0ffa554fdb
Found this seemed to work better in my experience and also allows for easy updating like any other package.
422 lines
13 KiB
Markdown
422 lines
13 KiB
Markdown
Production guide
|
||
================
|
||
|
||
The following HTTP headers are already set internally and should not be set again:
|
||
|
||
```
|
||
'Server' => 'Mastodon',
|
||
'X-Frame-Options' => 'DENY',
|
||
'X-Content-Type-Options' => 'nosniff',
|
||
'X-XSS-Protection' => '1; mode=block',
|
||
```
|
||
|
||
## Nginx
|
||
|
||
Regardless of whether you go with the Docker approach or not, here is an example Nginx server configuration.
|
||
|
||
At a minimum, you'll want to replace any occurrence of `example.com` with your actual hostname, and `/home/mastodon/live/public` with the location of your actual mastodon `public/` directory.
|
||
|
||
```nginx
|
||
map $http_upgrade $connection_upgrade {
|
||
default upgrade;
|
||
'' close;
|
||
}
|
||
|
||
server {
|
||
listen 80;
|
||
listen [::]:80;
|
||
server_name example.com;
|
||
# Useful for Let's Encrypt
|
||
location /.well-known/acme-challenge/ { allow all; }
|
||
location / { return 301 https://$host$request_uri; }
|
||
}
|
||
|
||
server {
|
||
listen 443 ssl http2;
|
||
listen [::]:443 ssl http2;
|
||
server_name example.com;
|
||
|
||
ssl_protocols TLSv1.2;
|
||
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
|
||
ssl_prefer_server_ciphers on;
|
||
ssl_session_cache shared:SSL:10m;
|
||
|
||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
|
||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
|
||
|
||
keepalive_timeout 70;
|
||
sendfile on;
|
||
client_max_body_size 0;
|
||
|
||
root /home/mastodon/live/public;
|
||
|
||
gzip on;
|
||
gzip_disable "msie6";
|
||
gzip_vary on;
|
||
gzip_proxied any;
|
||
gzip_comp_level 6;
|
||
gzip_buffers 16 8k;
|
||
gzip_http_version 1.1;
|
||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||
|
||
add_header Strict-Transport-Security "max-age=31536000";
|
||
|
||
location / {
|
||
try_files $uri @proxy;
|
||
}
|
||
|
||
location ~ ^/(packs|system/media_attachments/files|system/accounts/avatars) {
|
||
add_header Cache-Control "public, max-age=31536000, immutable";
|
||
try_files $uri @proxy;
|
||
}
|
||
|
||
location @proxy {
|
||
proxy_set_header Host $host;
|
||
proxy_set_header X-Real-IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
proxy_set_header X-Forwarded-Proto https;
|
||
proxy_set_header Proxy "";
|
||
proxy_pass_header Server;
|
||
|
||
proxy_pass http://127.0.0.1:3000;
|
||
proxy_buffering off;
|
||
proxy_redirect off;
|
||
proxy_http_version 1.1;
|
||
proxy_set_header Upgrade $http_upgrade;
|
||
proxy_set_header Connection $connection_upgrade;
|
||
|
||
tcp_nodelay on;
|
||
}
|
||
|
||
location /api/v1/streaming {
|
||
proxy_set_header Host $host;
|
||
proxy_set_header X-Real-IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
proxy_set_header X-Forwarded-Proto https;
|
||
proxy_set_header Proxy "";
|
||
|
||
proxy_pass http://127.0.0.1:4000;
|
||
proxy_buffering off;
|
||
proxy_redirect off;
|
||
proxy_http_version 1.1;
|
||
proxy_set_header Upgrade $http_upgrade;
|
||
proxy_set_header Connection $connection_upgrade;
|
||
|
||
tcp_nodelay on;
|
||
}
|
||
|
||
error_page 500 501 502 503 504 /500.html;
|
||
}
|
||
```
|
||
|
||
## Running in production without Docker
|
||
|
||
It is recommended to create a special user for mastodon on the server (you could call the user `mastodon`), though remember to disable outside login for it. You should only be able to get into that user through `sudo -sHu mastodon`.
