Add configuration for GoToSocial

This adds a basic GoToSocial setup with a default configured administrator, to be used as a small environment for trusted users.
2022-11-27 16:25:53 +00:00 · 2022-11-27 16:25:53 +00:00 · 1b71debe96
parent d452ccec1b
commit 1b71debe96
8 changed files with 234 additions and 0 deletions
--- a/host/virtual/spec.bu
+++ b/host/virtual/spec.bu
@ -25,6 +25,7 @@ ignition:
      - local: service/grafana/spec.ign
      - local: service/gitea/spec.ign
      - local: service/lldap/spec.ign
+      - local: service/gotosocial/spec.ign

 passwd:
  users:
@ -125,6 +126,14 @@ systemd:
            [Service]
            Environment=UPSTREAM_HOST=lldap UPSTREAM_PORT=8080

+    - name: nginx-proxy-http@social.localhost.service
+      enabled: true
+      dropins:
+        - name: gotosocial-upstream.conf
+          contents: |
+            [Service]
+            Environment=UPSTREAM_HOST=gotosocial UPSTREAM_PORT=8080
+
    - name: letsencrypt-dns-register@localhost.service
      enabled: true
      dropins:
--- a/host/virtual/virtual.env
+++ b/host/virtual/virtual.env
@ -64,3 +64,9 @@ LLDAP_ADMIN_PASSWORD=password

 # Configuration for Hugo.
 HUGO_DEPLOY_SECRET=password
+
+# Configuration for GoToSocial.
+GOTOSOCIAL_HOST=social.localhost
+GOTOSOCIAL_ACCOUNT_DOMAIN=localhost
+GOTOSOCIAL_DEFAULT_USERNAME=default
+GOTOSOCIAL_SMTP_FROM=noreply@social.localhost
--- a/service/gotosocial/Containerfile
+++ b/service/gotosocial/Containerfile
@ -0,0 +1,20 @@
+FROM docker.io/debian:bullseye-slim
+ARG VERSION=0.5.2
+
+RUN apt-get update -y && apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends curl ca-certificates gettext gosu
+
+ENV PACKAGE_URL https://github.com/superseriousbusiness/gotosocial/releases/download/v${VERSION}/gotosocial_${VERSION}_linux_amd64.tar.gz
+RUN mkdir -p /opt/gotosocial && curl -L ${PACKAGE_URL} | tar -C /opt/gotosocial --no-same-owner -xvzf - && \
+    mv /opt/gotosocial/gotosocial /bin/gotosocial && chmod +x /bin/gotosocial
+
+RUN apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false curl
+
+RUN addgroup --system --gid 10000 gotosocial
+RUN adduser --system --uid 10000 --ingroup gotosocial --home /var/lib/gotosocial gotosocial
+
+COPY container/config /etc/gotosocial
+COPY container/run-gotosocial /run-gotosocial
+
+EXPOSE 8080
+ENTRYPOINT ["/run-gotosocial"]
--- a/service/gotosocial/container/config/config.yaml.template
+++ b/service/gotosocial/container/config/config.yaml.template
@ -0,0 +1,124 @@
+###########################
+##### GENERAL CONFIG ######
+###########################
+
+# The user that will be shown instead of the landing page. if no user is set, the landing page will be shown.
+landing-page-user: "${GOTOSOCIAL_DEFAULT_USERNAME}"
+
+# Hostname that this server will be reachable at. Defaults to localhost for local testing,
+# but you should *definitely* change this when running for real, or your server won't work at all.
+# DO NOT change this after your server has already run once, or you will break things!
+host: "${GOTOSOCIAL_HOST}"
+
+# Domain to use when federating profiles. This is useful when you want your server to be at
+# eg., "gts.example.org", but you want the domain on accounts to be "example.org" because it looks better
+# or is just shorter/easier to remember.
+#
+# To make this setting work properly, you need to redirect requests at "example.org/.well-known/webfinger"
+# to "gts.example.org/.well-known/webfinger" so that GtS can handle them properly.
+#
+# You should also redirect requests at "example.org/.well-known/nodeinfo" in the same way.
+# An empty string (ie., not set) means that the same value as 'host' will be used.
+#
+# DO NOT change this after your server has already run once, or you will break things!
+#
+# Please read the appropriate section of the installation guide before you go messing around with this setting:
+# https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username
+account-domain: "${GOTOSOCIAL_ACCOUNT_DOMAIN}"
+
+# CIDRs or IP addresses of proxies that should be trusted when determining real client IP from behind a reverse proxy.
+# If you're running inside a Docker container behind Traefik or Nginx, for example, add the subnet of your docker network,
+# or the gateway of the docker network, and/or the address of the reverse proxy (if it's not running on the host network).
+trusted-proxies:
+  - "127.0.0.1/32"
+  - "::1"
+  - "10.89.0.0/16"
+
+############################
+##### DATABASE CONFIG ######
+############################
+
+# Database type.
+db-type: "sqlite"
+
+# Database address or parameters.
+#
+# For Sqlite, this should be the path to your sqlite database file. Eg., /opt/gotosocial/sqlite.db.
+# If the file doesn't exist at the specified path, it will be created.
+db-address: "/var/lib/gotosocial/gotosocial.db"
+
+######################
+##### WEB CONFIG #####
+######################
+
+# Directory from which gotosocial will attempt to load html templates (.tmpl files).
+web-template-base-dir: "/opt/gotosocial/web/template/"
+
+# Directory from which gotosocial will attempt to serve static web assets (images, scripts).
+web-asset-base-dir: "/opt/gotosocial/web/assets/"
+
+###########################
+##### ACCOUNTS CONFIG #####
+###########################
+
+# Do we want people to be able to just submit sign up requests, or do we want invite only?
+accounts-registration-open: ${GOTOSOCIAL_ACCOUNT_REGISTRATION_OPEN}
+
+#  Allow accounts on this instance to set custom CSS for their profile pages and statuses.
+# Enabling this setting will allow accounts to upload custom CSS via the /user settings page,
+# which will then be rendered on the web view of the account's profile and statuses.
+#
+# For instances with public sign ups, it is **HIGHLY RECOMMENDED** to leave this setting on 'false',
+# since setting it to true allows malicious accounts to make their profile pages misleading, unusable
+# or even dangerous to visitors. In other words, you should only enable this setting if you trust
+# the users on your instance not to produce harmful CSS.
+#
+# Regardless of what this value is set to, any uploaded CSS will not be federated to other instances,
+# it will only be shown on profiles and statuses on *this* instance.
+accounts-allow-custom-css: true
+
+########################
+##### MEDIA CONFIG #####
+########################
+
+# Maximum allowed image upload size in bytes.
+media-image-max-size: 10485760 # 10MB
+
+# Maximum allowed video upload size in bytes.
+media-video-max-size: 31457280 # 30MB
+
+##########################
+##### STORAGE CONFIG #####
+##########################
+
+# Type of storage backend to use.
+storage-backend: "local"
+
+# Directory to use as a base path for storing files.
+# Make sure whatever user/group gotosocial is running as has permission to access
+# this directory, and create new subdirectories and files within it.
+# Only required when running with the local storage backend.
+storage-local-base-path: "/var/lib/gotosocial/storage"
+
+#######################
+##### SMTP CONFIG #####
+#######################
+
+# The hostname of the smtp server you want to use.
+# If this is not set, smtp will not be used to send emails, and you can ignore the other settings.
+smtp-host: "${GOTOSOCIAL_SMTP_HOST}"
+
+# Port to use to connect to the smtp server.
+smtp-port: ${GOTOSOCIAL_SMTP_PORT}
+
+# Username to use when authenticating with the smtp server.
+# This should have been provided to you by your smtp host.
+# This is often, but not always, an email address.
+smtp-username: "${GOTOSOCIAL_SMTP_USERNAME}"
+
+# Password to use when authenticating with the smtp server.
+# This should have been provided to you by your smtp host.
+smtp-password: "${GOTOSOCIAL_SMTP_PASSWORD}"
+
+# 'From' address for sent emails.
+smtp-from: "${GOTOSOCIAL_SMTP_FROM}"
--- a/service/gotosocial/container/run-gotosocial
+++ b/service/gotosocial/container/run-gotosocial
@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -eu
+
+# Create configuration file from collected templates.
+envsubst < /etc/gotosocial/config.yaml.template > /etc/gotosocial/config.yaml
+
+# Create data directories and correct permissions for data files.
+install --owner gotosocial --group gotosocial --mode 700 --directory /var/lib/gotosocial
+chown -R gotosocial:gotosocial /etc/gotosocial /var/lib/gotosocial
+
+# Initialize default condiguration if needed.
+if ! test -f /var/lib/gotosocial/gotosocial.db; then
+    (
+        password="$(dd if=/dev/urandom | tr -dc '[:alnum:]' | head -c 50)"
+        gosu gotosocial /bin/gotosocial --config-path /etc/gotosocial/config.yaml admin account create \
+                                        --username "$GOTOSOCIAL_DEFAULT_USERNAME" --password "$password" \
+                                        --email "${GOTOSOCIAL_DEFAULT_USERNAME}@${GOTOSOCIAL_ACCOUNT_DOMAIN}"
+        gosu gotosocial /bin/gotosocial --config-path /etc/gotosocial/config.yaml admin account confirm \
+                                        --username "$GOTOSOCIAL_DEFAULT_USERNAME"
+        gosu gotosocial /bin/gotosocial --config-path /etc/gotosocial/config.yaml admin account promote \
+                                        --username "$GOTOSOCIAL_DEFAULT_USERNAME"
+        echo "Created an administrator user with username '$GOTOSOCIAL_DEFAULT_USERNAME' and password '$password'."
+        echo "Make sure to change this immediately after logging in for the first time!"
+    )
+fi
+
+# Run entrypoint under specific user.
+gosu gotosocial /bin/gotosocial --config-path /etc/gotosocial/config.yaml server start "$@"
--- a/service/gotosocial/gotosocial.env.template
+++ b/service/gotosocial/gotosocial.env.template
@ -0,0 +1,14 @@
+# Application settings.
+GOTOSOCIAL_HOST=${GOTOSOCIAL_HOST}
+GOTOSOCIAL_ACCOUNT_DOMAIN=${GOTOSOCIAL_ACCOUNT_DOMAIN}
+
+# User and authentication settings.
+GOTOSOCIAL_DEFAULT_USERNAME=${GOTOSOCIAL_DEFAULT_USERNAME}
+GOTOSOCIAL_ACCOUNT_REGISTRATION_OPEN=false
+
+# SMTP mailer settings.
+GOTOSOCIAL_SMTP_HOST=${POSTFIX_HOST}
+GOTOSOCIAL_SMTP_PORT=587
+GOTOSOCIAL_SMTP_USERNAME=${POSTFIX_LOCAL_SMTP_USERNAME}
+GOTOSOCIAL_SMTP_PASSWORD=${POSTFIX_LOCAL_SMTP_PASSWORD}
+GOTOSOCIAL_SMTP_FROM=${GOTOSOCIAL_SMTP_FROM}
--- a/service/gotosocial/spec.bu
+++ b/service/gotosocial/spec.bu
@ -0,0 +1,12 @@
+variant: fcos
+version: 1.3.0
+storage:
+  trees:
+    - path: /etc/coreos-home-server/gotosocial
+      local: service/gotosocial/
+    - path: /etc/systemd/system
+      local: service/gotosocial/systemd/
+systemd:
+  units:
+    - name: gotosocial.service
+      enabled: true
--- a/service/gotosocial/systemd/gotosocial.service
+++ b/service/gotosocial/systemd/gotosocial.service
@ -0,0 +1,20 @@
+[Unit]
+Description=GoToSocial ActivityPub Server
+Wants=container-build@%N.service container-volume@%N.service
+After=container-build@%N.service container-volume@%N.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+Restart=on-failure
+Environment=PODMAN_SYSTEMD_UNIT=%n
+ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
+                          --env-file %E/coreos-home-server/%N/%N.env \
+                          --volume %N:/var/lib/%N:z \
+                          localhost/%N:latest
+ExecStop=/bin/podman stop --ignore --time 10 %N
+ExecStopPost=/bin/podman rm --ignore --force %N
+
+[Install]
+WantedBy=multi-user.target