From 44d1f2f784c7360b595b943b44096d2a3c434bdd Mon Sep 17 00:00:00 2001
From: yalh76
Date: Sat, 2 Feb 2019 06:18:50 +0100
Subject: [PATCH] Cleanup

---
 conf/config.exs | 318 ++++++++++++++++++
 .../{prod.secret.exs => generated_config.exs} | 23 +-
 conf/prod.exs | 63 ++++
 conf/setup_db.psql | 6 -
 scripts/install | 17 +-
 scripts/remove | 5 +-
 scripts/upgrade | 27 +-
 7 files changed, 425 insertions(+), 34 deletions(-)
 create mode 100644 conf/config.exs
 rename conf/{prod.secret.exs => generated_config.exs} (85%)
 create mode 100644 conf/prod.exs
 delete mode 100644 conf/setup_db.psql

diff --git a/conf/config.exs b/conf/config.exs
new file mode 100644
index 0000000..73d55b0
--- /dev/null
+++ b/conf/config.exs
@@ -0,0 +1,318 @@ +# This file is responsible for configuring your application +# and its dependencies with the aid of the Mix.Config module. +# +# This configuration file is loaded before any dependency and +# is restricted to this project. +use Mix.Config + +# General application configuration +config :pleroma, ecto_repos: [Pleroma.Repo] + +config :pleroma, Pleroma.Repo, types: Pleroma.PostgresTypes + +config :pleroma, Pleroma.Captcha, + enabled: false, + seconds_valid: 60, + method: Pleroma.Captcha.Kocaptcha + +config :pleroma, :hackney_pools, + federation: [ + max_connections: 50, + timeout: 150_000 + ], + media: [ + max_connections: 50, + timeout: 150_000 + ], + upload: [ + max_connections: 25, + timeout: 300_000 + ] + +config :pleroma, Pleroma.Captcha.Kocaptcha, endpoint: "https://captcha.kotobank.ch" + +# Upload configuration +config :pleroma, Pleroma.Upload, + uploader: Pleroma.Uploaders.Local, + filters: [], + proxy_remote: false, + proxy_opts: [ + redirect_on_failure: false, + max_body_length: 25 * 1_048_576, + http: [ + follow_redirect: true, + pool: :upload + ] + ] + +config :pleroma, Pleroma.Uploaders.Local, uploads: "uploads" + +config :pleroma, Pleroma.Uploaders.S3, + bucket: nil, + public_endpoint: "https://s3.amazonaws.com" + +config :pleroma, Pleroma.Uploaders.MDII, + cgi: "https://mdii.sakura.ne.jp/mdii-post.cgi", + files: "https://mdii.sakura.ne.jp" + +config :pleroma, :emoji, shortcode_globs: ["/emoji/custom/**/*.png"] + +config :pleroma, :uri_schemes, + valid_schemes: [ + "https", + "http", + "dat", + "dweb", + "gopher", + "ipfs", + "ipns", + "irc", + "ircs", + "magnet", + "mailto", + "mumble", + "ssb", + "xmpp" + ] + +websocket_config = [ + path: "/websocket", + serializer: [ + {Phoenix.Socket.V1.JSONSerializer, "~> 1.0.0"}, + {Phoenix.Socket.V2.JSONSerializer, "~> 2.0.0"} + ], + timeout: 60_000, + transport_log: false, + compress: false +] + +# Configures the endpoint +config :pleroma, Pleroma.Web.Endpoint, + url: [host: "localhost"], + 
http: [ + dispatch: [ + {:_, + [ + {"/api/v1/streaming", Elixir.Pleroma.Web.MastodonAPI.WebsocketHandler, []}, + {"/socket/websocket", Phoenix.Endpoint.CowboyWebSocket, + {nil, {Pleroma.Web.Endpoint, Pleroma.Web.UserSocket, websocket_config}}}, + {:_, Plug.Adapters.Cowboy.Handler, {Pleroma.Web.Endpoint, []}} + ]} + ] + ], + protocol: "https", + secret_key_base: "aK4Abxf29xU9TTDKre9coZPUgevcVCFQJe/5xP/7Lt4BEif6idBIbjupVbOrbKxl", + signing_salt: "CqaoopA2", + render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)], + pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2], + secure_cookie_flag: true + +# Configures Elixir's Logger +config :logger, :console, + format: "$time $metadata[$level] $message\n", + metadata: [:request_id] + +config :logger, :ex_syslogger, + level: :debug, + ident: "Pleroma", + format: "$date $time $metadata[$level] $message", + metadata: [:request_id] + +config :mime, :types, %{ + "application/xml" => ["xml"], + "application/xrd+xml" => ["xrd+xml"], + "application/jrd+json" => ["jrd+json"], + "application/activity+json" => ["activity+json"], + "application/ld+json" => ["activity+json"] +} + +config :pleroma, :websub, Pleroma.Web.Websub +config :pleroma, :ostatus, Pleroma.Web.OStatus +config :pleroma, :httpoison, Pleroma.HTTP +config :tesla, adapter: Tesla.Adapter.Hackney + +# Configures http settings, upstream proxy etc. 
+config :pleroma, :http, proxy_url: nil + +config :pleroma, :instance, + name: "Pleroma", + email: "example@example.com", + description: "A Pleroma instance, an alternative fediverse server", + limit: 5_000, + remote_limit: 100_000, + upload_limit: 16_000_000, + avatar_upload_limit: 2_000_000, + background_upload_limit: 4_000_000, + banner_upload_limit: 4_000_000, + registrations_open: true, + federating: true, + federation_reachability_timeout_days: 7, + allow_relay: true, + rewrite_policy: Pleroma.Web.ActivityPub.MRF.NoOpPolicy, + public: true, + quarantined_instances: [], + managed_config: true, + static_dir: "instance/static/", + allowed_post_formats: [ + "text/plain", + "text/html", + "text/markdown" + ], + finmoji_enabled: true, + mrf_transparency: true, + autofollowed_nicknames: [], + max_pinned_statuses: 1, + no_attachment_links: false + +config :pleroma, :markup, + # XXX - unfortunately, inline images must be enabled by default right now, because + # of custom emoji. Issue #275 discusses defanging that somehow. 
+ allow_inline_images: true, + allow_headings: false, + allow_tables: false, + allow_fonts: false, + scrub_policy: [ + Pleroma.HTML.Transform.MediaProxy, + Pleroma.HTML.Scrubber.Default + ] + +config :pleroma, :frontend_configurations, + pleroma_fe: %{ + theme: "pleroma-dark", + logo: "/static/logo.png", + background: "/images/city.jpg", + redirectRootNoLogin: "/main/all", + redirectRootLogin: "/main/friends", + showInstanceSpecificPanel: true, + scopeOptionsEnabled: false, + formattingOptionsEnabled: false, + collapseMessageWithSubject: false, + hidePostStats: false, + hideUserStats: false, + scopeCopy: true, + subjectLineBehavior: "email", + alwaysShowSubjectInput: true + } + +config :pleroma, :activitypub, + accept_blocks: true, + unfollow_blocked: true, + outgoing_blocks: true, + follow_handshake_timeout: 500 + +config :pleroma, :user, deny_follow_blocked: true + +config :pleroma, :mrf_normalize_markup, scrub_policy: Pleroma.HTML.Scrubber.Default + +config :pleroma, :mrf_rejectnonpublic, + allow_followersonly: false, + allow_direct: false + +config :pleroma, :mrf_hellthread, threshold: 10 + +config :pleroma, :mrf_simple, + media_removal: [], + media_nsfw: [], + federated_timeline_removal: [], + reject: [], + accept: [] + +config :pleroma, :rich_media, enabled: true + +config :pleroma, :media_proxy, + enabled: false, + proxy_opts: [ + redirect_on_failure: false, + max_body_length: 25 * 1_048_576, + http: [ + follow_redirect: true, + pool: :media + ] + ] + +config :pleroma, :chat, enabled: true + +config :ecto, json_library: Jason + +config :phoenix, :format_encoders, json: Jason + +config :pleroma, :gopher, + enabled: false, + ip: {0, 0, 0, 0}, + port: 9999 + +config :pleroma, Pleroma.Web.Metadata, providers: [], unfurl_nsfw: false + +config :pleroma, :suggestions, + enabled: false, + third_party_engine: + "http://vinayaka.distsn.org/cgi-bin/vinayaka-user-match-suggestions-api.cgi?{{host}}+{{user}}", + timeout: 300_000, + limit: 23, + web: 
"https://vinayaka.distsn.org/?{{host}}+{{user}}" + +config :pleroma, :http_security, + enabled: true, + sts: false, + sts_max_age: 31_536_000, + ct_max_age: 2_592_000, + referrer_policy: "same-origin" + +config :cors_plug, + max_age: 86_400, + methods: ["POST", "PUT", "DELETE", "GET", "PATCH", "OPTIONS"], + expose: [ + "Link", + "X-RateLimit-Reset", + "X-RateLimit-Limit", + "X-RateLimit-Remaining", + "X-Request-Id", + "Idempotency-Key" + ], + credentials: true, + headers: ["Authorization", "Content-Type", "Idempotency-Key"] + +config :pleroma, Pleroma.User, + restricted_nicknames: [ + ".well-known", + "~", + "about", + "activities", + "api", + "auth", + "dev", + "friend-requests", + "inbox", + "internal", + "main", + "media", + "nodeinfo", + "notice", + "oauth", + "objects", + "ostatus_subscribe", + "pleroma", + "proxy", + "push", + "registration", + "relay", + "settings", + "status", + "tag", + "user-search", + "users", + "web" + ] + +config :pleroma, Pleroma.Web.Federator, max_jobs: 50 + +config :pleroma, Pleroma.Web.Federator.RetryQueue, + enabled: false, + max_jobs: 20, + initial_timeout: 30, + max_retries: 5 + +# Import environment specific config. This must remain at the bottom +# of this file so it overrides the configuration defined above. +import_config "#{Mix.env()}.exs" + diff --git a/conf/prod.secret.exs b/conf/generated_config.exs similarity index 85% rename from conf/prod.secret.exs rename to conf/generated_config.exs index 708f37c..6b7eebe 100644 --- a/conf/prod.secret.exs +++ b/conf/generated_config.exs @@ -1,10 +1,14 @@ +# Pleroma instance configuration + +# NOTE: This file should not be committed to a repo or otherwise made public +# without removing sensitive information. + use Mix.Config config :pleroma, Pleroma.Web.Endpoint, url: [host: "__DOMAIN__", scheme: "https", port: 443], secret_key_base: "__KEY__", - http: [port: __PORT__], - protocol: "http" + http: [port: __PORT__] config :pleroma, :instance, name: "__INSTANCE_NAME__", 
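Review bot: This new conf/config.exs is a complete default configuration that scripts/install and scripts/upgrade copy over the application's own config/config.exs, so any default upstream later changes in that file — including security-relevant ones such as the `:http_security` block and the `Pleroma.User` `restricted_nicknames` list set here — is silently reverted on every upgrade until this copy is refreshed. Nothing in the file records which upstream version it was taken from; a header such as `# Pinned copy of upstream config/config.exs as of Pleroma <UPSTREAM_VERSION — placeholder>; refresh whenever the app's upstream version is bumped, since scripts/install and scripts/upgrade copy it over the app's own config.exs.` would make that maintenance duty visible. The committed `secret_key_base` is overridden per instance through `__KEY__` in generated_config.exs, but `signing_salt: "CqaoopA2"` is not overridden anywhere on this page, so every instance shares it; a per-instance value would be consistent with how the key is handled, although Phoenix appears to derive cookie keys from both values, so the practical exposure is small.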
@@ -17,11 +21,7 @@ config :pleroma, :media_proxy,
 enabled: __MEDIA_CACHE__,
 redirect_on_failure: true
 #base_url: "https://cache.pleroma.social"
-
-config :pleroma, :fe,
- scope_options_enabled: true
-# Configure your database
 config :pleroma, Pleroma.Repo,
 adapter: Ecto.Adapters.Postgres,
 username: "__DB_NAME__",
@@ -30,6 +30,10 @@ config :pleroma, Pleroma.Repo,
 hostname: "localhost",
 pool_size: 10
 
+# Enable Strict-Transport-Security once SSL is working:
+# config :pleroma, :http_security,
+# sts: true
+
 # Configure S3 support if desired.
 # The public S3 endpoint is different depending on region and provider,
 # consult your S3 provider's documentation for details on what to use.
@@ -51,9 +55,9 @@ config :pleroma, Pleroma.Repo,
 # Configure Openstack Swift support if desired.
-#
-# Many openstack deployments are different, so config is left very open with
-# no assumptions made on which provider you're using. This should allow very
+#
+# Many openstack deployments are different, so config is left very open with
+# no assumptions made on which provider you're using. This should allow very
 # wide support without needing separate handlers for OVH, Rackspace, etc.
 #
 # config :pleroma, Pleroma.Uploaders.Swift,
@@ -66,3 +70,4 @@ config :pleroma, Pleroma.Repo,
 # object_url: "https://cdn-endpoint.provider.com/"
 #
+
diff --git a/conf/prod.exs b/conf/prod.exs
new file mode 100644
index 0000000..b38f9bb
--- /dev/null
+++ b/conf/prod.exs
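Review bot: The Strict-Transport-Security hint added in the `@@ -30,6 +30,10 @@` hunk stays a comment, while the same template declares the endpoint as `url: [host: "__DOMAIN__", scheme: "https", port: 443]` and the packaged config.exs in this commit sets `:http_security` to `sts: false`, so generated instances ship without HSTS unless the admin edits the file by hand. If the YunoHost nginx front end terminates TLS for every install, the setting could be live in the template instead: `config :pleroma, :http_security, sts: true`. Whether nginx already emits that header is not visible here, so check for a duplicate header before enabling it.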
@@ -0,0 +1,63 @@ +use Mix.Config + +# For production, we often load configuration from external +# sources, such as your system environment. For this reason, +# you won't find the :http configuration below, but set inside +# Pleroma.Web.Endpoint.load_from_system_env/1 dynamically. +# Any dynamic configuration should be moved to such function. +# +# Don't forget to configure the url host to something meaningful, +# Phoenix uses this information when generating URLs. +# +# Finally, we also include the path to a cache manifest +# containing the digested version of static files. This +# manifest is generated by the mix phoenix.digest task +# which you typically run after static files are built. +#config :pleroma, Pleroma.Web.Endpoint, + #http: [port: 4000], + #protocol: "http" + +# Do not print debug messages in production +config :logger, level: :info + +# ## SSL Support +# +# To get SSL working, you will need to add the `https` key +# to the previous section and set your `:url` port to 443: +# +# config :pleroma, Pleroma.Web.Endpoint, +# ... +# url: [host: "example.com", port: 443], +# https: [:inet6, +# port: 443, +# keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"), +# certfile: System.get_env("SOME_APP_SSL_CERT_PATH")] +# +# Where those two env variables return an absolute path to +# the key and cert in disk or a relative path inside priv, +# for example "priv/ssl/server.key". +# +# We also recommend setting `force_ssl`, ensuring no data is +# ever sent via http, always redirecting to https: +# +# config :pleroma, Pleroma.Web.Endpoint, +# force_ssl: [hsts: true] +# +# Check `Plug.SSL` for all available options in `force_ssl`. 
+
+# ## Using releases
+#
+# If you are doing OTP releases, you need to instruct Phoenix
+# to start the server for all endpoints:
+#
+# config :phoenix, :serve_endpoints, true
+#
+# Alternatively, you can configure exactly which server to
+# start per endpoint:
+#
+# config :pleroma, Pleroma.Web.Endpoint, server: true
+#
+
+# Finally import the config/prod.secret.exs
+# which should be versioned separately.
+import_config "prod.secret.exs"
diff --git a/conf/setup_db.psql b/conf/setup_db.psql
deleted file mode 100644
index 93a6984..0000000
--- a/conf/setup_db.psql
+++ /dev/null
@@ -1,6 +0,0 @@
-CREATE USER __DB_NAME__ WITH ENCRYPTED PASSWORD '__DB_PWD__';
-CREATE DATABASE __DB_NAME__ OWNER __DB_NAME__;
-\c __DB_NAME__;
---Extensions made by ecto.migrate that need superuser access
-CREATE EXTENSION IF NOT EXISTS citext;
-CREATE EXTENSION IF NOT EXISTS pg_trgm;
diff --git a/scripts/install b/scripts/install
index c22ce3b..9175aee 100755
--- a/scripts/install
+++ b/scripts/install
@@ -153,6 +153,8 @@ ynh_psql_execute_as_root "\connect $db_name
 CREATE EXTENSION IF NOT EXISTS unaccent;CREATE EXTENSION IF NOT EXISTS pg_trgm;"
 ynh_psql_execute_as_root "\connect $db_name
 CREATE EXTENSION IF NOT EXISTS unaccent;CREATE EXTENSION IF NOT EXISTS citext;"
+ynh_psql_execute_as_root "\connect $db_name
+CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";"
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
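Review bot: The new `uuid-ossp` statement is the third consecutive root psql session in scripts/install, each reconnecting to `$db_name`, and the two context lines above it both re-run `CREATE EXTENSION IF NOT EXISTS unaccent;`. A single call does the same work: `ynh_psql_execute_as_root "\connect $db_name` followed by `CREATE EXTENSION IF NOT EXISTS unaccent; CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS citext; CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";"`. The deleted conf/setup_db.psql carried the only explanation of why these run as root (`--Extensions made by ecto.migrate that need superuser access`); carry it over as `# Extensions ecto.migrate needs; created here as root so the app role never needs SUPERUSER during install.`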
@@ -224,8 +226,7 @@ chown -R "$app":"$app" "/var/log/$app"
 #=================================================
 # MODIFY A CONFIG FILE
 #=================================================
-cp -f ../conf/prod.secret.exs "$final_path/$app/config/prod.secret.exs"
-cp -f ../conf/setup_db.psql "$final_path/$app/config/setup_db.psql"
+cp -f ../conf/generated_config.exs "$final_path/$app/config/prod.secret.exs"
 
 ynh_replace_string "__DOMAIN__" "$domain" "$final_path/$app/config/prod.secret.exs"
 ynh_replace_string "__KEY__" "$random_key" "$final_path/$app/config/prod.secret.exs"
@@ -234,8 +235,7 @@ ynh_replace_string "__DB_NAME__" "$db_name" "$final_path/$app/co
 ynh_replace_string "__DB_PWD__" "$db_pwd" "$final_path/$app/config/prod.secret.exs"
 ynh_replace_string "__ADMIN_EMAIL__" "$admin_email" "$final_path/$app/config/prod.secret.exs"
 ynh_replace_string "__PORT__" "$port" "$final_path/$app/config/prod.secret.exs"
-ynh_replace_string "__DB_NAME__" "$db_name" "$final_path/$app/config/setup_db.psql"
-ynh_replace_string "__DB_PWD__" "$db_pwd" "$final_path/$app/config/setup_db.psql"
+
 if [ $cache -eq 1 ]
 then
 ynh_replace_string "__MEDIA_CACHE__" "true" "$final_path/$app/config/prod.secret.exs"
@@ -251,6 +251,12 @@ else
 ynh_replace_string "__REG__" "false" "$final_path/$app/config/prod.secret.exs"
 fi
 
+#Desactivate default frontend
+cp -f ../conf/config.exs "$final_path/$app/config/config.exs"
+
+#Desactivate Pleroma.Web.Endpoint
+cp -f ../conf/prod.exs "$final_path/$app/config/prod.exs"
+
 #=================================================
 # MAKE SETUP
 #=================================================
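Review bot: After the new `cp -f ../conf/generated_config.exs ".../prod.secret.exs"` the substitutions below write `$random_key` (the endpoint's secret_key_base) and `$db_pwd` into that file, but nothing in the hunk restricts its mode, so it keeps whatever the copy from the package's conf directory gives it — presumably world-readable. Ownership is likely fixed later, since the web_push append in the MAKE SETUP step runs as `$app`, but the mode is the open question; unless a chmod outside the hunk already covers it, add `chmod 600 "$final_path/$app/config/prod.secret.exs"` right after the copy. That also backs the "should not be committed to a repo or otherwise made public" note the commit adds to generated_config.exs.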
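Review bot: The comments `#Desactivate default frontend` and `#Desactivate Pleroma.Web.Endpoint` in the `@@ -251,6 +251,12 @@` hunk do not describe what the two `cp` lines do: the first installs the packaged full default config.exs over upstream's copy, and the second installs a prod.exs whose only live settings are `config :logger, level: :info` and the import of prod.secret.exs, with the endpoint's `http`/`protocol` keys commented out so the port comes from prod.secret.exs. Suggested replacements: `# Install the packaged config.exs (overwrites upstream's default config on every install/upgrade)` and `# Install the packaged prod.exs: endpoint http/protocol keys are commented out, the port comes from prod.secret.exs`. The same pair of comments is added to scripts/upgrade in its `@@ -160,9 +160,14 @@` hunk and should be changed there too ("Desactivate" is also a misspelling of "Deactivate").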
@@ -275,7 +281,8 @@ pushd $final_path/$app
 sudo -u "$app" MIX_ENV=prod mix pleroma.user new "$admin" "$admin_email" --password "$password" --moderator --admin -y
 #Generate key pair
- sudo -u "$app" MIX_ENV=prod mix web_push.gen.keypair >> "config/config.exs"
+ sudo -u "$app" MIX_ENV=prod mix web_push.gen.keypair >> "config/prod.secret.exs"
+ ynh_replace_string "administrator@example.com" "__ADMIN_EMAIL__" "$final_path/$app/config/prod.secret.exs"
 popd
diff --git a/scripts/remove b/scripts/remove
index 7d64ae4..12753d1 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -19,7 +19,6 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get $app domain)
 port=$(ynh_app_setting_get $app port)
 db_name=$(ynh_app_setting_get "$app" db_name)
-db_user=$db_name
 final_path=$(ynh_app_setting_get $app final_path)
 cache=$(ynh_app_setting_get "$app" cache)
 
@@ -56,7 +55,7 @@ ynh_psql_remove_db "$db_name" "$app"
 # Remove metapackage and its dependencies
 ynh_remove_app_dependencies
 
-rm -f /etc/apt/sources.list.d/erlang-solutions.list
+rm -f "/etc/apt/sources.list.d/erlang-solutions.list"
 
 #=================================================
 # REMOVE APP MAIN DIR
@@ -71,7 +70,7 @@ ynh_secure_remove "$final_path"
 # Remove the dedicated nginx config
 ynh_remove_nginx_config
 
-ynh_secure_remove /etc/nginx/conf.d/$app-cache.conf
+ynh_secure_remove "/etc/nginx/conf.d/$app-cache.conf"
 
 #=================================================
 # REMOVE PHP-FPM CONFIGURATION
diff --git a/scripts/upgrade b/scripts/upgrade
index 57f089c..416722b 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
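Review bot: The new `ynh_replace_string "administrator@example.com" "__ADMIN_EMAIL__" ...` rewrites the generated web-push subject to the literal placeholder `__ADMIN_EMAIL__`, but the substitution of `__ADMIN_EMAIL__` with `$admin_email` already ran earlier, in the MODIFY A CONFIG FILE step, so unless another replacement follows outside this hunk the placeholder is what ends up in prod.secret.exs. Substitute the real value directly: `ynh_replace_string "administrator@example.com" "$admin_email" "$final_path/$app/config/prod.secret.exs"`. Redirecting the keypair into prod.secret.exs instead of config.exs is the right move now that config.exs is overwritten on every install and upgrade, since the generated private key would otherwise be lost. The enclosing `pushd` block starts before this hunk.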
@@ -160,9 +160,14 @@ ynh_system_user_create "$app" "$final_path"
 #=================================================
 # SPECIFIC UPGRADE
 #=================================================
-# ...
+# CONFIGURE
 #=================================================
 
+#Desactivate default frontend
+cp -f ../conf/config.exs "$final_path/$app/config/config.exs"
+
+#Desactivate Pleroma.Web.Endpoint
+cp -f ../conf/prod.exs "$final_path/$app/config/prod.exs"
 
 #=================================================
 # MAKE UPGRADE
@@ -170,16 +175,16 @@ ynh_system_user_create "$app" "$final_path"
 # Give permission to the final_path
 chown -R "$app":"$app" "$final_path"
 
-( cd $final_path/$app && sudo -u "$app" MIX_ENV=prod mix local.hex --force )
-( cd $final_path/$app && sudo -u "$app" MIX_ENV=prod mix local.rebar --force )
-( cd $final_path/$app && sudo -u "$app" mix deps.get )
-ynh_psql_execute_as_root \
-"ALTER USER $app WITH SUPERUSER;"
-( cd $final_path/$app && sudo -u "$app" MIX_ENV=prod mix ecto.migrate --force )
-ynh_psql_execute_as_root \
-"ALTER USER $app WITH NOSUPERUSER;"
-
-
+pushd $final_path/$app
+ sudo -u "$app" MIX_ENV=prod mix local.hex --force
+ sudo -u "$app" MIX_ENV=prod mix local.rebar --force
+ sudo -u "$app" mix deps.get
+ ynh_psql_execute_as_root \
+ "ALTER USER $app WITH SUPERUSER;"
+ sudo -u "$app" MIX_ENV=prod mix ecto.migrate --force
+ ynh_psql_execute_as_root \
+ "ALTER USER $app WITH NOSUPERUSER;"
+popd
 
 ### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script.
 ### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it.
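Review bot: The `ALTER USER $app WITH SUPERUSER;` / `NOSUPERUSER` pair around `mix ecto.migrate` in the `@@ -170,16 +175,16 @@` hunk leaves the application's database role a permanent superuser if the migration fails, because a non-zero exit there (under the YunoHost error trap, presumably active in this script) ends the run before the revoke executes; moving the block into `pushd`/`popd` does not change that. Capturing the status lets the revoke run unconditionally: `sudo -u "$app" MIX_ENV=prod mix ecto.migrate --force || migrate_status=$?` then `ynh_psql_execute_as_root "ALTER USER $app WITH NOSUPERUSER;"` then `[ "${migrate_status:-0}" -eq 0 ] || ynh_die "ecto.migrate failed"`. Since scripts/install in this same commit creates the citext, pg_trgm and uuid-ossp extensions as root, it is worth checking whether the escalation is still needed for upgrades at all. Minor: `pushd $final_path/$app` is unquoted while the `chown` two lines above quotes `"$final_path"`.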