Set up an instance of Mastodon for Kosmos

Refs #19

Use new application cookbook, update our cookbooks

site-cookbooks/kosmos-mastodon/templates/default/config-environment-production.rb.erb

@@ -0,0 +1,119 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+  config.action_controller.asset_host      = ENV['CDN_HOST'] if ENV.key?('CDN_HOST')
+
+  # Disable serving static files from the `/public` folder by default since
+  # Apache or NGINX already handles this.
+  config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
+
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor = Uglifier.new(mangle: false)
+  # config.assets.css_compressor = :sass
+
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
+  config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
+
+  # Allow to specify public IP of reverse proxy if it's needed
+  config.action_dispatch.trusted_proxies = [IPAddr.new(ENV['TRUSTED_PROXY_IP'])] unless ENV['TRUSTED_PROXY_IP'].blank?
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  config.force_ssl = false
+
+  # Use the lowest log level to ensure availability of diagnostic information
+  # when problems arise.
+  config.log_level = :debug
+
+  # Prepend all log lines with the following tags.
+  config.log_tags = [:request_id]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Parse and split the REDIS_URL if passed (used with hosting platforms such as Heroku).
+  # Set ENV variables because they are used elsewhere.
+  if ENV['REDIS_URL']
+    redis_url = URI.parse(ENV['REDIS_URL'])
+    ENV['REDIS_HOST'] = redis_url.host
+    ENV['REDIS_PORT'] = redis_url.port.to_s
+    ENV['REDIS_PASSWORD'] = redis_url.password
+  end
+
+  # Use a different cache store in production.
+  config.cache_store = :redis_store, {
+    host: ENV.fetch('REDIS_HOST') { 'localhost' },
+    port: ENV.fetch('REDIS_PORT') { 6379 },
+    password: ENV.fetch('REDIS_PASSWORD') { false },
+    db: <%= @redis_db %>,
+    namespace: 'cache',
+    expires_in: 20.minutes,
+  }
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = 'http://assets.example.com'
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+
+  # Better log formatting
+  config.lograge.enabled = true
+
+  # Do not dump schema after migrations.
+  config.active_record.dump_schema_after_migration = false
+
+  config.action_mailer.perform_caching = false
+
+  # E-mails
+  config.action_mailer.smtp_settings = {
+    :port           => ENV['SMTP_PORT'],
+    :address        => ENV['SMTP_SERVER'],
+    :user_name      => ENV['SMTP_LOGIN'],
+    :password       => ENV['SMTP_PASSWORD'],
+    :domain         => ENV['SMTP_DOMAIN'] || config.x.local_domain,
+    :authentication => :plain,
+  }
+
+  config.action_mailer.delivery_method = :smtp
+
+  config.react.variant = :production
+
+  config.to_prepare do
+    StatsD.backend = StatsD::Instrument::Backends::NullBackend.new if ENV['STATSD_ADDR'].blank?
+  end
+
+  config.action_dispatch.default_headers = {
+    'Server'                 => 'Mastodon',
+    'X-Frame-Options'        => 'DENY',
+    'X-Content-Type-Options' => 'nosniff',
+    'X-XSS-Protection'       => '1; mode=block',
+  }
+end

site-cookbooks/kosmos-mastodon/templates/default/env.production.erb

@@ -0,0 +1,49 @@
+# Service dependencies
+REDIS_HOST=localhost
+REDIS_PORT=6379
+REDIS_DB=<%= @redis_db %>
+REDIS_ACTIONCABLE_DB=<%= @redis_actioncable_db %>
+DB_HOST=localhost
+DB_USER=postgres
+DB_NAME=mastodon
+DB_PASS=<%= node['postgresql']['password']['postgres'] %>
+DB_PORT=5432
+
+# Federation
+LOCAL_DOMAIN=<%= @domain %>
+LOCAL_HTTPS=true
+
+# Application secrets
+# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+PAPERCLIP_SECRET=<%= @paperclip_secret %>
+SECRET_KEY_BASE=<%= @secret_key_base %>
+OTP_SECRET=<%= @otp_secret %>
+
+# Registrations
+# Single user mode will disable registrations and redirect frontpage to the first profile
+# SINGLE_USER_MODE=true
+# Prevent registrations with following e-mail domains
+# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
+
+# E-mail configuration
+SMTP_SERVER=smtp.mailgun.org
+SMTP_PORT=587
+SMTP_LOGIN=<%= @smtp_login %>
+SMTP_PASSWORD=<%= @smtp_password %>
+SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
+
+# Optional asset host for multi-server setups
+# CDN_HOST=assets.example.com
+
+# S3 (optional)
+S3_ENABLED=true
+S3_BUCKET=<%= @s3_bucket %>
+AWS_ACCESS_KEY_ID=<%= @aws_access_key_id %>
+AWS_SECRET_ACCESS_KEY=<%= @aws_secret_access_key %>
+S3_REGION=<%= @s3_region %>
+
+# Optional alias for S3 if you want to use Cloudfront or Cloudflare in front
+# S3_CLOUDFRONT_HOST=
+
+# Streaming API integration
+# STREAMING_API_BASE_URL=

site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb

@@ -0,0 +1,17 @@
+[Unit]
+Description=mastodon-sidekiq
+Requires=redis-server.service
+After=redis-server.service
+
+[Service]
+Type=simple
+User=<%= @user %>
+WorkingDirectory=<%= @app_dir %>
+Environment="RAILS_ENV=production"
+Environment="DB_POOL=5"
+ExecStart=/usr/local/bin/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb

@@ -0,0 +1,15 @@
+Description=mastodon-streaming
+After=network.target
+
+[Service]
+Type=simple
+User=<%= @user %>
+WorkingDirectory=<%= @app_dir %>
+Environment="NODE_ENV=production"
+Environment="PORT=<%= @port %>"
+ExecStart=/usr/local/bin/npm run start
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb

@@ -0,0 +1,19 @@
+[Unit]
+Description=mastodon-web
+Requires=redis-server.service
+After=redis-server.service
+Requires=postgresql@9.4-main.service
+After=postgresql@9.4-main.service
+
+[Service]
+Type=simple
+User=<%= @user %>
+WorkingDirectory=<%= @app_dir %>
+Environment="RAILS_ENV=production"
+Environment="PORT=3000"
+ExecStart=/usr/local/bin/bundle exec puma -C config/puma.rb
+TimeoutSec=15
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -0,0 +1,88 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  listen 80;
+  server_name <%= @server_name %>;
+
+  access_log "/var/log/nginx/mastodon.access.log";
+  error_log "/var/log/nginx/mastodon.error.log";
+
+  location /.well-known {
+    root "/var/www/mastodon";
+  }
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl;
+  server_name <%= @server_name %>;
+
+  access_log "/var/log/nginx/mastodon.access.log";
+  error_log "/var/log/nginx/mastodon.error.log";
+
+  ssl_protocols TLSv1.2;
+  ssl_ciphers EECDH+AESGCM:EECDH+AES;
+  ssl_ecdh_curve secp384r1;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+
+  <% if File.exist?(@ssl_cert) &&
+        File.exist?(@ssl_key) -%>
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+  <% end -%>
+
+  keepalive_timeout    70;
+  sendfile             on;
+  client_max_body_size 0;
+  gzip off;
+
+  root <%= @mastodon_path %>/public;
+
+  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+
+    proxy_pass_header Server;
+
+    proxy_pass http://localhost:<%= @puma_port %>;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  location /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+
+    proxy_pass http://localhost:<%= @streaming_port %>;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
+  error_page 500 501 502 503 504 /500.html;
+}