• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    公众号

alevchuk/pi-mastodon: Mastodon on a Pi via Tor

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

alevchuk/pi-mastodon

开源软件地址(OpenSource Url):

https://github.com/alevchuk/pi-mastodon

开源编程语言(OpenSource Language):


开源软件介绍(OpenSource Introduction):

pi-mastodon

Mastodon on a Pi via Tor

img2

Based on official Mastodon instructions - yet more paranoid, setup on Raspberry Pi, and made to work over Tor without SSL. This runbook will get you to a working instance, yet some work remains for this runbook:

  1. systemd scripts - so you don't have to restart Mastodon processes manually after rebooting the Pi;
  2. Torify all outgoing connections for additional privacy for your instance;
  3. SD card image (a la mynode) for those who don't have time to learn linux system administration.

Known bugs:

  1. Following external clearnet users seems to be broken. No errors when trying to follow. Yet the number "Followed" on the profile does not change. For one of the users I'm gettting the following warning error in the sidekiq service (this seems to be the only error or warning on the backend):
2021-02-06T16:25:51.361Z pid=9301 tid=3r35 WARN: {"context":"Job raised exception","job":{"retry":16,"queue":"push","dead":false,"class":"ActivityPub::DeliveryWorker","args":["{\"@context\":\"https://www.w3.org/ns/activitystreams\",\"id\":\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/456fd875-c446-4990-949f-114c74165609\",\"type\":\"Follow\",\"actor\":\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/users/admin4\",\"object\":\"https://x0f.org/users/orionwl\"}",4,"https://x0f.org/users/orionwl/inbox"],"jid":"e3e4f111f4763a56c3d126d3","created_at":1612627346.7334015,"enqueued_at":1612628750.4727335,"error_message":"https://x0f.org/users/orionwl/inbox returned code 401","error_class":"Mastodon::UnexpectedResponseError","failed_at":1612627347.4861543,"retry_count":5,"retried_at":1612627942.162155},"jobstr":"{\"retry\":16,\"queue\":\"push\",\"dead\":false,\"class\":\"ActivityPub::DeliveryWorker\",\"args\":[\"{\\\"@context\\\":\\\"https://www.w3.org/ns/activitystreams\\\",\\\"id\\\":\\\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/456fd875-c446-4990-949f-114c74165609\\\",\\\"type\\\":\\\"Follow\\\",\\\"actor\\\":\\\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/users/admin4\\\",\\\"object\\\":\\\"https://x0f.org/users/orionwl\\\"}\",4,\"https://x0f.org/users/orionwl/inbox\"],\"jid\":\"e3e4f111f4763a56c3d126d3\",\"created_at\":1612627346.7334015,\"enqueued_at\":1612628750.4727335,\"error_message\":\"https://x0f.org/users/orionwl/inbox returned code 401\",\"error_class\":\"Mastodon::UnexpectedResponseError\",\"failed_at\":1612627347.4861543,\"retry_count\":5,\"retried_at\":1612627942.162155}"}

Community announcement https://bitcoinhackers.org/web/statuses/105606424919493898

Uodates:

Table of contents

1. Get hardware

Total 91 USD as of 2021-01-19

If you want a Raid mirror for data protection follow https://github.com/alevchuk/minibank/blob/first/README.md#hardware

2. Install operating system and check temperature

External links to minibank wiki:

  1. Operating System
  2. First time login
  3. Heat
  4. Netwrok
  5. Convenience Stuff - to make it comfortable

3. Setup 64-bit capability

For Mast to work you'll need 64-bit dependency binaries so lets setup a 64-bit Kernel and schroot (if you need to know what this does, read https://medium.com/for-linux-users/how-to-make-your-raspberry-pi-4-faster-with-a-64-bit-kernel-77028c47d653):

  1. Update the kernel and enable 64 bit mode:

First check if you aleady have this step done, run:

uname -a  # if you see "aarch64 GNU/Linux" then this step is done and you can skip this setep, and go to intalling debootstrap

