Mastodon

From Run Your Own
Revision as of 11:13, 9 May 2018 by Rra (talk | contribs)
Jump to: navigation, search

https://post.lurk.org is a mastodon service. Mastodon is a federated microblogging software that speaks both ActivityPub and OStatus and can thus communicate with other microblogging softwares like GnuSocial, Pleroma, Pump.io etc.

admin resources

Useful pages from the mastodon documentation

Admin community / help


Installation

post.lurk.org followed the mastodon install almost literally since it was one-to-one applicable on debian stretch. Quite boring really.

This means that mastodon runs as the user mastodon. All the mastodon files live in:

/home/mastodon/live/

Differences are:

  • When running the interactive set up during install, the smtp address is set as localhost and the postfix relay takes care of the rest.
  • Mastodon-web runs on port 3001 instead of 3000, the changes to this are reflected in the systemd service files and in the nginx virtualhost config

Maintenance

It's a beast that gobbles up all the ram. Something to take into account.

For now I've added the mastodon user to a cgroup TODO

Mastodon can be (re)started by:

systemctl stop mastodon-*.service
systemctl start mastodon-web.service
systemctl start mastodon-sidekiq.service
systemctl start mastodon-streaming.service


Performance tweaks

Getting high scores on ssl comparison sites

instances.social automatically rates each fediverse instance using two different SSL testing sites:

At the time of writing we got A and B (untweaked mastodon config). We are good boys and want to get A+ grades.

weak DH primes

The first is the weak Diffie-Hellman key primes described here and here.

Generate like so (this take a looong time):

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

in the post.lurk.org nginx config we point to this new prime by adding this line:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

content security policy, xss etc

In order to get A+ one hast to set explicit policies the sources and origins of where post.lurk.org gets loaded. The mozilla observatory has a lot of documentation on these topics. Because it is unclear how mastodon loads all of its resources it was a bit of fiddling to find out how strict we could be without breaking the site. This is done by adding headers in the nginx config:

 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; #this page is only allowed to be loaded over HTTPS
 add_header X-Frame-Options "DENY"; #post.lurk.org can't be loaded inside an iframe
 add_header Referrer-Policy "strict-origin-when-cross-origin"; 
 add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self' data:; frame-src 'self'; object-src 'none';frame-ancestors 'none'"; #only load sources from post.lurk.org, not externally.


Statistics

Via the public API one can see the amount activity per week:

https://post.lurk.org/api/v1/instance/activity

and the amount of instances in the federation a server is connected to:

https://post.lurk.org/api/v1/instance/peers