logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://anongit.hacktivis.me/git/pleroma.git/

openbsd_en.md (12336B)


  1. # Installing on OpenBSD
  2. This guide describes the installation and configuration of pleroma (and the required software to run it) on a single OpenBSD 6.6 server.
  3. For any additional information regarding commands and configuration files mentioned here, check the man pages [online](https://man.openbsd.org/) or directly on your server with the man command.
  4. {! backend/installation/generic_dependencies.include !}
  5. ### Preparing the system
  6. #### Required software
  7. To install them, run the following command (with doas or as root):
  8. ```
  9. pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick libvips
  10. ```
  11. Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt.
  12. #### Optional software
  13. Per [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md):
  14. * ImageMagick
  15. * ffmpeg
  16. * exiftool
  17. To install the above:
  18. ```
  19. pkg_add ImageMagick ffmpeg p5-Image-ExifTool
  20. ```
  21. #### Creating the pleroma user
  22. Pleroma will be run by a dedicated user, \_pleroma. Before creating it, insert the following lines in login.conf:
  23. ```
  24. pleroma:\
  25. :datasize-max=1536M:\
  26. :datasize-cur=1536M:\
  27. :openfiles-max=4096
  28. ```
  29. This creates a "pleroma" login class and sets higher values than default for datasize and openfiles (see [login.conf(5)](https://man.openbsd.org/login.conf)), this is required to avoid having pleroma crash some time after starting.
  30. Create the \_pleroma user, assign it the pleroma login class and create its home directory (/home/\_pleroma/): `useradd -m -L pleroma _pleroma`
  31. #### Clone pleroma's directory
  32. Enter a shell as the \_pleroma user. As root, run `su _pleroma -;cd`. Then clone the repository with `git clone -b stable https://git.pleroma.social/pleroma/pleroma.git`. Pleroma is now installed in /home/\_pleroma/pleroma/, it will be configured and started at the end of this guide.
  33. #### PostgreSQL
  34. Start a shell as the \_postgresql user (as root run `su _postgresql -` then run the `initdb` command to initialize postgresql:
  35. You will need to specify pgdata directory to the default (/var/postgresql/data) with the `-D <path>` and set the user to postgres with the `-U <username>` flag. This can be done as follows:
  36. ```
  37. initdb -D /var/postgresql/data -U postgres
  38. ```
  39. If you are not using the default directory, you will have to update the `datadir` variable in the /etc/rc.d/postgresql script.
  40. When this is done, enable postgresql so that it starts on boot and start it. As root, run:
  41. ```
  42. rcctl enable postgresql
  43. rcctl start postgresql
  44. ```
  45. To check that it started properly and didn't fail right after starting, you can run `ps aux | grep postgres`, there should be multiple lines of output.
  46. #### httpd
  47. httpd will have three functions:
  48. * redirect requests trying to reach the instance over http to the https URL
  49. * serve a robots.txt file
  50. * get Let's Encrypt certificates, with acme-client
  51. Insert the following config in httpd.conf:
  52. ```
  53. # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
  54. ext_inet="<IPv4 address>"
  55. ext_inet6="<IPv6 address>"
  56. server "default" {
  57. listen on $ext_inet port 80 # Comment to disable listening on IPv4
  58. listen on $ext_inet6 port 80 # Comment to disable listening on IPv6
  59. listen on 127.0.0.1 port 80 # Do NOT comment this line
  60. log syslog
  61. directory no index
  62. location "/.well-known/acme-challenge/*" {
  63. root "/acme"
  64. request strip 2
  65. }
  66. location "/robots.txt" { root "/htdocs/local/" }
  67. location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
  68. }
  69. types {
  70. }
  71. ```
  72. Do not forget to change *<IPv4/6 address\>* to your server's address(es). If httpd should only listen on one protocol family, comment one of the two first *listen* options.
  73. Create the /var/www/htdocs/local/ folder and write the content of your robots.txt in /var/www/htdocs/local/robots.txt.
  74. Check the configuration with `httpd -n`, if it is OK enable and start httpd (as root):
  75. ```
  76. rcctl enable httpd
  77. rcctl start httpd
  78. ```
  79. #### acme-client
  80. acme-client is used to get SSL/TLS certificates from Let's Encrypt.
  81. Insert the following configuration in /etc/acme-client.conf:
  82. ```
  83. #
  84. # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
  85. #
  86. authority letsencrypt-<domain name> {
  87. #agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  88. api url "https://acme-v02.api.letsencrypt.org/directory"
  89. account key "/etc/acme/letsencrypt-privkey-<domain name>.pem"
  90. }
  91. domain <domain name> {
  92. domain key "/etc/ssl/private/<domain name>.key"
  93. domain certificate "/etc/ssl/<domain name>.crt"
  94. domain full chain certificate "/etc/ssl/<domain name>.fullchain.pem"
  95. sign with letsencrypt-<domain name>
  96. challengedir "/var/www/acme/"
  97. }
  98. ```
  99. Replace *<domain name\>* by the domain name you'll use for your instance. As root, run `acme-client -n` to check the config, then `acme-client -ADv <domain name>` to create account and domain keys, and request a certificate for the first time.
  100. Make acme-client run everyday by adding it in /etc/daily.local. As root, run the following command: `echo "acme-client <domain name>" >> /etc/daily.local`.