|
||
|
||
This command will create the user as needed:
|
||
|
||
sudo useradd --system --user-group --shell /bin/false --create-home --home /home/mastodon mastodon
|
||
|
||
home can be changed as needed
|
||
|
||
|
||
## General dependencies
|
||
|
||
### Ubuntu / Debian
|
||
|
||
sudo apt-get install imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev file git curl g++ libprotobuf-dev protobuf-compiler pkg-config
|
||
curl -sL https://deb.nodesource.com/setup_6.x | sudo bash -
|
||
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
|
||
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
|
||
sudo apt-get install nodejs yarn
|
||
|
||
* **NOTE**: On Debian you have to first add the [Debian Backports](https://backports.debian.org/) repository to install `ffmpeg`.
|
||
|
||
### CentOS / RHEL
|
||
|
||
sudo yum install libxml2-devel ImageMagick libxslt-devel git curl file protobuf-compiler protobuf-devel
|
||
sudo yum -y install epel-release
|
||
sudo rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
|
||
sudo rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
|
||
sudo yum -y install ffmpeg ffmpeg-devel
|
||
|
||
sudo yum group install "Development tools"
|
||
curl -sL https://rpm.nodesource.com/setup_6.x | sudo bash -
|
||
sudo wget https://dl.yarnpkg.com/rpm/yarn.repo -O /etc/yum.repos.d/yarn.repo
|
||
sudo yum install nodejs yarn
|
||
|
||
## Redis
|
||
|
||
### Ubuntu / Debian
|
||
|
||
sudo apt-get install redis-server redis-tools
|
||
|
||
### CentOS / RHEL
|
||
|
||
sudo yum install redis rubygem-redis
|
||
|
||
## Postgres
|
||
|
||
### Ubuntu / Debian
|
||
|
||
sudo apt-get install postgresql postgresql-contrib
|
||
|
||
### CentOS / RHEL
|
||
|
||
sudo yum install postgresql-server postgresql postgresql-contrib postgresql-devel
|
||
|
||
Initial Setup postgres:
|
||
|
||
sudo postgresql-setup initdb
|
||
sudo systemctl start postgresql
|
||
sudo systemctl enable postgresql
|
||
|
||
### All Operating Systems:
|
||
|
||
Set up a user and database for Mastodon:
|
||
|
||
sudo -u postgres psql
|
||
|
||
In the prompt:
|
||
|
||
CREATE USER mastodon CREATEDB;
|
||
\q
|
||
|
||
### Ubuntu 16.04
|
||
|
||
Under Ubuntu 16.04, you will need to explicitly enable ident authentication so that local users can connect to the database without a password:
|
||
|
||
```sh
|
||
sudo sed -i '/^local.*postgres.*peer$/a host all all 127.0.0.1/32 ident' /etc/postgresql/9.?/main/pg_hba.conf
|
||
```
|
||
|
||
and install an ident daemon, which does not come installed by default:
|
||
|
||
sudo apt-get install pidentd
|
||
sudo systemctl enable pidentd
|
||
sudo systemctl start pidentd
|
||
sudo systemctl restart postgresql
|
||
|
||
### Debian 8
|
||
|
||
Under Debian 8, the default version of nginx available is too old to work with the above configuration file (as it uses http2). To install a newer version of nginx that supports http2 (v1.9.5+), you have to add the jessie-backports repo to your `sources.list.d`:
|
||
|
||
```bash
|
||
$ echo "deb http://ftp.debian.org/debian/ jessie-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
|
||
$ sudo apt-get update
|
||
$ sudo apt-get install -t jessie-backports nginx
|
||
```
|
||
|
||
## Rbenv
|
||
|
||
It is recommended to use rbenv (exclusively from the `mastodon` user) to install the desired Ruby version. Follow the guides to [install rbenv][1] and [rbenv-build][2] (I recommend checking the [prerequisites][3] for your system on the rbenv-build project and installing them beforehand, obviously outside the unprivileged `mastodon` user)
|
||
|
||
[1]: https://github.com/rbenv/rbenv#installation
|
||
[2]: https://github.com/rbenv/ruby-build#installation
|
||
[3]: https://github.com/rbenv/ruby-build/wiki#suggested-build-environment
|
||
|
||
Then once `rbenv` is ready, install and enable the Ruby version for Mastodon using:
|
||
|
||
```
|
||
rbenv install 2.4.1
|
||
rbenv global 2.4.1
|
||
```
|
||
|
||
## Git
|
||
|
||
