Last active
March 11, 2021 14:19
-
-
Save metastable/3215b3693b37f0d51aa3f82e814d24a0 to your computer and use it in GitHub Desktop.
mastodon on AmazonLinux2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| echo "mastodon.example.com" | sudo tee /etc/hostname > /dev/null | |
| sudo localectl set-locale LANG=en_US.UTF-8 | |
| sudo timedatectl set-timezone Asia/Tokyo | |
| sudo tee /etc/sysctl.d/ipv4-tuning.conf << EOF | |
| # Drop it so lack of FIN times out quicker | |
| net.ipv4.tcp_fin_timeout = 30 | |
| # reuse TIME-WAIT sockets | |
| net.ipv4.tcp_tw_reuse = 1 | |
| net.ipv4.tcp_tw_recycle = 1 | |
| # Turn off timestamps | |
| # Turn this back on if you're on a gigabit or very busy network | |
| # Having it off is one less thing the IP stack needs to work on | |
| net.ipv4.tcp_timestamps = 0 | |
| # Turn syn-cookie protection on | |
| net.ipv4.tcp_syncookies = 1 | |
| # Enable really big (>65kB) TCP window scaling if we want it. | |
| net.ipv4.tcp_window_scaling = 1 | |
| # allow testing with buffers up to 64MB | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| # increase Linux autotuning TCP buffer limit to 32MB | |
| net.ipv4.tcp_rmem = 4096 87380 33554432 | |
| net.ipv4.tcp_wmem = 4096 65536 33554432 | |
| # Drop keep-alive time | |
| net.ipv4.tcp_keepalive_time = 1800 | |
| # Increase number of incoming connections backlog | |
| net.core.netdev_max_backlog = 1024 | |
| # Increase number of incoming connections backlog | |
| net.core.somaxconn = 512 | |
| # Turn off sack | |
| net.ipv4.tcp_sack = 0 | |
| # Turn off sack/fack | |
| net.ipv4.tcp_fack = 0 | |
| # recommended default congestion control is htcp | |
| # net.ipv4.tcp_congestion_control=htcp | |
| # recommended for hosts with jumbo frames enabled | |
| net.ipv4.tcp_mtu_probing=1 | |
| # recommended for CentOS7+/Debian8+ hosts | |
| net.core.default_qdisc = fq | |
| EOF | |
| sudo sysctl -p | |
| sudo yum -y install deltarpm | |
| sudo yum -y update | |
| sudo yum -y reinstall glibc-common | |
| sudo localedef -v -c -i en_US -f UTF-8 en_US.UTF-8 | |
| sudo yum -y reinstall \* | |
| sudo amazon-linux-extras install epel -y | |
| sudo yum -y install http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm | |
| sudo yum -y makecache fast | |
| sudo yum -y install docker git postfix | |
| sudo usermod -aG docker ec2-user | |
| sudo groupadd -g 991 mastodon | |
| sudo adduser -g mastodon -u 991 mastodon | |
| sudo usermod -aG docker mastodon | |
| sudo yum -y install nginx certbot python2-certbot-nginx | |
| sudo systemctl enable docker | |
| sudo systemctl start docker | |
| sudo curl -L "https://github.com/docker/compose/releases/download/1.25.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose | |
| sudo chmod +x /usr/local/bin/docker-compose | |
| sudo tee /etc/systemd/system/[email protected] << EOF | |
| [Unit] | |
| Description=%i service with docker compose | |
| Requires=docker.service | |
| After=docker.service | |
| [Service] | |
| Restart=always | |
| WorkingDirectory=/etc/docker/compose/%i | |
| # Remove old containers, images and volumes | |
| ExecStartPre=/usr/bin/docker-compose down -v | |
| ExecStartPre=/usr/bin/docker-compose rm -fv | |
| ExecStartPre=-/bin/bash -c 'docker volume ls -qf "name=%i_" | xargs docker volume rm' | |
| ExecStartPre=-/bin/bash -c 'docker network ls -qf "name=%i_" | xargs docker network rm' | |
| ExecStartPre=-/bin/bash -c 'docker ps -aqf "name=%i_*" | xargs docker rm' | |
| # Compose up | |
| ExecStart=/usr/bin/docker-compose up | |
| # Compose down, remove containers and volumes | |
| ExecStop=/usr/bin/docker-compose down -v | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo mkdir -p /etc/docker/compose | |
| sudo systemctl enable postfix | |
| sudo systemctl start postfix | |
| #https://acme-v02.api.letsencrypt.org/directory | |
| sudo tee /etc/nginx/conf.d/mastodon.conf <<- 'EOF' | |
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name mastodon.example.com; | |
| # Useful for Let's Encrypt | |
| location /.well-known/acme-challenge/ { allow all; } | |
| location / { return 301 https://$host$request_uri; } | |
| return 404; # managed by Certbot | |
| } | |
| server { | |
| listen 443 ssl http2; # managed by Certbot | |
| listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot | |
| server_name mastodon.example.com; | |
| ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem; # managed by Certbot | |
| ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem; # managed by Certbot | |
| include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
| ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |
| keepalive_timeout 70; | |
| sendfile on; | |
| client_max_body_size 0; | |
| root /opt/mastodon/public; | |
| gzip on; | |
| gzip_disable "msie6"; | |
| gzip_vary on; | |
| gzip_proxied any; | |
| gzip_comp_level 6; | |
| gzip_buffers 16 8k; | |
| gzip_http_version 1.1; | |
| gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; | |
| add_header Strict-Transport-Security "max-age=31536000"; | |
| location / { | |
| try_files $uri @proxy; | |
| } | |
| location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { | |
| add_header Cache-Control "public, max-age=31536000, immutable"; | |
| try_files $uri @proxy; | |
| } | |
| location /sw.js { | |
| add_header Cache-Control "public, max-age=0"; | |
| try_files $uri @proxy; | |
| } | |
| location @proxy { | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto https; | |
| proxy_set_header Proxy ""; | |
| proxy_pass_header Server; | |
| proxy_pass http://127.0.0.1:3000; | |
| proxy_buffering off; | |
| proxy_redirect off; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| tcp_nodelay on; | |
| } | |
| location /api/v1/streaming { | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto https; | |
| proxy_set_header Proxy ""; | |
| proxy_pass http://127.0.0.1:4000; | |
| proxy_buffering off; | |
| proxy_redirect off; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| tcp_nodelay on; | |
| } | |
| error_page 404 /404.html; | |
| location = /40x.html { | |
| } | |
| error_page 500 501 502 503 504 /50x.html; | |
| location = /50x.html { | |
| } | |
| } | |
| EOF | |
| cd /etc/docker/compose | |
| sudo chown ec2-user:docker . | |
| git clone https://github.com/tootsuite/mastodon.git | |
| cd mastodon | |
| git checkout tags/v3.0.1 | |
| sudo chown -R mastodon:docker . | |
| sudo su | |
| su mastodon | |
| #cp .env.production.sample .env.production | |
| sudo tee /etc/docker/compose/mastodon/.env.production <<- 'EOF' | |
| # Service dependencies | |
| # You may set REDIS_URL instead for more advanced options | |
| # You may also set REDIS_NAMESPACE to share Redis between multiple Mastodon servers | |
| REDIS_HOST=redis | |
| REDIS_PORT=6379 | |
| # You may set DATABASE_URL instead for more advanced options | |
| DB_HOST=db | |
| DB_USER=postgres | |
| DB_NAME=postgres | |
| DB_PASS= | |
| DB_PORT=5432 | |
| # Optional ElasticSearch configuration | |
| # You may also set ES_PREFIX to share the same cluster between multiple Mastodon servers (falls back to REDIS_NAMESPACE if not set) | |
| # ES_ENABLED=true | |
| # ES_HOST=es | |
| # ES_PORT=9200 | |
| # Federation | |
| # Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation. | |
| # LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com. | |
| LOCAL_DOMAIN=mastdon.example.com | |
| # Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links) | |
| # Use this only if you need to run mastodon on a different domain than the one used for federation. | |
| # You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md | |
| # DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING. | |
| # WEB_DOMAIN=mastodon.example.com | |
| # Use this if you want to have several aliases [email protected] | |
| # [email protected] etc. for the same user. LOCAL_DOMAIN should not | |
| # be added. Comma separated values | |
| # ALTERNATE_DOMAINS=example1.com,example2.com | |
| # Application secrets | |
| # Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose) | |
| SECRET_KEY_BASE= | |
| OTP_SECRET= | |
| # VAPID keys (used for push notifications | |
| # You can generate the keys using the following command (first is the private key, second is the public one) | |
