From 6159cffc3095255cacd94e744d5801fe8efd846a Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Tue, 13 Apr 2021 11:35:19 +0200
Subject: [PATCH] Add support in release and separate conf files for release/source install
Signed-off-by: Thomas Citharel
---
 mix.exs | 20 +++-
 support/nginx/mobilizon-release.conf | 98 +++++++++++++++++++
 .../{mobilizon.conf => mobilizon-source.conf} | 2 +-
 support/systemd/mobilizon-release.service | 28 ++++++
 ...lizon.service => mobilizon-source.service} | 0
 5 files changed, 146 insertions(+), 2 deletions(-)
 create mode 100644 support/nginx/mobilizon-release.conf
 rename support/nginx/{mobilizon.conf => mobilizon-source.conf} (99%)
 create mode 100644 support/systemd/mobilizon-release.service
 rename support/systemd/{mobilizon.service => mobilizon-source.service} (100%)
diff --git a/mix.exs b/mix.exs
index 000924be5..cfee10e65 100644
--- a/mix.exs
+++ b/mix.exs
@@ -33,7 +33,8 @@ defmodule Mobilizon.Mixfile do
 mobilizon: [
 include_executables_for: [:unix],
 applications: [eldap: :transient],
- config_providers: [{Mobilizon.ConfigProvider, "/etc/mobilizon/config.exs"}]
+ config_providers: [{Mobilizon.ConfigProvider, "/etc/mobilizon/config.exs"}],
+ steps: [:assemble, ©_files/1, ©_config/1]
 ]
 ]
 ]
@@ -49,6 +50,23 @@ defmodule Mobilizon.Mixfile do
 ]
 end
 
+ def copy_files(%{path: target_path} = release) do
+ File.cp_r!("./rel/overlays", target_path)
+ release
+ end
+
+ def copy_config(%{path: target_path} = release) do
+ support_path = Path.join([target_path, "support"])
+ File.mkdir!(support_path)
+
+ File.cp_r!(
+ "./support",
+ support_path
+ )
+
+ release
+ end
+
 # Specifies which paths to compile per environment.
 defp elixirc_paths(:test), do: ["lib", "test/support"]
 defp elixirc_paths(:dev), do: ["lib", "test/support/factory.ex"]
diff --git a/support/nginx/mobilizon-release.conf b/support/nginx/mobilizon-release.conf
new file mode 100644
index 000000000..d6303e0be
--- /dev/null
+++ b/support/nginx/mobilizon-release.conf
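Review bot: `File.mkdir!(support_path)` in the new copy_config step raises on an already existing directory, so re-running `mix release` into the same target path (the overwrite case) fails before anything is copied; `File.mkdir_p!(support_path)` is the idempotent form, and as far as I recall `File.cp_r!/2` creates a missing destination directory itself, so the explicit mkdir may not be needed at all. The same applies to `File.cp_r!("./rel/overlays", target_path)` in copy_files, which raises if that directory is absent and this patch does not add it; guard it with `File.dir?` or make sure the directory is committed. Both functions are public release steps without documentation; a short `@doc` on each stating that it receives the `Mix.Release` struct, copies the named directory into `release.path`, and must return the struct unchanged would make the `steps:` wiring in the first hunk self-explanatory. Note also that copying all of `./support` ships every file under that directory with the release, not only the nginx and systemd templates added here.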
@@ -0,0 +1,98 @@
+# default nginx site config for Mobilizon
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
+# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
+
+server {
+ server_name example.tld;
+
+ listen 80;
+ listen [::]:80;
+
+ # Remove once HTTPS is setup
+ location ^~ '/.well-known/acme-challenge' {
+ root /var/www/certbot;
+ default_type "text/plain";
+ }
+
+ # Uncomment once HTTPS is setup
+ # return 301 https://$server_name$request_uri;
+}
+
+server {
+ server_name example.tld;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_session_timeout 5m;
+
+ # Uncomment once you get the certificates
+ # ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
+ # ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
+
+ # Add TLSv1.3 if it's supported by your system
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA';
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve prime256v1;
+ # ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+
+ location / {
+ proxy_pass http://localhost:4000;
+ }
+
+ # Let's Encrypt keeps its files here
+ location ^~ '/.well-known/acme-challenge' {
+ root /var/www/certbot;
+ default_type "text/plain";
+ }
+
+ location ~ ^/(js|css) {
+ root /opt/mobilizon/priv/static;
+ etag off;
+ access_log off;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ }
+
+ location ~ ^/(media|proxy) {
+ etag off;
+ access_log off;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ proxy_pass http://localhost:4000;
+ }
+
+ error_page 500 501 502 503 504 @error;
+ location @error {
+ root /opt/mobilizon/priv/errors;
+ try_files /error.html 502;
+ }
+
+}
diff --git a/support/nginx/mobilizon.conf b/support/nginx/mobilizon-source.conf
similarity index 99%
rename from support/nginx/mobilizon.conf
rename to support/nginx/mobilizon-source.conf
index 544170607..ab6a81f1c 100644
--- a/support/nginx/mobilizon.conf
+++ b/support/nginx/mobilizon-source.conf
@@ -63,7 +63,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
-
+
 
 location / {
 proxy_pass http://localhost:4000;
diff --git a/support/systemd/mobilizon-release.service b/support/systemd/mobilizon-release.service
new file mode 100644
index 000000000..6b731e2ab
--- /dev/null
+++ b/support/systemd/mobilizon-release.service
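Review bot: The `add_header Cache-Control ...` lines inside `location ~ ^/(js|css)` and `location ~ ^/(media|proxy)` drop the server-level `Strict-Transport-Security` header for those responses, because nginx inherits `add_header` from the enclosing level only when the location defines none of its own; static assets and media therefore go out over 443 without HSTS. Repeat `add_header Strict-Transport-Security "max-age=31536000";` in each of those two locations, or move the shared headers into a snippet that every location includes. Separately, `root /opt/mobilizon/priv/static;` and `root /opt/mobilizon/priv/errors;` assume `priv` sits directly under the release root, whereas a Mix release normally places an application's priv directory under `lib/<app>-<vsn>/priv`; confirm these paths against the assembled release before this file is handed to installers, since a wrong root here silently falls through to 404s for `/js` and `/css`.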
@@ -0,0 +1,28 @@
+[Unit]
+Description=Mobilizon Service
+After=network.target postgresql.service
+
+[Service]
+User=mobilizon
+WorkingDirectory=/opt/mobilizon
+ExecStart=/opt/mobilizon/bin/mobilizon start
+ExecStop=/opt/mobilizon/bin/mobilizon stop
+KillMode=process
+Restart=on-failure
+Environment=MIX_ENV=prod
+
+SyslogIdentifier=mobilizon
+
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/support/systemd/mobilizon.service b/support/systemd/mobilizon-source.service
similarity index 100%
rename from support/systemd/mobilizon.service
rename to support/systemd/mobilizon-source.service
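Review bot: `Environment=MIX_ENV=prod` looks carried over from the source-install unit; a release started via `/opt/mobilizon/bin/mobilizon start` does not run Mix, so unless the release's start script reads that variable it is dead configuration and should be dropped rather than suggest to operators that it matters. The hardening block is a reasonable start but thin for a network-facing service running from `/opt/mobilizon`, which `ProtectSystem=full` leaves writable: `ProtectHome=true`, `ProtectKernelTunables=true` and `ProtectControlGroups=true` are low-risk additions, and `ProtectSystem=strict` plus `ReadWritePaths=` for the directories the service must write would keep the release tree itself read-only at runtime. Adding `Group=mobilizon` next to `User=mobilizon` makes file ownership explicit instead of relying on the user's primary group. Each added directive should get a one-line `;` comment in the same style as the existing ones so installers know why it is there and what to relax if it breaks their setup.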