You need the `git-core` package installed on your system. If it is so, run the shell from the `mastodon` user:
|
||
|
||
sudo -sHu mastodon
|
||
|
||
And enter the following commands:
|
||
|
||
cd ~
|
||
git clone https://github.com/tootsuite/mastodon.git live
|
||
cd live
|
||
git checkout $(git tag -l | sort -V | tail -n 1)
|
||
|
||
Then you can proceed to install project dependencies:
|
||
|
||
gem install bundler
|
||
bundle install --deployment --without development test
|
||
yarn install --pure-lockfile
|
||
|
||
## Configuration
|
||
|
||
Then you have to configure your instance:
|
||
|
||
cp .env.production.sample .env.production
|
||
nano .env.production
|
||
|
||
Fill in the important data, like host/port of the redis database, host/port/username/password of the postgres database, your domain name, SMTP details (e.g. from Mailgun or equivalent transactional e-mail service, many have free tiers), whether you intend to use SSL, etc. If you need to generate secrets, you can use:
|
||
|
||
RAILS_ENV=production bundle exec rake secret
|
||
|
||
To get a random string. If you are setting up on one single server (most likely), then `REDIS_HOST` is localhost and `DB_HOST` is `/var/run/postgresql`, `DB_USER` is `mastodon` and `DB_NAME` is `mastodon_production` while `DB_PASS` is empty because this setup will use the ident authentication method (system user "mastodon" maps to postgres user "mastodon").
|
||
|
||
Configuring the instance hostname:
|
||
|
||
- `LOCAL_DOMAIN` should be the domain/hostname of your instance. This is **absolutely required** as it is used for generating unique IDs for everything federation-related.
|
||
- `LOCAL_HTTPS` set it to `true` if HTTPS works on your website. This is used to generate canonical URLs, which is also important when generating and parsing federation-related IDs.
|
||
|
||
## Setup
|
||
|
||
And set up the database for the first time, this will create the tables and basic data:
|
||
|
||
RAILS_ENV=production bundle exec rails db:setup
|
||
|
||
Finally, pre-compile all CSS and JavaScript files:
|
||
|
||
RAILS_ENV=production bundle exec rails assets:precompile
|
||
|
||
## Systemd
|
||
|
||
Example systemd configuration for the web workers, to be placed in `/etc/systemd/system/mastodon-web.service`:
|
||
|
||
```systemd
|
||
[Unit]
|
||
Description=mastodon-web
|
||
After=network.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
User=mastodon
|
||
WorkingDirectory=/home/mastodon/live
|
||
Environment="RAILS_ENV=production"
|
||
Environment="PORT=3000"
|
||
ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
|
||
TimeoutSec=15
|
||
Restart=always
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
```
|
||
|
||
Example systemd configuration for the background workers, to be placed in `/etc/systemd/system/mastodon-sidekiq.service`:
|
||
|
||
```systemd
|
||
[Unit]
|
||
Description=mastodon-sidekiq
|
||
After=network.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
User=mastodon
|
||
WorkingDirectory=/home/mastodon/live
|
||
Environment="RAILS_ENV=production"
|
||
Environment="DB_POOL=5"
|
||
ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push
|
||
TimeoutSec=15
|
||
Restart=always
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
```
|
||
|
||
Example systemd configuration file for the streaming API, to be placed in `/etc/systemd/system/mastodon-streaming.service`:
|
||
|
||
```systemd
|
||
[Unit]
|
||
Description=mastodon-streaming
|
||
After=network.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
User=mastodon
|
||
WorkingDirectory=/home/mastodon/live
|
||
Environment="NODE_ENV=production"
|
||
Environment="PORT=4000"
|
||
ExecStart=/usr/bin/npm run start
|
||
TimeoutSec=15
|
||
Restart=always
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
```
|
||
|
||
This allows you to `sudo systemctl enable /etc/systemd/system/mastodon-*.service` and `sudo systemctl start mastodon-web.service mastodon-sidekiq.service mastodon-streaming.service` to get things going.
