Diffstat (limited to 'installation')
-rw-r--r--installation/caddyfile-pleroma.example33
-rwxr-xr-xinstallation/init.d/pleroma21
-rw-r--r--installation/pleroma-apache.conf60
-rw-r--r--installation/pleroma.nginx29
-rw-r--r--installation/pleroma.service11
5 files changed, 104 insertions, 50 deletions
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index e0f9dc917..03ff000b6 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -1,18 +1,31 @@
-social.domain.tld {
- tls user@domain.tld
+# default Caddyfile config for Pleroma
+#
+# Simple installation instructions:
+# 1. Replace 'example.tld' with your instance's domain wherever it appears.
+# 2. Copy this section into your Caddyfile and restart Caddy.
- log /var/log/caddy/pleroma.log
+example.tld {
+ log /var/log/caddy/pleroma_access.log
+ errors /var/log/caddy/pleroma_error.log
- cors / {
- origin https://halcyon.domain.tld
- origin https://pinafore.domain.tld
- methods POST,PUT,DELETE,GET,PATCH,OPTIONS
- allowed_headers Authorization,Content-Type,Idempotency-Key
- exposed_headers Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id
- }
+ gzip
proxy / localhost:4000 {
websocket
transparent
}
+
+ tls {
+ # Remove the rest of the lines in here, if you want to support older devices
+ key_type p256
+ ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
+ }
+
+ # If you do not want to use the mediaproxy function, remove these lines.
+ # To use this directive, you need the http.cache plugin for Caddy.
+ cache {
+ match_path /proxy
+ default_max_age 720m
+ }
+ # Stop removing lines here.
}
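Review bot: The rewritten `tls { ... }` block no longer carries the ACME contact address that the removed `tls user@domain.tld` line supplied, so with Caddy 1.x automatic HTTPS the address has to come from the `-email`/`-agree` command-line flags or, as far as I recall, the first start prompts interactively, which a service manager cannot answer. Keeping the address on the directive line, `tls admin@example.tld {` (constructed sample in the file's own `example.tld` convention), preserves the old behaviour alongside the new key and cipher settings. Separately, `match_path /proxy` caches only the media proxy, while the nginx config in this same commit now caches both `/media` and `/proxy`; if the two configs are meant to be equivalent, the `cache` block should cover both paths as far as the http.cache plugin's matching allows.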
diff --git a/installation/init.d/pleroma b/installation/init.d/pleroma
new file mode 100755
index 000000000..9582d65d4
--- /dev/null
+++ b/installation/init.d/pleroma
@@ -0,0 +1,21 @@
+#!/sbin/openrc-run
+
+# Requires OpenRC >= 0.35
+directory=~pleroma/pleroma
+
+command=/usr/bin/mix
+command_args="phx.server"
+command_user=pleroma:pleroma
+command_background=1
+
+export PORT=4000
+export MIX_ENV=prod
+
+# Ask process to terminate within 30 seconds, otherwise kill it
+retry="SIGTERM/30 SIGKILL/5"
+
+pidfile="/var/run/pleroma.pid"
+
+depend() {
+ need nginx postgresql
+} \ No newline at end of file
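Review bot: `need nginx postgresql` in `depend()` makes the service refuse to start on any host that fronts Pleroma with Apache or Caddy, both of which ship as alternatives in this same directory. Only the database is a hard dependency; the reverse proxy should be a soft one, `need postgresql` followed by `use nginx`, so OpenRC orders the service after nginx when it is installed but does not require it. The file is also missing its trailing newline, as the diff marker on the last line shows.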
diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf
index bb6d32587..d5e75044f 100644
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
@@ -1,26 +1,54 @@
+# default Apache site config for Pleroma
+#
+# needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 3. This assumes a Debian style Apache config. Copy this file to
+# /etc/apache2/sites-available/ and then add a symlink to it in
+# /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache.
+
+Define servername example.tld
+
+ServerName ${servername}
+ServerTokens Prod
+
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log combined
+
<VirtualHost *:80>
- #Example configuration for when Apache httpd and Pleroma are on the same host.
- #Needed modules: proxy proxy_http proxy_wstunnel rewrite
- #This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available
- #Doesn't include SSL, just run certbot and let it take care of that.
-
-
- #Change this:
- ServerName pleroma.example.com
-
+ Redirect permanent / https://${servername}
+</VirtualHost>
+
+<VirtualHost *:443>
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/${servername}/fullchain.pem
+
+ # Mozilla modern configuration, tweak to your needs
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ SSLHonorCipherOrder on
+ SSLCompression off
+ SSLSessionTickets off
+
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:4000/$1 [P,L]
-
+
ProxyRequests off
ProxyPass / http://localhost:4000/
ProxyPassReverse / http://localhost:4000/
-
- #Change this too:
- RequestHeader set Host "pleroma.example.com"
+
+ RequestHeader set Host ${servername}
ProxyPreserveHost On
-
- ErrorLog ${APACHE_LOG_DIR}/error.log
- CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
+
+# OCSP Stapling, only in httpd 2.3.3 and later
+SSLUseStapling on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache shmcb:/var/run/ocsp(128000)
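Review bot: `Redirect permanent / https://${servername}` has no trailing slash on the target, and mod_alias appends the unmatched remainder of the request path directly to the target string, so as far as I can tell a request for `/users/foo` is sent to `https://example.tldusers/foo`; writing `Redirect permanent / https://${servername}/` keeps the path intact. With the whole site now forced onto TLS, the 443 vhost could also send `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` (mod_headers is already in the required-modules list) once the certificate is known to work, mirroring the commented-out HSTS line the nginx config carried. `SSLCertificateChainFile` pointing at `fullchain.pem` works but is deprecated since httpd 2.4.8; `SSLCertificateFile` accepts `fullchain.pem` directly and the chain directive can be dropped.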
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 78327594f..e1184fe77 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -10,8 +10,8 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
inactive=720m use_temp_path=off;
server {
- listen 80;
server_name example.tld;
+ listen 80;
return 301 https://$server_name$request_uri;
# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
@@ -46,7 +46,7 @@ server {
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_stapling on;
ssl_stapling_verify on;
-
+
server_name example.tld;
gzip_vary on;
@@ -60,27 +60,6 @@ server {
client_max_body_size 16m;
location / {
- # if you do not want remote frontends to be able to access your Pleroma backend
- # server, remove these lines.
- add_header 'Access-Control-Allow-Origin' '*' always;
- add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
- add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
- add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
- if ($request_method = OPTIONS) {
- return 204;
- }
- # stop removing lines here.
-
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header Referrer-Policy same-origin;
- add_header X-Download-Options noopen;
-
- # Uncomment this only after you get HTTPS working.
- # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
-
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
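Review bot: The removed `add_header` lines took the browser-side hardening headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection, X-Permitted-Cross-Domain-Policies, X-Download-Options) and the HSTS hint out of `location /`, and nothing in this commit re-adds them at the proxy, so they reach clients only if the backend emits them itself. If Pleroma now sets these headers application-side, the commit message should say so; if not, the security-header lines (as opposed to the CORS ones) should stay, either in `location /` or at `server` level so every location inherits them. Both the `location /` block and the enclosing `server` block continue outside this hunk.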
@@ -91,10 +70,12 @@ server {
client_max_body_size 16m;
}
- location /proxy {
+ location ~ ^/(media|proxy) {
proxy_cache pleroma_media_cache;
proxy_cache_lock on;
proxy_ignore_client_abort on;
+ proxy_buffering off;
+ chunked_transfer_encoding on;
proxy_pass http://localhost:4000;
}
}
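Review bot: `proxy_buffering off` is added inside the location that declares `proxy_cache pleroma_media_cache`, and nginx only stores upstream responses in the cache from its buffered path, so as far as I can tell this line disables the media cache the block exists for. If the goal is to stream large media without holding it in memory, keep buffering on and tune `proxy_buffers`/`proxy_max_temp_file_size` instead; if caching is no longer wanted for `/media` and `/proxy`, drop the `proxy_cache*` lines so the config does not promise a cache it cannot fill. The new regex `^/(media|proxy)` also matches paths such as `/mediafoo`; `^/(media|proxy)/` binds it to those path segments only.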
diff --git a/installation/pleroma.service b/installation/pleroma.service
index fd4180985..6955e5cc6 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -6,10 +6,21 @@ After=network.target postgresql.service
User=pleroma
WorkingDirectory=/home/pleroma/pleroma
Environment="HOME=/home/pleroma"
+Environment="MIX_ENV=prod"
ExecStart=/usr/local/bin/mix phx.server
ExecReload=/bin/kill $MAINPID
KillMode=process
Restart=on-failure
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+
[Install]
WantedBy=multi-user.target
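Review bot: `ProtectSystem=full` leaves `/home/pleroma/pleroma`, the code and config the service runs from, writable by the service itself, so a compromised process can still modify its own installation; `ProtectSystem=strict` together with `ReadWritePaths=<WRITABLE_DIRS>` (placeholder: the upload directory Pleroma writes to, plus `_build` if `mix phx.server` is expected to compile at start) confines writes to the paths that need them. The comment on `PrivateDevices=false` could add that `false` is systemd's default, so the line documents a decision rather than changing behaviour. `ExecReload=/bin/kill $MAINPID` in the context above sends SIGTERM, which stops the instance rather than reloading it; if there is no reload signal, removing `ExecReload` so that `systemctl reload` fails clearly is safer than a reload that kills the service.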