Cleanup

conf/config.exs

@@ -0,0 +1,318 @@
+# This file is responsible for configuring your application
+# and its dependencies with the aid of the Mix.Config module.
+#
+# This configuration file is loaded before any dependency and
+# is restricted to this project.
+use Mix.Config
+
+# General application configuration
+config :pleroma, ecto_repos: [Pleroma.Repo]
+
+config :pleroma, Pleroma.Repo, types: Pleroma.PostgresTypes
+
+config :pleroma, Pleroma.Captcha,
+  enabled: false,
+  seconds_valid: 60,
+  method: Pleroma.Captcha.Kocaptcha
+
+config :pleroma, :hackney_pools,
+  federation: [
+    max_connections: 50,
+    timeout: 150_000
+  ],
+  media: [
+    max_connections: 50,
+    timeout: 150_000
+  ],
+  upload: [
+    max_connections: 25,
+    timeout: 300_000
+  ]
+
+config :pleroma, Pleroma.Captcha.Kocaptcha, endpoint: "https://captcha.kotobank.ch"
+
+# Upload configuration
+config :pleroma, Pleroma.Upload,
+  uploader: Pleroma.Uploaders.Local,
+  filters: [],
+  proxy_remote: false,
+  proxy_opts: [
+    redirect_on_failure: false,
+    max_body_length: 25 * 1_048_576,
+    http: [
+      follow_redirect: true,
+      pool: :upload
+    ]
+  ]
+
+config :pleroma, Pleroma.Uploaders.Local, uploads: "uploads"
+
+config :pleroma, Pleroma.Uploaders.S3,
+  bucket: nil,
+  public_endpoint: "https://s3.amazonaws.com"
+
+config :pleroma, Pleroma.Uploaders.MDII,
+  cgi: "https://mdii.sakura.ne.jp/mdii-post.cgi",
+  files: "https://mdii.sakura.ne.jp"
+
+config :pleroma, :emoji, shortcode_globs: ["/emoji/custom/**/*.png"]
+
+config :pleroma, :uri_schemes,
+  valid_schemes: [
+    "https",
+    "http",
+    "dat",
+    "dweb",
+    "gopher",
+    "ipfs",
+    "ipns",
+    "irc",
+    "ircs",
+    "magnet",
+    "mailto",
+    "mumble",
+    "ssb",
+    "xmpp"
+  ]
+
+websocket_config = [
+  path: "/websocket",
+  serializer: [
+    {Phoenix.Socket.V1.JSONSerializer, "~> 1.0.0"},
+    {Phoenix.Socket.V2.JSONSerializer, "~> 2.0.0"}
+  ],
+  timeout: 60_000,
+  transport_log: false,
+  compress: false
+]
+
+# Configures the endpoint
+config :pleroma, Pleroma.Web.Endpoint,
+  url: [host: "localhost"],
+  http: [
+    dispatch: [
+      {:_,
+       [
+         {"/api/v1/streaming", Elixir.Pleroma.Web.MastodonAPI.WebsocketHandler, []},
+         {"/socket/websocket", Phoenix.Endpoint.CowboyWebSocket,
+          {nil, {Pleroma.Web.Endpoint, Pleroma.Web.UserSocket, websocket_config}}},
+         {:_, Plug.Adapters.Cowboy.Handler, {Pleroma.Web.Endpoint, []}}
+       ]}
+    ]
+  ],
+  protocol: "https",
+  secret_key_base: "aK4Abxf29xU9TTDKre9coZPUgevcVCFQJe/5xP/7Lt4BEif6idBIbjupVbOrbKxl",
+  signing_salt: "CqaoopA2",
+  render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)],
+  pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2],
+  secure_cookie_flag: true
+
+# Configures Elixir's Logger
+config :logger, :console,
+  format: "$time $metadata[$level] $message\n",
+  metadata: [:request_id]
+
+config :logger, :ex_syslogger,
+  level: :debug,
+  ident: "Pleroma",
+  format: "$date $time $metadata[$level] $message",
+  metadata: [:request_id]
+
+config :mime, :types, %{
+  "application/xml" => ["xml"],
+  "application/xrd+xml" => ["xrd+xml"],
+  "application/jrd+json" => ["jrd+json"],
+  "application/activity+json" => ["activity+json"],
+  "application/ld+json" => ["activity+json"]
+}
+
+config :pleroma, :websub, Pleroma.Web.Websub
+config :pleroma, :ostatus, Pleroma.Web.OStatus
+config :pleroma, :httpoison, Pleroma.HTTP
+config :tesla, adapter: Tesla.Adapter.Hackney
+
+# Configures http settings, upstream proxy etc.
+config :pleroma, :http, proxy_url: nil
+
+config :pleroma, :instance,
+  name: "Pleroma",
+  email: "example@example.com",
+  description: "A Pleroma instance, an alternative fediverse server",
+  limit: 5_000,
+  remote_limit: 100_000,
+  upload_limit: 16_000_000,
+  avatar_upload_limit: 2_000_000,
+  background_upload_limit: 4_000_000,
+  banner_upload_limit: 4_000_000,
+  registrations_open: true,
+  federating: true,
+  federation_reachability_timeout_days: 7,
+  allow_relay: true,
+  rewrite_policy: Pleroma.Web.ActivityPub.MRF.NoOpPolicy,
+  public: true,
+  quarantined_instances: [],
+  managed_config: true,
+  static_dir: "instance/static/",
+  allowed_post_formats: [
+    "text/plain",
+    "text/html",
+    "text/markdown"
+  ],
+  finmoji_enabled: true,
+  mrf_transparency: true,
+  autofollowed_nicknames: [],
+  max_pinned_statuses: 1,
+  no_attachment_links: false
+
+config :pleroma, :markup,
+  # XXX - unfortunately, inline images must be enabled by default right now, because
+  # of custom emoji.  Issue #275 discusses defanging that somehow.
+  allow_inline_images: true,
+  allow_headings: false,
+  allow_tables: false,
+  allow_fonts: false,
+  scrub_policy: [
+    Pleroma.HTML.Transform.MediaProxy,
+    Pleroma.HTML.Scrubber.Default
+  ]
+
+config :pleroma, :frontend_configurations,
+  pleroma_fe: %{
+    theme: "pleroma-dark",
+    logo: "/static/logo.png",
+    background: "/images/city.jpg",
+    redirectRootNoLogin: "/main/all",
+    redirectRootLogin: "/main/friends",
+    showInstanceSpecificPanel: true,
+    scopeOptionsEnabled: false,
+    formattingOptionsEnabled: false,
+    collapseMessageWithSubject: false,
+    hidePostStats: false,
+    hideUserStats: false,
+    scopeCopy: true,
+    subjectLineBehavior: "email",
+    alwaysShowSubjectInput: true
+  }
+
+config :pleroma, :activitypub,
+  accept_blocks: true,
+  unfollow_blocked: true,
+  outgoing_blocks: true,
+  follow_handshake_timeout: 500
+
+config :pleroma, :user, deny_follow_blocked: true
+
+config :pleroma, :mrf_normalize_markup, scrub_policy: Pleroma.HTML.Scrubber.Default
+
+config :pleroma, :mrf_rejectnonpublic,
+  allow_followersonly: false,
+  allow_direct: false
+
+config :pleroma, :mrf_hellthread, threshold: 10
+
+config :pleroma, :mrf_simple,
+  media_removal: [],
+  media_nsfw: [],
+  federated_timeline_removal: [],
+  reject: [],
+  accept: []
+
+config :pleroma, :rich_media, enabled: true
+
+config :pleroma, :media_proxy,
+  enabled: false,
+  proxy_opts: [
+    redirect_on_failure: false,
+    max_body_length: 25 * 1_048_576,
+    http: [
+      follow_redirect: true,
+      pool: :media
+    ]
+  ]
+
+config :pleroma, :chat, enabled: true
+
+config :ecto, json_library: Jason
+
+config :phoenix, :format_encoders, json: Jason
+
+config :pleroma, :gopher,
+  enabled: false,
+  ip: {0, 0, 0, 0},
+  port: 9999
+
+config :pleroma, Pleroma.Web.Metadata, providers: [], unfurl_nsfw: false
+
+config :pleroma, :suggestions,
+  enabled: false,
+  third_party_engine:
+    "http://vinayaka.distsn.org/cgi-bin/vinayaka-user-match-suggestions-api.cgi?{{host}}+{{user}}",
+  timeout: 300_000,
+  limit: 23,
+  web: "https://vinayaka.distsn.org/?{{host}}+{{user}}"
+
+config :pleroma, :http_security,
+  enabled: true,
+  sts: false,
+  sts_max_age: 31_536_000,
+  ct_max_age: 2_592_000,
+  referrer_policy: "same-origin"
+
+config :cors_plug,
+  max_age: 86_400,
+  methods: ["POST", "PUT", "DELETE", "GET", "PATCH", "OPTIONS"],
+  expose: [
+    "Link",
+    "X-RateLimit-Reset",
+    "X-RateLimit-Limit",
+    "X-RateLimit-Remaining",
+    "X-Request-Id",
+    "Idempotency-Key"
+  ],
+  credentials: true,
+  headers: ["Authorization", "Content-Type", "Idempotency-Key"]
+
+config :pleroma, Pleroma.User,
+  restricted_nicknames: [
+    ".well-known",
+    "~",
+    "about",
+    "activities",
+    "api",
+    "auth",
+    "dev",
+    "friend-requests",
+    "inbox",
+    "internal",
+    "main",
+    "media",
+    "nodeinfo",
+    "notice",
+    "oauth",
+    "objects",
+    "ostatus_subscribe",
+    "pleroma",
+    "proxy",
+    "push",
+    "registration",
+    "relay",
+    "settings",
+    "status",
+    "tag",
+    "user-search",
+    "users",
+    "web"
+  ]
+
+config :pleroma, Pleroma.Web.Federator, max_jobs: 50
+
+config :pleroma, Pleroma.Web.Federator.RetryQueue,
+  enabled: false,
+  max_jobs: 20,
+  initial_timeout: 30,
+  max_retries: 5
+
+# Import environment specific config. This must remain at the bottom
+# of this file so it overrides the configuration defined above.
+import_config "#{Mix.env()}.exs"
+

conf/generated_config.exs

@@ -1,10 +1,14 @@
+# Pleroma instance configuration
+
+# NOTE: This file should not be committed to a repo or otherwise made public
+# without removing sensitive information.
+
 use Mix.Config
 
 config :pleroma, Pleroma.Web.Endpoint,
    url: [host: "__DOMAIN__", scheme: "https", port: 443],
    secret_key_base: "__KEY__",
-   http: [port: __PORT__],
-   protocol: "http"
+   http: [port: __PORT__]
 
 config :pleroma, :instance,
   name: "__INSTANCE_NAME__",
@@ -17,11 +21,7 @@ config :pleroma, :media_proxy,
   enabled: __MEDIA_CACHE__,
   redirect_on_failure: true
   #base_url: "https://cache.pleroma.social"
- 
-config :pleroma, :fe,
-  scope_options_enabled: true
 
-# Configure your database
 config :pleroma, Pleroma.Repo,
   adapter: Ecto.Adapters.Postgres,
   username: "__DB_NAME__",
@@ -30,6 +30,10 @@ config :pleroma, Pleroma.Repo,
   hostname: "localhost",
   pool_size: 10
 
+# Enable Strict-Transport-Security once SSL is working:
+# config :pleroma, :http_security,
+#   sts: true
+
 # Configure S3 support if desired.
 # The public S3 endpoint is different depending on region and provider,
 # consult your S3 provider's documentation for details on what to use.
@@ -51,9 +55,9 @@ config :pleroma, Pleroma.Repo,
 
 
 # Configure Openstack Swift support if desired.
-# 
-# Many openstack deployments are different, so config is left very open with 
-# no assumptions made on which provider you're using. This should allow very 
+#
+# Many openstack deployments are different, so config is left very open with
+# no assumptions made on which provider you're using. This should allow very
 # wide support without needing separate handlers for OVH, Rackspace, etc.
 #
 # config :pleroma, Pleroma.Uploaders.Swift,
@@ -66,3 +70,4 @@ config :pleroma, Pleroma.Repo,
 #  object_url: "https://cdn-endpoint.provider.com/<container>"
 #
 
+

conf/prod.exs

@@ -0,0 +1,63 @@
+use Mix.Config
+
+# For production, we often load configuration from external
+# sources, such as your system environment. For this reason,
+# you won't find the :http configuration below, but set inside
+# Pleroma.Web.Endpoint.load_from_system_env/1 dynamically.
+# Any dynamic configuration should be moved to such function.
+#
+# Don't forget to configure the url host to something meaningful,
+# Phoenix uses this information when generating URLs.
+#
+# Finally, we also include the path to a cache manifest
+# containing the digested version of static files. This
+# manifest is generated by the mix phoenix.digest task
+# which you typically run after static files are built.
+#config :pleroma, Pleroma.Web.Endpoint,
+  #http: [port: 4000],
+  #protocol: "http"
+
+# Do not print debug messages in production
+config :logger, level: :info
+
+# ## SSL Support
+#
+# To get SSL working, you will need to add the `https` key
+# to the previous section and set your `:url` port to 443:
+#
+#     config :pleroma, Pleroma.Web.Endpoint,
+#       ...
+#       url: [host: "example.com", port: 443],
+#       https: [:inet6,
+#               port: 443,
+#               keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"),
+#               certfile: System.get_env("SOME_APP_SSL_CERT_PATH")]
+#
+# Where those two env variables return an absolute path to
+# the key and cert in disk or a relative path inside priv,
+# for example "priv/ssl/server.key".
+#
+# We also recommend setting `force_ssl`, ensuring no data is
+# ever sent via http, always redirecting to https:
+#
+#     config :pleroma, Pleroma.Web.Endpoint,
+#       force_ssl: [hsts: true]
+#
+# Check `Plug.SSL` for all available options in `force_ssl`.
+
+# ## Using releases
+#
+# If you are doing OTP releases, you need to instruct Phoenix
+# to start the server for all endpoints:
+#
+#     config :phoenix, :serve_endpoints, true
+#
+# Alternatively, you can configure exactly which server to
+# start per endpoint:
+#
+#     config :pleroma, Pleroma.Web.Endpoint, server: true
+#
+
+# Finally import the config/prod.secret.exs
+# which should be versioned separately.
+import_config "prod.secret.exs"

conf/setup_db.psql

@@ -1,6 +0,0 @@
-CREATE USER __DB_NAME__ WITH ENCRYPTED PASSWORD '__DB_PWD__';
-CREATE DATABASE __DB_NAME__ OWNER __DB_NAME__;
-\c __DB_NAME__;
---Extensions made by ecto.migrate that need superuser access
-CREATE EXTENSION IF NOT EXISTS citext;
-CREATE EXTENSION IF NOT EXISTS pg_trgm;

scripts/install

@@ -153,6 +153,8 @@ ynh_psql_execute_as_root "\connect $db_name
 CREATE EXTENSION IF NOT EXISTS unaccent;CREATE EXTENSION IF NOT EXISTS pg_trgm;"
 ynh_psql_execute_as_root "\connect $db_name 
 CREATE EXTENSION IF NOT EXISTS unaccent;CREATE EXTENSION IF NOT EXISTS citext;"
+ynh_psql_execute_as_root "\connect $db_name 
+CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";"
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@@ -224,8 +226,7 @@ chown -R "$app":"$app" "/var/log/$app"
 #=================================================
 # MODIFY A CONFIG FILE
 #=================================================
-cp -f ../conf/prod.secret.exs "$final_path/$app/config/prod.secret.exs"
-cp -f ../conf/setup_db.psql "$final_path/$app/config/setup_db.psql"
+cp -f ../conf/generated_config.exs "$final_path/$app/config/prod.secret.exs"
 
 ynh_replace_string "__DOMAIN__"        "$domain"        "$final_path/$app/config/prod.secret.exs"
 ynh_replace_string "__KEY__"           "$random_key"    "$final_path/$app/config/prod.secret.exs"
@@ -234,8 +235,7 @@ ynh_replace_string "__DB_NAME__"       "$db_name"           "$final_path/$app/co
 ynh_replace_string "__DB_PWD__"        "$db_pwd"        "$final_path/$app/config/prod.secret.exs"
 ynh_replace_string "__ADMIN_EMAIL__"   "$admin_email"   "$final_path/$app/config/prod.secret.exs"
 ynh_replace_string "__PORT__"          "$port"          "$final_path/$app/config/prod.secret.exs"
-ynh_replace_string "__DB_NAME__"       "$db_name"           "$final_path/$app/config/setup_db.psql"
-ynh_replace_string "__DB_PWD__"        "$db_pwd"        "$final_path/$app/config/setup_db.psql"
+
 if [ $cache -eq 1 ]
 then
 	ynh_replace_string "__MEDIA_CACHE__"    "true"        "$final_path/$app/config/prod.secret.exs"
@@ -251,6 +251,12 @@ else
  ynh_replace_string "__REG__" "false" "$final_path/$app/config/prod.secret.exs"
 fi
 
+#Desactivate default frontend 
+cp -f ../conf/config.exs "$final_path/$app/config/config.exs"
+
+#Desactivate Pleroma.Web.Endpoint
+cp -f ../conf/prod.exs "$final_path/$app/config/prod.exs"
+
 #=================================================
 # MAKE SETUP
 #=================================================
@@ -275,7 +281,8 @@ pushd $final_path/$app
     sudo -u "$app" MIX_ENV=prod mix pleroma.user new "$admin" "$admin_email" --password "$password" --moderator --admin -y
 
 	#Generate key pair
-    sudo -u "$app" MIX_ENV=prod mix web_push.gen.keypair >> "config/config.exs"
+    sudo -u "$app" MIX_ENV=prod mix web_push.gen.keypair >> "config/prod.secret.exs"
+	ynh_replace_string "administrator@example.com" "__ADMIN_EMAIL__" "$final_path/$app/config/prod.secret.exs" 
 popd
 
 

scripts/remove

@@ -19,7 +19,6 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get $app domain)
 port=$(ynh_app_setting_get $app port)
 db_name=$(ynh_app_setting_get "$app" db_name)
-db_user=$db_name
 final_path=$(ynh_app_setting_get $app final_path)
 cache=$(ynh_app_setting_get "$app" cache)
 
@@ -56,7 +55,7 @@ ynh_psql_remove_db "$db_name" "$app"
 
 # Remove metapackage and its dependencies
 ynh_remove_app_dependencies
-rm -f  /etc/apt/sources.list.d/erlang-solutions.list
+rm -f "/etc/apt/sources.list.d/erlang-solutions.list"
 
 #=================================================
 # REMOVE APP MAIN DIR
@@ -71,7 +70,7 @@ ynh_secure_remove "$final_path"
 
 # Remove the dedicated nginx config
 ynh_remove_nginx_config
-ynh_secure_remove /etc/nginx/conf.d/$app-cache.conf
+ynh_secure_remove "/etc/nginx/conf.d/$app-cache.conf"
 
 #=================================================
 # REMOVE PHP-FPM CONFIGURATION

scripts/upgrade

@@ -160,9 +160,14 @@ ynh_system_user_create "$app" "$final_path"
 #=================================================
 # SPECIFIC UPGRADE
 #=================================================
-# ...
+# CONFIGURE
 #=================================================
 
+#Desactivate default frontend 
+cp -f ../conf/config.exs "$final_path/$app/config/config.exs"
+
+#Desactivate Pleroma.Web.Endpoint
+cp -f ../conf/prod.exs "$final_path/$app/config/prod.exs"
 
 #=================================================
 # MAKE UPGRADE
@@ -170,16 +175,16 @@ ynh_system_user_create "$app" "$final_path"
 
 # Give permission to the final_path
 chown -R "$app":"$app" "$final_path"
-( cd $final_path/$app && sudo -u "$app" MIX_ENV=prod mix local.hex --force )
-( cd $final_path/$app && sudo -u "$app" MIX_ENV=prod mix local.rebar --force )
-( cd $final_path/$app && sudo -u "$app" mix deps.get )
-ynh_psql_execute_as_root \
-"ALTER USER $app WITH SUPERUSER;"
-( cd $final_path/$app && sudo -u "$app" MIX_ENV=prod mix ecto.migrate --force )
-ynh_psql_execute_as_root \
-"ALTER USER $app WITH NOSUPERUSER;"
-
-
+pushd $final_path/$app
+    sudo -u "$app" MIX_ENV=prod mix local.hex --force
+    sudo -u "$app" MIX_ENV=prod mix local.rebar --force
+    sudo -u "$app" mix deps.get
+    ynh_psql_execute_as_root \
+    "ALTER USER $app WITH SUPERUSER;"
+    sudo -u "$app" MIX_ENV=prod mix ecto.migrate --force
+    ynh_psql_execute_as_root \
+    "ALTER USER $app WITH NOSUPERUSER;"
+popd
 
 ### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script.
 ### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it.