|
||
|
||
## Let's Encrypt
|
||
|
||
This section is only relevant if you are using [Let's Encrypt](https://letsencrypt.org/)
|
||
as your TLS certificate provider.
|
||
|
||
Other assumptions - Ubuntu 16.04, letsencrypt tool installed from distro repositories.
|
||
|
||
### Installation of tool
|
||
|
||
This is how you install the `letsencrypt` package:
|
||
|
||
`sudo apt -y install letsencrypt`
|
||
|
||
### Generation of certificate
|
||
|
||
This is the command you should use to generate a Let's Encrypt certificate.
|
||
Make sure to replace any instances of 'example.com' with your Mastodon instance's domain.
|
||
|
||
Additional note: This command will require that nginx or another web server is correctly
|
||
configured with your Mastodon instance's domain.
|
||
|
||
`letsencrypt certonly --webroot -d example.com -w /home/mastodon/live/public/`
|
||
|
||
### Automated renewal of Let's Encrypt certificate
|
||
|
||
Let's Encrypt certificates have a validity period of 90 days.
|
||
|
||
You need to renew your certificate before the expiration date. Failure to do so will
|
||
result in your users being unable to access your instance and other instances being unable
|
||
to federate with yours.
|
||
|
||
We can do this with a cron job that runs daily:
|
||
|
||
`nano /etc/cron.daily/letsencrypt-renew`
|
||
|
||
Copy and paste this script into that file:
|
||
|
||
```
|
||
#!/usr/bin/env bash
|
||
letsencrypt renew
|
||
systemctl reload nginx
|
||
```
|
||
|
||
Save and exit the file.
|
||
|
||
Make the script executable and restart the cron daemon so that the script runs daily:
|
||
```
|
||
chmod +x /etc/cron.daily/letsencrypt-renew
|
||
systemctl restart cron
|
||
```
|
||
|
||
That is it. Your server will now automatically renew your Let's Encrypt certificate(s).
|
||
|
||
## Things to look out for when upgrading Mastodon
|
||
|
||
If you want a stable release for production use, you should use tagged releases. To checkout the latest available tagged version:
|
||
|
||
```sh
|
||
cd ~mastodon/live/
|
||
git fetch
|
||
git checkout $(git tag -l | sort -V | tail -n 1)
|
||
```
|
||
|
||
As part of your deploy, you may need to run:
|
||
|
||
- `RAILS_ENV=production bundle exec rails db:migrate`
|
||
|
||
if anything in the `/db/` directory has changed, and/or
|
||
|
||
- `yarn install --pure-lockfile`
|
||
- `RAILS_ENV=production bundle exec rails assets:precompile`
|
||
|
||
if anything in the `/app/assets` directory changed.
|
||
|
||
Please read the [**release notes**](https://github.com/tootsuite/mastodon/releases/) when you upgrade,
|
||
they might contain specific instructions about how to update (and they always include information
|
||
about which new features the release has, and which bugs are fixed).
|
||
|
||
Also, Mastodon runs in memory, so you need to restart it before you see any changes (including new
|
||
precompiled assets). If you're using systemd, that would be:
|
||
|
||
```sh
|
||
sudo systemctl restart mastodon-*.service
|
||
```
|