  101. Relayd will look for certificates and keys based on the address it listens on (see next part), the easiest way to make them available to relayd is to create a link, as root run:
  102. ```
  103. ln -s /etc/ssl/<domain name>.fullchain.pem /etc/ssl/<IP address>.crt
  104. ln -s /etc/ssl/private/<domain name>.key /etc/ssl/private/<IP address>.key
  105. ```
  106. This will have to be done for each IPv4 and IPv6 address relayd listens on.
  107. #### relayd
  108. relayd will be used as the reverse proxy sitting in front of pleroma.
  109. Insert the following configuration in /etc/relayd.conf:
  110. ```
  111. # $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $
  112. ext_inet="<IPv4 address>"
  113. ext_inet6="<IPv6 address>"
  114. table <pleroma_server> { 127.0.0.1 }
  115. table <httpd_server> { 127.0.0.1 }
  116. http protocol plerup { # Protocol for upstream pleroma server
  117. #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
  118. tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
  119. tls ecdhe secp384r1
  120. # Forward some paths to the local server (as pleroma won't respond to them as you might want)
  121. pass request quick path "/robots.txt" forward to <httpd_server>
  122. # Append a bunch of headers
  123. match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by pleroma but adding them won't hurt
  124. match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  125. match response header append "X-XSS-Protection" value "1; mode=block"
  126. match response header append "X-Permitted-Cross-Domain-Policies" value "none"
  127. match response header append "X-Frame-Options" value "DENY"
  128. match response header append "X-Content-Type-Options" value "nosniff"
  129. match response header append "Referrer-Policy" value "same-origin"
  130. match response header append "X-Download-Options" value "noopen"
  131. match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
  132. match request header append "Connection" value "upgrade"
  133. #match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working.
  134. # If you do not want remote frontends to be able to access your Pleroma backend server, comment these lines
  135. match response header append "Access-Control-Allow-Origin" value "*"
  136. match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS"
  137. match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key"
  138. match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id"
  139. # Stop commenting lines here
  140. }
  141. relay wwwtls {
  142. listen on $ext_inet port https tls # Comment to disable listening on IPv4
  143. listen on $ext_inet6 port https tls # Comment to disable listening on IPv6
  144. protocol plerup
  145. forward to <pleroma_server> port 4000 check http "/" code 200
  146. forward to <httpd_server> port 80 check http "/robots.txt" code 200
  147. }
  148. ```
  149. Again, change *<IPv4/6 address\>* to your server's address(es) and comment one of the two *listen* options if needed. Also change *wss://CHANGEME.tld* to *wss://<your instance's domain name\>*.
  150. Check the configuration with `relayd -n`, if it is OK enable and start relayd (as root):
  151. ```
  152. rcctl enable relayd
  153. rcctl start relayd
  154. ```
  155. ##### (Strongly recommended) serve media on another domain
  156. Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
  157. #### pf
  158. Enabling and configuring pf is highly recommended.
  159. In /etc/pf.conf, insert the following configuration:
  160. ```
  161. # Macros
  162. if="<network interface>"
  163. authorized_ssh_clients="any"
  164. # Skip traffic on loopback interface
  165. set skip on lo
  166. # Default behavior
  167. set block-policy drop
  168. block in log all
  169. pass out quick
  170. # Security features
  171. match in all scrub (no-df random-id)
  172. block in log from urpf-failed
  173. # Rules
  174. pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP
  175. pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6
  176. pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd
  177. pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh
  178. ```
  179. Replace *<network interface\>* by your server's network interface name (which you can get with ifconfig). Consider replacing the content of the authorized\_ssh\_clients macro by, for example, your home IP address, to avoid SSH connection attempts from bots.
  180. Check pf's configuration by running `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` and enable pf at boot with `rcctl enable pf`.
  181. #### Configure and start pleroma
  182. Enter a shell as \_pleroma (as root `su _pleroma -`) and enter pleroma's installation directory (`cd ~/pleroma/`).
  183. Then follow the main installation guide:
  184. * run `mix deps.get`
  185. * run `MIX_ENV=prod mix pleroma.instance gen` and enter your instance's information when asked
  186. * copy config/generated\_config.exs to config/prod.secret.exs. The default values should be sufficient but you should edit it and check that everything seems OK.
  187. * exit your current shell back to a root one and run `psql -U postgres -f /home/_pleroma/pleroma/config/setup_db.psql` to setup the database.
  188. * return to a \_pleroma shell into pleroma's installation directory (`su _pleroma -;cd ~/pleroma`) and run `MIX_ENV=prod mix ecto.migrate`
  189. As \_pleroma in /home/\_pleroma/pleroma, you can now run `LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server` to start your instance.
  190. In another SSH session/tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that *uri*'s value is your instance's domain name.
  191. ##### Starting pleroma at boot
  192. An rc script to automatically start pleroma at boot hasn't been written yet, it can be run in a tmux session (tmux is in base).
  193. #### Create administrative user
  194. If your instance is up and running, you can create your first user with administrative rights with the following command as the \_pleroma user.
  195. ```
  196. LC_ALL=en_US.UTF-8 MIX_ENV=prod mix pleroma.user new <username> <your@emailaddress> --admin
  197. ```
  198. #### Further reading
  199. {! backend/installation/further_reading.include !}
  200. ## Questions
  201. Questions about the installation or didn’t it work as it should be, ask in [#pleroma:libera.chat](https://matrix.to/#/#pleroma:libera.chat) via Matrix or **#pleroma** on **libera.chat** via IRC.