La machine a été installée en repectant les procédures d'installations de VM.

Installation inspirée de ce tuto.

Configuration APT :

• /etc/apt/sources.list.d/nodejs.list (stretch pas encore dispo, mais fonctionnel avec paquet jessie)

deb https://deb.nodesource.com/node_6.x jessie main
deb-src https://deb.nodesource.com/node_6.x jessie main

Installation des dépendances :

apt update
apt install imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev file git curl
#laisser les configurations par défaut dans les boites de dialogue
apt install nodejs

npm install -g yarn
apt install redis-server redis-tools
apt-get install postgresql postgresql-contrib

Création de la base postgres :

su - postgres
psql
CREATE USER mastodon CREATEDB;
\q
exit

Installation des dépendances Ruby :

apt install autoconf bison build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm3 libgdbm-dev rbenv bundler

Configuration de l'environnement Ruby :

su - mastodon
echo 'export PATH="$HOME/.rbenv/bin:/usr/sbin:$PATH"' >> ~/.bash_profile
echo 'eval "$(rbenv init -)"' >> ~/.bash_profile
exit

On a besoin de Ruby 2.4.1 (au moins), d'après la doc, cette version n'est présente dans aucun dépot Debian… installation manuelle :

su - mastodon
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
rbenv install 2.4.1

Clonage de Mastodon :

cd ~
git clone https://github.com/tootsuite/mastodon.git live
cd live
#positionnement sur la dernière branche stable :
git checkout v1.4.1
git checkout -b stable
bundle install --deployment --without development test
yarn install

Configuration de Mastodon :

cp .env.production.sample .env.production
vim .env.production
# modifier ces champs :
REDIS_HOST=127.0.0.1
REDIS_PORT=6379
DB_HOST=/var/run/postgresql
DB_USER=mastodon
DB_NAME=mastodon-production
DB_PASS=
DB_PORT=5432
LOCAL_DOMAIN=pouet.chapril.org
LOCAL_HTTPS=true
# générer trois chaines aléatoires pour ces champs avec la commande "bundle exec rake secret :
#PAPERCLIP_SECRET=
#SECRET_KEY_BASE=
#OTP_SECRET=
DEFAULT_LOCALE=fr
SMTP_SERVER=localhost
SMTP_PORT=25
SMTP_FROM_ADDRESS=mastodon@chapril.org
SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
SMTP_AUTH_METHOD=none
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_ENABLE_STARTTLS_AUTO=false

La configuration a été déplacée dans /etc pour pouvoir la suivre avec etckeeper.

cp /home/mastodon/live/.env.production /etc/mastodon.conf
ln -sf /etc/mastodon.conf /home/mastodon/live/.env.production

Configuration de la base de donnée pgsql :

RAILS_ENV=production bundle exec rails db:setup

Préparation des js et css :

RAILS_ENV=production bundle exec rails assets:precompile

Configuration des services systemd :

• Web : /etc/systemd/system/mastodon-web.service

[Unit]
 Description=mastodon-web
 After=network.target

[Service]
 Type=simple
 User=mastodon
 WorkingDirectory=/home/mastodon/live
 Environment="RAILS_ENV=production"
 Environment="PORT=3000"
 ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
 TimeoutSec=15
 Restart=always

[Install]
 WantedBy=multi-user.target

• Backend : /etc/systemd/system/mastodon-sidekiq.service

[Unit]
 Description=mastodon-sidekiq
 After=network.target

[Service]
 Type=simple
 User=mastodon
 WorkingDirectory=/home/mastodon/live
 Environment="RAILS_ENV=production"
 Environment="DB_POOL=20"
 ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 20 -q default -q mailers -q pull -q push
 TimeoutSec=15
 Restart=always

[Install]
 WantedBy=multi-user.target

• API : /etc/systemd/system/mastodon-streaming.service

[Unit]
 Description=mastodon-streaming
 After=network.target

[Service]
 Type=simple
 User=mastodon
 WorkingDirectory=/home/mastodon/live
 Environment="NODE_ENV=production"
 Environment="PORT=4000"
 ExecStart=/usr/bin/npm run start
 TimeoutSec=15
 Restart=always

[Install]
 WantedBy=multi-user.target

Activation des services :

systemctl enable /etc/systemd/system/mastodon-*.service

Nous avons besoin d'écouter sur 0.0.0.0, nous avons donc du patcher le code :

mastodon@pouet:~/live$ git diff 8963f8c3c2630bfcc377a5ca0513eef5a6b2a4bc
diff --git a/streaming/index.js b/streaming/index.js
index 52b5ccce..e9e77804 100644
--- a/streaming/index.js
+++ b/streaming/index.js
@@ -404,7 +404,7 @@ const startWorker = (workerId) => {
     });
   }, 30000);
 
-  server.listen(process.env.PORT || 4000, () => {
+  server.listen(process.env.PORT || 4000, '0.0.0.0', () => {
     log.info(`Worker ${workerId} now listening on ${server.address().address}:${server.address().port}`);
   });

Les démons de Mastodon ne servent pas les éléments statiques (avatar, js, css, png etc), il faut les servir avec un démon HTTP. Un nginx a été configuré sur pouet avec la configuration suivante :

server {
    listen 80 default_server;
    listen [::]:80 default_server;

        root /home/mastodon/live/public;

        server_name pouet.chapril.org _;

        location / {
                try_files $uri $uri/;
        }
}

La vm bastion redirige le traffic vers la vm sur les ports 3000 et 4000, avec quelques éléments statiques. La configuration nginx sur bastion est la suivante :

map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
}

server {
        listen 80;

        server_name pouet.chapril.org;
        # On redirige tout en HTTPS
        return 301 https://pouet.chapril.org$request_uri;

        access_log /var/log/nginx/pouet.chapril.org-access.log;
        error_log /var/log/nginx/pouet.chapril.org-error.log;
}

server {
        listen 443 ssl;
        server_name pouet.chapril.org;

        access_log /var/log/nginx/pouet.chapril.org-access.log;
        error_log /var/log/nginx/pouet.chapril.org-error.log;

        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; connect-src 'self' wss://pouet.chapril.org; frame-ancestors 'none';";

        # HTTPS
        ssl_certificate     /var/lib/dehydrated/certs/pouet.chapril.org/fullchain.pem;
        ssl_certificate_key /var/lib/dehydrated/certs/pouet.chapril.org/privkey.pem;
        ssl_protocols TLSv1.2;
        ssl_ecdh_curve prime256v1;
        ssl_ciphers EECDH+AESGCM:EECDH+AES;
        ssl_prefer_server_ciphers on;
        
        location / {
                add_header Referrer-Policy "strict-origin-when-cross-origin";
                add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; connect-src 'self' wss://pouet.chapril.org; frame-ancestors 'none';";
                try_files $uri @proxy_static @proxy;
        }

        location ~ ^/(packs|assets|system/media_attachments/files|system/accounts/avatars|avatars|emoji|headers|sounds) {
                add_header Cache-Control "public, max-age=31536000, immutable";
                add_header Referrer-Policy "strict-origin-when-cross-origin";
                add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; connect-src 'self' wss://pouet.chapril.org; frame-ancestors 'none';";
                try_files $uri @proxy_static;
        }  

        location @proxy_static {
                add_header Referrer-Policy "strict-origin-when-cross-origin";
                add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; connect-src 'self' wss://pouet.chapril.org; frame-ancestors 'none';";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass_header Server;
                proxy_pass http://192.168.1.194:80;
                proxy_buffering off;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

        location @proxy {
                add_header Referrer-Policy "strict-origin-when-cross-origin";
                add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; connect-src 'self' wss://pouet.chapril.org; frame-ancestors 'none';";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass_header Server;
                proxy_pass http://192.168.1.194:3000;
                proxy_buffering off;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

        location /api/v1/streaming {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass http://192.168.1.194:4000;
                proxy_buffering off;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }
        error_page 500 501 502 503 504 /500.html;
}