Run:

sudo rpi-update  # there will be interactive prompt, press "y" to proceed

Reboot #1:

sudo reboot

Edit kernel parameters (use vi or if unfamiliar, use nano):

sudo vi /boot/config.txt

In the [pi4] section add:

arm_64bit=1

Reboot #2:

sudo reboot

Check:

uname -a  # you should you see "aarch64 GNU/Linux" at the end of the line
  1. Install debootstrap and schroot
sudo apt install -y debootstrap schroot
  1. Create mastodon user:
sudo adduser --disabled-password mastodon  # when prompted press and hold Enter
  1. Form "admin" account (that has sudo) run:
sudo mkdir /mnt/mastodon
sudo chown -R mastodon /mnt/mastodon

cat << EOF | sudo tee /etc/schroot/chroot.d/mastodon64
[mastodon64]
description=builds that need 64-bit environment
type=directory
directory=/mnt/mastodon/pi64
users=mastodon
root-groups=root
profile=desktop
personality=linux
preserve-environment=true
EOF

sudo debootstrap --arch arm64 buster /mnt/mastodon/pi64

sudo schroot -c mastodon64 -- apt update
sudo schroot -c mastodon64 -- apt upgrade -y

sudo mkdir -p /mnt/mastodon/pi64/mnt/mastodon
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/src
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/gocode
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/bin
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/live

sudo chown -R mastodon /mnt/mastodon/pi64/mnt/mastodon

4. Get a Tor .onion address

  1. Install Tor
sudo apt install -y tor
  1. Edit /etc/tor/torrc (use vi if familiary, otherwise nano):
sudo vi /etc/tor/torrc
  • at the end of the file add:
HiddenServiceDir /var/lib/tor/hidden_service_tmp/
HiddenServicePort 80 127.0.0.1:80
  1. Run the following, you can run it multiple times - until you see an address that you like:
sudo rm -rf /var/lib/tor/hidden_service_tmp/ &&  sudo service tor restart && sleep 4 && sudo cat /var/lib/tor/hidden_service_tmp/hostname

Other options:

  1. Persist
sudo mv /var/lib/tor/hidden_service_tmp /var/lib/tor/hidden_service_mastodon

  1. Change tor config to use the persisted version:
sudo vi /etc/tor/torrc
  • at the end of the file change:
HiddenServiceDir /var/lib/tor/hidden_service_tmp/
  • to:
HiddenServiceDir /var/lib/tor/hidden_service_mastodon/
  1. Restart Tor and print your new hostname
sudo service tor restart

sudo service tor status  # check that it's running
sudo cat /var/lib/tor/hidden_service_mastodon/hostname  # print your .onion address

5. Install Mastodon dependencies inside schroot

  1. From "admin" account run
sudo schroot -c mastodon64 -- apt install -y imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev file git \
  g++ libprotobuf-dev protobuf-compiler pkg-config gcc autoconf \
  bison build-essential libssl-dev libyaml-dev libreadline6-dev \
  zlib1g-dev libncurses5-dev libffi-dev libgdbm-dev \
  redis-tools \
  certbot python-certbot-nginx yarn libidn11-dev libicu-dev libjemalloc-dev \
  python3.7 python3-distutils \
  curl
  1. Setup symlinks
sudo su -l mastodon
schroot -c mastodon64

ln -s /mnt/mastodon/src ~/src
ln -s /mnt/mastodon/gocode ~/gocode
ln -s /mnt/mastodon/bin ~/bin
ln -s /mnt/mastodon/live ~/live
  1. Setup convenience

We already did convenience in the admin account (host operating system), now it's time to do the same inside the schroot

sudo schroot -c mastodon64

and go thru Convenience Stuff - to make it comfortable inside the schroot. Yet:

  • Skip "Name your Pi" and "Timezone"
  • Don't include sudo in the commands

6. Build node.js and yarn

  • Prerequisit: you need to be logged in as "mastodon" followed by going into schroot:
sudo su -l mastodon
schroot -c mastodon64
  1. Build node.js (includes NPM)
git clone https://github.com/nodejs/node.git ~/src/node
cd ~/src/node
git fetch
git checkout $(git tag | grep v12 | sort -V | grep -v  rc | tail -n1)  # latest minor version of 12
./configure --prefix $HOME/bin
make  # negtive (-): this will take all day; postitive (+): building from source has transparency advantages
make install

  1. Add the following to ~/.profile
export PATH=$HOME/bin/bin:$PATH

Load ~/.profile

. ~/.profile

  1. Install Yarn:
npm install -g yarn

7. Install Ruby and Bundler

  1. Install rbenv and rbenv-build:
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
cd ~/.rbenv && src/configure && make -C src
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.profile
echo 'eval "$(rbenv init -)"' >> ~/.profile
. ~/.profile
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
  1. Install ruby
RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 2.7.2
rbenv global 2.7.2
  1. Install bundler
gem install bundler --no-document
  1. Exist out of schroot
exit  # or press Ctrl-d
  1. Return to admin user:
exit  # or press Ctrl-d

8. Install PostgreSQL

  1. On "admin" account (not inside schroot), install default PostgreSQL version 11:
sudo apt install -y postgresql postgresql-contrib
  1. Get PGTune parameters for you're RAM / Cores https://pgtune.leopard.in.ua/#/
  • put PG Version 11
  • 2 GB RAM (if you bought what's linked above)
  • 4 CPU cores (if you bought what's linked above)
  1. Add the tune parameters at the end of:
sudo vi /etc/postgresql/11/main/postgresql.conf
  1. Restart PstgreSQL
sudo systemctl restart postgresql
  1. Generate a random DB_PASSWORD:
openssl rand -base64 32 | sed 's/+//g' | tr '[A-Z]' '[a-z]' | tr -cd '[0-9a-z\n]'
  1. Add DB user:
sudo -u postgres psql

and when prompted, paste the following line-by-line:

  • replace DB_PASSWORD with the password you generated in setp 5
CREATE USER mastodon CREATEDB;
ALTER USER mastodon PASSWORD 'DB_PASSWORD';
\q

9. Install Redis

  1. On "admin" account (not inside schroot), install default system Redis:
sudo apt install -y redis-server

10. Setup Mastodon

  • Prerequisit: you need to be logged in as "mastodon" followed by going into schroot:
sudo su -l mastodon
schroot -c mastodon64
  1. Get Mastodon source code:
git clone https://github.com/tootsuite/mastodon.git ~/live
cd ~/live
git fetch
git checkout $(git tag | grep v3.3 | sort -V | tail -n1)  # latest minor version of v3.3
  1. Install Ruby and JavaScript dependencies
cd ~/live

bundle config deployment 'true'
bundle config without 'development test'
bundle install -j$(getconf _NPROCESSORS_ONLN) 
yarn install --pure-lockfile
  1. Run the setup wizard
  • this will take a long time and interactively ask questions
RAILS_ENV=production bundle exec rake mastodon:setup  # if you are re-running this command AND want to destory current data and create an empty database, add DISABLE_DATABASE_ENVIRONMENT_CHECK=1

  • Domain name: put your onion address from earlier step
  • Single user mode: No
  • Docker: No
  • PostgreSQL host: localhost
  • Port: Enter (uses the default)
  • Name of PostgreSQL database: press Enter
  • Name of PostgreSQL user: press Enter
  • Password of PostgreSQL user: DB_PASSWORD from earlier step (password does not echo back, so just pasted it and press Enter)
  • Redis host: press Enter
  • Redis port: 6379
  • Redis password: press Enter
  • Do you want to store uploaded files on the cloud?: press Enter
  • Do you want to send e-mails from localhost? press Enter
  • press Enter for many email related questions
  • Send a test e-mail with this configuration right now? no
  • press Enter for the rest of the questions
  1. Write down your admin E-mail and password. Ok if you loose it - it's easy to re-create like this:
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
RAILS_ENV=production ./bin/tootctl accounts create admin2 --role admin --email [email protected]

  1. Update mastodon config:
vi ~/.env.production

on top add:

HTTPS_KEY=off
SERVER_PROTOCOL=http
PORT=3001
BIND=127.0.0.1

LOCAL_DOMAIN=ONION_SITE_GOES_HERE
STREAMING_API_BASE_URL=http://ONION_SITE_GOES_HERE
CDN_HOST=http://ONION_SITE_GOES_HERE

  • replace ONION_SITE_GOES_HERE with the onion address you generated earlier (e.g. a1b2c3.onion)
  1. Start 3 mastodon services. Later, we'll setup these as systemd services that get restarted automatically if they crash. Yet, at this stage you'll need to learn how to use multiple virtual windowns in Screen and run all 3 services in parallel:
# in screen window 1
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
PORT=3001 RAILS_ENV=production bundle exec rails s

# in sceen window 2
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
RAILS_ENV=production DB_POOL=25 MALLOC_ARENA_MAX=2 /home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25

# in screen window 3
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
NODE_ENV=production PORT=4000 /home/mastodon/bin/bin/node ./streaming

11. Setup Nginx

  1. On "admin" account (not inside schroot), install nginx
sudo apt install -y nginx

  1. Create new config
sudo vi /etc/nginx/sites-available/mastodon

Paste the following, yet replace ONION_SITE_GOES_HERE with your .onion address generated at an earlier step (e.g. a1b2c3.onion)

upstream backend {
    server 127.0.0.1:3001 fail_timeout=0;
}

upstream streaming {
    server 127.0.0.1:4000 fail_timeout=0;
}

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  listen [::]:80;
  server_name ONION_SITE_GOES_HERE;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;

  root /mnt/mastodon/pi64/mnt/mastodon/live/public;

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  add_header X-Frame-Options "DENY";

  add_header Content-Security-Policy "default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self'; img-src 'self' data: blob: http://ONION_SITE_GOES_HERE; media-src 'self' data: http://ONION_SITE_GOES_HERE; frame-src 'none'; font-src 'self' data: http://ONION_SITE_GOES_HERE; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; connect-src 'self' blob: wss://ONION_SITE_GOES_HERE";

  location / {
    try_files $uri @proxy;
  }
  
  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    try_files $uri @proxy;
  }

  location /sw.js {
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_set_header Proxy "";

    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }
  
  error_page 500 501 502 503 504 /500.html;
  access_log /var/log/nginx/mastodon_access.log;
  error_log /var/log/nginx/mastodon_error.log warn;
}
  1. Edit top-level config:
sudo vi /etc/nginx/nginx.conf

Add:

    server_names_hash_bucket_size 65;
    

And comment out all setting that start with "ssl":


    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    #ssl_prefer_server_ciphers on;
  1. Enable config:
sudo ln -s /etc/nginx/sites-available/mastodon /etc/nginx/sites-enabled/mastodon

  1. Restart nginx:
sudo systemctl restart nginx

12. Remove HTTPS from Mastodon

Tor does not need HTTPS. Moreover it does damage, signing SSL Certrficates is costly and cetralized (most authorities will not even sign a .onion address). Self-singned cettificated generate warnings that are very hard to bypass and get users acistomed to ignoring warnings that are imporatnt on clearnet.

Yet Mastadon is hardcoded to use HTTPS. So lets de-hardcode it.

  1. Check that everything was installed correctly:
cd ~/live
git log -n1 # should say "commit 444b21b55ff5768e4cbbaf7cfa8285c65a4b54f9 (HEAD, tag: v3.3.0rc3)"

git status  # should say "nothing to commit, working tree clean"

sha256sum vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/redirecting.rb
# shuld say "da60d1e6315e4ef7e88ebb08a30b283cfcea588c0df3f610cd898f6b5fbd7ad9"

sha256sum vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb
# should say "cccb04f6a65890672fffc1b7a6fd7f9d55367e7e0bfc55521a2e5f334db7b06d"
  1. If step 1 does not produce the correct hashes then the following step is probably not going to work. I encoruage you to reach out to me on @[email protected], send by the hashes you get, and I'll help you debug.

Copy the following lage command (all the way to, and including "EOF"), and run it:

sudo su -l mastodon
schroot -c mastodon64
cd ~/live

patch --ignore-whitespace -p1 << 'EOF'
From cb5188b1c5146eb5cacd6b99a695c006b0fa7381 Mon Sep 17 00:00:00 2001
From: Your Name <[email protected]>
Date: Sat, 23 Jan 2021 14:21:59 +0000
Subject: [PATCH] HTTP patch

---
 app/controllers/accounts_controller.rb                      | 6 ++++++
 app/controllers/api/web/base_controller.rb                  | 2 +-
 app/controllers/application_controller.rb                   | 2 +-
 app/controllers/auth/sessions_controller.rb                 | 3 +++
 app/controllers/settings/sessions_controller.rb             | 3 ---
 app/models/user.rb                                          | 3 ++-
 config/environments/development.rb                          | 3 +++
 config/environments/production.rb                           | 2 ++
 config/initializers/1_hosts.rb                              | 2 +-
 config/initializers/devise.rb                               | 4 ++--
 config/initializers/session_store.rb                        | 2 +-
 config/navigation.rb                                        | 2 +-
 .../lib/action_controller/metal/redirecting.rb              | 2 +-
 .../gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb | 2 +-
 14 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index b902ada09..4d9c1e2ae 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -1,6 +1,12 @@
 # frozen_string_literal: true

 class AccountsController < ApplicationController
+  force_ssl if: :ssl_configured?
+
+  def ssl_configured?
+    false
+  end
+
   PAGE_SIZE     = 20
   PAGE_SIZE_MAX = 200

diff --git a/app/controllers/api/web/base_controller.rb b/app/controllers/api/web/base_controller.rb
index 8da549b3a..6bb80f857 100644
--- a/app/controllers/api/web/base_controller.rb
+++ b/app/controllers/api/web/base_controller.rb
@@ -2,7 +2,7 @@

 class Api::Web::BaseController < Api::BaseController
   protect_from_forgery with: :exception
-
+
   rescue_from ActionController::InvalidAuthenticityToken do
     render json: { error: "Can't verify CSRF token authenticity." }, status: 422
   end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 44616d6e5..38865c16b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base
   private

   def https_enabled?
-    Rails.env.production? && !request.path.start_with?('/health')
 
                       
                    
                    

鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
上一篇:
mastodon-sc/mastodon-graph发布时间:2022-08-18
下一篇:
shioko/mastodon-strawberry: 草莓象主题重置版发布时间:2022-08-18
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap