Blame
Date:
Mon Jan 23 05:00:25 2023 UTC
Message:
Daily backup
001
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Linux; Android 8.1.0; vivo 1820 Build/O11019) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.141 Mobile Safari/537.36
author=Yonle
charset=UTF-8
csum=
ctime=1669393923
host=182.1.43.26
name=Akkoma.Install
rev=32
targets=
text=(:title Akkoma:)%0aAkkoma is a fork of the Pleroma project with additional features.%0a%0aThis guide describes the installation and configuration of Akkoma (and the software required to run it) on a single OpenBSD 7.2 server.%0a%0a!! Installation%0aFirst, install the required dependencies:%0a[@%0a# pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick p5-Image-ExifTool libmagic erlang-wx%0a@]%0a%0aPick the latest version of @@erlang-wx@@ when asked.%0a%0aAkkoma will run as a dedicated user. Before creating it, edit @@/etc/login.conf@@ and add:%0a[@%0aakkoma:\%0a :datasize-max=1536M:\%0a :datasize-cur=1536M:\%0a :openfiles-max=4096%0a@]%0a%0aThis creates an "akkoma" login class with higher datasize and openfiles limits than the default (see login.conf(5)); without them akkoma crashes some time after starting. If @@/etc/login.conf.db@@ exists on your system, run @@cap_mkdb /etc/login.conf@@ afterwards so the new class is picked up.%0a%0aCreate the @@_akkoma@@ user, assign it the akkoma login class and create its home directory (@@/home/_akkoma/@@):%0a[@%0a# useradd -m -L akkoma _akkoma%0a@]%0a%0aEnter a shell as the _akkoma user. As root, run%0a[@%0a# su -l _akkoma%0a@]%0a%0aBecause we're running in a VM, disable the BEAM's time correction, which on a VM can interrupt compilation, and its scheduler busy-waiting, which burns CPU for little gain on a VM. Create @@~/.vm.args@@ containing:%0a%0a[@%0a+c false%0a+sbwt none%0a+sbwtdcpu none%0a+sbwtdio none%0a@]%0a%0aThen save it.%0a%0aEdit @@~/.profile@@ and add this to the bottom of the file:%0a%0a[@%0aexport LC_ALL=en_US.UTF-8%0aalias mix="elixir --erl \"-args_file $HOME/.vm.args\" -S $(command -v mix)"%0a@]%0a%0aSave it, then reload it in the current shell (@@. ~/.profile@@) or log in again; the @@mix@@ commands below rely on this alias to pass @@~/.vm.args@@ to the VM.%0a%0aThen clone the repository:%0a[@%0a$ git clone https://akkoma.dev/AkkomaGang/akkoma.git%0a@]%0a%0aThis checks out the repository's default (development) branch; for a production instance consider the stable branch instead (@@git clone -b stable ...@@, as earlier revisions of this page did).%0a%0aAkkoma is now installed in @@/home/_akkoma/akkoma/@@; it will be configured and started at the end of this guide.%0a%0a!! Setting up the database: postgresql%0aStart a shell as the _postgresql user. 
As root, run%0a[@%0a# su -l _postgresql%0a@]%0a%0aThen run initdb to initialize the cluster. Point the data directory at the default (@@/var/postgresql/data@@) with @@-D %3cpath>@@ and name the superuser postgres with @@-U %3cusername>@@:%0a%0a[@%0a$ initdb -D /var/postgresql/data -U postgres%0a@]%0a%0aWithout an @@-A@@ option initdb writes a @@pg_hba.conf@@ that trusts every local connection, so any local user can connect as @@postgres@@ without a password. That is what lets the @@psql -U postgres@@ step later in this guide work, but on a host with other local users add @@-A scram-sha-256 -W@@ (and @@-E UTF-8@@ so new databases default to UTF-8) and expect to be asked for the password at that step.%0a%0aIf you are not using the default directory, you will also have to update the @@datadir@@ variable in the @@/etc/rc.d/postgresql@@ script.%0a%0aWhen this is done, enable postgresql so that it starts on boot and start it. As root, run:%0a[@%0a# rcctl enable postgresql%0a# rcctl start postgresql%0a@]%0a%0aTo check that it started properly and did not fail right after starting, run @@rcctl check postgresql@@ (or @@ps aux | grep postgres@@; there should be multiple lines of output).%0a%0a!! Configuring httpd%0ahttpd will have three functions:%0a%0a# Redirect requests that reach the instance over http to the https URL%0a# Serve a robots.txt file%0a# Get Let's Encrypt certificates, with acme-client%0a%0aInsert the following config in @@/etc/httpd.conf@@:%0a%0a[@%0a# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $%0a%0aext_inet="%3cIPv4 address>"%0aext_inet6="%3cIPv6 address>"%0a%0aserver "default" {%0a listen on $ext_inet port 80 # Comment to disable listening on IPv4%0a listen on $ext_inet6 port 80 # Comment to disable listening on IPv6%0a listen on 127.0.0.1 port 80 # Do NOT comment this line%0a%0a log syslog%0a directory no index%0a%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a%0a location "/robots.txt" { root "/htdocs/" }%0a location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }%0a}%0a@]%0a%0aDo not forget to change @@%3cIPv4/6 address>@@ to your server's address(es). 
If httpd should only listen on one protocol family, comment out one of the first two listen lines. The 127.0.0.1 listener must stay: relayd forwards @@/robots.txt@@ to it.%0a%0aWrite the content of your @@robots.txt@@ in @@/var/www/htdocs/robots.txt@@:%0a[@%0aUser-Agent: *%0aDisallow:%0a@]%0a%0aCheck the httpd configuration:%0a[@%0a# httpd -n%0a@]%0a%0aIf it's OK, enable and start httpd:%0a[@%0a# rcctl enable httpd%0a# rcctl start httpd%0a@]%0a%0a!! acme-client%0aSee https://wiki.ircnow.org/index.php?n=Acme-client.Configure%0a%0aThe @@tls { keypair fedi.example.com }@@ line in the relayd configuration below expects the certificate in @@/etc/ssl/fedi.example.com.crt@@ and the key in @@/etc/ssl/private/fedi.example.com.key@@, so obtain the certificate before starting relayd.%0a%0a!! Configuring relayd%0arelayd will be used as the reverse proxy sitting in front of akkoma. Insert the following configuration in @@/etc/relayd.conf@@:%0a%0a[@%0a# $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $%0a%0aext_inet="%3cIPv4 address>"%0aext_inet6="%3cIPv6 address>"%0a%0atable %3cakkoma_server> { 127.0.0.1 }%0atable %3chttpd_server> { 127.0.0.1 }%0a%0ahttp protocol plerup { # Protocol for upstream akkoma server%0a #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit%0a tls { keypair fedi.example.com }%0a%0a # Forward some paths to the local httpd (akkoma won't answer them the way you might want)%0a pass request quick path "/robots.txt" forward to %3chttpd_server>%0a%0a # Append a few headers%0a match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # These two headers are not strictly required by akkoma but adding them won't hurt%0a match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"%0a%0a match request header append "Connection" value "upgrade"%0a}%0a%0arelay www {%0a listen on $ext_inet port https tls # Remove this relay to disable listening on IPv4%0a%0a protocol plerup%0a%0a forward to %3cakkoma_server> port 4000%0a}%0a%0arelay www6 {%0a listen on $ext_inet6 port https tls # Remove this relay to disable listening on IPv6%0a%0a protocol plerup%0a%0a forward to %3cakkoma_server> port 4000%0a}%0a@]%0a%0aChange @@fedi.example.com@@ to your instance domain.%0a%0aAgain, change @@%3cIPv4 address>@@ and 
@@%3cIPv6 address>@@ to your server's address(es); if the server has only one protocol family, delete the relay block for the other one (a relay without a listen line is not valid).%0a%0aEarlier revisions of this page also set browser security headers here (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and a commented-out Strict-Transport-Security). They were dropped as unnecessary: Akkoma sends the first four itself when its @@:http_security@@ setting is enabled, which is the default. HSTS is not sent by default, so once HTTPS works enable it in @@config/prod.secret.exs@@ (@@config :pleroma, :http_security, sts: true@@) or add a @@match response header@@ rule for it here.%0a%0aThe relays above forward only to @@%3cakkoma_server>@@, while the protocol's @@/robots.txt@@ rule still forwards to @@%3chttpd_server>@@. If @@relayd -n@@ rejects that rule because the relay does not forward to that table, add @@forward to %3chttpd_server> port 80@@ to both relays (as earlier revisions of this page did).%0a%0aCheck the configuration with @@relayd -n@@; if it is OK, enable and start relayd (as root):%0a[@%0a# rcctl enable relayd%0a# rcctl start relayd%0a@]%0a%0a!! Configuring pf%0aEnabling and configuring pf is highly recommended. In @@/etc/pf.conf@@, insert the following configuration:%0a%0a[@%0a# Macros%0aif="%3cnetwork interface>"%0aauthorized_ssh_clients="any"%0a%0a# Skip traffic on loopback interface%0aset skip on lo%0a%0a# Default behavior%0aset block-policy drop%0ablock in log all%0apass out quick%0a%0a# Security features%0amatch in all scrub (no-df random-id)%0ablock in log from urpf-failed%0a%0a# Rules%0apass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP%0apass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6%0apass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd%0apass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh%0a@]%0a%0aReplace @@%3cnetwork interface>@@ with your server's network interface name (which you can get with ifconfig). Consider replacing the content of the @@authorized_ssh_clients@@ macro with, for example, your home IP address, so that bots cannot even attempt SSH logins.%0a%0aCheck pf's configuration by running @@pfctl -nf /etc/pf.conf@@, load it with @@pfctl -f /etc/pf.conf@@ and enable pf at boot with @@rcctl enable pf@@. If you are logged in over SSH, make sure the ssh rule matches the address you are connecting from before loading the rules, or you will lock yourself out.%0a%0a%0a!! 
Configuring and starting akkoma%0aEnter a shell as _akkoma (as root do @@su -l _akkoma@@) and enter akkoma's installation directory:%0a[@%0a$ cd ~/akkoma%0a@]%0a%0aNow run:%0a[@%0a$ mix deps.get%0a@]%0a%0aWhen asked to install Hex, press @@Y@@ then @@RETURN@@/Enter.%0a%0aOnce the dependencies have been retrieved, run%0a[@%0a$ MIX_ENV=prod mix pleroma.instance gen%0a@]%0a%0aWhen asked to install @@rebar3@@, press @@Y@@ then @@RETURN@@/Enter, and enter your instance information when asked.%0a%0aCopy @@config/generated_config.exs@@ to @@config/prod.secret.exs@@. The default values should be sufficient but you should edit it and check that everything seems OK.%0a[@%0a$ cp config/generated_config.exs config/prod.secret.exs%0a@]%0a%0aThis file holds the database password and the @@secret_key_base@@ Phoenix uses to sign session cookies, so make sure it is readable only by @@_akkoma@@ (@@chmod 600 config/prod.secret.exs@@).%0a%0aExit your current shell back to the root one and run the following command to set up the database. The generated @@config/setup_db.psql@@ creates the akkoma database user and database and enables the extensions akkoma needs, which is why it has to run as the postgres superuser:%0a[@%0a# psql -U postgres -f /home/_akkoma/akkoma/config/setup_db.psql%0a@]%0a%0aReturn to the _akkoma shell (@@su -l _akkoma@@, then @@cd ~/akkoma@@) and run%0a[@%0a$ MIX_ENV=prod mix ecto.migrate%0a@]%0a%0aAs @@_akkoma@@ in @@/home/_akkoma/akkoma@@, you can now start your instance with:%0a[@%0a$ MIX_ENV=prod mix phx.server%0a@]%0a%0aIn another SSH session/tmux window, check that it is working properly by running @@ftp -MVo - http://127.0.0.1:4000/api/v1/instance@@; you should get JSON output. Double-check that the value of @@uri@@ is your instance's domain name. Then check the whole chain from outside: @@https://%3cyour domain>/api/v1/instance@@ should return the same JSON through relayd, and @@http://%3cyour domain>/@@ should redirect to https.%0a%0a!! Starting akkoma at boot%0aAs @@_akkoma@@, edit the crontab:%0a[@%0a$ crontab -e%0a@]%0a%0aThen insert this:%0a[@%0a@reboot tmux new -d ". ~/.profile; cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod elixir --erl \"-args_file $HOME/.vm.args\" -S mix phx.server; sleep 5; done"%0a@]%0a%0a@@.@@ is the POSIX spelling of @@source@@. Sourcing @@~/.profile@@ is what puts @@/usr/local/bin@@ (elixir and mix) on the PATH, since cron starts commands with a minimal PATH. It does not make the @@mix@@ alias usable here: sh expands aliases while parsing a command line, and this whole line is parsed before @@.profile@@ runs, so the @@elixir --erl ... -S mix@@ form is written out to make sure @@~/.vm.args@@ is applied. The @@sleep 5@@ keeps the loop from spinning if akkoma exits immediately, for example because postgresql is not up yet.%0a%0a!! 
Create administrative user%0aOnce your instance is up and running, create your first user with administrative rights with the following command as the @@_akkoma@@ user:%0a%0a[@%0a$ MIX_ENV=prod mix pleroma.user new %3cusername> %3cyour@emailaddress> --admin%0a@]%0a%0a!! Installing Frontends%0aOnce your backend server is functional, you will probably also want to install frontends.%0a%0aThese are no longer bundled with the distribution and need an extra command to install.%0a%0aFor most installations, the following will suffice:%0a[@%0a$ export MIX_ENV=prod%0a$ mix pleroma.frontend install pleroma-fe --ref stable%0a$ mix pleroma.frontend install admin-fe --ref stable%0a@]
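The checks the guide asks for by hand at the end (the http to https redirect from httpd, the `uri` value of `/api/v1/instance` seen through relayd, the security headers that relayd no longer adds, and the passwordless "trust" authentication a bare initdb leaves in pg_hba.conf) can be run as one script. This is an added example written for this page, not part of the wiki or of Akkoma. The `SAMPLE_*` values are constructed, not captured from a real server, so the check functions can be exercised offline; the live part assumes OpenBSD's nc(1) (its `-c` flag speaks TLS) and the ports and paths used above.

```shell
#!/bin/sh
# Post-install checks for the httpd + relayd + akkoma + postgresql stack above.
# Added example for this guide; not part of the wiki page or of Akkoma.
# The SAMPLE_* values are constructed, not captured from a real server, so the
# check functions can be exercised offline; live_checks fetches real data.

# ---- constructed samples (not real captures) --------------------------------
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 302 Found\r\nServer: OpenBSD httpd\r\nLocation: https://fedi.example.com/notice/1\r\nConnection: close\r\n\r\n')
SAMPLE_TLS_HEADERS=$(printf 'HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-frame-options: DENY\r\nx-content-type-options: nosniff\r\ncontent-security-policy: default-src '\''none'\''\r\nreferrer-policy: same-origin\r\n\r\n')
SAMPLE_INSTANCE_JSON='{"uri":"fedi.example.com","title":"Example Akkoma","registrations":false}'
SAMPLE_PG_HBA='# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  trust
host    all       all   ::1/128       scram-sha-256'

# header_value RESPONSE NAME: value of header NAME (case-insensitive), or nothing.
# Stops at the blank line so body text is never mistaken for a header.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
        BEGIN { n = tolower(name) }
        /^$/ { exit }
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == n) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
            }
        }'
}

# status_code RESPONSE: numeric status from the first line, e.g. 302.
status_code() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# check_redirect RESPONSE DOMAIN: true when plain http answered with a redirect
# to the https URL of the same host (what the httpd.conf above must produce).
check_redirect() {
    case "$(status_code "$1")" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$(header_value "$1" Location)" in "https://$2/"*) return 0 ;; *) return 1 ;; esac
}

# missing_security_headers RESPONSE: print, one per line, the browser
# protections that neither relayd nor Akkoma's :http_security plug added.
missing_security_headers() {
    for h in Content-Security-Policy X-Frame-Options X-Content-Type-Options \
             Referrer-Policy Strict-Transport-Security; do
        [ -n "$(header_value "$1" "$h")" ] || echo "$h"
    done
}

# instance_uri JSON: the top-level "uri" field of /api/v1/instance. There is no
# JSON parser in the OpenBSD base system, so this is a deliberately narrow sed.
instance_uri() {
    printf '%s' "$1" | sed -n 's/.*[{,][[:space:]]*"uri"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# pg_hba_trust_lines HBA_TEXT: active pg_hba.conf entries using the "trust"
# method, i.e. connections that need no password (what a bare initdb leaves).
pg_hba_trust_lines() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || NF == 0 { next }
        ($1 == "local" && $4 == "trust") || ($1 ~ /^host/ && $5 == "trust")'
}

# live_checks DOMAIN: run the checks against the real stack. Uses OpenBSD
# nc(1); its -c flag speaks TLS (other netcats spell this differently).
live_checks() {
    d=$1
    plain=$(printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$d" | nc -w 5 "$d" 80)
    if check_redirect "$plain" "$d"; then echo "ok: http redirects to https"
    else echo "FAIL: no https redirect from httpd"; fi

    tls=$(printf 'GET /api/v1/instance HTTP/1.0\r\nHost: %s\r\n\r\n' "$d" | nc -c -w 5 "$d" 443)
    hdrs=$(printf '%s\n' "$tls" | tr -d '\r' | sed '/^$/q')
    body=$(printf '%s\n' "$tls" | tr -d '\r' | sed '1,/^$/d')
    if [ "$(instance_uri "$body")" = "$d" ]; then echo "ok: instance uri is $d"
    else echo "FAIL: instance uri is '$(instance_uri "$body")', expected $d"; fi
    m=$(missing_security_headers "$hdrs")
    if [ -z "$m" ]; then echo "ok: security headers present"
    else printf 'WARN: missing response headers:\n%s\n' "$m"; fi

    if [ -r /var/postgresql/data/pg_hba.conf ]; then
        t=$(pg_hba_trust_lines "$(cat /var/postgresql/data/pg_hba.conf)")
        if [ -z "$t" ]; then echo "ok: no trust entries in pg_hba.conf"
        else printf 'WARN: passwordless (trust) entries in pg_hba.conf:\n%s\n' "$t"; fi
    fi
}

# Usage on the server, as root: sh check_stack.sh fedi.example.com
if [ $# -eq 1 ]; then live_checks "$1"; fi
```

Run it as root on the server after relayd is up; a WARN for Strict-Transport-Security is expected until HSTS is enabled in Akkoma or relayd, and a WARN for pg_hba.conf trust entries is expected after a bare initdb on a single-user host.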
time=1670765044
title=Akkoma
author:1670765044=Yonle
diff:1670765044:1670764998:=14c14%0a%3c Create @@akkoma@@ user to be run in dedicated user. Before creating it, Edit @@/etc/login.conf@@:%0a---%0a> Then create @@akkoma@@ user to be run in dedicated user. Before creating it, Edit @@/etc/login.conf@@:%0a
host:1670765044=182.1.43.26
author:1670764998=Yonle
csum:1670764998=Tell user to pick the latest erlang-wx version.
diff:1670764998:1670000202:=9c9%0a%3c # pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick p5-Image-ExifTool libmagic erlang-wx%0a---%0a> # pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick p5-Image-ExifTool libmagic erlang-wx-25.0.4%0a12c12,15%0a%3c Pick the latest version of @@erlang-wx@@ when asked.%0a---%0a> Symlink @@/usr/local/bin/escript25@@ to @@/usr/local/bin/escript@@%0a> [@%0a> # ln -s /usr/local/bin/escript25 /usr/local/bin/escript%0a> @]%0a
host:1670764998=182.1.43.26
author:1670000202=Yonle
diff:1670000202:1669951301:=59c59%0a%3c $ git clone https://akkoma.dev/AkkomaGang/akkoma.git%0a---%0a> $ git clone -b stable https://akkoma.dev/AkkomaGang/akkoma.git%0a
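Review bot: the old line (`>`) cloned with `-b stable` and the new one (`<`) drops it, so the guide now builds whatever the repository's default branch is, which for Akkoma is the development branch. A production instance should pin `-b stable` or a tag, and the text should state which branch is being built so readers can tell what they are running.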
host:1670000202=182.1.63.240
author:1669951301=Yonle
csum:1669951301=cronjob: Load .profile
diff:1669951301:1669950528:=280c280%0a%3c @reboot tmux new -d "source ~/.profile; cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server; done"%0a---%0a> @reboot tmux new -d "cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server; done"%0a
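Review bot: `source ~/.profile` helps only because the skeleton `.profile` puts /usr/local/bin on the PATH (cron starts commands with a minimal PATH); it does not bring back the `mix` alias for the `mix phx.server` on the same line, since sh expands aliases while parsing and the whole string is parsed before `.profile` runs, so `~/.vm.args` is silently not applied. Keep the explicit `elixir --erl \"-args_file $HOME/.vm.args\" -S mix phx.server` form of the previous revision, and spell it `. ~/.profile` (`source` is not in POSIX sh).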
host:1669951301=114.125.20.101
author:1669950528=Yonle
diff:1669950528:1669950351:=280c280%0a%3c @reboot tmux new -d "cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server; done"%0a---%0a> @reboot tmux new -d "cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod elixir --erl \"-args_file $HOME/.vm.args\" -S $(command -v mix) phx.server; done"%0a
host:1669950528=114.125.20.101
author:1669950351=Yonle
csum:1669950351=Cronjob doesn't affiliate aliases. So put the whole command in our own.
diff:1669950351:1669827493:=280c280%0a%3c @reboot tmux new -d "cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod elixir --erl \"-args_file $HOME/.vm.args\" -S $(command -v mix) phx.server; done"%0a---%0a> @reboot tmux new -d "cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server; done"%0a
host:1669950351=114.125.20.101
author:1669827493=Yonle
csum:1669827493=-
diff:1669827493:1669826972:=37,38c37,38%0a%3c Because we're running in a VM, Disable time correction to prevent interruption during compilation, And disable Busy-waiting feature to improve performance a bit. Edit @@~/.vm.args@@, insert:%0a%3c %0a---%0a> Because we're running in a VM, Disable time correction to prevent interruption during compilation. Edit @@~/.vm.args@@, insert:%0a> %0a41,43d40%0a%3c +sbwt none%0a%3c +sbwtdcpu none%0a%3c +sbwtdio none%0a
host:1669827493=51.159.99.217
author:1669826972=Yonle
csum:1669826972=Performance is way matter than speed.
diff:1669826972:1669826265:=37,38c37,38%0a%3c Because we're running in a VM, Disable time correction to prevent interruption during compilation. Edit @@~/.vm.args@@, insert:%0a%3c %0a---%0a> Because we're running in a VM, Disable time correction to prevent interruption during compilation, And disable Busy-waiting feature to improve performance a bit. Edit @@~/.vm.args@@, insert:%0a> %0a40a41,43%0a> +sbwt none%0a> +sbwtdcpu none%0a> +sbwtdio none%0a
host:1669826972=51.159.99.217
author:1669826265=Yonle
csum:1669826265=relayd.conf: Remove unnecessary headers that don't need to set.
diff:1669826265:1669825703:=164a165,171%0a> match response header append "X-XSS-Protection" value "1; mode=block"%0a> match response header append "X-Permitted-Cross-Domain-Policies" value "none"%0a> match response header append "X-Frame-Options" value "DENY"%0a> match response header append "X-Content-Type-Options" value "nosniff"%0a> match response header append "Referrer-Policy" value "same-origin"%0a> match response header append "X-Download-Options" value "noopen"%0a> match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here%0a165a173,180%0a> #match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working.%0a> %0a> # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines%0a> match response header append "Access-Control-Allow-Origin" value "*"%0a> match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS"%0a> match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key"%0a> match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id"%0a> # Stop commenting lines here%0a187c202%0a%3c Again, change @@%3cIPv4 address>@@ and @@%3cIPv6 address>@@ to your server's address(es) and comment one of the two listen options if needed.%0a---%0a> Again, change @@%3cIPv4 address>@@ and @@%3cIPv6 address>@@ to your server's address(es) and comment one of the two listen options if needed. 
Also change @@wss://CHANGEME.tld@@ to @@wss://%3cyour instance's domain name>@@.%0a
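Review bot: this hunk removes every `match response header append` rule (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, the CORS set and the commented-out Strict-Transport-Security line). Akkoma adds the browser-protection headers itself through its `:http_security` plug, so the relayd copies were redundant, but nothing in the remaining configuration ever sends Strict-Transport-Security; the page should say where HSTS is now expected to come from (the `sts` option of `:http_security`, or a relayd rule) so it is not lost with the rest.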
host:1669826265=51.159.99.217
author:1669825703=Yonle
diff:1669825703:1669647755:=37,38c37,38%0a%3c Because we're running in a VM, Disable time correction to prevent interruption during compilation, And disable Busy-waiting feature to improve performance a bit. Edit @@~/.vm.args@@, insert:%0a%3c %0a---%0a> Because we're running in a VM, Disable time correction for BEAM. Edit @@~/.vm.args@@, insert:%0a> %0a41,43d40%0a%3c +sbwt none%0a%3c +sbwtdcpu none%0a%3c +sbwtdio none%0a
host:1669825703=51.159.99.217
author:1669647755=Yonle
csum:1669647755=No need to check. Sometimes it also fails even though it actually works.
diff:1669647755:1669643608:=185c185,186%0a%3c forward to %3cakkoma_server> port 4000%0a---%0a> forward to %3cakkoma_server> port 4000 check http "/" code 200%0a> forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a193c194,195%0a%3c forward to %3cakkoma_server> port 4000%0a---%0a> forward to %3cakkoma_server> port 4000 check http "/" code 200%0a> forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a
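Review bot: dropping the `check http` health checks is fine given the commit message, but the hunk also deletes the `forward to <httpd_server> port 80` line from both relays while the protocol keeps `pass request quick path "/robots.txt" forward to <httpd_server>`. relayd cannot resolve a rule's table unless the relay also forwards to it, so `relayd -n` is expected to reject this configuration; either keep `forward to <httpd_server> port 80` (without the check) or drop the robots.txt rule and the `<httpd_server>` table as well, and verify with `relayd -n`.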
host:1669647755=182.1.52.184
author:1669643608=Yonle
csum:1669643608=Use stable branch
diff:1669643608:1669573545:=56c56%0a%3c $ git clone -b stable https://akkoma.dev/AkkomaGang/akkoma.git%0a---%0a> $ git clone https://akkoma.dev/AkkomaGang/akkoma.git%0a
host:1669643608=51.159.105.252
author:1669573545=Yonle
csum:1669573545=Just let the busy waiting alive.
diff:1669573545:1669573172:=37,38c37,38%0a%3c Because we're running in a VM, Disable time correction for BEAM. Edit @@~/.vm.args@@, insert:%0a%3c %0a---%0a> Because we're running in a VM, Disable busy-waiting and time correction. Edit @@~/.vm.args@@, insert:%0a> %0a40a41,43%0a> +sbwt none%0a> +sbwtdcpu none%0a> +sbwtdio none%0a
host:1669573545=182.1.1.33
author:1669573172=Yonle
diff:1669573172:1669573141:=38d37%0a%3c %0a45d43%0a%3c %0a49d46%0a%3c %0a54d50%0a%3c %0a
host:1669573172=182.1.1.33
author:1669573141=Yonle
diff:1669573141:1669573099:=44,45c44%0a%3c Then save it.%0a%3c %0a---%0a> %0a51d49%0a%3c Then save it.%0a
host:1669573141=182.1.1.33
author:1669573099=Yonle
diff:1669573099:1669572853:=37c37%0a%3c Because we're running in a VM, Disable busy-waiting and time correction. Edit @@~/.vm.args@@, insert:%0a---%0a> Then clone the repository by doing:%0a39,42c39%0a%3c +c false%0a%3c +sbwt none%0a%3c +sbwtdcpu none%0a%3c +sbwtdio none%0a---%0a> $ git clone https://akkoma.dev/AkkomaGang/akkoma.git%0a45c42,45%0a%3c Edit @@~/.profile@@, Then add this to the bottom of file:%0a---%0a> Akkoma is now installed in @@/home/_akkoma/akkoma/@@, it will be configured and started at the end of this guide.%0a> %0a> !! Setting up the database: postgresql%0a> Start a shell as the _postgresql user. As root, run%0a47,48c47%0a%3c export LC_ALL=en_US.UTF-8%0a%3c alias mix="elixir --erl \"-args_file $HOME/.vm.args\" -S $(command -v mix)"%0a---%0a> # su -l _postgresql%0a51c50,51%0a%3c Then clone the repository by doing:%0a---%0a> Then run the initdb command to initialize postgresql. You will need to specify pgdata directory to the default (@@/var/postgresql/data@@) with the @@-D %3cpath>@@ and set the user to postgres with the @@-U %3cusername>@@ flag. This can be done as follows:%0a> %0a53c53%0a%3c $ git clone https://akkoma.dev/AkkomaGang/akkoma.git%0a---%0a> # initdb -D /var/postgresql/data -U postgres%0a56,59c56,59%0a%3c Akkoma is now installed in @@/home/_akkoma/akkoma/@@, it will be configured and started at the end of this guide.%0a%3c %0a%3c !! Setting up the database: postgresql%0a%3c Start a shell as the _postgresql user. As root, run%0a---%0a> If you are not using the default directory, you will have to update the @@datadir@@ variable in the @@/etc/rc.d/postgresql@@ script.%0a> %0a> %0a> When this is done, enable postgresql so that it starts on boot and start it. As root, run:%0a61c61,62%0a%3c # su -l _postgresql%0a---%0a> # rcctl enable postgresql%0a> # rcctl start postgresql%0a64,65c65,75%0a%3c Then run the initdb command to initialize postgresql. 
You will need to specify pgdata directory to the default (@@/var/postgresql/data@@) with the @@-D %3cpath>@@ and set the user to postgres with the @@-U %3cusername>@@ flag. This can be done as follows:%0a%3c %0a---%0a> To check that it started properly and didn't fail right after starting, you can run @@ps aux | grep postgres@@, there should be multiple lines of output.%0a> %0a> !! Configuring httpd%0a> httpd will have three fuctions:%0a> %0a> # Redirect requests trying to reach the instance over http to the https URL%0a> # Serve a robots.txt file%0a> # Get Let's Encrypt certificates, with acme-client%0a> %0a> Insert the following config in httpd.conf:%0a> %0a67c77,97%0a%3c # initdb -D /var/postgresql/data -U postgres%0a---%0a> # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $%0a> %0a> ext_inet="%3cIPv4 address>"%0a> ext_inet6="%3cIPv6 address>"%0a> %0a> server "default" {%0a> listen on $ext_inet port 80 # Comment to disable listening on IPv4%0a> listen on $ext_inet6 port 80 # Comment to disable listening on IPv6%0a> listen on 127.0.0.1 port 80 # Do NOT comment this line%0a> %0a> log syslog%0a> directory no index%0a> %0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> %0a> location "/robots.txt" { root "/htdocs/" }%0a> location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }%0a> }%0a70,73c100,102%0a%3c If you are not using the default directory, you will have to update the @@datadir@@ variable in the @@/etc/rc.d/postgresql@@ script.%0a%3c %0a%3c %0a%3c When this is done, enable postgresql so that it starts on boot and start it. As root, run:%0a---%0a> Do not forget to change @@%3cIPv4/6 address>@@ to your server's address(es). 
If httpd should only listen on one protocol family, comment one of the two first listen options.%0a> %0a> Write the content of your @@robots.txt@@ in @@/var/www/htdocs/robots.txt@@:%0a75,76c104,105%0a%3c # rcctl enable postgresql%0a%3c # rcctl start postgresql%0a---%0a> User-Agent: *%0a> Disallow:%0a79,89c108%0a%3c To check that it started properly and didn't fail right after starting, you can run @@ps aux | grep postgres@@, there should be multiple lines of output.%0a%3c %0a%3c !! Configuring httpd%0a%3c httpd will have three fuctions:%0a%3c %0a%3c # Redirect requests trying to reach the instance over http to the https URL%0a%3c # Serve a robots.txt file%0a%3c # Get Let's Encrypt certificates, with acme-client%0a%3c %0a%3c Insert the following config in httpd.conf:%0a%3c %0a---%0a> Check the httpd configuration%0a91,92c110,127%0a%3c # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $%0a%3c %0a---%0a> # httpd -n%0a> @]%0a> %0a> If it's OK, enable and start httpd%0a> [@%0a> # rcctl enable httpd%0a> # rcctl start httpd%0a> @]%0a> %0a> !! acme-client%0a> See https://wiki.ircnow.org/index.php?n=Acme-client.Configure%0a> %0a> !! Configuring relayd%0a> relayd will be used as the reverse proxy sitting in front of akkoma. 
Insert the following configuration in @@/etc/relayd.conf@@:%0a> %0a> [@%0a> # $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $%0a> %0a96,110c131,160%0a%3c server "default" {%0a%3c listen on $ext_inet port 80 # Comment to disable listening on IPv4%0a%3c listen on $ext_inet6 port 80 # Comment to disable listening on IPv6%0a%3c listen on 127.0.0.1 port 80 # Do NOT comment this line%0a%3c %0a%3c log syslog%0a%3c directory no index%0a%3c %0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c %0a%3c location "/robots.txt" { root "/htdocs/" }%0a%3c location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }%0a---%0a> table %3cakkoma_server> { 127.0.0.1 }%0a> table %3chttpd_server> { 127.0.0.1 }%0a> %0a> http protocol plerup { # Protocol for upstream akkoma server%0a> #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit%0a> tls { keypair fedi.example.com }%0a> %0a> # Forward some paths to the local server (as akkoma won't respond to them as you might want)%0a> pass request quick path "/robots.txt" forward to %3chttpd_server>%0a> %0a> # Append a bunch of headers%0a> match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt%0a> match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"%0a> %0a> match response header append "X-XSS-Protection" value "1; mode=block"%0a> match response header append "X-Permitted-Cross-Domain-Policies" value "none"%0a> match response header append "X-Frame-Options" value "DENY"%0a> match response header append "X-Content-Type-Options" value "nosniff"%0a> match response header append "Referrer-Policy" value "same-origin"%0a> match response header append "X-Download-Options" value "noopen"%0a> match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; 
img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here%0a> match request header append "Connection" value "upgrade"%0a> #match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working.%0a> %0a> # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines%0a> match response header append "Access-Control-Allow-Origin" value "*"%0a> match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS"%0a> match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key"%0a> match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id"%0a> # Stop commenting lines here%0a111a162,179%0a> %0a> relay www {%0a> listen on $ext_inet port https tls # Comment to disable listening on IPv4%0a> %0a> protocol plerup%0a> %0a> forward to %3cakkoma_server> port 4000 check http "/" code 200%0a> forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a> }%0a> %0a> relay www6 {%0a> listen on $ext_inet6 port https tls # Comment to disable listening on IPv6%0a> %0a> protocol plerup%0a> %0a> forward to %3cakkoma_server> port 4000 check http "/" code 200%0a> forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a> }%0a114,116c182,186%0a%3c Do not forget to change @@%3cIPv4/6 address>@@ to your server's address(es). 
If httpd should only listen on one protocol family, comment one of the two first listen options.%0a%3c %0a%3c Write the content of your @@robots.txt@@ in @@/var/www/htdocs/robots.txt@@:%0a---%0a> Change @@fedi.example.com@@ with your instance domain.%0a> %0a> Again, change @@%3cIPv4 address>@@ and @@%3cIPv6 address>@@ to your server's address(es) and comment one of the two listen options if needed. Also change @@wss://CHANGEME.tld@@ to @@wss://%3cyour instance's domain name>@@.%0a> %0a> Check the configuration with @@relayd -n@@, if it is OK enable and start relayd (as root):%0a118,119c188,189%0a%3c User-Agent: *%0a%3c Disallow:%0a---%0a> # rcctl enable relayd%0a> # rcctl start relayd%0a122c192,194%0a%3c Check the httpd configuration%0a---%0a> !! Configuring pf%0a> Enabling and configuring pf is highly recommended. In @@/etc/pf.conf@@, insert the following configuration:%0a> %0a124c196,216%0a%3c # httpd -n%0a---%0a> # Macros%0a> if="%3cnetwork interface>"%0a> authorized_ssh_clients="any"%0a> %0a> # Skip traffic on loopback interface%0a> set skip on lo%0a> %0a> # Default behavior%0a> set block-policy drop%0a> block in log all%0a> pass out quick%0a> %0a> # Security features%0a> match in all scrub (no-df random-id)%0a> block in log from urpf-failed%0a> %0a> # Rules%0a> pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP%0a> pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6%0a> pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd%0a> pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh%0a127c219,225%0a%3c If it's OK, enable and start httpd%0a---%0a> Replace @@%3cnetwork interface>@@ by your server's network interface name (which you can get with ifconfig). 
Consider replacing the content of the @@authorized_ssh_clients@@ macro by, for example, your home IP address, to avoid SSH connection attempts from bots.%0a> %0a> Check pf's configuration by running @@pfctl -nf /etc/pf.conf@@, load it with @@pfctl -f /etc/pf.conf@@ and enable pf at boot with @@rcctl enable pf@@.%0a> %0a> %0a> !! Configuring and starting akkoma%0a> Enter a shell as _akkoma (as root do @@su -l _akkoma@@) and enter akkoma's installation directory:%0a129,130c227%0a%3c # rcctl enable httpd%0a%3c # rcctl start httpd%0a---%0a> $ cd ~/akkoma%0a133,138c230%0a%3c !! acme-client%0a%3c See https://wiki.ircnow.org/index.php?n=Acme-client.Configure%0a%3c %0a%3c !! Configuring relayd%0a%3c relayd will be used as the reverse proxy sitting in front of akkoma. Insert the following configuration in @@/etc/relayd.conf@@:%0a%3c %0a---%0a> Because we're running in a VM, Disable busy-waiting and time correction. Edit @@config/vm.args@@, insert:%0a140,193c232,235%0a%3c # $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $%0a%3c %0a%3c ext_inet="%3cIPv4 address>"%0a%3c ext_inet6="%3cIPv6 address>"%0a%3c %0a%3c table %3cakkoma_server> { 127.0.0.1 }%0a%3c table %3chttpd_server> { 127.0.0.1 }%0a%3c %0a%3c http protocol plerup { # Protocol for upstream akkoma server%0a%3c #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit%0a%3c tls { keypair fedi.example.com }%0a%3c %0a%3c # Forward some paths to the local server (as akkoma won't respond to them as you might want)%0a%3c pass request quick path "/robots.txt" forward to %3chttpd_server>%0a%3c %0a%3c # Append a bunch of headers%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt%0a%3c match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"%0a%3c %0a%3c match response header append "X-XSS-Protection" value "1; mode=block"%0a%3c match 
response header append "X-Permitted-Cross-Domain-Policies" value "none"%0a%3c match response header append "X-Frame-Options" value "DENY"%0a%3c match response header append "X-Content-Type-Options" value "nosniff"%0a%3c match response header append "Referrer-Policy" value "same-origin"%0a%3c match response header append "X-Download-Options" value "noopen"%0a%3c match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here%0a%3c match request header append "Connection" value "upgrade"%0a%3c #match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working.%0a%3c %0a%3c # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines%0a%3c match response header append "Access-Control-Allow-Origin" value "*"%0a%3c match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS"%0a%3c match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key"%0a%3c match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id"%0a%3c # Stop commenting lines here%0a%3c }%0a%3c %0a%3c relay www {%0a%3c listen on $ext_inet port https tls # Comment to disable listening on IPv4%0a%3c %0a%3c protocol plerup%0a%3c %0a%3c forward to %3cakkoma_server> port 4000 check http "/" code 200%0a%3c forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a%3c }%0a%3c %0a%3c relay www6 {%0a%3c listen on $ext_inet6 port https tls # Comment to disable listening on IPv6%0a%3c %0a%3c 
protocol plerup%0a%3c %0a%3c forward to %3cakkoma_server> port 4000 check http "/" code 200%0a%3c forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a%3c }%0a---%0a> +c false%0a> +sbwt none%0a> +sbwtdcpu none%0a> +sbwtdio none%0a196,200c238%0a%3c Change @@fedi.example.com@@ with your instance domain.%0a%3c %0a%3c Again, change @@%3cIPv4 address>@@ and @@%3cIPv6 address>@@ to your server's address(es) and comment one of the two listen options if needed. Also change @@wss://CHANGEME.tld@@ to @@wss://%3cyour instance's domain name>@@.%0a%3c %0a%3c Check the configuration with @@relayd -n@@, if it is OK enable and start relayd (as root):%0a---%0a> Then set alias:%0a202,203c240%0a%3c # rcctl enable relayd%0a%3c # rcctl start relayd%0a---%0a> $ alias mix="elixir --erl \"-args_file $HOME/akkoma/config/vm.args\" -S $(command -v mix)"%0a206,208c243%0a%3c !! Configuring pf%0a%3c Enabling and configuring pf is highly recommended. In @@/etc/pf.conf@@, insert the following configuration:%0a%3c %0a---%0a> You may need to set this alias everytime you login. 
Edit @@~/.profile@@, Then add this to the bottom of file:%0a210,230c245%0a%3c # Macros%0a%3c if="%3cnetwork interface>"%0a%3c authorized_ssh_clients="any"%0a%3c %0a%3c # Skip traffic on loopback interface%0a%3c set skip on lo%0a%3c %0a%3c # Default behavior%0a%3c set block-policy drop%0a%3c block in log all%0a%3c pass out quick%0a%3c %0a%3c # Security features%0a%3c match in all scrub (no-df random-id)%0a%3c block in log from urpf-failed%0a%3c %0a%3c # Rules%0a%3c pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP%0a%3c pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6%0a%3c pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd%0a%3c pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh%0a---%0a> alias mix="elixir --erl \"-args_file $HOME/akkoma/config/vm.args\" -S $(command -v mix)"%0a233,239c248%0a%3c Replace @@%3cnetwork interface>@@ by your server's network interface name (which you can get with ifconfig). Consider replacing the content of the @@authorized_ssh_clients@@ macro by, for example, your home IP address, to avoid SSH connection attempts from bots.%0a%3c %0a%3c Check pf's configuration by running @@pfctl -nf /etc/pf.conf@@, load it with @@pfctl -f /etc/pf.conf@@ and enable pf at boot with @@rcctl enable pf@@.%0a%3c %0a%3c %0a%3c !! Configuring and starting akkoma%0a%3c Enter a shell as _akkoma (as root do @@su -l _akkoma@@) and enter akkoma's installation directory:%0a---%0a> Set localization as UTF by doing this:%0a241c250%0a%3c $ cd ~/akkoma%0a---%0a> $ export LC_ALL=en_US.UTF-8%0a243a253,256%0a> You may also need to set @@LC_ALL@@ everytime you login.%0a> [@%0a> $ echo "export LC_ALL=en_US.UTF-8" >> ~/.profile%0a> @]%0a
host:1669573099=182.1.1.33
author:1669572853=Yonle
diff:1669572853:1669572811:=238,239c238,239%0a%3c Then set alias:%0a%3c [@%0a---%0a> Then set alias.%0a> ```%0a241c241%0a%3c @]%0a---%0a> ```%0a
host:1669572853=182.1.1.33
author:1669572811=Yonle
csum:1669572811=Prevent time correction.
diff:1669572811:1669572291:=238,243c238%0a%3c Then set alias.%0a%3c ```%0a%3c $ alias mix="elixir --erl \"-args_file $HOME/akkoma/config/vm.args\" -S $(command -v mix)"%0a%3c ```%0a%3c %0a%3c You may need to set this alias everytime you login. Edit @@~/.profile@@, Then add this to the bottom of file:%0a---%0a> Set localization as UTF by doing this:%0a245c240%0a%3c alias mix="elixir --erl \"-args_file $HOME/akkoma/config/vm.args\" -S $(command -v mix)"%0a---%0a> $ export LC_ALL=en_US.UTF-8%0a248c243%0a%3c Set localization as UTF by doing this:%0a---%0a> You may need to set @@LC_ALL@@ everytime you login.%0a250c245%0a%3c $ export LC_ALL=en_US.UTF-8%0a---%0a> $ echo "export LC_ALL=en_US.UTF-8" >> ~/.profile%0a253c248%0a%3c You may also need to set @@LC_ALL@@ everytime you login.%0a---%0a> Now, Run the following command:%0a255c250%0a%3c $ echo "export LC_ALL=en_US.UTF-8" >> ~/.profile%0a---%0a> $ mix deps.get%0a258c253,255%0a%3c Now, Run the following command:%0a---%0a> When asked to install Hex dependencies, Press @@Y@@ then @@RETURN@@/Enter.%0a> %0a> Once dependencies succesfully retrieved, Run%0a260c257%0a%3c $ mix deps.get%0a---%0a> $ MIX_PROD=prod mix pleroma.instance gen%0a263,265c260,262%0a%3c When asked to install Hex dependencies, Press @@Y@@ then @@RETURN@@/Enter.%0a%3c %0a%3c Once dependencies succesfully retrieved, Run%0a---%0a> When asked to install @@rebar3@@, Press @@Y@@ then @@RETURN@@/Enter.%0a> %0a> In the middle of compilation, You may get this:%0a267c264,267%0a%3c $ MIX_PROD=prod mix pleroma.instance gen%0a---%0a> Monotonic time stepped backwards!%0a> Previous time: 26452xxxxx%0a> Current time : 26472xxxxx%0a> Abort trap (core dumped)%0a270,273c270%0a%3c When asked to install @@rebar3@@, Press @@Y@@ then @@RETURN@@/Enter, and enter your instance information when asked.%0a%3c %0a%3c %0a%3c Copy @@config/generated_config.exs@@ to @@config/prod.secret.exs@@. 
The default values should be sufficient but you should edit it and check that everything seems OK.%0a---%0a> To fix this, Just reexecute the same command multiple times until some dependencies succesfully compiled by doing this:%0a275c272%0a%3c $ cp config/generated_config.exs config/prod.secret.exs%0a---%0a> $ while [ "$?" != "0" ]; do MIX_PROD=prod mix pleroma.instance gen; done%0a278c275,278%0a%3c Exit your current shell back to root one and run the following command to set up database:%0a---%0a> And enter your instance's information when asked.%0a> %0a> %0a> Copy @@config/generated_config.exs@@ to @@config/prod.secret.exs@@. The default values should be sufficient but you should edit it and check that everything seems OK.%0a280c280%0a%3c # psql -U postgres -f /home/_akkoma/akkoma/config/setup_db.psql%0a---%0a> $ cp config/generated_config.exs config/prod.secret.exs%0a283c283%0a%3c Return to _akkoma shell into akkoma's installation directory (@@su -l _akkoma;cd ~/akkoma@@) and run%0a---%0a> Exit your current shell back to root one and run the following command to set up database:%0a285c285%0a%3c $ MIX_ENV=prod mix ecto.migrate%0a---%0a> # psql -U postgres -f /home/_akkoma/akkoma/config/setup_db.psql%0a287a288,304%0a> Return to _akkoma shell into akkoma's installation directory (@@su -l _akkoma;cd ~/akkoma@@) and run%0a> [@%0a> $ MIX_ENV=prod mix ecto.migrate%0a> @]%0a> %0a> Again, In the middle of compilation, You may get this again:%0a> [@%0a> Monotonic time stepped backwards!%0a> Previous time: 26452xxxxx%0a> Current time : 26472xxxxx%0a> Abort trap (core dumped)%0a> @]%0a> %0a> To fix this, Just reexecute the same command multiple times until some dependencies succesfully compiled by doing this:%0a> [@%0a> $ while [ "$?" != "0" ]; do MIX_PROD=prod mix ecto.migrate; done%0a> @]%0a
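Review bot: the replacement block at 238-243 (`Then set alias.` followed by ``` … ```) wraps the `alias mix=...` command in markdown backtick fences, while the rest of the page, including the `[@`/`@]` block around `$ export LC_ALL=en_US.UTF-8` in this same diff, uses PmWiki's `[@ ... @]` preformatted markup; PmWiki does not interpret triple backticks, so they would be rendered as literal text. Use `[@` and `@]` here as well.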
host:1669572811=182.1.1.33
author:1669572291=Yonle
diff:1669572291:1669570818:=230c230%0a%3c Because we're running in a VM, Disable busy-waiting and time correction. Edit @@config/vm.args@@, insert:%0a---%0a> Because we're running in a VM, Disable busy-waiting. Edit @@config/vm.args@@, insert:%0a232d231%0a%3c +c false%0a
host:1669572291=182.1.1.33
author:1669570818=Yonle
diff:1669570818:1669449925:=223,224c223%0a%3c %0a%3c !! Configuring and starting akkoma%0a---%0a> !! Configuring and starting Akkoma%0a230c229%0a%3c Because we're running in a VM, Disable busy-waiting. Edit @@config/vm.args@@, insert:%0a---%0a> Set localization as UTF by doing this:%0a232,234c231%0a%3c +sbwt none%0a%3c +sbwtdcpu none%0a%3c +sbwtdio none%0a---%0a> $ export LC_ALL=en_US.UTF-8%0a237c234%0a%3c Set localization as UTF by doing this:%0a---%0a> You may need to set @@LC_ALL@@ everytime you login.%0a239c236%0a%3c $ export LC_ALL=en_US.UTF-8%0a---%0a> $ echo "export LC_ALL=en_US.UTF-8" >> ~/.profile%0a242,245d238%0a%3c You may need to set @@LC_ALL@@ everytime you login.%0a%3c [@%0a%3c $ echo "export LC_ALL=en_US.UTF-8" >> ~/.profile%0a%3c @]%0a
host:1669570818=103.180.125.250
author:1669449925=Yonle
diff:1669449925:1669449867:=1c1%0a%3c (:title Akkoma:)%0a---%0a> (:title Akkoma)%0a
host:1669449925=51.159.105.252
author:1669449867=Yonle
diff:1669449867:1669446282:=1d0%0a%3c (:title Akkoma)%0a
host:1669449867=51.159.105.252
author:1669446282=Yonle
diff:1669446282:1669433252:=8c8%0a%3c # pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick p5-Image-ExifTool libmagic erlang-wx-25.0.4%0a---%0a> # pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick libmagic erlang-wx-25.0.4%0a
host:1669446282=114.125.13.81
author:1669433252=Yonle
diff:1669433252:1669433144:=279c279%0a%3c Return to _akkoma shell into akkoma's installation directory (@@su -l _akkoma;cd ~/akkoma@@) and run%0a---%0a> Return to a _akkoma shell into akkoma's installation directory (@@su -l _akkoma;cd ~/akkoma@@) and run%0a
host:1669433252=51.159.107.181
author:1669433144=Yonle
diff:1669433144:1669433068:=222c222%0a%3c !! Configuring and starting Akkoma%0a---%0a> !! Configuring Akkoma and start akkoma%0a
host:1669433144=51.159.107.181
author:1669433068=Yonle
diff:1669433068:1669423429:=101c101%0a%3c Write the content of your @@robots.txt@@ in @@/var/www/htdocs/robots.txt@@:%0a---%0a> Write the content of your @@robots.txt@@ in @@/var/www/htdocs/local/robots.txt@@:%0a
host:1669433068=51.159.107.181
author:1669423429=Yonle
diff:1669423429:1669422770:=9,13d8%0a%3c @]%0a%3c %0a%3c Symlink @@/usr/local/bin/escript25@@ to @@/usr/local/bin/escript@@%0a%3c [@%0a%3c # ln -s /usr/local/bin/escript25 /usr/local/bin/escript%0a
host:1669423429=51.159.107.181
author:1669422770=Yonle
diff:1669422770:1669422530:=308,326d307%0a%3c @]%0a%3c %0a%3c !! Create administrative user%0a%3c If your instance is up and running, you can create your first user with administrative rights with the following command as the @@_akkoma@@ user.%0a%3c %0a%3c [@%0a%3c $ MIX_ENV=prod mix pleroma.user new %3cusername> %3cyour@emailaddress> --admin%0a%3c @]%0a%3c %0a%3c !! Installing Frontends%0a%3c Once your backend server is functional, you'll also want to probably install frontends.%0a%3c %0a%3c These are no longer bundled with the distribution and need an extra command to install.%0a%3c %0a%3c For most installations, the following will suffice:%0a%3c [@%0a%3c $ export MIX_ENV=prod%0a%3c $ mix pleroma.frontend install pleroma-fe --ref stable%0a%3c $ mix pleroma.frontend install admin-fe --ref stable%0a
host:1669422770=182.1.45.201
author:1669422530=Yonle
diff:1669422530:1669420885:=176,177d175%0a%3c Change @@fedi.example.com@@ with your instance domain.%0a%3c %0a215,308c213%0a%3c Check pf's configuration by running @@pfctl -nf /etc/pf.conf@@, load it with @@pfctl -f /etc/pf.conf@@ and enable pf at boot with @@rcctl enable pf@@.%0a%3c %0a%3c !! Configuring Akkoma and start akkoma%0a%3c Enter a shell as _akkoma (as root do @@su -l _akkoma@@) and enter akkoma's installation directory:%0a%3c [@%0a%3c $ cd ~/akkoma%0a%3c @]%0a%3c %0a%3c Set localization as UTF by doing this:%0a%3c [@%0a%3c $ export LC_ALL=en_US.UTF-8%0a%3c @]%0a%3c %0a%3c You may need to set @@LC_ALL@@ everytime you login.%0a%3c [@%0a%3c $ echo "export LC_ALL=en_US.UTF-8" >> ~/.profile%0a%3c @]%0a%3c %0a%3c %0a%3c Now, Run the following command:%0a%3c [@%0a%3c $ mix deps.get%0a%3c @]%0a%3c %0a%3c When asked to install Hex dependencies, Press @@Y@@ then @@RETURN@@/Enter.%0a%3c %0a%3c Once dependencies succesfully retrieved, Run%0a%3c [@%0a%3c $ MIX_PROD=prod mix pleroma.instance gen%0a%3c @]%0a%3c %0a%3c When asked to install @@rebar3@@, Press @@Y@@ then @@RETURN@@/Enter.%0a%3c %0a%3c In the middle of compilation, You may get this:%0a%3c [@%0a%3c Monotonic time stepped backwards!%0a%3c Previous time: 26452xxxxx%0a%3c Current time : 26472xxxxx%0a%3c Abort trap (core dumped)%0a%3c @]%0a%3c %0a%3c To fix this, Just reexecute the same command multiple times until some dependencies succesfully compiled by doing this:%0a%3c [@%0a%3c $ while [ "$?" != "0" ]; do MIX_PROD=prod mix pleroma.instance gen; done%0a%3c @]%0a%3c %0a%3c And enter your instance's information when asked.%0a%3c %0a%3c %0a%3c Copy @@config/generated_config.exs@@ to @@config/prod.secret.exs@@. 
The default values should be sufficient but you should edit it and check that everything seems OK.%0a%3c [@%0a%3c $ cp config/generated_config.exs config/prod.secret.exs%0a%3c @]%0a%3c %0a%3c Exit your current shell back to root one and run the following command to set up database:%0a%3c [@%0a%3c # psql -U postgres -f /home/_akkoma/akkoma/config/setup_db.psql%0a%3c @]%0a%3c %0a%3c Return to a _akkoma shell into akkoma's installation directory (@@su -l _akkoma;cd ~/akkoma@@) and run%0a%3c [@%0a%3c $ MIX_ENV=prod mix ecto.migrate%0a%3c @]%0a%3c %0a%3c Again, In the middle of compilation, You may get this again:%0a%3c [@%0a%3c Monotonic time stepped backwards!%0a%3c Previous time: 26452xxxxx%0a%3c Current time : 26472xxxxx%0a%3c Abort trap (core dumped)%0a%3c @]%0a%3c %0a%3c To fix this, Just reexecute the same command multiple times until some dependencies succesfully compiled by doing this:%0a%3c [@%0a%3c $ while [ "$?" != "0" ]; do MIX_PROD=prod mix ecto.migrate; done%0a%3c @]%0a%3c %0a%3c As @@_akkoma@@ in @@/home/_akkoma/akkoma@@, You can now run the following command to start your instance:%0a%3c [@%0a%3c $ MIX_ENV=prod mix phx.server%0a%3c @]%0a%3c %0a%3c In another SSH session/tmux window, check that it is working properly by running @@ftp -MVo - http://127.0.0.1:4000/api/v1/instance@@, you should get json output. Double-check that uri's value is your instance's domain name.%0a%3c %0a%3c !! Starting akkoma at boot%0a%3c As @@_akkoma@@, Edit crontab by doing this:%0a%3c [@%0a%3c $ crontab -e%0a%3c @]%0a%3c %0a%3c Then insert this:%0a%3c [@%0a%3c @reboot tmux new -d "cd ~/akkoma; while true; do LC_ALL=en_US.UTF-8 MIX_ENV=prod mix phx.server; done"%0a%3c @]%0a\ No newline at end of file%0a---%0a> Check pf's configuration by running @@pfctl -nf /etc/pf.conf@@, load it with @@pfctl -f /etc/pf.conf@@ and enable pf at boot with @@rcctl enable pf@@.%0a\ No newline at end of file%0a
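Review bot: the retry loop `while [ "$?" != "0" ]; do MIX_PROD=prod mix pleroma.instance gen; done` (and its `mix ecto.migrate` twin later in the hunk) evaluates `$?` before its body has run, so the first test reads the exit status of whatever command the reader typed before the loop; if that command succeeded, the body never executes and nothing is retried. `until MIX_ENV=prod mix pleroma.instance gen; do :; done` retries until the command itself succeeds. Note also that the generator is invoked with `MIX_PROD=prod` while `mix ecto.migrate` and `mix phx.server` in the same hunk use `MIX_ENV=prod`; Mix reads `MIX_ENV`, so with `MIX_PROD` the generator runs in the default environment.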
host:1669422530=182.1.45.201
author:1669420885=Yonle
diff:1669420885:1669419596:=157c157%0a%3c relay www {%0a---%0a> relay wwwtls {%0a159c159,160%0a%3c %0a---%0a> listen on $ext_inet6 port https tls # Comment to disable listening on IPv6%0a> %0a165,173d165%0a%3c %0a%3c relay www6 {%0a%3c listen on $ext_inet6 port https tls # Comment to disable listening on IPv6%0a%3c %0a%3c protocol plerup%0a%3c %0a%3c forward to %3cakkoma_server> port 4000 check http "/" code 200%0a%3c forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a%3c }%0a176,213c168%0a%3c Again, change @@%3cIPv4 address>@@ and @@%3cIPv6 address>@@ to your server's address(es) and comment one of the two listen options if needed. Also change @@wss://CHANGEME.tld@@ to @@wss://%3cyour instance's domain name>@@.%0a%3c %0a%3c Check the configuration with @@relayd -n@@, if it is OK enable and start relayd (as root):%0a%3c [@%0a%3c # rcctl enable relayd%0a%3c # rcctl start relayd%0a%3c @]%0a%3c %0a%3c !! Configuring pf%0a%3c Enabling and configuring pf is highly recommended. In @@/etc/pf.conf@@, insert the following configuration:%0a%3c %0a%3c [@%0a%3c # Macros%0a%3c if="%3cnetwork interface>"%0a%3c authorized_ssh_clients="any"%0a%3c %0a%3c # Skip traffic on loopback interface%0a%3c set skip on lo%0a%3c %0a%3c # Default behavior%0a%3c set block-policy drop%0a%3c block in log all%0a%3c pass out quick%0a%3c %0a%3c # Security features%0a%3c match in all scrub (no-df random-id)%0a%3c block in log from urpf-failed%0a%3c %0a%3c # Rules%0a%3c pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP%0a%3c pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6%0a%3c pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd%0a%3c pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh%0a%3c @]%0a%3c %0a%3c Replace @@%3cnetwork interface>@@ by your server's network interface name (which you can get with ifconfig). 
Consider replacing the content of the @@authorized_ssh_clients@@ macro by, for example, your home IP address, to avoid SSH connection attempts from bots.%0a%3c %0a%3c Check pf's configuration by running @@pfctl -nf /etc/pf.conf@@, load it with @@pfctl -f /etc/pf.conf@@ and enable pf at boot with @@rcctl enable pf@@.%0a\ No newline at end of file%0a---%0a> Again, change @@%3cIPv4 address>@@ and @@%3cIPv6 address>@@ to your server's address(es) and comment one of the two listen options if needed. Also change wss://CHANGEME.tld to wss://%3cyour instance's domain name>. Check the configuration with relayd -n, if it is OK enable and start relayd (as root):%0a\ No newline at end of file%0a
host:1669420885=182.1.45.201
author:1669419596=Yonle
diff:1669419596:1669393923:=25a26%0a> !! Setting up%0a61,168d61%0a%3c !! Configuring httpd%0a%3c httpd will have three fuctions:%0a%3c %0a%3c # Redirect requests trying to reach the instance over http to the https URL%0a%3c # Serve a robots.txt file%0a%3c # Get Let's Encrypt certificates, with acme-client%0a%3c %0a%3c Insert the following config in httpd.conf:%0a%3c %0a%3c [@%0a%3c # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $%0a%3c %0a%3c ext_inet="%3cIPv4 address>"%0a%3c ext_inet6="%3cIPv6 address>"%0a%3c %0a%3c server "default" {%0a%3c listen on $ext_inet port 80 # Comment to disable listening on IPv4%0a%3c listen on $ext_inet6 port 80 # Comment to disable listening on IPv6%0a%3c listen on 127.0.0.1 port 80 # Do NOT comment this line%0a%3c %0a%3c log syslog%0a%3c directory no index%0a%3c %0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c %0a%3c location "/robots.txt" { root "/htdocs/" }%0a%3c location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" }%0a%3c }%0a%3c @]%0a%3c %0a%3c Do not forget to change @@%3cIPv4/6 address>@@ to your server's address(es). If httpd should only listen on one protocol family, comment one of the two first listen options.%0a%3c %0a%3c Write the content of your @@robots.txt@@ in @@/var/www/htdocs/local/robots.txt@@:%0a%3c [@%0a%3c User-Agent: *%0a%3c Disallow:%0a%3c @]%0a%3c %0a%3c Check the httpd configuration%0a%3c [@%0a%3c # httpd -n%0a%3c @]%0a%3c %0a%3c If it's OK, enable and start httpd%0a%3c [@%0a%3c # rcctl enable httpd%0a%3c # rcctl start httpd%0a%3c @]%0a%3c %0a%3c !! acme-client%0a%3c See https://wiki.ircnow.org/index.php?n=Acme-client.Configure%0a%3c %0a%3c !! Configuring relayd%0a%3c relayd will be used as the reverse proxy sitting in front of akkoma. 
Insert the following configuration in @@/etc/relayd.conf@@:%0a%3c %0a%3c [@%0a%3c # $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $%0a%3c %0a%3c ext_inet="%3cIPv4 address>"%0a%3c ext_inet6="%3cIPv6 address>"%0a%3c %0a%3c table %3cakkoma_server> { 127.0.0.1 }%0a%3c table %3chttpd_server> { 127.0.0.1 }%0a%3c %0a%3c http protocol plerup { # Protocol for upstream akkoma server%0a%3c #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit%0a%3c tls { keypair fedi.example.com }%0a%3c %0a%3c # Forward some paths to the local server (as akkoma won't respond to them as you might want)%0a%3c pass request quick path "/robots.txt" forward to %3chttpd_server>%0a%3c %0a%3c # Append a bunch of headers%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt%0a%3c match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"%0a%3c %0a%3c match response header append "X-XSS-Protection" value "1; mode=block"%0a%3c match response header append "X-Permitted-Cross-Domain-Policies" value "none"%0a%3c match response header append "X-Frame-Options" value "DENY"%0a%3c match response header append "X-Content-Type-Options" value "nosniff"%0a%3c match response header append "Referrer-Policy" value "same-origin"%0a%3c match response header append "X-Download-Options" value "noopen"%0a%3c match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here%0a%3c match request header append "Connection" value "upgrade"%0a%3c #match response header append "Strict-Transport-Security" value "max-age=31536000; 
includeSubDomains" # Uncomment this only after you get HTTPS working.%0a%3c %0a%3c # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines%0a%3c match response header append "Access-Control-Allow-Origin" value "*"%0a%3c match response header append "Access-Control-Allow-Methods" value "POST, PUT, DELETE, GET, PATCH, OPTIONS"%0a%3c match response header append "Access-Control-Allow-Headers" value "Authorization, Content-Type, Idempotency-Key"%0a%3c match response header append "Access-Control-Expose-Headers" value "Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id"%0a%3c # Stop commenting lines here%0a%3c }%0a%3c %0a%3c relay wwwtls {%0a%3c listen on $ext_inet port https tls # Comment to disable listening on IPv4%0a%3c listen on $ext_inet6 port https tls # Comment to disable listening on IPv6%0a%3c %0a%3c protocol plerup%0a%3c %0a%3c forward to %3cakkoma_server> port 4000 check http "/" code 200%0a%3c forward to %3chttpd_server> port 80 check http "/robots.txt" code 200%0a%3c }%0a%3c @]%0a%3c %0a%3c Again, change @@%3cIPv4 address>@@ and @@%3cIPv6 address>@@ to your server's address(es) and comment one of the two listen options if needed. Also change wss://CHANGEME.tld to wss://%3cyour instance's domain name>. Check the configuration with relayd -n, if it is OK enable and start relayd (as root):%0a\ No newline at end of file%0a
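Review bot: the robots.txt path in the prose does not match the httpd configuration in the same hunk: `location "/robots.txt" { root "/htdocs/" }` serves `htdocs/robots.txt` relative to httpd's chroot (`/var/www` on OpenBSD), but the text tells the reader to write the file to `/var/www/htdocs/local/robots.txt`, one directory deeper, so httpd would answer 404 and the relayd health check `check http "/robots.txt" code 200` against `<httpd_server>` would fail. Either drop `local/` from the prose path or point the location's `root` at that subdirectory.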
host:1669419596=182.1.45.201
author:1669393923=Yonle
diff:1669393923:1669393923:=1,61d0%0a%3c Akkoma is a fork of Pleroma project with additional features added.%0a%3c %0a%3c This guide describes the installation and configuration of akkoma (and the required software to run it) on a single OpenBSD 7.2 server.%0a%3c %0a%3c !! Installation%0a%3c First, We need to install the required dependencies%0a%3c [@%0a%3c # pkg_add elixir gmake git postgresql-server postgresql-contrib cmake ffmpeg ImageMagick libmagic erlang-wx-25.0.4%0a%3c @]%0a%3c %0a%3c Then create @@akkoma@@ user to be run in dedicated user. Before creating it, Edit @@/etc/login.conf@@:%0a%3c [@%0a%3c akkoma:\%0a%3c :datasize-max=1536M:\%0a%3c :datasize-cur=1536M:\%0a%3c :openfiles-max=4096%0a%3c @]%0a%3c %0a%3c This creates a "akkoma" login class and sets higher values than default for datasize and openfiles (see login.conf(5)), this is required to avoid having akkoma crash some time after starting.%0a%3c %0a%3c Create the @@_akkoma@@ user, assign it the akkoma login class and create its home directory (/home/_akkoma/):%0a%3c [@%0a%3c # useradd -m -L akkoma _akkoma%0a%3c @]%0a%3c %0a%3c !! Setting up%0a%3c Enter a shell as the _akkoma user. As root, run%0a%3c [@%0a%3c # su -l _akkoma%0a%3c @]%0a%3c %0a%3c Then clone the repository by doing:%0a%3c [@%0a%3c $ git clone https://akkoma.dev/AkkomaGang/akkoma.git%0a%3c @]%0a%3c %0a%3c Akkoma is now installed in @@/home/_akkoma/akkoma/@@, it will be configured and started at the end of this guide.%0a%3c %0a%3c !! Setting up the database: postgresql%0a%3c Start a shell as the _postgresql user. As root, run%0a%3c [@%0a%3c # su -l _postgresql%0a%3c @]%0a%3c %0a%3c Then run the initdb command to initialize postgresql. You will need to specify pgdata directory to the default (@@/var/postgresql/data@@) with the @@-D %3cpath>@@ and set the user to postgres with the @@-U %3cusername>@@ flag. 
This can be done as follows:%0a%3c %0a%3c [@%0a%3c # initdb -D /var/postgresql/data -U postgres%0a%3c @]%0a%3c %0a%3c If you are not using the default directory, you will have to update the @@datadir@@ variable in the @@/etc/rc.d/postgresql@@ script.%0a%3c %0a%3c %0a%3c When this is done, enable postgresql so that it starts on boot and start it. As root, run:%0a%3c [@%0a%3c # rcctl enable postgresql%0a%3c # rcctl start postgresql%0a%3c @]%0a%3c %0a%3c To check that it started properly and didn't fail right after starting, you can run @@ps aux | grep postgres@@, there should be multiple lines of output.%0a%3c %0a
host:1669393923=51.159.107.181