Merge pull request 'Update nginx config and install docs to use certbot's nginx plugin' (#752) from norm/akkoma:docs-nginx-certbot into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/752
This commit is contained in:
commit
06847ca5f8
8 changed files with 155 additions and 229 deletions
|
@ -145,47 +145,13 @@ If you want to open your newly installed instance to the world, you should run n
|
||||||
doas apk add nginx
|
doas apk add nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
doas apk add certbot
|
|
||||||
```
|
|
||||||
|
|
||||||
and then set it up:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
doas mkdir -p /var/lib/letsencrypt/
|
|
||||||
doas certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
|
|
||||||
```
|
|
||||||
|
|
||||||
If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
|
|
||||||
|
|
||||||
* Copy the example nginx configuration to the nginx folder
|
* Copy the example nginx configuration to the nginx folder
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
doas cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf
|
doas cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name` and the paths to the certificates. You can use `nano` (install with `apk add nano` if missing).
|
* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name`. You can use `nano` (install with `apk add nano` if missing).
|
||||||
|
|
||||||
```
|
|
||||||
server {
|
|
||||||
server_name your.domain;
|
|
||||||
listen 80;
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
server_name your.domain;
|
|
||||||
listen 443 ssl http2;
|
|
||||||
...
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/your.domain/chain.pem;
|
|
||||||
ssl_certificate /etc/letsencrypt/live/your.domain/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/your.domain/privkey.pem;
|
|
||||||
...
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
* Enable and start nginx:
|
* Enable and start nginx:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -193,10 +159,37 @@ doas rc-update add nginx
|
||||||
doas rc-service nginx start
|
doas rc-service nginx start
|
||||||
```
|
```
|
||||||
|
|
||||||
If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
|
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
doas certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
|
doas apk add certbot certbot-nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
and then set it up:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
doas mkdir -p /var/lib/letsencrypt/
|
||||||
|
doas certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
|
||||||
|
|
||||||
|
To automatically renew, set up a cron job like so:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
# Enable the crond service
|
||||||
|
doas rc-update add crond
|
||||||
|
doas rc-service crond start
|
||||||
|
|
||||||
|
# Test that renewals work
|
||||||
|
doas certbot renew --cert-name yourinstance.tld --nginx --dry-run
|
||||||
|
|
||||||
|
# Add the renewal task to cron
|
||||||
|
echo '#!/bin/sh
|
||||||
|
certbot renew --cert-name yourinstance.tld --nginx
|
||||||
|
' | doas tee /etc/periodic/daily/renew-akkoma-cert
|
||||||
|
doas chmod +x /etc/periodic/daily/renew-akkoma-cert
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
#### OpenRC service
|
#### OpenRC service
|
||||||
|
|
|
@ -136,16 +136,17 @@ If you want to open your newly installed instance to the world, you should run n
|
||||||
sudo pacman -S nginx
|
sudo pacman -S nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Create directories for available and enabled sites:
|
* Copy the example nginx configuration:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
sudo mkdir -p /etc/nginx/sites-{available,enabled}
|
sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
* Append the following line at the end of the `http` block in `/etc/nginx/nginx.conf`:
|
* Before starting nginx edit the configuration and change it to your needs (e.g. change servername, change cert paths)
|
||||||
|
* Enable and start nginx:
|
||||||
|
|
||||||
```Nginx
|
```shell
|
||||||
include sites-enabled/*;
|
sudo systemctl enable --now nginx.service
|
||||||
```
|
```
|
||||||
|
|
||||||
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
||||||
|
@ -158,32 +159,18 @@ and then set it up:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
sudo mkdir -p /var/lib/letsencrypt/
|
sudo mkdir -p /var/lib/letsencrypt/
|
||||||
sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
|
sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
|
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
|
||||||
|
|
||||||
---
|
To make sure renewals work, enable the appropriate systemd timer:
|
||||||
|
|
||||||
* Copy the example nginx configuration and activate it:
|
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/sites-available/akkoma.nginx
|
sudo systemctl enable --now certbot-renew.timer
|
||||||
sudo ln -s /etc/nginx/sites-available/akkoma.nginx /etc/nginx/sites-enabled/akkoma.nginx
|
|
||||||
```
|
```
|
||||||
|
|
||||||
* Before starting nginx edit the configuration and change it to your needs (e.g. change servername, change cert paths)
|
Certificate renewal should be handled automatically by Certbot from now on.
|
||||||
* Enable and start nginx:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
sudo systemctl enable --now nginx.service
|
|
||||||
```
|
|
||||||
|
|
||||||
If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Other webserver/proxies
|
#### Other webserver/proxies
|
||||||
|
|
||||||
|
|
|
@ -155,23 +155,6 @@ If you want to open your newly installed instance to the world, you should run n
|
||||||
sudo apt install nginx
|
sudo apt install nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
sudo apt install certbot
|
|
||||||
```
|
|
||||||
|
|
||||||
and then set it up:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
sudo mkdir -p /var/lib/letsencrypt/
|
|
||||||
sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
|
|
||||||
```
|
|
||||||
|
|
||||||
If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
* Copy the example nginx configuration and activate it:
|
* Copy the example nginx configuration and activate it:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -186,12 +169,23 @@ sudo ln -s /etc/nginx/sites-available/akkoma.nginx /etc/nginx/sites-enabled/akko
|
||||||
sudo systemctl enable --now nginx.service
|
sudo systemctl enable --now nginx.service
|
||||||
```
|
```
|
||||||
|
|
||||||
If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
|
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
|
sudo apt install certbot python3-certbot-nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
|
and then set it up:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
sudo mkdir -p /var/lib/letsencrypt/
|
||||||
|
sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
|
||||||
|
|
||||||
|
Certificate renewal should be handled automatically by Certbot from now on.
|
||||||
|
|
||||||
#### Other webserver/proxies
|
#### Other webserver/proxies
|
||||||
|
|
||||||
You can find example configurations for them in `/opt/akkoma/installation/`.
|
You can find example configurations for them in `/opt/akkoma/installation/`.
|
||||||
|
|
|
@ -135,23 +135,6 @@ If you want to open your newly installed instance to the world, you should run n
|
||||||
sudo dnf install nginx
|
sudo dnf install nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
sudo dnf install certbot
|
|
||||||
```
|
|
||||||
|
|
||||||
and then set it up:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
sudo mkdir -p /var/lib/letsencrypt/
|
|
||||||
sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
|
|
||||||
```
|
|
||||||
|
|
||||||
If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
* Copy the example nginx configuration and activate it:
|
* Copy the example nginx configuration and activate it:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -165,12 +148,23 @@ sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.con
|
||||||
sudo systemctl enable --now nginx.service
|
sudo systemctl enable --now nginx.service
|
||||||
```
|
```
|
||||||
|
|
||||||
If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
|
* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
|
sudo dnf install certbot python3-certbot-nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
|
and then set it up:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
|
||||||
|
|
||||||
|
Certificate renewal should be handled automatically by Certbot from now on.
|
||||||
|
|
||||||
|
|
||||||
#### Other webserver/proxies
|
#### Other webserver/proxies
|
||||||
|
|
||||||
You can find example configurations for them in `/opt/akkoma/installation/`.
|
You can find example configurations for them in `/opt/akkoma/installation/`.
|
||||||
|
|
|
@ -201,25 +201,6 @@ Assuming you want to open your newly installed federated social network to, well
|
||||||
include sites-enabled/*;
|
include sites-enabled/*;
|
||||||
```
|
```
|
||||||
|
|
||||||
* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
# emerge --ask app-crypt/certbot app-crypt/certbot-nginx
|
|
||||||
```
|
|
||||||
|
|
||||||
and then set it up:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
# mkdir -p /var/lib/letsencrypt/
|
|
||||||
# certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
|
|
||||||
```
|
|
||||||
|
|
||||||
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again). Often the answer to issues with certbot is to use the `--nginx` flag once you have nginx up and running.
|
|
||||||
|
|
||||||
If you are using any additional subdomains, such as for a media proxy, you can re-run the same command with the subdomain in question. When it comes time to renew later, you will not need to run multiple times for each domain, one renew will handle it.
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
* Copy the example nginx configuration and activate it:
|
* Copy the example nginx configuration and activate it:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -237,9 +218,24 @@ Pay special attention to the line that begins with `ssl_ecdh_curve`. It is stong
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
# rc-update add nginx default
|
# rc-update add nginx default
|
||||||
# /etc/init.d/nginx start
|
# rc-service nginx start
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
# emerge --ask app-crypt/certbot app-crypt/certbot-nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
and then set it up:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
# mkdir -p /var/lib/letsencrypt/
|
||||||
|
# certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
|
||||||
|
|
||||||
If you are using certbot, it is HIGHLY recommend you set up a cron job that renews your certificate, and that you install the suggested `certbot-nginx` plugin. If you don't do these things, you only have yourself to blame when your instance breaks suddenly because you forgot about it.
|
If you are using certbot, it is HIGHLY recommend you set up a cron job that renews your certificate, and that you install the suggested `certbot-nginx` plugin. If you don't do these things, you only have yourself to blame when your instance breaks suddenly because you forgot about it.
|
||||||
|
|
||||||
First, ensure that the command you will be installing into your crontab works.
|
First, ensure that the command you will be installing into your crontab works.
|
||||||
|
|
|
@ -9,7 +9,7 @@ This guide covers a installation using an OTP release. To install Akkoma from so
|
||||||
* For installing OTP releases on RedHat-based distros like Fedora and Centos Stream, please follow [this guide](./otp_redhat_en.md) instead.
|
* For installing OTP releases on RedHat-based distros like Fedora and Centos Stream, please follow [this guide](./otp_redhat_en.md) instead.
|
||||||
* A (sub)domain pointed to the machine
|
* A (sub)domain pointed to the machine
|
||||||
|
|
||||||
You will be running commands as root. If you aren't root already, please elevate your priviledges by executing `sudo su`/`su`.
|
You will be running commands as root. If you aren't root already, please elevate your priviledges by executing `sudo -i`/`su`.
|
||||||
|
|
||||||
While in theory OTP releases are possbile to install on any compatible machine, for the sake of simplicity this guide focuses only on Debian/Ubuntu and Alpine.
|
While in theory OTP releases are possbile to install on any compatible machine, for the sake of simplicity this guide focuses only on Debian/Ubuntu and Alpine.
|
||||||
|
|
||||||
|
@ -176,11 +176,6 @@ su akkoma -s $SHELL -lc "./bin/pleroma stop"
|
||||||
|
|
||||||
### Setting up nginx and getting Let's Encrypt SSL certificaties
|
### Setting up nginx and getting Let's Encrypt SSL certificaties
|
||||||
|
|
||||||
#### Get a Let's Encrypt certificate
|
|
||||||
```sh
|
|
||||||
certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Copy Akkoma nginx configuration to the nginx folder
|
#### Copy Akkoma nginx configuration to the nginx folder
|
||||||
|
|
||||||
The location of nginx configs is dependent on the distro
|
The location of nginx configs is dependent on the distro
|
||||||
|
@ -209,6 +204,14 @@ $EDITOR path-to-nginx-config
|
||||||
# Verify that the config is valid
|
# Verify that the config is valid
|
||||||
nginx -t
|
nginx -t
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Get a Let's Encrypt certificate
|
||||||
|
```sh
|
||||||
|
certbot --nginx -d yourinstance.tld -d media.yourinstance.tld
|
||||||
|
```
|
||||||
|
|
||||||
|
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
|
||||||
|
|
||||||
#### Start nginx
|
#### Start nginx
|
||||||
|
|
||||||
=== "Alpine"
|
=== "Alpine"
|
||||||
|
@ -252,32 +255,19 @@ If everything worked, you should see Akkoma-FE when visiting your domain. If tha
|
||||||
## Post installation
|
## Post installation
|
||||||
|
|
||||||
### Setting up auto-renew of the Let's Encrypt certificate
|
### Setting up auto-renew of the Let's Encrypt certificate
|
||||||
```sh
|
|
||||||
# Create the directory for webroot challenges
|
|
||||||
mkdir -p /var/lib/letsencrypt
|
|
||||||
|
|
||||||
# Uncomment the webroot method
|
|
||||||
$EDITOR path-to-nginx-config
|
|
||||||
|
|
||||||
# Verify that the config is valid
|
|
||||||
nginx -t
|
|
||||||
```
|
|
||||||
|
|
||||||
=== "Alpine"
|
=== "Alpine"
|
||||||
```
|
```
|
||||||
# Restart nginx
|
|
||||||
rc-service nginx restart
|
|
||||||
|
|
||||||
# Start the cron daemon and make it start on boot
|
# Start the cron daemon and make it start on boot
|
||||||
rc-service crond start
|
rc-service crond start
|
||||||
rc-update add crond
|
rc-update add crond
|
||||||
|
|
||||||
# Ensure the webroot menthod and post hook is working
|
# Ensure the webroot menthod and post hook is working
|
||||||
certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'rc-service nginx reload'
|
certbot renew --cert-name yourinstance.tld --nginx --dry-run
|
||||||
|
|
||||||
# Add it to the daily cron
|
# Add it to the daily cron
|
||||||
echo '#!/bin/sh
|
echo '#!/bin/sh
|
||||||
certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "rc-service nginx reload"
|
certbot renew --cert-name yourinstance.tld --nginx
|
||||||
' > /etc/periodic/daily/renew-akkoma-cert
|
' > /etc/periodic/daily/renew-akkoma-cert
|
||||||
chmod +x /etc/periodic/daily/renew-akkoma-cert
|
chmod +x /etc/periodic/daily/renew-akkoma-cert
|
||||||
|
|
||||||
|
@ -286,22 +276,7 @@ nginx -t
|
||||||
```
|
```
|
||||||
|
|
||||||
=== "Debian/Ubuntu"
|
=== "Debian/Ubuntu"
|
||||||
```
|
This should be automatically enabled with the `certbot-renew.timer` systemd unit.
|
||||||
# Restart nginx
|
|
||||||
systemctl restart nginx
|
|
||||||
|
|
||||||
# Ensure the webroot menthod and post hook is working
|
|
||||||
certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'systemctl reload nginx'
|
|
||||||
|
|
||||||
# Add it to the daily cron
|
|
||||||
echo '#!/bin/sh
|
|
||||||
certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
|
|
||||||
' > /etc/cron.daily/renew-akkoma-cert
|
|
||||||
chmod +x /etc/cron.daily/renew-akkoma-cert
|
|
||||||
|
|
||||||
# If everything worked the output should contain /etc/cron.daily/renew-akkoma-cert
|
|
||||||
run-parts --test /etc/cron.daily
|
|
||||||
```
|
|
||||||
|
|
||||||
## Create your first user and set as admin
|
## Create your first user and set as admin
|
||||||
```sh
|
```sh
|
||||||
|
|
|
@ -82,6 +82,7 @@ Other than things bundled in the OTP release Akkoma depends on:
|
||||||
* PostgreSQL (also utilizes extensions in postgresql-contrib)
|
* PostgreSQL (also utilizes extensions in postgresql-contrib)
|
||||||
* nginx (could be swapped with another reverse proxy but this guide covers only it)
|
* nginx (could be swapped with another reverse proxy but this guide covers only it)
|
||||||
* certbot (for Let's Encrypt certificates, could be swapped with another ACME client, but this guide covers only it)
|
* certbot (for Let's Encrypt certificates, could be swapped with another ACME client, but this guide covers only it)
|
||||||
|
* If you are using certbot, also install the `python3-certbot-nginx` package for the nginx plugin
|
||||||
* libmagic/file
|
* libmagic/file
|
||||||
|
|
||||||
First, update your system, if not already done:
|
First, update your system, if not already done:
|
||||||
|
@ -169,12 +170,6 @@ sudo -Hu akkoma ./bin/pleroma stop
|
||||||
|
|
||||||
### Setting up nginx and getting Let's Encrypt SSL certificaties
|
### Setting up nginx and getting Let's Encrypt SSL certificaties
|
||||||
|
|
||||||
#### Get a Let's Encrypt certificate
|
|
||||||
|
|
||||||
```shell
|
|
||||||
certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Copy Akkoma nginx configuration to the nginx folder
|
#### Copy Akkoma nginx configuration to the nginx folder
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -195,8 +190,15 @@ sudo nginx -t
|
||||||
sudo systemctl start nginx
|
sudo systemctl start nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
At this point if you open your (sub)domain in a browser you should see a 502 error, that's because Akkoma is not started yet.
|
#### Get a Let's Encrypt certificate
|
||||||
|
|
||||||
|
```shell
|
||||||
|
sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
|
||||||
|
|
||||||
|
If you're successful with obtaining the certificates, opening your (sub)domain in a browser will result in a 502 error, since Akkoma hasn't been started yet.
|
||||||
|
|
||||||
### Setting up a system service
|
### Setting up a system service
|
||||||
|
|
||||||
|
@ -239,19 +241,11 @@ sudo nginx -t
|
||||||
# Restart nginx
|
# Restart nginx
|
||||||
sudo systemctl restart nginx
|
sudo systemctl restart nginx
|
||||||
|
|
||||||
# Ensure the webroot menthod and post hook is working
|
# Test that renewals work properly
|
||||||
sudo certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'systemctl reload nginx'
|
sudo certbot renew --cert-name yourinstance.tld --nginx --dry-run
|
||||||
|
|
||||||
# Add it to the daily cron
|
|
||||||
echo '#!/bin/sh
|
|
||||||
certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
|
|
||||||
' > /etc/cron.daily/renew-akkoma-cert
|
|
||||||
sudo chmod +x /etc/cron.daily/renew-akkoma-cert
|
|
||||||
|
|
||||||
# If everything worked the output should contain /etc/cron.daily/renew-akkoma-cert
|
|
||||||
sudo run-parts --test /etc/cron.daily
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Assuming the commands were run successfully, certbot should be able to renew your certificates automatically via the `certbot-renew.timer` systemd unit.
|
||||||
|
|
||||||
## Create your first user and set as admin
|
## Create your first user and set as admin
|
||||||
```shell
|
```shell
|
||||||
|
|
|
@ -1,10 +1,7 @@
|
||||||
# default nginx site config for Akkoma
|
# default nginx site config for Akkoma
|
||||||
#
|
#
|
||||||
# Simple installation instructions:
|
# See the documentation at docs.akkoma.dev for your particular distro/OS for
|
||||||
# 1. Install your TLS certificate, possibly using Let's Encrypt.
|
# installation instructions.
|
||||||
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
|
|
||||||
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
|
|
||||||
# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
|
|
||||||
|
|
||||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g
|
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g
|
||||||
inactive=720m use_temp_path=off;
|
inactive=720m use_temp_path=off;
|
||||||
|
@ -15,25 +12,19 @@ upstream phoenix {
|
||||||
server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
|
server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
# If you are setting up TLS certificates without certbot, uncomment the
|
||||||
server_name example.tld;
|
# following to enable HTTP -> HTTPS redirects. Certbot users don't need to do
|
||||||
|
# this as it will automatically do this for you.
|
||||||
listen 80;
|
# server {
|
||||||
listen [::]:80;
|
# server_name example.tld media.example.tld;
|
||||||
|
#
|
||||||
# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
|
# listen 80;
|
||||||
# that the directory exists and that it is accessible by the webserver. If you followed
|
# listen [::]:80;
|
||||||
# the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
|
#
|
||||||
# You may need to load this file with the ssl server block commented out, run certbot
|
# location / {
|
||||||
# to get the certificate, and then uncomment it.
|
# return 301 https://$server_name$request_uri;
|
||||||
#
|
# }
|
||||||
# location ~ /\.well-known/acme-challenge {
|
# }
|
||||||
# root /var/lib/letsencrypt/;
|
|
||||||
# }
|
|
||||||
location / {
|
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Enable SSL session caching for improved performance
|
# Enable SSL session caching for improved performance
|
||||||
ssl_session_cache shared:ssl_session_cache:10m;
|
ssl_session_cache shared:ssl_session_cache:10m;
|
||||||
|
@ -41,22 +32,29 @@ ssl_session_cache shared:ssl_session_cache:10m;
|
||||||
server {
|
server {
|
||||||
server_name example.tld;
|
server_name example.tld;
|
||||||
|
|
||||||
listen 443 ssl http2;
|
# Once certbot is set up, this will automatically be updated to listen to
|
||||||
listen [::]:443 ssl http2;
|
# port 443 with TLS alongside a redirect from plaintext HTTP.
|
||||||
ssl_session_timeout 1d;
|
listen 80;
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
listen [::]:80;
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem;
|
# If you are not using Certbot, comment out the above and uncomment/edit the following
|
||||||
ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
# listen 443 ssl http2;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
|
# listen [::]:443 ssl http2;
|
||||||
|
# ssl_session_timeout 1d;
|
||||||
|
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
|
# ssl_session_tickets off;
|
||||||
|
#
|
||||||
|
# ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem;
|
||||||
|
# ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
||||||
|
# ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
|
||||||
|
#
|
||||||
|
# ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
# ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||||
|
# ssl_prefer_server_ciphers off;
|
||||||
|
# ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
|
||||||
|
# ssl_stapling on;
|
||||||
|
# ssl_stapling_verify on;
|
||||||
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
gzip_vary on;
|
gzip_vary on;
|
||||||
gzip_proxied any;
|
gzip_proxied any;
|
||||||
|
@ -86,27 +84,22 @@ server {
|
||||||
|
|
||||||
# Upload and MediaProxy Subdomain
|
# Upload and MediaProxy Subdomain
|
||||||
# (see main domain setup for more details)
|
# (see main domain setup for more details)
|
||||||
server {
|
|
||||||
server_name media.example.tld;
|
|
||||||
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
server_name media.example.tld;
|
server_name media.example.tld;
|
||||||
|
|
||||||
listen 443 ssl http2;
|
# Same as above, will be updated to HTTPS once certbot is set up.
|
||||||
listen [::]:443 ssl http2;
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/media.example.tld/chain.pem;
|
# If you are not using certbot, comment the above and copy all the ssl
|
||||||
ssl_certificate /etc/letsencrypt/live/media.example.tld/fullchain.pem;
|
# stuff from above into here.
|
||||||
ssl_certificate_key /etc/letsencrypt/live/media.example.tld/privkey.pem;
|
|
||||||
# .. copy all other the ssl_* and gzip_* stuff from main domain
|
gzip_vary on;
|
||||||
|
gzip_proxied any;
|
||||||
|
gzip_comp_level 6;
|
||||||
|
gzip_buffers 16 8k;
|
||||||
|
gzip_http_version 1.1;
|
||||||
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
||||||
|
|
||||||
# the nginx default is 1m, not enough for large media uploads
|
# the nginx default is 1m, not enough for large media uploads
|
||||||
client_max_body_size 16m;
|
client_max_body_size 16m;
|
||||||
|
|
Loading…
Reference in a new issue