Update mem limit. Set up git-crypt. Use own forgejo to serve.

New collaborators:

	FBB550F7 Sunoru <s@moon.moe>

.git-crypt/.gitattributes

@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary

.gitattributes

@@ -0,0 +1 @@
+.env* filter=git-crypt diff=git-crypt

.gitignore

@@ -1,7 +1,2 @@
-.env*
-/postgres
-/redis
-/mastodon
-/backups
-/nginx
+/data
 /tmp

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "mastodon"]
+	path = mastodon
+	url = https://roost.sunoru.com/sunoru/mastodon.git

Dockerfile

@@ -1,10 +1,16 @@
-FROM tootsuite/mastodon:v4.1.4
+FROM ghcr.io/mastodon/mastodon:v4.2.8
 
 USER root
 
 RUN mkdir -p /var/cache/apt/archives/partial && apt autoclean
-RUN apt update && apt-get install -y sudo vim htop patch && rm -rf /var/lib/apt/lists/*
+RUN apt update && apt-get install -y sudo vim htop git curl && rm -rf /var/lib/apt/lists/*
 
-# Restore working dir
-WORKDIR /opt/mastodon
+VOLUME [ "/opt/my-mastodon" ]
 
+RUN \
+    cp -r /opt/mastodon /opt/my-mastodon; \
+    ln -s /opt/my-mastodon /my-mastodon
+
+WORKDIR /opt/my-mastodon
+
+    # bundle exec rails assets:precompile

docker-compose.yml

@@ -1,17 +1,17 @@
 ---
-version: "3"
 services:
   db:
     container_name: mastodon-db
     restart: always
     image: postgres:15-alpine
+    mem_limit: 512mb
     shm_size: 256mb
     networks:
       - internal_network
     healthcheck:
       test: ['CMD', 'pg_isready', '-U', 'postgres']
     volumes:
-      - ./postgres:/var/lib/postgresql/data
+      - ./data/postgres:/var/lib/postgresql/data
     environment:
       - POSTGRES_HOST_AUTH_METHOD=trust
 
@@ -19,17 +19,19 @@ services:
     container_name: mastodon-redis
     restart: always
     image: redis:7-alpine
+    mem_limit: 128mb
     networks:
       - internal_network
     healthcheck:
       test: ['CMD', 'redis-cli', 'ping']
     volumes:
-      - ./redis:/data
+      - ./data/redis:/data
 
   web:
     container_name: mastodon-web
     build: .
     restart: always
+    mem_limit: 1024mb
     env_file: .env.production
     command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
     networks:
@@ -39,23 +41,19 @@ services:
       test:
         - CMD-SHELL
         - wget -q --spider --proxy=off localhost:3000/health || exit 1
-    # ports:
-    #   - 127.0.0.1:3000:3000
     depends_on:
       - db
       - redis
     volumes:
-      - ./mastodon/public:/mastodon/public
-      # - ./mastodon/public/system:/mastodon/public/system
+      - ./mastodon:/opt/my-mastodon
 
   streaming:
     container_name: mastodon-streaming
     build: .
     restart: always
+    mem_limit: 128mb
     env_file: .env.production
     command: node ./streaming
-    # ports:
-    #   - 127.0.0.1:4000:4000
     depends_on:
       - db
       - redis
@@ -66,11 +64,14 @@ services:
       test:
         - CMD-SHELL
         - wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1
+    volumes:
+      - ./mastodon:/opt/my-mastodon
 
   sidekiq:
     container_name: mastodon-sidekiq
     build: .
     restart: always
+    mem_limit: 512mb
     env_file: .env.production
     command: bundle exec sidekiq
     depends_on:
@@ -84,13 +85,15 @@ services:
         - CMD-SHELL
         - ps aux | grep '[s]idekiq 6' || false
     volumes:
-      - ./mastodon/public:/mastodon/public
-      # - ./mastodon/public/system:/mastodon/public/system
+      - ./mastodon:/opt/my-mastodon
 
   nginx:
     container_name: mastodon-nginx
     restart: always
     image: nginx:latest
+    mem_limit: 64mb
+    depends_on:
+      - web
     networks:
       - external_network
       - internal_network
@@ -100,8 +103,21 @@ services:
       # - 127.0.0.1:3002:443
     volumes:
       - ./mastodon/public:/mastodon/public
-      - ./nginx/cache:/var/cache/nginx
       - ./nginx/conf.d:/etc/nginx/conf.d
+      - ./data/nginx-cache:/var/cache/nginx
+
+  duplicity:
+    container_name: mastodon-duplicity
+    hostname: mastodon-duplicity
+    restart: always
+    image: ghcr.io/tecnativa/docker-duplicity-postgres-s3:v3.3.1
+    mem_limit: 256mb
+    env_file: .env.duplicity
+    networks:
+      - internal_network
+      - external_network
+    volumes:
+      - ./data/redis:/mnt/redis:ro
 
 networks:
   external_network:

env.duplicity.sample

@@ -0,0 +1,23 @@
+PGHOST=db
+PGUSER=mastodon
+PGPASSWORD=
+DBS_TO_INCLUDE="^mastodon_production$"
+
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+
+DST=boto3+s3://<bucket_name>/backups/mastodon
+PASSPHRASE=
+OPTIONS=--s3-use-ia
+
+JOB_150_WHAT=cp /mnt/redis/dump.rdb /mnt/backup/src/dump.rdb
+JOB_150_WHEN=daily
+JOB_500_WHEN=never
+
+EMAIL_FROM=
+EMAIL_TO=
+SMTP_HOST=
+SMTP_PORT=
+SMTP_USER=
+SMTP_PASS=
+SMTP_REPORT_SUCCESS=0

mastodon

@@ -0,0 +1 @@
+Subproject commit e03bc3e68dd86120e915d39ef4f8a58c5d428548

nginx/conf.d/hub.moon.moe.conf

@@ -0,0 +1,146 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+upstream backend {
+    server web:3000 fail_timeout=0;
+}
+
+upstream streaming {
+    server streaming:4000 fail_timeout=0;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
+
+server {
+    listen 80;
+    listen [::]:80;
+    # server_name hub.moon.moe;
+    server_name _;
+
+    keepalive_timeout    70;
+    sendfile             on;
+    client_max_body_size 99m;
+
+    root /mastodon/public;
+
+    gzip on;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
+
+    location / {
+        try_files $uri @proxy;
+    }
+
+    location /api/v2/media {
+        proxy_read_timeout 500;
+        client_max_body_size 2g;
+        try_files $uri @proxy;
+    }
+
+    location = /sw.js {
+        add_header Cache-Control "public, max-age=604800, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/assets/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/avatars/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/emoji/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/headers/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/packs/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/shortcuts/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/sounds/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+    }
+
+    location ~ ^/system/ {
+        add_header Cache-Control "public, max-age=2419200, immutable";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        add_header X-Content-Type-Options nosniff;
+        add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
+        try_files $uri =404;
+    }
+
+    location ^~ /api/v1/streaming {
+        proxy_set_header Host $host;
+        # proxy_set_header X-Real-IP $remote_addr;
+        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # proxy_set_header X-Forwarded-Proto https;
+        # proxy_set_header Proxy "";
+
+        proxy_pass http://streaming;
+        proxy_buffering off;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+        tcp_nodelay on;
+    }
+
+    location @proxy {
+        proxy_set_header Host $host;
+        # proxy_set_header X-Real-IP $remote_addr;
+        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # proxy_set_header X-Forwarded-Proto https; # very important
+        # proxy_set_header Proxy "";
+        proxy_pass_header Server;
+
+        proxy_pass http://backend;
+        proxy_buffering on;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        proxy_cache CACHE;
+        proxy_cache_valid 200 7d;
+        proxy_cache_valid 410 24h;
+        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        add_header X-Cached $upstream_cache_status;
+
+        tcp_nodelay on;
+    }
+
+    error_page 404 500 501 502 503 504 /500.html;
+}