.user new <username> <your@emailaddress> --admin
|
||||||
|
```
|
||||||
|
|
||||||
|
### Further reading
|
||||||
|
|
||||||
{! backend/installation/further_reading.include !}
|
{! backend/installation/further_reading.include !}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@ Note: This article is potentially outdated because at this time we may not have
|
||||||
|
|
||||||
Tarvitset:
|
Tarvitset:
|
||||||
* Oman domainin
|
* Oman domainin
|
||||||
* OpenBSD 6.3 -serverin
|
* OpenBSD 7.5 -serverin
|
||||||
* Auttavan ymmärryksen unix-järjestelmistä
|
* Auttavan ymmärryksen unix-järjestelmistä
|
||||||
|
|
||||||
Komennot, joiden edessä on '#', tulee ajaa käyttäjänä `root`. Tämä on
|
Komennot, joiden edessä on '#', tulee ajaa käyttäjänä `root`. Tämä on
|
||||||
|
|
@ -18,7 +18,7 @@ Matrix-kanava #pleroma:libera.chat ovat hyviä paikkoja löytää apua
|
||||||
|
|
||||||
Asenna tarvittava ohjelmisto:
|
Asenna tarvittava ohjelmisto:
|
||||||
|
|
||||||
`# pkg_add git elixir gmake postgresql-server-10.3 postgresql-contrib-10.3 cmake ffmpeg ImageMagick libvips`
|
`# pkg_add git elixir gmake postgresql-server postgresql-contrib cmake libmagic libvips`
|
||||||
|
|
||||||
#### Optional software
|
#### Optional software
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -2,20 +2,21 @@
|
||||||
# Default httpd.conf file for Pleroma on OpenBSD
|
# Default httpd.conf file for Pleroma on OpenBSD
|
||||||
# Simple installation instructions
|
# Simple installation instructions
|
||||||
# 1. Place file in /etc
|
# 1. Place file in /etc
|
||||||
# 2. Replace <IPv4 address> with your public IP address
|
# 2. Replace <ipaddr> with your public IP address
|
||||||
# 3. If using IPv6, uncomment IPv6 lines and replace <IPv6 address> with your public IPv6 address
|
# 3. If using IPv6, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
|
||||||
# 4. Check file using 'doas httpd -n'
|
# 4. Replace all occurences of example.tld with your instance's domain name.
|
||||||
# 5. Enable and start httpd:
|
# 5. Check file using 'doas httpd -n'
|
||||||
|
# 6. Enable and start httpd:
|
||||||
# # doas rcctl enable httpd
|
# # doas rcctl enable httpd
|
||||||
# # doas rcctl start httpd
|
# # doas rcctl start httpd
|
||||||
#
|
#
|
||||||
|
|
||||||
ext_inet="<IPv4 address>"
|
ext_inet="<ipaddr>"
|
||||||
#ext_inet6="<IPv6 address>"
|
#ext_inet6="<ip6addr>"
|
||||||
|
|
||||||
server "default" {
|
server "example.tld" {
|
||||||
listen on $ext_inet port 80 # Comment to disable listening on IPv4
|
listen on $ext_inet port 80 # Comment to disable listening on IPv4
|
||||||
# listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
|
#listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
|
||||||
listen on 127.0.0.1 port 80 # Do NOT comment this line
|
listen on 127.0.0.1 port 80 # Do NOT comment this line
|
||||||
|
|
||||||
log syslog
|
log syslog
|
||||||
|
|
@ -26,10 +27,18 @@ server "default" {
|
||||||
request strip 2
|
request strip 2
|
||||||
}
|
}
|
||||||
|
|
||||||
location "/robots.txt" { root "/htdocs/local/" }
|
location "/*" { block return 301 "https://$HTTP_HOST$REQUEST_URI" }
|
||||||
location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Example of serving a basic static website besides Pleroma using the example configuration in relayd
|
||||||
|
#server "site.example.tld" {
|
||||||
|
# listen on 127.0.0.1 port 8080
|
||||||
|
#
|
||||||
|
# location "/*" {
|
||||||
|
# root "/website"
|
||||||
|
# }
|
||||||
|
#}
|
||||||
|
|
||||||
types {
|
types {
|
||||||
include "/usr/share/misc/mime.types"
|
include "/usr/share/misc/mime.types"
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,15 +4,16 @@
|
||||||
#
|
#
|
||||||
# Simple installation instructions:
|
# Simple installation instructions:
|
||||||
# 1. Install Pleroma per wiki instructions
|
# 1. Install Pleroma per wiki instructions
|
||||||
# 2. Place this pleromad file in /etc/rc.d
|
# 2. Place this pleroma file in /etc/rc.d
|
||||||
# 3. Enable and start Pleroma
|
# 3. Enable and start Pleroma
|
||||||
# # doas rcctl enable pleromad
|
# # doas rcctl enable pleroma
|
||||||
# # doas rcctl start pleromad
|
# # doas rcctl start pleroma
|
||||||
#
|
#
|
||||||
|
|
||||||
daemon="/usr/local/bin/elixir"
|
daemon="/usr/local/bin/elixir"
|
||||||
daemon_flags="--detached -S /usr/local/bin/mix phx.server"
|
daemon_flags="--erl \"-detached\" -S /usr/local/bin/mix phx.server"
|
||||||
daemon_user="_pleroma"
|
daemon_user="_pleroma"
|
||||||
|
daemon_execdir="/home/_pleroma/pleroma"
|
||||||
|
|
||||||
. /etc/rc.d/rc.subr
|
. /etc/rc.d/rc.subr
|
||||||
|
|
||||||
|
|
@ -23,10 +24,6 @@ rc_check() {
|
||||||
pgrep -q -U _pleroma -f "phx.server"
|
pgrep -q -U _pleroma -f "phx.server"
|
||||||
}
|