| # You should only generate this once per instance. If you later decide to change it, all push subscription will | |
| # be invalidated, requiring the users to access the website again to resubscribe. | |
| # | |
| # Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose) | |
| # | |
| # For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html | |
| VAPID_PRIVATE_KEY= | |
| VAPID_PUBLIC_KEY= | |
| # Registrations | |
| # Single user mode will disable registrations and redirect frontpage to the first profile | |
| # SINGLE_USER_MODE=true | |
| # Prevent registrations with following e-mail domains | |
| # EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc | |
| # Only allow registrations with the following e-mail domains | |
| # EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc | |
| # Optionally change default language | |
| DEFAULT_LOCALE=ja | |
| # E-mail configuration | |
| # Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers | |
| # If you want to use an SMTP server without authentication (e.g local Postfix relay) | |
| # then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and | |
| # *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough). | |
| SMTP_SERVER=localhost | |
| SMTP_PORT=25 | |
| SMTP_LOGIN= | |
| SMTP_PASSWORD= | |
| [email protected] | |
| #SMTP_REPLY_TO= | |
| #SMTP_DOMAIN= # defaults to LOCAL_DOMAIN | |
| #SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail | |
| #SMTP_AUTH_METHOD=plain | |
| #SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt | |
| #SMTP_OPENSSL_VERIFY_MODE=peer | |
| #SMTP_ENABLE_STARTTLS_AUTO=true | |
| #SMTP_TLS=true | |
| # Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files. | |
| # PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system | |
| # PAPERCLIP_ROOT_URL=/system | |
| # Optional asset host for multi-server setups | |
| # The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN | |
| # if WEB_DOMAIN is not set. For example, the server may have the | |
| # following header field: | |
| # Access-Control-Allow-Origin: https://example.com/ | |
| # CDN_HOST=https://assets.example.com | |
| # S3 (optional) | |
| # The attachment host must allow cross origin request from WEB_DOMAIN or | |
| # LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the | |
| # following header field: | |
| # Access-Control-Allow-Origin: https://192.168.1.123:9000/ | |
| # S3_ENABLED=true | |
| # S3_BUCKET= | |
| # AWS_ACCESS_KEY_ID= | |
| # AWS_SECRET_ACCESS_KEY= | |
| # S3_REGION= | |
| # S3_PROTOCOL=http | |
| # S3_HOSTNAME=192.168.1.123:9000 | |
| # S3 (Minio Config (optional) Please check Minio instance for details) | |
| # The attachment host must allow cross origin request - see the description | |
| # above. | |
| # S3_ENABLED=true | |
| # S3_BUCKET= | |
| # AWS_ACCESS_KEY_ID= | |
| # AWS_SECRET_ACCESS_KEY= | |
| # S3_REGION= | |
| # S3_PROTOCOL=https | |
| # S3_HOSTNAME= | |
| # S3_ENDPOINT= | |
| # S3_SIGNATURE_VERSION= | |
| # Google Cloud Storage (optional) | |
| # Use S3 compatible API. Since GCS does not support Multipart Upload, | |
| # increase the value of S3_MULTIPART_THRESHOLD to disable Multipart Upload. | |
| # The attachment host must allow cross origin request - see the description | |
| # above. | |
| # S3_ENABLED=true | |
| # AWS_ACCESS_KEY_ID= | |
| # AWS_SECRET_ACCESS_KEY= | |
| # S3_REGION= | |
| # S3_PROTOCOL=https | |
| # S3_HOSTNAME=storage.googleapis.com | |
| # S3_ENDPOINT=https://storage.googleapis.com | |
| # S3_MULTIPART_THRESHOLD=52428801 # 50.megabytes | |
| # Swift (optional) | |
| # The attachment host must allow cross origin request - see the description | |
| # above. | |
| # SWIFT_ENABLED=true | |
| # SWIFT_USERNAME= | |
| # For Keystone V3, the value for SWIFT_TENANT should be the project name | |
| # SWIFT_TENANT= | |
| # SWIFT_PASSWORD= | |
| # Some OpenStack V3 providers require PROJECT_ID (optional) | |
| # SWIFT_PROJECT_ID= | |
| # Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid | |
| # issues with token rate-limiting during high load. | |
| # SWIFT_AUTH_URL= | |
| # SWIFT_CONTAINER= | |
| # SWIFT_OBJECT_URL= | |
| # SWIFT_REGION= | |
| # Defaults to 'default' | |
| # SWIFT_DOMAIN_NAME= | |
| # Defaults to 60 seconds. Set to 0 to disable | |
| # SWIFT_CACHE_TTL= | |
| # Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare) | |
| # S3_ALIAS_HOST= | |
| # Streaming API integration | |
| # STREAMING_API_BASE_URL= | |
| # Advanced settings | |
| # If you need to use pgBouncer, you need to disable prepared statements: | |
| # PREPARED_STATEMENTS=false | |
| # Cluster number setting for streaming API server. | |
| # If you comment out following line, cluster number will be `numOfCpuCores - 1`. | |
| STREAMING_CLUSTER_NUM=1 | |
| # Docker mastodon user | |
| # If you use Docker, you may want to assign UID/GID manually. | |
| # UID=1000 | |
| # GID=1000 | |
| # LDAP authentication (optional) | |
| # LDAP_ENABLED=true | |
| # LDAP_HOST=localhost | |
| # LDAP_PORT=389 | |
| # LDAP_METHOD=simple_tls | |
| # LDAP_BASE= | |
| # LDAP_BIND_DN= | |
| # LDAP_PASSWORD= | |
| # LDAP_UID=cn | |
| # LDAP_SEARCH_FILTER=%{uid}=%{email} | |
| # PAM authentication (optional) | |
| # PAM authentication uses for the email generation the "email" pam variable | |
| # and optional as fallback PAM_DEFAULT_SUFFIX | |
| # The pam environment variable "email" is provided by: | |
| # https://github.com/devkral/pam_email_extractor | |
| # PAM_ENABLED=true | |
| # Fallback email domain for email address generation (LOCAL_DOMAIN by default) | |
| # PAM_EMAIL_DOMAIN=example.com | |
| # Name of the pam service (pam "auth" section is evaluated) | |
| # PAM_DEFAULT_SERVICE=rpam | |
| # Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default) | |
| # PAM_CONTROLLED_SERVICE=rpam | |
| # Global OAuth settings (optional) : | |
| # If you have only one strategy, you may want to enable this | |
| # OAUTH_REDIRECT_AT_SIGN_IN=true | |
| # Optional CAS authentication (cf. omniauth-cas) : | |
| # CAS_ENABLED=true | |
| # CAS_URL=https://sso.myserver.com/ | |
| # CAS_HOST=sso.myserver.com/ | |
| # CAS_PORT=443 | |
| # CAS_SSL=true | |
| # CAS_VALIDATE_URL= | |
| # CAS_CALLBACK_URL= | |
| # CAS_LOGOUT_URL= | |
| # CAS_LOGIN_URL= | |
| # CAS_UID_FIELD='user' | |
| # CAS_CA_PATH= | |
| # CAS_DISABLE_SSL_VERIFICATION=false | |
| # CAS_UID_KEY='user' | |
| # CAS_NAME_KEY='name' | |
| # CAS_EMAIL_KEY='email' | |
| # CAS_NICKNAME_KEY='nickname' | |
| # CAS_FIRST_NAME_KEY='firstname' | |
| # CAS_LAST_NAME_KEY='lastname' | |
| # CAS_LOCATION_KEY='location' | |
| # CAS_IMAGE_KEY='image' | |
| # CAS_PHONE_KEY='phone' | |
| # Optional SAML authentication (cf. omniauth-saml) | |
| # SAML_ENABLED=true | |
| # SAML_ACS_URL= | |
| # SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback | |
| # SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO | |
| # SAML_IDP_CERT= | |
| # SAML_IDP_CERT_FINGERPRINT= | |
| # SAML_NAME_IDENTIFIER_FORMAT= | |
| # SAML_CERT= | |
| # SAML_PRIVATE_KEY= | |
| # SAML_SECURITY_WANT_ASSERTION_SIGNED=true | |
| # SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true | |
| # SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true | |
| # SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1" | |
| # SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" | |
| # SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241" | |
| # SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42" | |
| # SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4" | |
| # SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1" | |
| # SAML_ATTRIBUTES_STATEMENTS_VERIFIED= | |
| # SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL= | |
| # Use HTTP proxy for outgoing request (optional) | |
| # http_proxy=http://gateway.local:8118 | |
| # Access control for hidden service. | |
| # ALLOW_ACCESS_TO_HIDDEN_SERVICE=true | |
| EOF | |
| docker-compose build | |
| docker-compose run --rm web ./bin/rake db:migrate | |
| docker-compose run --rm web ./bin/rake assets:precompile | |
| sudo systemctl enable docker-compose@mastodon | |
| sudo systemctl start docker-compose@mastodon | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment