From b8eb5119dac8b5db2be54fe8d1a1122711d0e5f2 Mon Sep 17 00:00:00 2001 From: Luna Date: Thu, 17 Nov 2022 12:21:21 -0300 Subject: [PATCH 1/3] create aliases to containers step 1 towards working federation --- docker-compose.yaml | 36 +++++++----------------------------- 1 file changed, 7 insertions(+), 29 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index f256422..790f461 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -3,8 +3,6 @@ services: pleroma_db: image: postgres:15 - networks: - - pleroma_internal_network healthcheck: test: ['CMD', 'pg_isready', '-U', 'postgres'] volumes: @@ -20,8 +18,9 @@ services: pleroma_web: image: pleroma_selfbuilt networks: - - pleroma_internal_network - - pleroma_external_network + default: + aliases: + - pleroma.pubtester.local healthcheck: test: [ @@ -59,8 +58,6 @@ services: mastodon_db: image: postgres:15 shm_size: 256mb - networks: - - internal_network healthcheck: test: ['CMD', 'pg_isready', '-U', 'postgres'] volumes: @@ -73,8 +70,6 @@ services: mastodon_redis: restart: always image: redis:7-alpine - networks: - - internal_network healthcheck: test: ['CMD', 'redis-cli', 'ping'] volumes: @@ -85,8 +80,10 @@ services: env_file: .env.mastodon command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" networks: - - external_network - - internal_network + default: + aliases: + - mastodon.pubtester.local + healthcheck: # prettier-ignore test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1'] @@ -102,9 +99,6 @@ services: restart: always env_file: .env.mastodon command: node ./streaming - networks: - - external_network - - internal_network healthcheck: # prettier-ignore test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1'] 
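Review bot: The first hunk takes `pleroma_db` off `pleroma_internal_network`, and the last hunk of this patch (`@@ -145,11 +131,3 @@`, on the next line) deletes the top-level `networks:` block including both `internal: true` networks, so every database and redis container ends up on the default network, reachable from every other service and with a route to the outside. Those internal networks were the only control in front of the Postgres containers, which run with `POSTGRES_HOST_AUTH_METHOD=trust` (visible for `pleroma2_db` in the next patch; presumably the same for `pleroma_db`). Keeping one `internal: true` backend network for the db/redis services and attaching only the web services to `default` with their aliases preserves that isolation, e.g. a top-level `networks:` / `backend:` / `internal: true` plus `networks: [default, backend]` on each web service and `networks: [backend]` on each db.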
@@ -121,9 +115,6 @@ services: depends_on: - mastodon_db - mastodon_redis - networks: - - external_network - - internal_network volumes: - ./data/mastodon/public/system:/mastodon/public/system healthcheck: @@ -132,11 +123,6 @@ services: # nginx reverse proxy configured for all instances nginx: image: nginx:1.23.1-alpine - networks: - - external_network - - internal_network - - pleroma_external_network - - pleroma_internal_network volumes: - ./files/nginx.conf:/etc/nginx/nginx.conf:ro ports: @@ -145,11 +131,3 @@ services: - mastodon_web - mastodon_streaming - pleroma_web - -networks: - external_network: - internal_network: - internal: true - pleroma_external_network: - pleroma_internal_network: - internal: true From 330786ea2782b3ecf0c6442c077b4b5b02a9fd86 Mon Sep 17 00:00:00 2001 From: Luna Date: Fri, 18 Nov 2022 13:15:04 -0300 Subject: [PATCH 2/3] federate two pleroma instances instead --- Dockerfile.pleroma | 6 ++++ docker-compose.yaml | 77 ++++++++++++++++++++++++++++++++--------- files/nginx.conf | 84 ++++++++++++++++++++++++++++++--------------- files/pleroma.exs | 4 ++- mastodon_setup.sh | 2 ++ pleroma_setup.sh | 5 +++ 6 files changed, 133 insertions(+), 45 deletions(-) diff --git a/Dockerfile.pleroma b/Dockerfile.pleroma index 779e0b0..ca4cdc0 100644 --- a/Dockerfile.pleroma +++ b/Dockerfile.pleroma @@ -26,6 +26,12 @@ WORKDIR /pleroma RUN git clone -b develop https://git.pleroma.social/pleroma/pleroma.git /pleroma \ && git checkout ${PLEROMA_VER} +USER root +COPY ./minica.pem /usr/local/share/ca-certificates/minica.crt +RUN update-ca-certificates + +USER pleroma + RUN echo "import Mix.Config" > config/prod.secret.exs \ && mix local.hex --force \ && mix local.rebar --force \ diff --git a/docker-compose.yaml b/docker-compose.yaml index 790f461..349e9ef 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -17,10 +17,6 @@ services: pleroma_web: image: pleroma_selfbuilt - networks: - default: - aliases: - - pleroma.pubtester.local healthcheck: test: [ 
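Review bot: Copying `minica.pem` into `/usr/local/share/ca-certificates/` and running `update-ca-certificates` makes the test CA trusted system-wide in the `pleroma_selfbuilt` image, for every outbound TLS connection, not only federation with the peer instance. Nothing in the image tag or build args records this, so an image built from this Dockerfile must not be reused outside the test rig; putting the three lines in a separate final stage selected with `--target`, or naming the tag to reflect the test CA, would make that visible. Also worth checking that the path `files/pleroma.exs` later points hackney at (`/etc/ssl/cert.pem`) is where `update-ca-certificates` writes the merged bundle in this base image: on Debian-based images that is `/etc/ssl/certs/ca-certificates.crt`, `/etc/ssl/cert.pem` being the Alpine location, and the base image is not visible in this hunk.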
@@ -54,6 +50,52 @@ services: depends_on: - pleroma_db + pleroma2_db: + image: postgres:15 + healthcheck: + test: ['CMD', 'pg_isready', '-U', 'postgres'] + volumes: + - ./data/pleroma2/postgres14:/var/lib/postgresql/data + environment: + - 'POSTGRES_HOST_AUTH_METHOD=trust' + - 'POSTGRES_USER=pleroma' + - 'POSTGRES_PASSWORD=very_secure_pleroma_password' + - 'POSTGRES_DB=pleroma' + pleroma2_web: + image: pleroma_selfbuilt + healthcheck: + test: + [ + "CMD-SHELL", + "wget -q --spider --proxy=off localhost:4000 || exit 1", + ] + restart: always + ports: + - '127.0.0.1:20710:4000' + build: + context: . + # Feel free to remove or override this section + # See 'Build-time variables' in README.md + args: + - "UID=1000" + - "GID=1000" + - "PLEROMA_VER=v2.4.2" + volumes: + - ./data/pleroma2/uploads:/var/lib/pleroma/uploads + - ./data/pleroma2/static:/var/lib/pleroma/static + - ./files/pleroma.exs:/etc/pleroma/config.exs:ro + environment: + DOMAIN: pleroma2.pubtester.local + INSTANCE_NAME: Pleroma/pubtester2 + ADMIN_EMAIL: admin@example.com + NOTIFY_EMAIL: notify@example.com + DB_HOST: pleroma2_db + DB_USER: pleroma + DB_PASS: very_secure_pleroma_password + DB_NAME: pleroma + depends_on: + - pleroma2_db + # mastodon config mastodon_db: image: postgres:15 @@ -75,15 +117,10 @@ services: volumes: - ./data/mastodon/redis:/data mastodon_web: - image: tootsuite/mastodon:v4.0.2 + image: mastodon_selfbuilt restart: always env_file: .env.mastodon - command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" - networks: - default: - aliases: - - mastodon.pubtester.local - + command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000 -b 0.0.0.0" healthcheck: # prettier-ignore test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1'] 
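Review bot: `pleroma2_db` is started with `POSTGRES_HOST_AUTH_METHOD=trust`, which lets any client that can reach port 5432 log in as any role without a password, and after the previous patch every container in the project shares the default network with it. The compose file already hands the application a password (`POSTGRES_PASSWORD` / `DB_PASS`), so the trust line buys nothing; dropping `- 'POSTGRES_HOST_AUTH_METHOD=trust'` from both `pleroma_db` and `pleroma2_db` keeps password auth for network clients, while the setup script's `psql` runs inside the container over the local socket, which the official image allows without it (worth confirming). Minor: the data volume is named `./data/pleroma2/postgres14` while the image is `postgres:15`, and the new healthcheck uses double quotes where the rest of the file uses single quotes.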
@@ -95,7 +132,7 @@ services: volumes: - ./data/mastodon/public/system:/mastodon/public/system mastodon_streaming: - image: tootsuite/mastodon:v4.0.2 + image: mastodon_selfbuilt restart: always env_file: .env.mastodon command: node ./streaming @@ -108,7 +145,7 @@ services: - mastodon_db - mastodon_redis mastodon_sidekiq: - image: tootsuite/mastodon + image: mastodon_selfbuilt restart: always env_file: .env.mastodon command: bundle exec sidekiq @@ -123,11 +160,19 @@ services: # nginx reverse proxy configured for all instances nginx: image: nginx:1.23.1-alpine + networks: + default: + aliases: + - pleroma.pubtester.local + - pleroma2.pubtester.local volumes: - ./files/nginx.conf:/etc/nginx/nginx.conf:ro + - ./pubtester.local/cert.pem:/etc/nginx/cert.pem:ro + - ./pubtester.local/key.pem:/etc/nginx/key.pem:ro ports: - - '127.0.0.1:20000:80' + - '127.0.0.1:20000:443' depends_on: - - mastodon_web - - mastodon_streaming + #- mastodon_web + #- mastodon_streaming - pleroma_web + - pleroma2_web diff --git a/files/nginx.conf b/files/nginx.conf index 2b2d4d4..e935995 100644 --- a/files/nginx.conf +++ b/files/nginx.conf 
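Review bot: In the `nginx` hunk the `depends_on` entries for `mastodon_web` and `mastodon_streaming` are commented out rather than removed, while the Mastodon services themselves (now pointing at `mastodon_selfbuilt` in the earlier hunks of this file) stay in the file, so `docker-compose up` still builds and starts a Mastodon stack that nginx no longer proxies. If Mastodon is being kept for later, a compose profile (`profiles: [mastodon]` on those services) keeps it out of the default run without leaving commented-out YAML; otherwise delete the services. Note also that nginx is now published only as `'127.0.0.1:20000:443'` while `files/nginx.conf` still has `listen 80` entries, so port 80 remains reachable from other containers through the two new aliases.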
@@ -30,43 +30,46 @@ http { #gzip on; - server { - listen 80; - listen [::]:80; - root /mnt/none; - index index.html index.htm; + #server { + # listen 80; + # listen [::]:80; + # root /mnt/none; + # index index.html index.htm; - server_name mastodon.pubtester.local; + # server_name mastodon.pubtester.local; - absolute_redirect off; - server_name_in_redirect off; + # absolute_redirect off; + # server_name_in_redirect off; - error_page 404 /404.html; - error_page 410 /410.html; + # error_page 404 /404.html; + # error_page 410 /410.html; - location / { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto https; + # location / { + # proxy_set_header Host $http_host; + # proxy_set_header X-Forwarded-Proto https; - proxy_pass http://mastodon_web:3000; - } + # proxy_pass http://mastodon_web:3000; + # } - location ^~ /api/v1/streaming { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto https; + # location ^~ /api/v1/streaming { + # proxy_set_header Host $http_host; + # proxy_set_header X-Forwarded-Proto https; - proxy_pass http://mastodon_streaming:4000; + # proxy_pass http://mastodon_streaming:4000; + + # proxy_buffering off; + # proxy_redirect off; + # proxy_http_version 1.1; + # tcp_nodelay on; + # } + #} - proxy_buffering off; - proxy_redirect off; - proxy_http_version 1.1; - tcp_nodelay on; - } - } server { listen 80; listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; root /mnt/none; index index.html index.htm; @@ -74,9 +77,8 @@ http { absolute_redirect off; server_name_in_redirect off; - - error_page 404 /404.html; - error_page 410 /410.html; + ssl_certificate /etc/nginx/cert.pem; + ssl_certificate_key /etc/nginx/key.pem; location / { proxy_set_header Host $http_host; 
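Review bot: The surviving `pleroma.pubtester.local` server block now listens on both `80` and `443 ssl` but keeps `proxy_set_header X-Forwarded-Proto https;` unconditionally, so a peer container that reaches nginx through the new alias over plain HTTP is proxied as if it were HTTPS, and Pleroma (whose endpoint URL is switched to `https`/443 in `files/pleroma.exs` in this same patch) generates https links for a request that was never encrypted. Since nothing outside the compose network can reach port 80 any more, a dedicated port-80 server block for both hostnames that only does `return 301 https://$host$request_uri;` and dropping the two port-80 `listen` lines from the TLS server blocks closes that gap. Separately, the old Mastodon server block is commented out line by line instead of deleted; git keeps the history and the commented copy will drift from the live config. The second hunk removes the `error_page 404/410` lines from the Pleroma block without replacement, which may be intended but deserves a word in the commit message.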
@@ -86,4 +88,30 @@ http { proxy_pass http://pleroma_web:4000; } } + + + server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + root /mnt/none; + index index.html index.htm; + + server_name pleroma2.pubtester.local; + + absolute_redirect off; + server_name_in_redirect off; + ssl_certificate /etc/nginx/cert.pem; + ssl_certificate_key /etc/nginx/key.pem; + + location / { + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://pleroma2_web:4000; + } + } + } diff --git a/files/pleroma.exs b/files/pleroma.exs index 487ef6b..943c557 100644 --- a/files/pleroma.exs +++ b/files/pleroma.exs @@ -1,7 +1,7 @@ import Config config :pleroma, Pleroma.Web.Endpoint, - url: [host: System.get_env("DOMAIN", "localhost"), scheme: "http", port: 80], + url: [host: System.get_env("DOMAIN", "localhost"), scheme: "https", port: 443], http: [ip: {0, 0, 0, 0}, port: 4000] config :pleroma, :instance, @@ -33,6 +33,8 @@ config :pleroma, :database, rum_enabled: false config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" +config :tesla, adapter: {Tesla.Adapter.Hackney, [ssl_options: [cacertfile: "/etc/ssl/cert.pem"]]} + # We can't store the secrets in this file, since this is baked into the docker image if not File.exists?("/var/lib/pleroma/secret.exs") do secret = :crypto.strong_rand_bytes(64) |> Base.encode64() |> binary_part(0, 64) diff --git a/mastodon_setup.sh b/mastodon_setup.sh index f30d6e6..3b613eb 100755 --- a/mastodon_setup.sh +++ b/mastodon_setup.sh @@ -4,4 +4,6 @@ set -eux +docker buildx build -t mastodon_selfbuilt -f ./Dockerfile.mastodon . docker-compose run --rm mastodon_web rails db:migrate + diff --git a/pleroma_setup.sh b/pleroma_setup.sh index 6cf503d..870a43b 100755 --- a/pleroma_setup.sh +++ b/pleroma_setup.sh 
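Review bot: The new `pleroma2.pubtester.local` location sets `Upgrade` / `Connection "upgrade"` headers but not `proxy_http_version 1.1;`, and nginx proxies upstream with HTTP/1.0 by default, so WebSocket upgrades through this block will not complete; add `proxy_http_version 1.1;` next to the two header lines. The first Pleroma server block (second hunk of this file, on the previous line) does not get the upgrade headers at all, so the two instances are configured differently for no visible reason; either both or neither. The hunk also inserts two blank lines before the new `server {`, where one is the file's existing convention.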
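Review bot: The new `:tesla` adapter line hands hackney an explicit `ssl_options` list containing only `cacertfile`; as far as I recall hackney treats a caller-supplied `ssl_options` as a replacement for its default option set rather than a supplement, and Erlang's `:ssl` (before OTP 26) defaults to `verify: :verify_none` when `verify` is not given, so this line may switch off peer verification for every outbound request instead of merely adding the test CA — please confirm against the hackney version the image builds. If so, spelling it out keeps the intent: `config :tesla, adapter: {Tesla.Adapter.Hackney, [ssl_options: [verify: :verify_peer, cacertfile: "/etc/ssl/cert.pem"]]}`. The `/etc/ssl/cert.pem` path also has to be where `update-ca-certificates` in `Dockerfile.pleroma` writes the merged bundle for that base image (Alpine `/etc/ssl/cert.pem`, Debian `/etc/ssl/certs/ca-certificates.crt`), which this hunk cannot show; a wrong path fails every federation handshake, not only the test ones. This config file is mounted into both instances, so the setting applies to `pleroma_web` and `pleroma2_web` alike.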
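Review bot: The added build step in `mastodon_setup.sh` references `./Dockerfile.mastodon`, which is not part of this three-patch series (the diffstat lists only `Dockerfile.pleroma`), so unless that file already exists in the repository the script now fails under `set -eux` before it reaches `rails db:migrate`. The hunk also appears to append an empty added line after the migrate call, which is worth trimming. Given that the `nginx` service stops depending on the Mastodon containers in the same patch, it may be simpler to leave this script untouched until Mastodon is wired back in.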
@@ -3,9 +3,14 @@ # setup pleroma db docker-compose up -d pleroma_db +docker-compose up -d pleroma2_db +sleep 10 docker-compose exec -i pleroma_db psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS citext;" docker-compose exec -i pleroma_db psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;" docker-compose exec -i pleroma_db psql -U pleroma -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";' +docker-compose exec -i pleroma2_db psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS citext;" +docker-compose exec -i pleroma2_db psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;" +docker-compose exec -i pleroma2_db psql -U pleroma -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";' docker-compose down docker buildx build -t pleroma_selfbuilt -f ./Dockerfile.pleroma . From 94e6350660a6444e644a6cdc0f4d0f769af9b41f Mon Sep 17 00:00:00 2001 From: Luna Date: Fri, 18 Nov 2022 13:15:36 -0300 Subject: [PATCH 3/3] add selfsigned certificates --- minica.pem | 20 ++++++++++++++++++++ pubtester.local/cert.pem | 20 ++++++++++++++++++++ pubtester.local/key.pem | 27 +++++++++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 minica.pem create mode 100644 pubtester.local/cert.pem create mode 100644 pubtester.local/key.pem diff --git a/minica.pem b/minica.pem new file mode 100644 index 0000000..fac3285 --- /dev/null +++ b/minica.pem 
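Review bot: `sleep 10` is a fixed guess at how long Postgres takes to accept connections; on a cold first start (initdb on an empty `./data/pleroma2/postgres14`) the following `psql` calls can still fail under `set -e`, and on a warm start it wastes ten seconds. The compose file already defines a `pg_isready` healthcheck for these containers, so polling it is both faster and reliable, e.g. before the first `psql` for each instance: `until docker-compose exec -i pleroma2_db pg_isready -U postgres; do sleep 1; done`. The same wait is worth adding for `pleroma_db`, which before this patch had none at all. The script continues beyond the end of the hunk.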
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIIL2v+ZtzVhRgwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgMmY2YmZlMCAXDTIyMTExODAxNDcxMFoYDzIxMjIx
+MTE4MDE0NzEwWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAyZjZiZmUwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsOnHPWJUopkZ7s22wtcVH+eoC
+XJEckoCCsgThSdcQMOiG4sM/1nEcnTbfh9/cUYG4/035pnrIhp0iw1PrEzny7pLG
+qONXMZB0hO44BB3F10OK6si02vId7+wHI5/bLfmyIBtOIXtCRfc3/tWwi4CwkvRA
+sAozz/drAClQlUksK9ZHsznZzJskSSG72V5CVNoE8bqS8DvsBglHp62XSBwRPytg
+RwggH/hT5sxOQhjDOjEMEuOYqgipLCVJvKmNjiS/t6JM6bxgqfKg2xxWyR/E5CxN
+CIw4rp48DxY3YVHwDNvzD25b76uo4shtxCA08C2lSNTxb+dIhYFwNtak+E3fAgMB
+AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQ2y5zeB44/l7zu
+osGq/xzWcnHuhzAfBgNVHSMEGDAWgBQ2y5zeB44/l7zuosGq/xzWcnHuhzANBgkq
+hkiG9w0BAQsFAAOCAQEAN7PZoWJ3gU1r+5R3P03ebGMv5nsBqbeuJnJ7IYutMPOS
+wZYWOltKsz2aTgTr7HcNYm+1bS47IBTVEVIbVDHtgOF9oUdskqQ7VFYZP+oes8eC
+0IwbcLatl9yvs5qJJR8I7W343JWc5j2iJHjk7tMkwu+7oeAHM/ispIz7HusLA9Va
+EtLOZANLTXf5J/ZH7hPWGHqNcONQkBt+H/O+4rLpuVl8XUMfii+Xtg6vG833vxrA
+pbBHFDVyIMlTsbdJAn3VpnbdSTjJ29OxnUVimEvpnXTCPekU03VQRLeSxo5ATJk0
+xqxWv0bHQ61CBc8X6qTX9J5USgli2i/juXQz9rlVPA==
+-----END CERTIFICATE-----
diff --git a/pubtester.local/cert.pem b/pubtester.local/cert.pem
new file mode 100644
index 0000000..a61f35b
--- /dev/null
+++ b/pubtester.local/cert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjWgAwIBAgIIUk6jHQE1FngwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgMmY2YmZlMB4XDTIyMTExODAxNDcxMFoXDTI0MTIx
+ODAxNDcxMFowGjEYMBYGA1UEAxMPcHVidGVzdGVyLmxvY2FsMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAomuWEMqE1Z7Up2zsLfWPBA1kSJcpMSCFw+PH
+v6XBrcs1vpnCaLfruGzjS8eN7wJCGkHKhE6RuZQl29VnNREezMUzwS6EazTG46Av
+cJsGi0jjhp7rJfEXzoRdQr7tn9eE2vF4WxboOnzuCSe9j25eMPxJYDYWEs6JhToD
+sqMYYfADeUN5be77UGY2JSggv40XeIW+JGVY1sN0Aiy209caN69pekJL7kF4YUvg
+yWqOxNeGKIPUIiXRFWdlApVFZlr1b7yMJiWNkkBwlG6Eixr0yuJN8y1SmvUjtIWs
+TRWthwYMQ/ixyTtW6t+g0bFWLYyBsO1gNKW1ru9T1+E2JnEWMQIDAQABo4GQMIGN
+MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQ2y5zeB44/l7zuosGq/xzWcnHuhzAt
+BgNVHREEJjAkgg9wdWJ0ZXN0ZXIubG9jYWyCESoucHVidGVzdGVyLmxvY2FsMA0G
+CSqGSIb3DQEBCwUAA4IBAQAE/FFsMgSn79dx6QbT59fmuAZctyVQ5LzIVoRCXmtJ
+wcVanjZXJSDRn1R1wIV+hxpD3yCbPQP3zdo9Lhs1HWau9dyFDPXXN6K0I7aDZarY
+hcJCiyMq1+VzXj9o7wFOgGareIuvdI5uEFgc/Bts8x04PZQ60/oYUwnmaTpm3S5b
+Ri0GwzOiHU/LcwaNBJbKDPIhX0iydBAP5AylN3xsMeyPqmQ2up9qeWQwCoxMABA8
+QFzigsM/mN8MA7cXdsSuojP1NCGkXupEKHEW2ucPBPHm7+LP67OXxhAjART44SYi
+9Q2H5w5xat64yAy2TfyI4tPDDDmydGJbPFyRbkx61YfA
+-----END CERTIFICATE-----
diff --git a/pubtester.local/key.pem b/pubtester.local/key.pem
new file mode 100644
index 0000000..1fd4f20
--- /dev/null
+++ b/pubtester.local/key.pem
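Review bot: The leaf certificate's validity window, read from the encoded validity sequence in the second and third base64 lines, appears to run from 2022-11-18 to 2024-12-18, so the rig will start failing TLS handshakes after that date with nothing in the repository explaining why. A line in the README or the setup script naming the regeneration command (minica, judging by the issuer name in the certificate) would save the next person a debugging session. Since the minica root key is not committed, regeneration means a new root as well, and `Dockerfile.pleroma` bakes `minica.pem` into the image, so both Pleroma images must be rebuilt at that point.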
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAomuWEMqE1Z7Up2zsLfWPBA1kSJcpMSCFw+PHv6XBrcs1vpnC
+aLfruGzjS8eN7wJCGkHKhE6RuZQl29VnNREezMUzwS6EazTG46AvcJsGi0jjhp7r
+JfEXzoRdQr7tn9eE2vF4WxboOnzuCSe9j25eMPxJYDYWEs6JhToDsqMYYfADeUN5
+be77UGY2JSggv40XeIW+JGVY1sN0Aiy209caN69pekJL7kF4YUvgyWqOxNeGKIPU
+IiXRFWdlApVFZlr1b7yMJiWNkkBwlG6Eixr0yuJN8y1SmvUjtIWsTRWthwYMQ/ix
+yTtW6t+g0bFWLYyBsO1gNKW1ru9T1+E2JnEWMQIDAQABAoIBAG43pfElDPlNvC8V
+ajxR68grMkdUVL6ivENPOkiiOgku4fzCqLuZO5u+QIw3EekEVkktJjmce6U8lGhW
+q5/GS2lX1SQd5fw+J01mcWrvuIQiZUwAYcAwmCArkIHvwJ78iIpu3Gar59Fw37NU
+xX0kv0Rsn3prmZUPlSDUWpgJt00Vlp4bv5F78ONXaHAzr2Vas75ckE0toUWQYlPe
+f1La/oBNEquj0HeWByNvsMbAzljaES+72POkE2EnemYaB+O+Jr4Hl+8mCdpCoV8N
+VBEVv8jdgKlVq4lOUyudupU/xMDXOrM+LBQegbQgT290k3McHiIPmEzARp6c9Gkq
+ir/9wtUCgYEAwgBRSOYW8hMg+7865U4fAoGDxbd+udCVVnMFQrcnKLs9fMRJUkV1
+3aOOh/I8wZSGGixPAkNBsaEA1xwSVSGjjDQ/fmOst4Hk1mSGDB2Z4t+d2WIqlHEw
+/cSvWlc5H1iSqgrdikHL7P7xloBXT8kcyjy7b72TCg9ymxHSVAZmREMCgYEA1lOO
+iFd4g42pRh7HMO0Un2XWd1pzyrmQ1LY0tBXnjwLort3lPfSgQV28rZaIRFidk9TZ
+rSSE6GN6V14eg6ATENxP1pTLwXXbHLxzLej43vL9nvrVKM9u8M/ypsqIJpZo3SJ5
+GGw+rRmJdQv1meBX4N0a8NlLjsvLv/leva9I7nsCgYA8umK3giceofRKOeNS0nCM
+lURNiRInUm7c/+ZeqvycGHi37K3TDiFGPyOn1KFGK5sK6GHXIHyZAQBFVek7MuuC
+QPy7MLJpQ0UCA7eeZUm9pihAWyVfEEu4tG/7xKAB+vT2O657z/ro9ilj5kruk9Lq
+T7aQ1PQJSyqh9iMz4Ej1BwKBgQDAXpkVKSWjNlhT9rYk5PbYpyhbUlWSBQLI2Y3u
+gaaoRx0gL0xeUp4wbXk3eWBvr/YnxSln7dpZV0hs+K58yAW04XnLiRxlVWpInaDn
++S6/tewMcOk4Sw8xmAQczrZrpB8VNKbqU+XhqoUlCIn2BlX6H5rZyL+3uJX1hlcR
+/C2C1wKBgHCAyRCL6hY8Sy+M51eiCD7siIY/qb3B/TB6P1kQLKhSFWOnsJeMgPhK
+J1bPD+FpnI/xoky/62vAUKHekXhP6XTKSZBWf6bptyJj98bQ6H9VW/Qlx5jCybwX
+4gOq8ElvTBSrMjYbfMx+uaGWki2csJ+Pbl7h+AkX0I4IINL6HsVJ
+-----END RSA PRIVATE KEY-----
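Review bot: `pubtester.local/key.pem` is a private key committed to version control; it only protects a loopback-published test rig, but once a key is in git history deleting the file later does not remove it, and secret scanners will flag the repository from now on. Generating the CA and leaf at setup time (the setup scripts already run `docker buildx build`, so a `minica` or `openssl` step fits there) and listing `minica.pem`, `pubtester.local/cert.pem` and `pubtester.local/key.pem` in `.gitignore` gives the same result without storing key material. Nginx needs the key unencrypted anyway, so there is nothing to harden in the file itself, only in where it lives.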