}
|
||||||
|
|
||||||
rc_start() {
|
|
||||||
${rcexec} "cd pleroma; ${daemon} ${daemon_flags}"
|
|
||||||
}
|
|
||||||
|
|
||||||
rc_stop() {
|
rc_stop() {
|
||||||
pkill -q -U _pleroma -f "phx.server"
|
pkill -q -U _pleroma -f "phx.server"
|
||||||
}
|
}
|
||||||
|
|
@ -3,9 +3,10 @@
|
||||||
# Simple installation instructions:
|
# Simple installation instructions:
|
||||||
# 1. Place in /etc
|
# 1. Place in /etc
|
||||||
# 2. Replace <ipaddr> with your public IPv4 address
|
# 2. Replace <ipaddr> with your public IPv4 address
|
||||||
# 3. If using IPv6i, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
|
# 3. If using IPv6, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
|
||||||
# 4. Check file using 'doas relayd -n'
|
# 4. Replace all occurrences of example.tld with your instance's domain
|
||||||
# 5. Reload/start relayd
|
# 5. Check file using 'doas relayd -n'
|
||||||
|
# 6. Reload/start relayd
|
||||||
# # doas rcctl enable relayd
|
# # doas rcctl enable relayd
|
||||||
# # doas rcctl start relayd
|
# # doas rcctl start relayd
|
||||||
#
|
#
|
||||||
|
|
@ -14,31 +15,54 @@ ext_inet="<ipaddr>"
|
||||||
#ext_inet6="<ip6addr>"
|
#ext_inet6="<ip6addr>"
|
||||||
|
|
||||||
table <pleroma_server> { 127.0.0.1 }
|
table <pleroma_server> { 127.0.0.1 }
|
||||||
table <httpd_server> { 127.0.0.1 }
|
|
||||||
|
|
||||||
http protocol plerup { # Protocol for upstream pleroma server
|
# Uncomment when you want to serve other services than Pleroma.
|
||||||
|
# In this example tables are used only as way to differentiate between Pleroma and other services.
|
||||||
|
# Feel free to rename "httpd_server" everywhere to fit your setup.
|
||||||
|
#table <httpd_server> { 127.0.0.1 }
|
||||||
|
|
||||||
|
http protocol pleroma { # Protocol for upstream Pleroma server
|
||||||
#tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
|
#tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
|
||||||
tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305"
|
tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
|
||||||
tls ecdhe secp384r1
|
tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1
|
||||||
|
|
||||||
# Forward some paths to the local server (as pleroma won't respond to them as you might want)
|
return error
|
||||||
pass request quick path "/robots.txt" forward to <httpd_server>
|
|
||||||
|
|
||||||
# Append a bunch of headers
|
# When serving multiple services with different certificates, specify multiple "tls keypair" keywords
|
||||||
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt
|
# and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations.
|
||||||
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
|
# The string in quotes must match the fullchain certificate file created by acme-client without the extension.
|
||||||
|
# For example:
|
||||||
|
# tls keypair "pleroma.example.tld"
|
||||||
|
# tls keypair "example.tld"
|
||||||
|
tls keypair "example.tld"
|
||||||
|
|
||||||
|
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
|
||||||
match request header append "Connection" value "upgrade"
|
match request header append "Connection" value "upgrade"
|
||||||
|
|
||||||
|
# When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain).
|
||||||
|
# From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead.
|
||||||
|
pass request quick header "Host" value "example.tld" forward to <pleroma_server>
|
||||||
|
|
||||||
|
# Uncomment when serving media uploads on a different (sub)domain.
|
||||||
|
# Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead.
|
||||||
|
#pass request quick header "Host" value "media.example.tld" forward to <pleroma_server>
|
||||||
|
|
||||||
|
# When serving multiple services, add the forwards here.
|
||||||
|
# Example:
|
||||||
|
#pass request quick header "Host" value "example.tld" forward to <httpd_server>
|
||||||
|
|
||||||
|
block
|
||||||
}
|
}
|
||||||
|
|
||||||
relay wwwtls {
|
relay wwwtls {
|
||||||
listen on $ext_inet port https tls # Comment to disable listening on IPv4
|
listen on $ext_inet port https tls # Comment to disable listening on IPv4
|
||||||
# listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
|
#listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
|
||||||
|
|
||||||
protocol plerup
|
protocol pleroma
|
||||||
|
|
||||||
forward to <pleroma_server> port 4000 check http "/" code 200
|
forward to <pleroma_server> port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems.
|
||||||
forward to <httpd_server> port 80 check http "/robots.txt" code 200
|
|
||||||
|
# When serving multiple services, add the forwards here.
|
||||||
|
# Example:
|
||||||
|
#forward to <httpd_server> port 8080
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue