== LURK specific settings ==

Tinc is currently installed to connect nodes in the lurk network

agnesbaxter = 10.0.1.3
skattkista = 10.0.1.2 (currently dead)
vrijdagmiddagborrel = 10.0.1.4 (gone)
manis = 10.0.1.5
poplar = 10.0.1.6 (gone)
stuff = 10.0.1.7
tilia = 10.0.1.8
larix = 10.0.1.9

all clients that connect via server agnesbaxter

[[Category: VPN]]

Off-site Backup with Backupninja

2026-02-16T11:52:43Z

Rra:

Welcome to post.lurk.org

2025-06-17T10:45:43Z

Rra:

This page is for new users of post.lurk.org. Here we have compiled some information that can help you with the software we use, including resources that explain what the Fediverse is about. If some links are dead, please let us know so we can update this page!

== Micro-blogging on the Fediverse ==
=== What is an instance? ===
In brief: the Fediverse is a is an ensemble of interconnected servers that are used for all sort of services (micro-blogging, file hosting, video sharing, etc). An instance is the name given to the server, and sometimes by extension the community, around a particular server that runs software to offer a service as part of an interconnected network of other servers and services available through the Fediverse. https://post.lurk.org is an instance for the LURK community. It runs a modified version of the Mastodon software, which is a FLOSS micro-blogging platform. Generally speaking, users on our instance can interact/follow other users from other instances.

[[File:Fedi-local.png|640px]]

=== Discovering content and people ===
The Fediverse and Mastodon are not super intuitive. The most difficult thing is to discover content and people you find interesting. For that there are generally two strategies:
* First, you can post and subscribe to hashtags. This is currently the best way to find particular conversations. For example you could look at or post to #fediverse to find others interested in that topic. Most commonly #introductions is used to describe briefly what you are interested in, that way people can follow you. We recommend that you write such an #introductions post so that some of us can boost you for visibility.
* The second strategy is to make use of both the 'Local' and 'Federated'/'Global' timelines. The local one shows all posts written by people on post.lurk.org. The 'Global' timeline shows all posts by people followed by people on post.lurk.org but who are themselves on a different part of the network.
* The third strategy is to make use of external tools. One such option is [https://streetpass.social/ Street Pass], a browser extension that automatically collects profiles of fediverse users as you browse the web. Another option is to use [https://fedidevs.com/starter-packs/ Starter Packs], which are collections of accounts that you can automatically follow.

=== Post visibility ===
Mastodon has quite granular visibility settings for your posts, you find them in the message compose field. Here is how they work:

[[File:Cas-post-privacy.png|640px]]

'''In addition to those we have another option (the chain link) which makes your posts not federate, meaning they are only visible on post.lurk.org. Only people registered and logged in post.lurk.org will see a local, non-federated, post.''' This is specific to the modified version of Mastodon that we run. This is not a feature that you will find in the vast majority of other Mastodon instances. We think this is an interesting feature because we believe that not all conversations/posts should be broadcasted to the whole network. It helps develop the local subculture within LURK, get to know and trust each other, and provide a safer space for private jokes or difficult conversations.

== Account Settings ==
* It is possible to switch to different colour themes and even a multi-column layout in your preferences: https://post.lurk.org/settings/preferences/appearance
* If you want to move to another instance, no problem! You can migrate your social graph here: https://post.lurk.org/settings/profile
* If you know of other people who could feel at home on post.lurk.org, that you trust, and can clearly identify to the [https://post.lurk.org/about/more#is-this-for-you "Is this for you?"] section of post.lurk.org, then please invite them by generating an invite code. https://post.lurk.org/invites . Make sure you also send them here when you do so!

== post.lurg.org is part of LURK ==
=== Terms of Service and Server Rules ===
Super important, if you did not read them yet, please check our terms and rules. https://post.lurk.org/about/more

=== Staying in touch ===
In case the instance is down, or if you have a problem, you can get in touch via email (see https://lurk.org) or chat by using https://partyline.lurk.org

Due to a recent changes in Mastodon, new users do not follow automatically the admins of the instance by default. This is a an issue for a small community like ours as we were using this feature to keep track of users activity (including boosting some of your initial posts so you can get more visibility across the network at first), and also use our own personal account to communicate about server maintenance and general LURK news. Therefore please do follow our shared admin account [https://post.lurk.org/@lurk @lurk]. From time to time we also run a server side command to make sure all users are still following this account, so no, there's no escape :)

Please send us a direct message to [https://post.lurk.org/@lurk @lurk] if you have any questions or issues that you'd like to address, if you are feeling unsafe and/or if you think there might be a breach of the terms of service and you'd like to discuss this with us before taking action.

Of course you can also follow our personal accounts, if what we post is relevant to your insterests: [https://post.lurk.org/@320x200 @320x200], [https://post.lurk.org/@lidia_p @lidia_p], and [https://post.lurk.org/@rra @rra].

=== Support the infrastructure! ===
<span style="color:#FFFFFF; background:#0000FF">'''Last but not least, LURK can only run such services thanks to its community. If you are in a privileged enough position in which you can afford supporting us financially, please consider chipping in to make LURK sustainable in the long run! We need to break the free-as-in-beer culture of surveillance capitalism.'''</span>
https://opencollective.com/lurk

== Further Reading ==
If you wanna do some serious reading on what else is possible, and perspectives on the Fediverse, here are some pointers:
* https://github.com/joyeusenoelle/GuideToMastodon
* https://monoskop.org/images/c/cc/Mansoux_Aymeric_Abbing_Roel_Roscam_2020_Seven_Theses_on_the_Fediverse_and_the_Becoming_of_FLOSS.pdf

[[Category: Fediverse]]

Mastodon

2025-02-04T10:01:59Z

Rra: /* script for pruning remote cache */

https://post.lurk.org is a mastodon service. [https://joinmastodon.org/ Mastodon] is a federated microblogging software that speaks both [http://www.activitypub.rocks/ ActivityPub] and [https://en.wikipedia.org/wiki/OStatus OStatus] and can thus communicate with other microblogging softwares like [https://gnu.io/ GnuSocial], [https://pleroma.social/ Pleroma], [https://github.com/pump-io/pump.io Pump.io] etc.

== admin resources ==

=== Useful pages from the mastodon documentation ===

* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Production-guide.md Installing Mastodon] the guide is meant for Ubuntu 16.04 but it worked flawlessly on Debian Stretch
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Tuning.md Tuning mastodon performance] TODO
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/List-of-Rake-tasks.md Mastodon admin commands from ruby terminal]
* [https://github.com/tootsuite/documentation/blob/master/Maintaining-Mastodon/Backups-Guide.md What and how to back up in Mastodon]
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Updating-Mastodon-Guide.md Updating to newer versions]

=== Admin community / help ===

* [https://discourse.joinmastodon.org/ Mastodon forum] some discussions happen here
* [https://github.com/tootsuite/mastodon/issues Mastodon git issues] some happen there

== Installation ==

post.lurk.org followed the mastodon install almost literally since it was one-to-one applicable on debian stretch. Quite boring really.

This means that mastodon runs as the user mastodon. All the mastodon files live in:
/home/mastodon/live/

Differences are:
* When running the interactive set up during install, the smtp address is set as localhost and the [[Postfix_Relay|postfix relay]] takes care of the rest.
* Mastodon-web runs on port 3001 instead of 3000, the changes to this are reflected in the systemd service files and in the nginx virtualhost config

== Maintenance ==

Mastodon can be (re)started by:
systemctl stop mastodon-*.service
systemctl start mastodon-web.service
systemctl start mastodon-sidekiq.service
systemctl start mastodon-streaming.service

Sometimes, specially when disk is full, postgresql may have crashed, and mastodon-streaming service will start *but* internally enter a loop of complaining that it cannot connect to the db (super annoying because to see that you need to examine the status of the service), anyway:

service postgresql restart

=== reduce disk space usage by cleaning out old versions of ruby, yarn etc after upgrades ===

rm the cache of yarn (nodejs package manager):

yarn cache clean

rm old versions of ruby you no longer need:

rbenv uninstall 2.5.3

source:
https://toot.cafe/@nolan/101450836285521185

=== script for pruning remote cache ===

#!/bin/bash
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"
export RAILS_ENV=production
LD_PRELOAD=libjemalloc.so

echo -n "Start: "
date
BEFORE=`df -h /dev/xvda1`
BEFORE_DISK2=`df -h /dev/xvdb1`
# This one might be causing people to lose followers etc
#ionice -c 3 /home/mastodon/live/bin/tootctl accounts cull | awk '/The following domains were not available during the check/,0' > ~/crawl-domains-sorted.txt
ionice -c 3 /home/mastodon/live/bin/tootctl statuses remove --days=20
ionice -c 3 /home/mastodon/live/bin/tootctl media remove --days=2 --concurrency=8
ionice -c 3 /home/mastodon/live/bin/tootctl media remove --days=14 --prune-profiles --concurrency=8
ionice -c 3 /home/mastodon/live/bin/tootctl preview_cards remove --days=2 --concurrency=8
ionice -c 3 /home/mastodon/live/bin/tootctl media remove-orphans
#ionice -c 3 /home/mastodon/live/bin/tootctl cache clear
ionice -c 3 /home/mastodon/live/bin/tootctl media usage
echo -n "End: "
date
echo "Disk usage before and after:"
echo $BEFORE
df -h /dev/xvda1
echo $BEFORE_DISK2
df -h /dev/xvdb1

=== deleting remote inactive account and their associated avatars and headers ===

Deleting media attachments is not enough! Since Mastodon builds a local copy of every account it knows in the fediverse you will see the folders <code>/home/mastodon/live/public/system</code> balloon over time. Many instance admins [https://discourse.joinmastodon.org/t/clean-instance-unused-accounts-older-media/1182/6 are] [https://discourse.joinmastodon.org/t/ballooning-avatars-and-headers-folders/2049/4 dealing] [https://github.com/tootsuite/mastodon/issues/9567 with] [https://mathstodon.xyz/@christianp/102655520448724916 this issue] and the prevailing attitude to solving it is to get more storage, which is bs.

So here is an interim solution based on [https://discourse.joinmastodon.org/t/ballooning-avatars-and-headers-folders/2049/5 this]:

First query the <code>mastodon_production</code> database to find out which accounts haven't been active for 6 months or more:

sudo -i -u postgres /bin/bash -l -c "psql -A -d mastodon_production -c \"SELECT username||'@'||domain FROM public.accounts WHERE last_webfingered_at < (CURRENT_TIMESTAMP - interval '6 months') AND id NOT IN (SELECT target_account_id FROM public.follows)\"" | tail -n +2 | head -n -1 > stale.txt

Once you have that list use a scripting language to parse it. The below example is in python. Its suuuuuper slow so probably not the best way to do it. Calling rails like this is not so smart I guess. But hey it works. It went from 11.5GB worth of headers and avatars to 7.5GB.

mastodon@server:~$ cat del_stale_users.py

#get the output from:
#sudo -i -u postgres /bin/bash -l -c "psql -A -d mastodon_production -c \"SELECT username||'@'||domain FROM public.accounts WHERE last_webfingered_at < (CURRENT_TIMESTAMP - interval '12 months') AND id NOT IN (SELECT target_account_id FROM public.follows)\"" | tail -n +2 | head -n -1 > stale.txt
#and delete them

import os

stale_users=open('stale.txt').read().split('\n')

os.chdir('/home/mastodon/live')

command = """RAILS_ENV=production bundle exec rails r '
begin
a = Account.find_by(username: "{}", domain: "{}")
a.destroy
rescue => err
end'
"""

for user in stale_users:
if user:
username, domain = user.split('@')
os.system(command.format(username,domain))
print('deleted', user)

=== linkdump of bespoke maintenance scripts ===

https://mastodon.zombocloud.com/@staticsafe/103121989384729357

=== Make all the accounts force follow one specific account ===
Assuming you want everyone to follow <code>@lurk@post.lurk.org</code> then you would do the following:
su mastodon
cd ~/live
RAILS_ENV=production bin/tootctl accounts follow lurk --verbose

Notes:
* It can be ran live while the instance is up and running
* It takes a while for the command to get going, and it may spit a few warnings, then after that it's '''very''' quick and the <code>--verbose</code> flag helps to keep track of progress
* At time of writing, there's no way to specify which account(s) will be affected, everyone will be processed

== Performance tweaks ==

=== Increasing character limit on posts ===
Search and replace '500' by whatever you want in these two files:

modified: app/javascript/mastodon/features/compose/components/compose_form.js
modified: app/validators/status_length_validator.rb

Next, we probably want to let the world know, too. Currently there’s no official way to include your character length in the API, but unofficially, you’ll need to set the <code>max_toot_chars</code> attribute in your instance’s API response.

in <code>app/serializers/rest/instance_serializer.rb</code>

Change line 8 from <code>:languages, :registrations, :approval_required</code> to <code>:languages, :registrations, :approval_required, :max_toot_chars</code> (don’t forget the comma).

Change line 65, after the <code>approval_required</code> block, and add a definition for <code>max_toot_chars</code>

def max_toot_chars
1500
end

from https://indented.space/2019/07/28/change-max-character-limit-for-mastodon-instance/

Make sure you recompile the web assets afterwards:
RAILS_ENV=production bundle exec rails assets:precompile

=== Getting high scores on ssl comparison sites ===

[https://instances.social instances.social] automatically rates each fediverse instance using two different SSL testing sites:
* [https://tls.imirhil.fr/https/post.lurk.org https://tls.imirhil.fr/https/post.lurk.org]
* [https://observatory.mozilla.org/analyze.html?host=post.lurk.org https://observatory.mozilla.org/analyze.html?host=post.lurk.org].

At the time of writing we got A and B (untweaked mastodon config). We are good boys and want to get A+ grades.

==== weak DH primes ====
The first is the weak Diffie-Hellman key primes described [https://weakdh.org/sysadmin.html here] and [https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#Forward_Secrecy_&_Diffie_Hellman_Ephemeral_Parameters here].

Generate like so (this take a looong time):
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

in the post.lurk.org nginx config we point to this new prime by adding this line:
ssl_dhparam /etc/ssl/certs/dhparam.pem;

==== content security policy, xss etc ====
In order to get A+ one hast to set explicit policies the sources and origins of where post.lurk.org gets loaded. The [https://observatory.mozilla.org/analyze.html?host=post.lurk.org mozilla observatory] has a lot of documentation on these topics. Because it is unclear how mastodon loads all of its resources it was a bit of fiddling to find out how strict we could be without breaking the site. This is done by adding headers in the nginx config:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options "DENY";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self'; img-src 'self' data: https: blob:; media-src 'self'; frame-src 'none'; font-src 'self' data: https://post.lurk.org; upgrade-insecure-requests; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; connect-src 'self' blob: wss://post.lurk.org *.lurk.org";

= Backups =

the Mastodon project [https://github.com/tootsuite/documentation/blob/master/Maintaining-Mastodon/Backups-Guide.md advises] to back up the following things:
* Postgres database
* Assets (avatars, uploaded files etc)
* Application secrets

We do so using the following shell script:

today=(`date +"%F"`)
expiry=(`date +'%F' -d "-3 days"`)

/bin/mkdir /var/backups/mastodon/${today}/
/usr/bin/pg_dump mastodon_production > /var/backups/mastodon/${today}/mastodon_production_${today}.sql
/bin/cp /home/mastodon/live/.env.production /var/backups/mastodon/${today}/

/bin/tar -cvzf /var/backups/mastodon/${today}/system${today}.tar.gz /home/mastodon/live/public/system
/bin/rm -rf /var/backups/mastodon/${expiry}/

Which is called in cron like so:
30 02 * * * /bin/bash /home/mastodon/backup_mastodon.sh > /home/mastodon/backups/backup.log 2>&1

Two weeks worth of backups are stored remotely using a shell script:
today=(`date +"%F"`)
expiry=(`date +'%F' -d "-14 days"`)
expiry_path=(/media/lurk_backup/mastodon/${expiry})

rsync -auv /var/backups/mastodon/${today} x@x.x.x.x:/media/lurk_backup/mastodon/
ssh x@x.x.x.x rm -rf $expiry_path

This is called in cron like so:
30 03 * * * /bin/bash /home/mastodon/backup_backup.sh > /home/mastodon/backups/backup_copy.log 2>&1

= Statistics =
Via the public API one can see the amount activity per week:

[https://post.lurk.org/api/v1/instance/activity https://post.lurk.org/api/v1/instance/activity]

and the amount of instances in the federation a server is connected to:

[https://post.lurk.org/api/v1/instance/peers https://post.lurk.org/api/v1/instance/peers]

[[Category: Fediverse]]

Mastodon

2025-02-04T10:00:53Z

Rra: /* Maintenance */

https://post.lurk.org is a mastodon service. [https://joinmastodon.org/ Mastodon] is a federated microblogging software that speaks both [http://www.activitypub.rocks/ ActivityPub] and [https://en.wikipedia.org/wiki/OStatus OStatus] and can thus communicate with other microblogging softwares like [https://gnu.io/ GnuSocial], [https://pleroma.social/ Pleroma], [https://github.com/pump-io/pump.io Pump.io] etc.

== admin resources ==

=== Useful pages from the mastodon documentation ===

* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Production-guide.md Installing Mastodon] the guide is meant for Ubuntu 16.04 but it worked flawlessly on Debian Stretch
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Tuning.md Tuning mastodon performance] TODO
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/List-of-Rake-tasks.md Mastodon admin commands from ruby terminal]
* [https://github.com/tootsuite/documentation/blob/master/Maintaining-Mastodon/Backups-Guide.md What and how to back up in Mastodon]
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Updating-Mastodon-Guide.md Updating to newer versions]

=== Admin community / help ===

* [https://discourse.joinmastodon.org/ Mastodon forum] some discussions happen here
* [https://github.com/tootsuite/mastodon/issues Mastodon git issues] some happen there

== Installation ==

post.lurk.org followed the mastodon install almost literally since it was one-to-one applicable on debian stretch. Quite boring really.

This means that mastodon runs as the user mastodon. All the mastodon files live in:
/home/mastodon/live/

Differences are:
* When running the interactive set up during install, the smtp address is set as localhost and the [[Postfix_Relay|postfix relay]] takes care of the rest.
* Mastodon-web runs on port 3001 instead of 3000, the changes to this are reflected in the systemd service files and in the nginx virtualhost config

== Maintenance ==

Mastodon can be (re)started by:
systemctl stop mastodon-*.service
systemctl start mastodon-web.service
systemctl start mastodon-sidekiq.service
systemctl start mastodon-streaming.service

Sometimes, specially when disk is full, postgresql may have crashed, and mastodon-streaming service will start *but* internally enter a loop of complaining that it cannot connect to the db (super annoying because to see that you need to examine the status of the service), anyway:

service postgresql restart

=== reduce disk space usage by cleaning out old versions of ruby, yarn etc after upgrades ===

rm the cache of yarn (nodejs package manager):

yarn cache clean

rm old versions of ruby you no longer need:

rbenv uninstall 2.5.3

source:
https://toot.cafe/@nolan/101450836285521185

=== script for pruning remote cache ===

#!/bin/bash
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"
export RAILS_ENV=production
LD_PRELOAD=libjemalloc.so

echo -n "Start: "
date
BEFORE=`df -h /dev/xvda1`
BEFORE_DISK2=`df -h /dev/xvdb1`
# This one might be causing people to lose followers etc
#ionice -c 3 /home/mastodon/live/bin/tootctl accounts cull | awk '/The following domains were not available during the check/,0' > ~/crawl-domains-sorted.txt
ionice -c 3 /home/mastodon/live/bin/tootctl statuses remove --days=20
ionice -c 3 /home/mastodon/live/bin/tootctl media remove --days=2 --concurrency=8
ionice -c 3 /home/mastodon/live/bin/tootctl media remove --days=14 --prune-profiles --concurrency=8
ionice -c 3 /home/mastodon/live/bin/tootctl preview_cards remove --days=2 --concurrency=8
ionice -c 3 /home/mastodon/live/bin/tootctl media remove-orphans
#ionice -c 3 /home/mastodon/live/bin/tootctl cache clear
ionice -c 3 /home/mastodon/live/bin/tootctl media usage
echo -n "End: "
date
echo "Disk usage before and after:"
echo $BEFORE
df -h /dev/xvda1
echo $BEFORE_DISK2
df -h /dev/xvdb1

=== deleting remote inactive account and their associated avatars and headers ===

Deleting media attachments is not enough! Since Mastodon builds a local copy of every account it knows in the fediverse you will see the folders <code>/home/mastodon/live/public/system</code> balloon over time. Many instance admins [https://discourse.joinmastodon.org/t/clean-instance-unused-accounts-older-media/1182/6 are] [https://discourse.joinmastodon.org/t/ballooning-avatars-and-headers-folders/2049/4 dealing] [https://github.com/tootsuite/mastodon/issues/9567 with] [https://mathstodon.xyz/@christianp/102655520448724916 this issue] and the prevailing attitude to solving it is to get more storage, which is bs.

So here is an interim solution based on [https://discourse.joinmastodon.org/t/ballooning-avatars-and-headers-folders/2049/5 this]:

First query the <code>mastodon_production</code> database to find out which accounts haven't been active for 6 months or more:

sudo -i -u postgres /bin/bash -l -c "psql -A -d mastodon_production -c \"SELECT username||'@'||domain FROM public.accounts WHERE last_webfingered_at < (CURRENT_TIMESTAMP - interval '6 months') AND id NOT IN (SELECT target_account_id FROM public.follows)\"" | tail -n +2 | head -n -1 > stale.txt

Once you have that list use a scripting language to parse it. The below example is in python. Its suuuuuper slow so probably not the best way to do it. Calling rails like this is not so smart I guess. But hey it works. It went from 11.5GB worth of headers and avatars to 7.5GB.

mastodon@server:~$ cat del_stale_users.py

#get the output from:
#sudo -i -u postgres /bin/bash -l -c "psql -A -d mastodon_production -c \"SELECT username||'@'||domain FROM public.accounts WHERE last_webfingered_at < (CURRENT_TIMESTAMP - interval '12 months') AND id NOT IN (SELECT target_account_id FROM public.follows)\"" | tail -n +2 | head -n -1 > stale.txt
#and delete them

import os

stale_users=open('stale.txt').read().split('\n')

os.chdir('/home/mastodon/live')

command = """RAILS_ENV=production bundle exec rails r '
begin
a = Account.find_by(username: "{}", domain: "{}")
a.destroy
rescue => err
end'
"""

for user in stale_users:
if user:
username, domain = user.split('@')
os.system(command.format(username,domain))
print('deleted', user)

=== linkdump of bespoke maintenance scripts ===

https://mastodon.zombocloud.com/@staticsafe/103121989384729357

=== Make all the accounts force follow one specific account ===
Assuming you want everyone to follow <code>@lurk@post.lurk.org</code> then you would do the following:
su mastodon
cd ~/live
RAILS_ENV=production bin/tootctl accounts follow lurk --verbose

Notes:
* It can be ran live while the instance is up and running
* It takes a while for the command to get going, and it may spit a few warnings, then after that it's '''very''' quick and the <code>--verbose</code> flag helps to keep track of progress
* At time of writing, there's no way to specify which account(s) will be affected, everyone will be processed

== Performance tweaks ==

=== Increasing character limit on posts ===
Search and replace '500' by whatever you want in these two files:

modified: app/javascript/mastodon/features/compose/components/compose_form.js
modified: app/validators/status_length_validator.rb

Next, we probably want to let the world know, too. Currently there’s no official way to include your character length in the API, but unofficially, you’ll need to set the <code>max_toot_chars</code> attribute in your instance’s API response.

in <code>app/serializers/rest/instance_serializer.rb</code>

Change line 8 from <code>:languages, :registrations, :approval_required</code> to <code>:languages, :registrations, :approval_required, :max_toot_chars</code> (don’t forget the comma).

Change line 65, after the <code>approval_required</code> block, and add a definition for <code>max_toot_chars</code>

def max_toot_chars
1500
end

from https://indented.space/2019/07/28/change-max-character-limit-for-mastodon-instance/

Make sure you recompile the web assets afterwards:
RAILS_ENV=production bundle exec rails assets:precompile

=== Getting high scores on ssl comparison sites ===

[https://instances.social instances.social] automatically rates each fediverse instance using two different SSL testing sites:
* [https://tls.imirhil.fr/https/post.lurk.org https://tls.imirhil.fr/https/post.lurk.org]
* [https://observatory.mozilla.org/analyze.html?host=post.lurk.org https://observatory.mozilla.org/analyze.html?host=post.lurk.org].

At the time of writing we got A and B (untweaked mastodon config). We are good boys and want to get A+ grades.

==== weak DH primes ====
The first is the weak Diffie-Hellman key primes described [https://weakdh.org/sysadmin.html here] and [https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#Forward_Secrecy_&_Diffie_Hellman_Ephemeral_Parameters here].

Generate like so (this take a looong time):
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

in the post.lurk.org nginx config we point to this new prime by adding this line:
ssl_dhparam /etc/ssl/certs/dhparam.pem;

==== content security policy, xss etc ====
In order to get A+ one hast to set explicit policies the sources and origins of where post.lurk.org gets loaded. The [https://observatory.mozilla.org/analyze.html?host=post.lurk.org mozilla observatory] has a lot of documentation on these topics. Because it is unclear how mastodon loads all of its resources it was a bit of fiddling to find out how strict we could be without breaking the site. This is done by adding headers in the nginx config:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options "DENY";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self'; img-src 'self' data: https: blob:; media-src 'self'; frame-src 'none'; font-src 'self' data: https://post.lurk.org; upgrade-insecure-requests; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; connect-src 'self' blob: wss://post.lurk.org *.lurk.org";

= Backups =

the Mastodon project [https://github.com/tootsuite/documentation/blob/master/Maintaining-Mastodon/Backups-Guide.md advises] to back up the following things:
* Postgres database
* Assets (avatars, uploaded files etc)
* Application secrets

We do so using the following shell script:

today=(`date +"%F"`)
expiry=(`date +'%F' -d "-3 days"`)

/bin/mkdir /var/backups/mastodon/${today}/
/usr/bin/pg_dump mastodon_production > /var/backups/mastodon/${today}/mastodon_production_${today}.sql
/bin/cp /home/mastodon/live/.env.production /var/backups/mastodon/${today}/

/bin/tar -cvzf /var/backups/mastodon/${today}/system${today}.tar.gz /home/mastodon/live/public/system
/bin/rm -rf /var/backups/mastodon/${expiry}/

Which is called in cron like so:
30 02 * * * /bin/bash /home/mastodon/backup_mastodon.sh > /home/mastodon/backups/backup.log 2>&1

Two weeks worth of backups are stored remotely using a shell script:
today=(`date +"%F"`)
expiry=(`date +'%F' -d "-14 days"`)
expiry_path=(/media/lurk_backup/mastodon/${expiry})

rsync -auv /var/backups/mastodon/${today} x@x.x.x.x:/media/lurk_backup/mastodon/
ssh x@x.x.x.x rm -rf $expiry_path

This is called in cron like so:
30 03 * * * /bin/bash /home/mastodon/backup_backup.sh > /home/mastodon/backups/backup_copy.log 2>&1

= Statistics =
Via the public API one can see the amount activity per week:

[https://post.lurk.org/api/v1/instance/activity https://post.lurk.org/api/v1/instance/activity]

and the amount of instances in the federation a server is connected to:

[https://post.lurk.org/api/v1/instance/peers https://post.lurk.org/api/v1/instance/peers]

[[Category: Fediverse]]

Welcome to post.lurk.org

2025-01-21T11:40:52Z

Rra:

Off-site Backup with Backupninja

2023-07-05T08:45:58Z

Rra:

2019-09-05T12:10:29Z

Rra: /* Maintenance */

https://post.lurk.org is a mastodon service. [https://joinmastodon.org/ Mastodon] is a federated microblogging software that speaks both [http://www.activitypub.rocks/ ActivityPub] and [https://en.wikipedia.org/wiki/OStatus OStatus] and can thus communicate with other microblogging softwares like [https://gnu.io/ GnuSocial], [https://pleroma.social/ Pleroma], [https://github.com/pump-io/pump.io Pump.io] etc.

== admin resources ==

=== Useful pages from the mastodon documentation ===

* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Production-guide.md Installing Mastodon] the guide is meant for Ubuntu 16.04 but it worked flawlessly on Debian Stretch
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Tuning.md Tuning mastodon performance] TODO
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/List-of-Rake-tasks.md Mastodon admin commands from ruby terminal]
* [https://github.com/tootsuite/documentation/blob/master/Maintaining-Mastodon/Backups-Guide.md What and how to back up in Mastodon]
* [https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Updating-Mastodon-Guide.md Updating to newer versions]

=== Admin community / help ===

* [https://discourse.joinmastodon.org/ Mastodon forum] some discussions happen here
* [https://github.com/tootsuite/mastodon/issues Mastodon git issues] some happen there

== Installation ==

post.lurk.org followed the mastodon install almost literally since it was one-to-one applicable on debian stretch. Quite boring really.

This means that mastodon runs as the user mastodon. All the mastodon files live in:
/home/mastodon/live/

Differences are:
* When running the interactive set up during install, the smtp address is set as localhost and the [[Postfix_Relay|postfix relay]] takes care of the rest.
* Mastodon-web runs on port 3001 instead of 3000, the changes to this are reflected in the systemd service files and in the nginx virtualhost config

== Maintenance ==

Mastodon can be (re)started by:
systemctl stop mastodon-*.service
systemctl start mastodon-web.service
systemctl start mastodon-sidekiq.service
systemctl start mastodon-streaming.service

=== Removing federated media attachments ===

RAILS_ENV=production ./bin/tootctl media remove

=== reduce disk space usage by cleaning out old versions of ruby, yarn etc after upgrades ===

rm the cache of yarn (nodejs package manager):

yarn cache clean

rm old versions of ruby you no longer need:

rbenv uninstall 2.5.3

source:
https://toot.cafe/@nolan/101450836285521185

=== script for pruning remote / old media ===

#!/bin/bash
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"
export RAILS_ENV=production

/home/mastodon/live/bin/tootctl statuses remove
/home/mastodon/live/bin/tootctl media remove --days=3

=== deleting remote inactive account and their associated avatars and headers ===

Deleting media attachments is not enough! Since Mastodon builds a local copy of every account it knows in the fediverse you will see the folders <code>/home/mastodon/live/public/system</code> balloon over time. Many instance admins [https://discourse.joinmastodon.org/t/clean-instance-unused-accounts-older-media/1182/6 are] [https://discourse.joinmastodon.org/t/ballooning-avatars-and-headers-folders/2049/4 dealing] [https://github.com/tootsuite/mastodon/issues/9567 with [https://mathstodon.xyz/@christianp/102655520448724916 this issue] and the prevailing attitude to solving it is to get more storage, which is bs.

So here is an interim solution based on [https://discourse.joinmastodon.org/t/ballooning-avatars-and-headers-folders/2049/5 this]:

First query the <code>mastodon_production</code> database to find out which accounts haven't been active for 6 months or more:

sudo -i -u postgres /bin/bash -l -c "psql -A -d mastodon_production -c \"SELECT username||'@'||domain FROM public.accounts WHERE last_webfingered_at < (CURRENT_TIMESTAMP - interval '6 months') AND id NOT IN (SELECT target_account_id FROM public.follows)\"" | tail -n +2 | head -n -1 > stale.txt

Once you have that list use a scripting language to parse it. The below example is in python. Probably very flawed since its suuuuuper slow, calling rails like this is not so smart I guess. But hey it works. It went from 11.5GB of headers and avatrs to 7.5GB.

mastodon@server:~$ cat del_stale_users.py

mastodon@douglas:~$ cat del_stale_users.py
#get the output from:
#sudo -i -u postgres /bin/bash -l -c "psql -A -d mastodon_production -c \"SELECT username||'@'||domain FROM public.accounts WHERE last_webfingered_at < (CURRENT_TIMESTAMP - interval '12 months') AND id NOT IN (SELECT target_account_id FROM public.follows)\"" | tail -n +2 | head -n -1 > stale.txt
#and delete them

import os

stale_users=open('stale.txt').read().split('\n')

os.chdir('/home/mastodon/live')

command = """RAILS_ENV=production bundle exec rails r '
begin
a = Account.find_by(username: "{}", domain: "{}")
a.destroy
rescue => err
end'
"""

for user in stale_users:
if user:
username, domain = user.split('@')
os.system(command.format(username,domain))
print('deleted', user)

== Performance tweaks ==

=== Increasing character limit on posts ===
Search and replace '500' by whatever you want in these two files:

modified: app/javascript/mastodon/features/compose/components/compose_form.js
modified: app/validators/status_length_validator.rb

Next, we probably want to let the world know, too. Currently there’s no official way to include your character length in the API, but unofficially, you’ll need to set the <code>max_toot_chars</code> attribute in your instance’s API response.

in <code>app/serializers/rest/instance_serializer.rb</code>

Change line 8 from <code>:languages, :registrations, :approval_required</code> to <code>:languages, :registrations, :approval_required, :max_toot_chars</code> (don’t forget the comma).

Change line 65, after the <code>approval_required</code> block, and add a definition for <code>max_toot_chars</code>

def max_toot_chars
1500
end

from https://indented.space/2019/07/28/change-max-character-limit-for-mastodon-instance/

Make sure you recompile the web assets afterwards:
RAILS_ENV=production bundle exec rails assets:precompile

=== Getting high scores on ssl comparison sites ===

[https://instances.social instances.social] automatically rates each fediverse instance using two different SSL testing sites:
* [https://tls.imirhil.fr/https/post.lurk.org https://tls.imirhil.fr/https/post.lurk.org]
* [https://observatory.mozilla.org/analyze.html?host=post.lurk.org https://observatory.mozilla.org/analyze.html?host=post.lurk.org].

At the time of writing we got A and B (untweaked mastodon config). We are good boys and want to get A+ grades.

==== weak DH primes ====
The first is the weak Diffie-Hellman key primes described [https://weakdh.org/sysadmin.html here] and [https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#Forward_Secrecy_&_Diffie_Hellman_Ephemeral_Parameters here].

Generate like so (this take a looong time):
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

in the post.lurk.org nginx config we point to this new prime by adding this line:
ssl_dhparam /etc/ssl/certs/dhparam.pem;

==== content security policy, xss etc ====
In order to get A+ one hast to set explicit policies the sources and origins of where post.lurk.org gets loaded. The [https://observatory.mozilla.org/analyze.html?host=post.lurk.org mozilla observatory] has a lot of documentation on these topics. Because it is unclear how mastodon loads all of its resources it was a bit of fiddling to find out how strict we could be without breaking the site. This is done by adding headers in the nginx config:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options "DENY";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self'; img-src 'self' data: https: blob:; media-src 'self'; frame-src 'none'; font-src 'self' data: https://post.lurk.org; upgrade-insecure-requests; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; connect-src 'self' blob: wss://post.lurk.org *.lurk.org";

= Backups =

the Mastodon project [https://github.com/tootsuite/documentation/blob/master/Maintaining-Mastodon/Backups-Guide.md advises] to back up the following things:
* Postgres database
* Assets (avatars, uploaded files etc)
* Application secrets

We do so using the following shell script:

today=(`date +"%F"`)
expiry=(`date +'%F' -d "-3 days"`)

/bin/mkdir /var/backups/mastodon/${today}/
/usr/bin/pg_dump mastodon_production > /var/backups/mastodon/${today}/mastodon_production_${today}.sql
/bin/cp /home/mastodon/live/.env.production /var/backups/mastodon/${today}/

/bin/tar -cvzf /var/backups/mastodon/${today}/system${today}.tar.gz /home/mastodon/live/public/system
/bin/rm -rf /var/backups/mastodon/${expiry}/

Which is called in cron like so:
30 02 * * * /bin/bash /home/mastodon/backup_mastodon.sh > /home/mastodon/backups/backup.log 2>&1

Two weeks worth of backups are stored remotely using a shell script:
today=(`date +"%F"`)
expiry=(`date +'%F' -d "-14 days"`)
expiry_path=(/media/lurk_backup/mastodon/${expiry})

rsync -auv /var/backups/mastodon/${today} x@x.x.x.x:/media/lurk_backup/mastodon/
ssh x@x.x.x.x rm -rf $expiry_path

This is called in cron like so:
30 03 * * * /bin/bash /home/mastodon/backup_backup.sh > /home/mastodon/backups/backup_copy.log 2>&1

= Statistics =
Via the public API one can see the amount activity per week:

[https://post.lurk.org/api/v1/instance/activity https://post.lurk.org/api/v1/instance/activity]

and the amount of instances in the federation a server is connected to:

[https://post.lurk.org/api/v1/instance/peers https://post.lurk.org/api/v1/instance/peers]

[[Category: Fediverse]]

Mastodon

2019-07-31T19:45:19Z

Rra: /* Increasing character limit on posts */

Off-site Backup with Backupninja

2019-07-25T07:26:49Z

Rra:

Tinc Settings for LURK

2019-07-09T14:50:54Z

Rra:

== LURK specific settings ==

Tinc is currently installed to connect nodes in the lurk network

douglas = 10.0.1.1
agnesbaxter = 10.0.1.3
skattkista = 10.0.1.2

both skattkista and agnesbaxter connect to douglas

[[Category: VPN]]

VPN with Tinc

2019-07-09T11:49:12Z

Rra: /* GNU/Linux (Debian based) */

FIXME: What's a VPN, what's Tinc

== Installation on Server(s) and Client(s) ==
=== FreeBSD ===
* Install tinc 1.1 pre from ports
sudo pkg install tinc-devel # binary
sudo portmaster -iB security/tinc-devel # source

=== GNU/Linux (Debian based) ===
* Install tinc 1.1 pre from source
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev

Compile Tinc 1.1pre :

cd /usr/src/

wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz

tar xvf tinc-1.1pre17.tar.gz

cd tinc-1.1pre17

./configure

make

sudo make install

Once installed the configuration dir should be in:
/usr/local/etc/tinc/

And tinc is installed in
/usr/local/sbin/tinc

Make a directory for pidfile and socket

sudo mkdir -p /usr/local/var/run/

==== Set up systemd serivces ====

sudo vim /lib/systemd/system/tinc.service

[Unit]
Description=Tinc VPN
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target

and

sudo vim /lib/systemd/system/tinc@.service

[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target

Enable them on boot:

systemctl enable tinc@lurknet

Start / stop at will:

sudo systemctl start tinc@lurknet

sudo systemctl stop tinc@lurknet

==== Configure Server ====

sudo tinc -n lurknet init servername

sudo tincd -n lurknet

sudo tinc -n lurknet add subnet 10.0.1.1

sudo tinc -n lurknet add address=public.IP.address

==== Set up interface scripts ====

sudo vim /usr/local/etc/tinc/lurknet/tinc-up

#!/bin/bash
ip addr add 10.0.1.1/24 dev $INTERFACE
ip link set $INTERFACE up

sudo vim /usr/local/etc/tinc/VPNNAME/tinc-down

#!/bin/bash
ip route del 10.0.1.1/24 dev $INTERFACE
ifconfig $INTERFACE down

Make them executable

cd /usr/local/etc/tinc/lurknet/ && chmod +x tinc-*

==== Configure client ====

For the client (given gnu/linux) compile the software as instructed above. Also make the systemD scripts and set up the interface scripts (using a different IP-address).

'''On the server''' then generate an invitation url:

tinc -n lurknet invite $CLIENTHOSTNAME

This will give you an invite URL so you can join the network '''on the client''':

tinc join $INVITEURL

tinc -n lurknet add subnet 10.0.1.3

==== Further reading ====

The above is an amalgam from and may provide further details:

https://zingmars.info/2018/07/14/Tinc-1.1-setup-instructions/

https://www.tinc-vpn.org/documentation-1.1/

http://pzwiki.wdka.nl/mediadesign/Tinc

=== MacOs ===
'''FIXME'''

=== Windows ===
* Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/

== Setup Server(s) ==
=== FreeBSD ===
* Initialize new VPN
sudo tinc -n beernet init server
* Configure the host's own interface
sudo tinc -n beernet add subnet 10.10.10.1
* Configure the host's public IP, or domain if you have one for the host
sudo tinc -n beernet add address=super.domain.xxx # if you have a domain ...
sudo tinc -n beernet add address=1.1.1.1 # or if you just have a public IP
* edit <code>/usr/local/etc/tinc/beernet/tinc-up</code>, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0 # leave $INTERFACE as it is
* test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options:
tincd -n beernet -D -d3

== Setup Client ==
=== FreeBSD ===
=== GNU/Linux ===
=== MacOs ===
=== Windows ===

[[Category: VPN]]

VPN with Tinc

2019-07-09T11:47:41Z

Rra: /* GNU/Linux (Debian based) */

FIXME: What's a VPN, what's Tinc

== Installation on Server(s) and Client(s) ==
=== FreeBSD ===
* Install tinc 1.1 pre from ports
sudo pkg install tinc-devel # binary
sudo portmaster -iB security/tinc-devel # source

=== GNU/Linux (Debian based) ===
* Install tinc 1.1 pre from source
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev

Compile Tinc 1.1pre :

cd /usr/src/

wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz

tar xvf tinc-1.1pre17.tar.gz

cd tinc-1.1pre17

./configure

make

sudo make install

Once installed the configuration dir should be in:
/usr/local/etc/tinc/

And tinc is installed in
/usr/local/sbin/tinc

Make a directory for pidfile and socket

sudo mkdir -p /usr/local/var/run/

==== Set up systemd serivces ====

sudo vim /lib/systemd/system/tinc.service

[Unit]
Description=Tinc VPN
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target

and

sudo vim /lib/systemd/system/tinc@.service

[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target

Enable them on boot:

systemctl enable tinc@lurknet

Start / stop at will:

sudo systemctl start tinc@lurknet

sudo systemctl stop tinc@lurknet

==== Configure Server ====

sudo tinc -n lurknet init servername

sudo tincd -n lurknet

sudo tinc -n lurknet add subnet 10.0.1.1

sudo tinc -n lurknet add address=public.IP.address

==== Set up interface scripts ====

sudo vim /usr/local/etc/tinc/lurknet/tinc-up

#!/bin/bash
ip addr add 10.0.1.1/24 dev $INTERFACE
ip link set $INTERFACE up

sudo vim /usr/local/etc/tinc/VPNNAME/tinc-down

#!/bin/bash
ip route del 10.0.1.1/24 dev $INTERFACE
ifconfig $INTERFACE down

Make them executable

cd /usr/local/etc/tinc/lurknet/ && chmod +x tinc-*

==== Configure client ====

For the client (given gnu/linux) compile the software as instructed above. Also make the systemD scripts and set up the interface scripts (using a different IP-address).

'''On the server''' then generate an invitation url:

tinc -n lurknet invite $CLIENTHOSTNAME

This will give you an invite URL so you can join the network '''on the client''':

tinc join $INVITEURL

tinc -n lurknet add subnet 10.0.1.3

=== MacOs ===
'''FIXME'''

=== Windows ===
* Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/

== Setup Server(s) ==
=== FreeBSD ===
* Initialize new VPN
sudo tinc -n beernet init server
* Configure the host's own interface
sudo tinc -n beernet add subnet 10.10.10.1
* Configure the host's public IP, or domain if you have one for the host
sudo tinc -n beernet add address=super.domain.xxx # if you have a domain ...
sudo tinc -n beernet add address=1.1.1.1 # or if you just have a public IP
* edit <code>/usr/local/etc/tinc/beernet/tinc-up</code>, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0 # leave $INTERFACE as it is
* test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options:
tincd -n beernet -D -d3

== Setup Client ==
=== FreeBSD ===
=== GNU/Linux ===
=== MacOs ===
=== Windows ===

[[Category: VPN]]

VPN with Tinc

2019-07-09T11:30:05Z