Mastodon
https://post.lurk.org is a Mastodon service. Mastodon is federated microblogging software that speaks both ActivityPub and OStatus and can thus communicate with other microblogging software such as GNU social, Pleroma, Pump.io etc.
admin resources
Useful pages from the Mastodon documentation:
- Installing Mastodon: the guide is meant for Ubuntu 16.04 but it worked flawlessly on Debian Stretch
- Tuning Mastodon performance TODO
- Mastodon admin commands from the Ruby terminal
- What and how to back up in Mastodon
- Updating to newer versions
Admin community / help
- Mastodon forum: some discussions happen here
- Mastodon git issues: some happen there
Installation
post.lurk.org followed the Mastodon install guide almost literally, since it was one-to-one applicable on Debian Stretch. Quite boring really.
This means that Mastodon runs as the user mastodon. All the Mastodon files live in:
/home/mastodon/live/
Differences are:
- When running the interactive setup during install, the SMTP address is set to localhost and the Postfix relay takes care of the rest.
- Mastodon-web runs on port 3001 instead of 3000; the change is reflected in the systemd service files and in the nginx virtual host config.
Maintenance
It's a beast that gobbles up all the RAM. Something to take into account.
For now I've added the mastodon user to a cgroup TODO
Mastodon can be (re)started with:
systemctl stop mastodon-*.service
systemctl start mastodon-web.service
systemctl start mastodon-sidekiq.service
systemctl start mastodon-streaming.service
Removing federated media attachments
RAILS_ENV=production ./bin/tootctl media remove
Performance tweaks
Increasing character limit on posts
Search and replace '500' with whatever limit you want in these two files:
modified: app/javascript/mastodon/features/compose/components/compose_form.js
modified: app/validators/status_length_validator.rb
Make sure to recompile the web assets afterwards:
RAILS_ENV=production bundle exec rails assets:precompile
Getting high scores on ssl comparison sites
instances.social automatically rates each fediverse instance using two different SSL testing sites:
- https://tls.imirhil.fr/https/post.lurk.org
- https://observatory.mozilla.org/analyze.html?host=post.lurk.org
At the time of writing we got A and B (untweaked Mastodon config). We are good boys and want to get A+ grades.
Weak DH primes
The first issue is the weak Diffie-Hellman key primes described here and here.
Generate a fresh 4096-bit one like so (this takes a looong time):
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
In the post.lurk.org nginx config we point to this new prime by adding this line:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Content security policy, XSS etc.
In order to get A+ one has to set explicit policies for the sources and origins from which post.lurk.org loads its content. The Mozilla observatory has a lot of documentation on these topics. Because it is unclear how Mastodon loads all of its resources, it took a bit of fiddling to find out how strict we could be without breaking the site. This is done by adding headers in the nginx config:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options "DENY";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self'; img-src 'self' data: https: blob:; media-src 'self'; frame-src 'none'; font-src 'self' data: https://post.lurk.org; upgrade-insecure-requests; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; connect-src 'self' blob: wss://post.lurk.org *.lurk.org";
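As an added check (not part of the post.lurk.org setup), the script below lints the headers a vhost actually sends, so a config edit that silently drops a header or weakens the CSP is caught before the rating sites notice; pass it the output of curl -sI. The two sample responses inside are constructed, the first mirroring the headers above.

```shell
# Added example: lint the security headers a vhost sends, e.g.
#   check_security_headers "$(curl -sI https://post.lurk.org)"
# Prints one line per finding and returns 0 only when every check passes.

# header_value HEADERS NAME: value of header NAME (case-insensitive), else empty
header_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v n="$2" 'tolower($0) ~ ("^" tolower(n) ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# csp_directive CSP NAME: source list of one directive of a ";"-separated policy
csp_directive() {
    printf '%s' "$1" | tr ';' '\n' | awk -v n="$2" '$1 == n { $1 = ""; print; exit }'
}

check_security_headers() {
    local h="$1" rc=0 hsts age csp d srcs
    hsts=$(header_value "$h" Strict-Transport-Security)
    age=$(printf '%s' "$hsts" | grep -oiE 'max-age=[0-9]+' | cut -d= -f2)
    if [ -z "$hsts" ]; then echo "FAIL HSTS: header missing"; rc=1
    elif [ "${age:-0}" -lt 31536000 ]; then echo "FAIL HSTS: max-age below one year (preload minimum)"; rc=1; fi
    [ -n "$(header_value "$h" X-Frame-Options)" ] || { echo "FAIL X-Frame-Options: missing"; rc=1; }
    csp=$(header_value "$h" Content-Security-Policy)
    if [ -z "$csp" ]; then echo "FAIL CSP: header missing"; return 1; fi
    [ -n "$(csp_directive "$csp" default-src)" ] || { echo "FAIL CSP: no default-src fallback"; rc=1; }
    [ -n "$(csp_directive "$csp" frame-ancestors)" ] || { echo "FAIL CSP: no frame-ancestors"; rc=1; }
    # inline scripts, eval or a bare wildcard in the script-relevant directives defeat the policy
    for d in default-src script-src; do
        srcs=$(csp_directive "$csp" "$d")
        case " $srcs " in
            *"'unsafe-inline'"*|*"'unsafe-eval'"*|*" * "*)
                echo "FAIL CSP: $d permits inline scripts, eval or any origin:$srcs"; rc=1 ;;
        esac
    done
    return $rc
}

# constructed sample responses: the first mirrors the post.lurk.org headers above
SAMPLE_HEADERS=$(printf '%s\n' 'HTTP/1.1 200 OK' \
    'Strict-Transport-Security: max-age=31536000; includeSubdomains; preload' \
    'X-Frame-Options: DENY' \
    "Content-Security-Policy: default-src 'none'; script-src 'self'; frame-ancestors 'self'")
WEAK_HEADERS=$(printf '%s\n' 'HTTP/1.1 200 OK' "Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'")
check_security_headers "$SAMPLE_HEADERS" && echo "sample: all checks passed"
check_security_headers "$WEAK_HEADERS" || echo "weak sample: see findings above"
```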
Backups
The Mastodon project advises backing up the following:
- Postgres database
- Assets (avatars, uploaded files etc)
- Application secrets
We do so using the following shell script:
today=$(date +%F)
expiry=$(date +%F -d "-3 days")
/bin/mkdir /var/backups/mastodon/${today}/
/usr/bin/pg_dump mastodon_production > /var/backups/mastodon/${today}/mastodon_production_${today}.sql
/bin/tar -cvzf /var/backups/mastodon/${today}/system${today}.tar.gz /home/mastodon/live/public/system
/bin/rm -rf /var/backups/mastodon/${expiry}/
Which is called in cron like so:
30 02 * * * /bin/bash /home/mastodon/backup_mastodon.sh > /home/mastodon/backups/backup.log 2>&1
Two weeks' worth of backups are stored remotely using a shell script:
today=$(date +%F)
expiry=$(date +%F -d "-14 days")
expiry_path=/media/lurk_backup/mastodon/${expiry}
rsync -auv /var/backups/mastodon/${today} x@x.x.x.x:/media/lurk_backup/mastodon/
ssh x@x.x.x.x rm -rf "$expiry_path"
This is called in cron like so:
30 03 * * * /bin/bash /home/mastodon/backup_backup.sh > /home/mastodon/backups/backup_copy.log 2>&1
Statistics
Via the public API one can see the amount of activity per week:
https://post.lurk.org/api/v1/instance/activity
and the number of instances in the federation a server is connected to: