From 20e68b30f08e0e0eae691dcf541968e344efdaae Mon Sep 17 00:00:00 2001 From: Maksim Pechnikov Date: Tue, 14 Jul 2020 07:31:21 +0300 Subject: added generated `pleroma.env` --- installation/pleroma.service | 2 ++ 1 file changed, 2 insertions(+) (limited to 'installation') diff --git a/installation/pleroma.service b/installation/pleroma.service index 5dcbc1387..ee00a3b7a 100644 --- a/installation/pleroma.service +++ b/installation/pleroma.service @@ -17,6 +17,8 @@ Environment="MIX_ENV=prod" Environment="HOME=/var/lib/pleroma" ; Path to the folder containing the Pleroma installation. WorkingDirectory=/opt/pleroma +; Path to the environment file. the file contains RELEASE_COOKIE and etc +EnvironmentFile=/opt/pleroma/config/pleroma.env ; Path to the Mix binary. ExecStart=/usr/bin/mix phx.server -- cgit v1.2.3 From 14054cd004d91e89644c31d61b08d50ff0df09dd Mon Sep 17 00:00:00 2001 From: Maksim Pechnikov Date: Thu, 16 Jul 2020 08:52:14 +0300 Subject: update task messages --- installation/init.d/pleroma | 1 + 1 file changed, 1 insertion(+) (limited to 'installation') diff --git a/installation/init.d/pleroma b/installation/init.d/pleroma index 384536f7e..e908cda1b 100755 --- a/installation/init.d/pleroma +++ b/installation/init.d/pleroma @@ -8,6 +8,7 @@ pidfile="/var/run/pleroma.pid" directory=/opt/pleroma healthcheck_delay=60 healthcheck_timer=30 +export $(cat /opt/pleroma/config/pleroma.env) : ${pleroma_port:-4000} -- cgit v1.2.3 From e7b0840b88838f9e14bd2b09060d89c4a656966c Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 23 Oct 2020 15:32:32 -0500 Subject: NoNewPrivileges breaks ability to send email via sendmail because it restricts ability to run setuid/setgid binaries --- installation/pleroma.service | 2 -- 1 file changed, 2 deletions(-) (limited to 'installation') diff --git a/installation/pleroma.service b/installation/pleroma.service index ee00a3b7a..63e83ed6e 100644 --- a/installation/pleroma.service +++ b/installation/pleroma.service 
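Review bot: The added `EnvironmentFile=/opt/pleroma/config/pleroma.env` loads a file that the accompanying comment says holds RELEASE_COOKIE, yet neither the unit nor the commit states who may read that file, so nothing stops it being created world-readable. Replace the added comment with one that carries the requirement, e.g. `; Path to the environment file, which contains RELEASE_COOKIE and other secrets; it must be owned by the pleroma user with mode 0600.`, which also fixes the wording of `the file contains RELEASE_COOKIE and etc`. Note that systemd refuses to start the unit when an `EnvironmentFile=` path is missing unless the path is prefixed with `-`; that is probably the intended behaviour here, but it is worth saying so in the comment.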
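Review bot: `export $(cat /opt/pleroma/config/pleroma.env)` depends on unquoted word splitting and pathname expansion, so a value containing spaces, `#` comments or glob characters is mangled, and when the file is missing the script only prints a cat error and continues with the variables unset. The usual shape for an OpenRC script is to source the file with allexport behind a readability check, `[ -r /opt/pleroma/config/pleroma.env ] && { set -a; . /opt/pleroma/config/pleroma.env; set +a; }`, which preserves quoting in the file. Since the matching pleroma.service change says this file carries RELEASE_COOKIE, a one-line comment naming the expected owner and mode belongs here too.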
@@ -31,8 +31,6 @@ ProtectHome=true ProtectSystem=full ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. PrivateDevices=false -; Ensures that the service process and all its children can never gain new privileges through execve(). -NoNewPrivileges=true ; Drops the sysadmin capability from the daemon. CapabilityBoundingSet=~CAP_SYS_ADMIN -- cgit v1.2.3 From cc45c69fff515cb82c4902b67c8edce6b109c819 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Sat, 7 Nov 2020 22:09:28 +0300 Subject: Remove release_env While taking a final look at instance.gen before releasing I noticed that the release_env task outputs messages in broken english. Upon further inspection it seems to have even more severe issues which, in my opinion, warrant it's at least temporary removal: - We do not explain what it actually does, anywhere. Neither the task docs nor instance.gen, nor installation instructions. - It does not respect FHS on OTP releases (uses /opt/pleroma/config even though we store the config in /etc/pleroma/config.exs). - It doesn't work on OTP releases, which is the main reason it exists. Neither systemd nor openrc service files for OTP include it. - It is not mentioned in install guides other than the ones for Debian and OTP releases. --- installation/init.d/pleroma | 1 - installation/pleroma.service | 2 -- 2 files changed, 3 deletions(-) (limited to 'installation') diff --git a/installation/init.d/pleroma b/installation/init.d/pleroma index e908cda1b..384536f7e 100755 --- a/installation/init.d/pleroma +++ b/installation/init.d/pleroma @@ -8,7 +8,6 @@ pidfile="/var/run/pleroma.pid" directory=/opt/pleroma healthcheck_delay=60 healthcheck_timer=30 -export $(cat /opt/pleroma/config/pleroma.env) : ${pleroma_port:-4000} 
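Review bot: Removing `NoNewPrivileges=true` takes a sandbox guarantee away from every deployment, including those that never send mail through sendmail, and the hunk leaves no trace in the unit of why it is gone. Keep a comment in its place so operators who do not use a setuid sendmail can restore it, e.g. `; NoNewPrivileges=true is omitted because delivering mail through a setuid sendmail binary requires gaining privileges on execve(); enable it if you do not use a local sendmail.` The remaining hardening lines (`ProtectSystem=full`, `CapabilityBoundingSet=~CAP_SYS_ADMIN`) are untouched, so the comment should make clear that only this one restriction was traded for mail delivery.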
diff --git a/installation/pleroma.service b/installation/pleroma.service index 63e83ed6e..8338228d8 100644 --- a/installation/pleroma.service +++ b/installation/pleroma.service @@ -17,8 +17,6 @@ Environment="MIX_ENV=prod" Environment="HOME=/var/lib/pleroma" ; Path to the folder containing the Pleroma installation. WorkingDirectory=/opt/pleroma -; Path to the environment file. the file contains RELEASE_COOKIE and etc -EnvironmentFile=/opt/pleroma/config/pleroma.env ; Path to the Mix binary. ExecStart=/usr/bin/mix phx.server -- cgit v1.2.3 From 2c55f7d7cb25b857265df67c21bc59f7778653ee Mon Sep 17 00:00:00 2001 
From: rinpatch Date: Tue, 17 Nov 2020 17:28:30 +0300 Subject: Remove FedSockets Current FedSocket implementation has a bunch of problems. It doesn't have proper error handling (in case of an error the server just doesn't respond until the connection is closed, while the client doesn't match any error messages and just assumes there has been an error after 15s) and the code is full of bad descisions (see: fetch registry which uses uuids for no reason and waits for a response by recursively querying a ets table until the value changes, or double JSON encoding). Sometime ago I almost completed rewriting fedsockets from scrach to adress these issues. However, while doing so, I realized that fedsockets are just too overkill for what they were trying to accomplish, which is reduce the overhead of federation by not signing every message. This could be done without reimplementing failure states and endpoint logic we already have with HTTP by, for example, using TLS cert auth, or switching to a more performant signature algorithm. I opened https://git.pleroma.social/pleroma/pleroma/-/issues/2262 for further discussion on alternatives to fedsockets. From discussions I had with other Pleroma developers it seems like they would approve the descision to remove them as well, therefore I am submitting this patch. --- installation/pleroma.nginx | 5 ----- 1 file changed, 5 deletions(-) (limited to 'installation') diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index d613befd2..9890cb2b1 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -93,9 +93,4 @@ server { chunked_transfer_encoding on; proxy_pass http://phoenix; } - - location /api/fedsocket/v1 { - proxy_request_buffering off; - proxy_pass http://phoenix/api/fedsocket/v1; - } } -- cgit v1.2.3 From 5c75bfc58657e656e19c09670aad44bf6ff6d3dc Mon Sep 17 00:00:00 2001 
From: "Haelwenn (lanodan) Monnier" Date: Tue, 8 Dec 2020 23:46:13 +0100 Subject: download-mastofe-build.sh: Proper exit when artifact is missing --- installation/download-mastofe-build.sh | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'installation') diff --git a/installation/download-mastofe-build.sh b/installation/download-mastofe-build.sh index ee9e1c217..b8a021ef3 100755 --- a/installation/download-mastofe-build.sh +++ b/installation/download-mastofe-build.sh 
@@ -9,29 +9,32 @@ static_dir="instance/static" # project_branch="pleroma" # static_dir="priv/static" -if [[ ! -d "${static_dir}" ]] +if [ ! -d "${static_dir}" ] then echo "Error: ${static_dir} directory is missing, are you sure you are running this script at the root of pleroma’s repository?" exit 1 fi -last_modified="$(curl -s -I 'https://git.pleroma.social/api/v4/projects/'${project_id}'/jobs/artifacts/'${project_branch}'/download?job=build' | grep '^Last-Modified:' | cut -d: -f2-)" +last_modified="$(curl --fail -s -I 'https://git.pleroma.social/api/v4/projects/'${project_id}'/jobs/artifacts/'${project_branch}'/download?job=build' | grep '^Last-Modified:' | cut -d: -f2-)" echo "branch:${project_branch}" echo "Last-Modified:${last_modified}" artifact="mastofe.zip" -if [[ -e mastofe.timestamp ]] && [[ "${last_modified}" != "" ]] +if [ "${last_modified}x" = "x" ] then - if [[ "$(cat mastofe.timestamp)" == "${last_modified}" ]] - then - echo "MastoFE is up-to-date, exiting…" - exit 0 - fi + echo "ERROR: Couldn't get the modification date of the latest build archive, maybe it expired, exiting..." + exit 1 +fi + +if [ -e mastofe.timestamp ] && [ "$(cat mastofe.timestamp)" = "${last_modified}" ] +then + echo "MastoFE is up-to-date, exiting..." + exit 0 fi -curl -c - "https://git.pleroma.social/api/v4/projects/${project_id}/jobs/artifacts/${project_branch}/download?job=build" -o "${artifact}" || exit +curl --fail -c - "https://git.pleroma.social/api/v4/projects/${project_id}/jobs/artifacts/${project_branch}/download?job=build" -o "${artifact}" || exit # TODO: Update the emoji as well rm -fr "${static_dir}/sw.js" "${static_dir}/packs" || exit -- cgit v1.2.3 From c4439c630f46153c9f118d7f7e752d880206d262 Mon Sep 17 00:00:00 2001 
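Review bot: `[ "${last_modified}x" = "x" ]` is an old portability workaround; POSIX sh handles `[ -z "${last_modified}" ]`, which reads directly as the emptiness test it is. The `echo "Last-Modified:${last_modified}"` line still runs before the new check, so a failed or expired artifact prints an empty header line before the error message; moving the check above the two echo lines avoids the confusing output. The HEAD request also leaves `${project_id}` and `${project_branch}` outside the quoted URL while the download line below quotes the whole URL; quoting both the same way is cleaner. The script continues past the end of this hunk.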
From: "Haelwenn (lanodan) Monnier" Date: Wed, 13 Jan 2021 07:49:20 +0100 Subject: Bump Copyright to 2021 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors ;' --- installation/download-mastofe-build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'installation') diff --git a/installation/download-mastofe-build.sh b/installation/download-mastofe-build.sh index b8a021ef3..ee353c48c 100755 --- a/installation/download-mastofe-build.sh +++ b/installation/download-mastofe-build.sh @@ -1,6 +1,6 @@ #!/bin/sh # Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors +# Copyright © 2017-2021 Pleroma Authors # SPDX-License-Identifier: AGPL-3.0-only project_id="74" project_branch="rebase/glitch-soc" -- cgit v1.2.3 From 3078e62488ad1d94d1d3b83faf9f2b070e4aff06 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Thu, 21 Jan 2021 12:25:18 -0600 Subject: Update Apache configuration. This has been tested. --- installation/pleroma-apache.conf | 91 ++++++++++++++++++++++------------------ 1 file changed, 51 insertions(+), 40 deletions(-) (limited to 'installation') diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index 0d627f2d7..139abe9e1 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf 
@@ -1,73 +1,84 @@ -# default Apache site config for Pleroma -# -# needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl -# optional modules: cache cache_disk +# Sample Apache config for Pleroma # # Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. This assumes a Debian style Apache config. Copy this file to -# /etc/apache2/sites-available/ and then add a symlink to it in -# /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache. +# 1. Install your TLS certificate. We recommend using Let's Encrypt via Certbot +# 2. Replace 'example.tld' with your instance's domain. +# 3. This assumes a Debian-style Apache config. Copy this file to +# /etc/apache2/sites-available/ and then activate the site by running +# 'a2ensite pleroma-apache.conf', then restart Apache. # # Optional: enable disk-based caching for the media proxy # For details, see https://git.pleroma.social/pleroma/pleroma/wikis/How%20to%20activate%20mediaproxy # -# 1. Create the directory listed below as the CacheRoot, and make sure +# 1. Create a directory as shown below for the CacheRoot and make sure # the Apache user can write to it. # 2. Configure Apache's htcacheclean to clean the directory periodically. -# 3. Run 'a2enmod cache cache_disk' and restart Apache. +# Your OS may provide a service you can enable to do this automatically. 
Define servername example.tld + + LoadModule proxy_module libexec/apache24/mod_proxy.so + + + LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so + + + LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so + + + LoadModule rewrite_module libexec/apache24/mod_rewrite.so + + + LoadModule ssl_module libexec/apache24/mod_ssl.so + + + LoadModule cache_module libexec/apache24/mod_cache.so + + + LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so + + ServerName ${servername} ServerTokens Prod -ErrorLog ${APACHE_LOG_DIR}/error.log -CustomLog ${APACHE_LOG_DIR}/access.log combined +# If you want Pleroma-specific logs +#ErrorLog /var/log/httpd-pleroma-error.log +#CustomLog /var/log/httpd-pleroma-access.log combined - Redirect permanent / https://${servername} + RewriteEngine on + RewriteCond %{SERVER_NAME} =${servername} + RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] SSLEngine on SSLCertificateFile /etc/letsencrypt/live/${servername}/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem + # Make sure you have the certbot-apache module installed + Include /etc/letsencrypt/options-ssl-apache.conf - # Mozilla modern configuration, tweak to your needs - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - SSLHonorCipherOrder on - SSLCompression off - SSLSessionTickets off - - # uncomment the following to enable mediaproxy caching on disk - # - # CacheRoot /var/cache/apache2/mod_cache_disk - # CacheDirLevels 1 - # CacheDirLength 2 - # CacheEnable disk /proxy - # CacheLock on - # + # Uncomment the following to enable MediaProxy caching on disk + #CacheRoot /tmp/pleroma-media-cache/ + #CacheDirLevels 1 + 
#CacheDirLength 2 + #CacheEnable disk /proxy + #CacheLock on + #CacheHeader on + #CacheDetailHeader on + ## 16MB max filesize for caching, configure as desired + #CacheMaxFileSize 16000000 + #CacheDefaultExpire 86400 RewriteEngine On RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] - RewriteRule /(.*) ws://localhost:4000/$1 [P,L] + RewriteRule /(.*) ws://127.0.0.1:4000/$1 [P,L] + #ProxyRequests must be off or you open your server to abuse as an open proxy ProxyRequests off - # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only - # and `localhost.` resolves to [::0] on some systems: see issue #930 ProxyPass / http://127.0.0.1:4000/ ProxyPassReverse / http://127.0.0.1:4000/ - - RequestHeader set Host ${servername} ProxyPreserveHost On - -# OCSP Stapling, only in httpd 2.3.3 and later -SSLUseStapling on -SSLStaplingResponderTimeout 5 -SSLStaplingReturnResponderErrors off -SSLStaplingCache shmcb:/var/run/ocsp(128000) -- cgit v1.2.3 From 003402df401f2bbf46e47017e3b7a2ec27615ea2 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Thu, 21 Jan 2021 14:20:13 -0600 Subject: Add ability to invalidate cache entries for Apache --- installation/apache-cache-purge.sh.example | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100755 installation/apache-cache-purge.sh.example (limited to 'installation') diff --git a/installation/apache-cache-purge.sh.example b/installation/apache-cache-purge.sh.example new file mode 100755 index 000000000..be1d36841 --- /dev/null +++ b/installation/apache-cache-purge.sh.example 
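Review bot: The suggested `#CacheRoot /tmp/pleroma-media-cache/` points the media cache at a world-writable shared directory that tmp cleaners may empty; the replaced config used `/var/cache/apache2/mod_cache_disk`, and the sample should name a dedicated directory owned by the Apache user instead, e.g. `#CacheRoot /var/cache/apache2/pleroma-media-cache/`, with step 1 of the header telling the operator to create it. The same `/tmp/pleroma-media-cache` path is introduced as `CACHE_DIRECTORY` in apache-cache-purge.sh.example below and should change with it. With the explicit `SSLProtocol`, `SSLCipherSuite`, `SSLSessionTickets` and OCSP stapling lines removed, the TLS policy of this vhost rests entirely on `Include /etc/letsencrypt/options-ssl-apache.conf`; the header should state that nothing else sets a protocol floor when certbot-apache is not installed. The `LoadModule ... libexec/apache24/...` paths appear to be FreeBSD-specific while the header still describes a Debian layout, which is worth spelling out; the `<IfModule>` wrappers seem to have been lost in this rendering, so the hunk's exact structure is partly inferred.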
@@ -0,0 +1,25 @@ +#!/bin/sh + +# A simple shell script to delete a media from Apache's mod_disk_cache. + +SCRIPTNAME=${0##*/} + +# mod_disk_cache directory +CACHE_DIRECTORY="/tmp/pleroma-media-cache" + +## Removes an item via the htcacheclean utility +## $1 - the filename, can be a pattern . +## $2 - the cache directory. +purge_item() { + htcacheclean -p "${2}" "${1}" +} # purge_item + +purge() { + for url in "$@" + do + echo "$SCRIPTNAME delete \`$url\` from cache ($CACHE_DIRECTORY)" + purge_item "$url" $CACHE_DIRECTORY + done +} + +purge "$@" -- cgit v1.2.3 From 8373cb645b7f357eedbc3a45a2e75a81376e6ef8 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Mon, 25 Jan 2021 18:15:04 -0600 Subject: Add sudo rule, remove quoting that breaks the for loop --- installation/apache-cache-purge.sh.example | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'installation') diff --git a/installation/apache-cache-purge.sh.example b/installation/apache-cache-purge.sh.example index be1d36841..62997038d 100755 --- a/installation/apache-cache-purge.sh.example +++ b/installation/apache-cache-purge.sh.example @@ -1,6 +1,10 @@ #!/bin/sh # A simple shell script to delete a media from Apache's mod_disk_cache. +# You will likely need to setup a sudo rule like the following: +# +# Cmnd_Alias HTCACHECLEAN = /usr/local/sbin/htcacheclean +# pleroma ALL=HTCACHECLEAN, NOPASSWD: HTCACHECLEAN SCRIPTNAME=${0##*/} @@ -11,15 +15,15 @@ CACHE_DIRECTORY="/tmp/pleroma-media-cache" ## $1 - the filename, can be a pattern . ## $2 - the cache directory. purge_item() { - htcacheclean -p "${2}" "${1}" + sudo htcacheclean -v -p "${2}" "${1}" } # purge_item purge() { - for url in "$@" + for url in $@ do echo "$SCRIPTNAME delete \`$url\` from cache ($CACHE_DIRECTORY)" purge_item "$url" $CACHE_DIRECTORY done } -purge "$@" +purge $@ -- cgit v1.2.3 From c6ef87d585b63e9e26b16176b65a67d10e4b706b Mon Sep 17 00:00:00 2001 
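Review bot: The header comment and the `# mod_disk_cache directory` comment name `mod_disk_cache`, but the module the companion pleroma-apache.conf loads is `mod_cache_disk.so`; use the Apache 2.4 name in both places so readers search for the right module. `purge_item "$url" $CACHE_DIRECTORY` quotes one argument and not the other; `"$CACHE_DIRECTORY"` matches the quoting of the URL and survives a path with spaces. The doc line `## $1 - the filename, can be a pattern .` is misleading, since htcacheclean's positional arguments are cache URLs to remove rather than filenames according to its manual; `## $1 - the URL of the cached entry to remove.` describes what the call does.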
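Review bot: Switching to `for url in $@` and `purge $@` restores word splitting, but it also exposes every URL to pathname expansion, and URLs routinely contain `?` and sometimes `*`, which will match files in the working directory when one exists. Add `set -f` near the top of the script to disable globbing before the split, and a comment stating that the caller apparently passes several URLs in one space-separated argument, which is why the quotes were removed; without that note the next reader will put them back. The new sudo rule grants `htcacheclean` with any arguments as root; sudoers accepts argument restrictions, so pinning `-v -p` and the cache directory in `Cmnd_Alias HTCACHECLEAN` keeps the rule from being usable against other cache paths.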
From: Mark Felder Date: Mon, 25 Jan 2021 18:20:07 -0600 Subject: Note the requirement for the url_format parameter --- installation/apache-cache-purge.sh.example | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'installation') diff --git a/installation/apache-cache-purge.sh.example b/installation/apache-cache-purge.sh.example index 62997038d..7b4262875 100755 --- a/installation/apache-cache-purge.sh.example +++ b/installation/apache-cache-purge.sh.example @@ -5,6 +5,13 @@ # # Cmnd_Alias HTCACHECLEAN = /usr/local/sbin/htcacheclean # pleroma ALL=HTCACHECLEAN, NOPASSWD: HTCACHECLEAN +# +# Please also ensure you have enabled: +# +# config :pleroma, Pleroma.Web.MediaProxy.Invalidation.Script, url_format: :htcacheclean +# +# which will correctly format the URLs passed to this script for the htcacheclean utility. +# SCRIPTNAME=${0##*/} -- cgit v1.2.3 From 1d8f1fe0772736dd71219d244783c9d671dd7223 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 5 Feb 2021 13:32:21 -0600 Subject: Add a default rule to not attempt to cache any files larger than 50MB This fixes connection failures when trying to retrieve large files. It is less common in typical Pleroma usage, but it's possible to encounter this on a cloud instance with lower memory. --- installation/pleroma.vcl | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'installation') diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 13dad784c..4752510ea 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -59,6 +59,13 @@ sub vcl_backend_response { set beresp.http.CR = beresp.http.content-range; } + # Bypass cache for large files + # 50000000 ~ 50MB + if (std.integer(beresp.http.content-length, 0) > 50000000) { + set beresp.uncacheable = true; + return(deliver); + } + # Don't cache objects that require authentication if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") { set beresp.uncacheable = true; -- cgit v1.2.3
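Review bot: The new size check only covers responses that carry `Content-Length`; for a chunked backend response `std.integer(beresp.http.content-length, 0)` returns the fallback 0 and a large body is cached anyway, which is the failure the commit message describes. Document the gap next to the check, e.g. `# Responses without Content-Length (chunked transfer) are not caught by this check`, or extend the condition to treat a missing header as uncacheable if that suits the instance. The `std.integer` call relies on `import std;` at the top of the VCL, which is outside this hunk and worth confirming, and the 50000000 threshold appears in both the comment and the condition, so they will drift if only one is edited. `vcl_backend_response` begins before this hunk.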