Gab-Social/docs/server.md

17 KiB

Gab Social: Running A Server

Disclaimer:

This guide was written for Ubuntu Server 18.04. You may run into issues if you are using another operating system.

It is assumed that you have technical knowledge and skills sufficient to administer Linux servers and scale them, if necessary. Gab Social communities that succeed have no upper limit to the maximum amount of users, posts, attachments, and problems related to operating publicly-accessible online communities at scale. Fortunately, Gab Social does not require you to operate at scale. You can run this server in single-user mode, which guarantees users complete ownership of all their data while still participating in the Gab Platform.

This document describes how to prepare a host for development, test, and production service.

What is this guide?

This guide is a walk through of the setup process of a Gab Social instance.

We use example.com to represent a domain or sub-domain. Example.com should be replaced with your instance domain or sub-domain.

Prerequisites

You will need the following for this guide:

  • A server running Ubuntu Server 18.04.
  • Root access to the server.
  • A domain or sub-domain to use for the instance.

DNS

DNS records should be added before anything is done on the server.

The records added are:

  • A record (IPv4 address) for example.com
  • AAAA record (IPv6 address) for example.com

A Helpful And Optional Note

Using tmux when following through with this guide will be helpful.

Not only will this help you not lose your place if you are disconnected, it will let you have multiple terminal windows open for switching contexts (root user versus the gabsocial user).

You can install tmux from the package manager:

apt -y install tmux

Dependency Installation

All dependencies should be installed as root.

sudo -i

Extend Ubuntu repositories when using Ubuntu 18.04.1 LTS

Starting with .1-release Ubuntu 18.04.1 LTS (not 18.04), Canonical has removed the multiverse, universe and restricted repository from the sources.list file in /etc/apt/. It is now necessary to add those repositories, otherwise the installation of the following dependencies will fail. Simply run the following commands:

add-apt-repository universe
add-apt-repository multiverse
add-apt-repository restricted
apt update

Explanation of the dependencies

  • imagemagick - Gab Social uses imagemagick for image related operations
  • ffmpeg - Gab Social uses ffmpeg for conversion of GIFs to MP4s
  • libprotobuf-dev and protobuf-compiler - Gab Social uses these for language detection
  • nginx - nginx is our frontend web server
  • redis-* - Gab Social uses redis for its in-memory data structure store
  • postgresql-* - Gab Social uses PostgreSQL as its SQL database
  • nodejs - Node is used for Gab Social's streaming API and other platform services
  • yarn - Yarn is a Node.js package manager
  • Other -dev packages, g++ - these are needed for the compilation of Ruby using ruby-build.
apt -y install imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev file git-core \
 g++ libprotobuf-dev protobuf-compiler pkg-config gcc autoconf bison build-essential \
 libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm6 \
 libgdbm-dev nginx redis-server redis-tools postgresql postgresql-contrib certbot \
 libidn11-dev libicu-dev gnupg2 supervisor

Dependencies That Need To Be Added As A Non-Root User

Let us create this user first:

adduser --disabled-password --shell /bin/bash gabsocial

Log in as the gabsocial user:

su - gabsocial

Node Version Manager, Node.js, and Yarn

Node Version Manager is a tool used for managing Node.js deployments. By convention at Gab, we only use Node.js as a standard user. No part of Node.js is managed or executed with superuser privileges. Those responsibilities are handled by Nginx later in this document.

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash

Refresh your user session to pick up the environment changes added by nvm. Then, let's install Node.js v10.15.3LTS, verify that it was installed correctly, and install Yarn:

# ask NVM to install 10.16.1LTS
nvm install --lts 12.19.0

nvm alias default 12.19.0
nvm use 12.19.0

# Install Yarn, globally
npm install -g yarn forever

rbenv, Ruby, Rails, Rake

We will need to set up rvm.

As root:

gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

\curl -sSL https://get.rvm.io | bash -s stable

usermod -a -G rvm root
usermod -a -G rvm gabsocial

source /etc/profile.d/rvm.sh

rvm install 2.6.5

node.js And Ruby Dependencies

Now that Ruby is enabled, we will clone the Gab Social git repository and install the Ruby and node.js dependancies.

Run the following to clone and install:

# Return to gabsocial user's home directory
su - gabsocial

# Clone the gabsocial git repository into ~/live

# Change directory to ~/live
cd ~/live

# Install bundler
gem install bundler

# Use bundler to install the rest of the Ruby dependencies
bundle install -j$(getconf _NPROCESSORS_ONLN) --deployment --without development test

# Use yarn to install node.js dependencies
yarn install --pure-lockfile

That is all we need to do for now with the gabsocial user, you can now exit back to root.

If you plan on deploying more than one front-end app server, you may want to consider using a host image once you are done setting up all dependencies. That rbenv install 2.6.1 command only gets intensely worse on anemic shared cloud hosts, and the bundle install nonsense is just out of control.

The remainder of the setup procedure is quick (esp. when automated). If you want to leave the rest of your setup dynamic, now is really the right time to snapshot the host. You will save yourself a lot of deployment time in the days and months to come.

Eventually, the Ruby On Rails dependencies are going away. This is a stop-gap solution while we continue our migration to a Gab-native implementation of ActivityPub/GNU Social on HYDRA.

PostgreSQL Database Creation

Gab Social requires access to a PostgreSQL instance.

Create a user for a PostgreSQL instance:

# Launch psql as the postgres user
sudo -u postgres psql

# In the following prompt
CREATE USER gabsocial CREATEDB;
\q

Note that we do not set up a password of any kind, this is because we will be using ident authentication. This allows local users to access the database without a password.

nginx Configuration

You need to configure nginx to serve your Gab Social instance.

Reminder: Replace all occurrences of example.com with your own instance's domain or sub-domain.

cd to /etc/nginx/sites-available and open a new file:

nano /etc/nginx/sites-available/example.com.conf

Copy and paste the following and make edits as necessary:

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  listen [::]:80;
  server_name example.com;
  root /home/gabsocial/live/public;
  # Useful for Let's Encrypt
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name example.com;

  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;

  root /home/gabsocial/live/public;

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    try_files $uri @proxy;
  }

  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    try_files $uri @proxy;
  }

  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://127.0.0.1:3000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";

    proxy_pass http://127.0.0.1:4000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 500 501 502 503 504 /500.html;
}

Activate the nginx configuration added:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/example.com.conf

This configuration makes the assumption you are using Let's Encrypt as your TLS certificate provider.

If you are going to be using Let's Encrypt as your TLS certificate provider, see the next sub-section. If not edit the ssl_certificate and ssl_certificate_key values accordingly.

Let's Encrypt

This section is only relevant if you are using Let's Encrypt as your TLS certificate provider.

Generation Of The Certificate

We need to generate Let's Encrypt certificates.

Make sure to replace any occurrence of 'example.com' with your Gab Social instance's domain.

Make sure that nginx is stopped at this point:

systemctl stop nginx

We will be creating the certificate twice, once with TLS SNI validation in standalone mode and the second time we will be using the webroot method. This is required due to the way nginx and the Let's Encrypt tool works.

certbot certonly --standalone -d example.com

After that successfully completes, we will use the webroot method. This requires nginx to be running:

systemctl start nginx

Automated Renewal Of Let's Encrypt Certificate

Let's Encrypt certificates have a validity period of 90 days.

You need to renew your certificate before the expiration date. Not doing so will make users of your instance unable to access the instance and users of other instances unable to federate with yours.

We can create a cron job that runs daily to do this:

nano /etc/cron.daily/letsencrypt-renew

Copy and paste this script into that file:

#!/usr/bin/env bash
certbot renew
systemctl reload nginx

Save and exit the file.

Make the script executable and restart the cron daemon so that the script runs daily:

chmod +x /etc/cron.daily/letsencrypt-renew
systemctl restart cron

That is it. Your server will renew your Let's Encrypt certificate.

Gab Social Application Configuration

We will configure the Gab Social application.

For this we will switch to the gabsocial system user:

sudo su - gabsocial

Change directory to ~/live and run the Gab Social setup wizard:

cd ~/live
RAILS_ENV=production bundle exec rake gabsocial:setup

If upgrading:

cd ~/live
RAILS_ENV=production bin/rake assets:precompile

The interactive wizard will guide you through basic and necessary options, generate new app secrets, setup the database schema and precompile the assets.

The assets precompilation takes a couple minutes, so this is a good time to take another break.

Gab Social systemd Service Files

We will need three systemd service files for each Gab Social service.

Now switch back to the root user.

For the Gab Social web workers service place the following in /etc/systemd/system/gabsocial-web.service:

[Unit]
Description=gabsocial-web
After=network.target

[Service]
Type=simple
User=gabsocial
WorkingDirectory=/home/gabsocial/live
Environment="RAILS_ENV=production"
Environment="PORT=3000"
ExecStart=/home/gabsocial/.rbenv/shims/bundle exec puma -C config/puma.rb
ExecReload=/bin/kill -SIGUSR1 $MAINPID
TimeoutSec=15
Restart=always

[Install]
WantedBy=multi-user.target

For Gab Social background queue service, place the following in /etc/systemd/system/gabsocial-sidekiq.service:

[Unit]
Description=gabsocial-sidekiq
After=network.target

[Service]
Type=simple
User=gabsocial
WorkingDirectory=/home/gabsocial/live
Environment="RAILS_ENV=production"
Environment="DB_POOL=5"
ExecStart=/home/gabsocial/.rbenv/shims/bundle exec sidekiq -c 5 -q default -q push -q mailers -q pull
TimeoutSec=15
Restart=always

[Install]
WantedBy=multi-user.target

For the Gab Social streaming API service place the following in /etc/systemd/system/gabsocial-streaming.service:

[Unit]
Description=gabsocial-streaming
After=network.target

[Service]
Type=simple
User=gabsocial
WorkingDirectory=/home/gabsocial/live
Environment="NODE_ENV=production"
Environment="PORT=4000"
ExecStart=/usr/bin/npm run start
TimeoutSec=15
Restart=always

[Install]
WantedBy=multi-user.target

Now you need to enable all of these services:

systemctl enable /etc/systemd/system/gabsocial-*.service

Now start the services:

systemctl start gabsocial-*.service

Check that they are properly running:

systemctl status gabsocial-*.service

Remote media attachment cache cleanup

Gab Social downloads media attachments from other instances and caches it locally for viewing. This cache can grow quite large if not cleaned up periodically and can cause issues such as low disk space or a bloated S3 bucket.

The recommended method to clean up the remote media cache is a cron job that runs daily like so (put this in the gabsocial system user's crontab with crontab -e.)

RAILS_ENV=production
@daily cd /home/gabsocial/live && /home/gabsocial/.rbenv/shims/bundle exec rake gabsocial:media:remove_remote

That rake task removes cached remote media attachments that are older than NUM_DAYS, NUM_DAYS defaults to 7 days (1 week) if not specified. NUM_DAYS is another environment variable so you can specify it like so:

RAILS_ENV=production
NUM_DAYS=14
@daily cd /home/gabsocial/live && /home/gabsocial/.rbenv/shims/bundle exec rake gabsocial:media:remove_remote

Email Service

If you plan on receiving email notifications or running more than just a single-user instance, you likely will want to get set up with an email provider.

There are several free email providers out there- a couple of decent ones are Mailgun.com, which requires a credit card but gives 10,000 free emails, and Sparkpost.com, which gives 15,000 with no credit card but requires you not be on a .space tld.

It may be easier to use a subdomain to setup your email with a custom provider - in this case, when registering your domain with the email service, sign up as something like "mail.domain.com"

Once you create your account, follow the instructions each provider gives you for updating your DNS records. Once you have all the information ready to go and the service validates your DNS configuration, edit your config file. These records should already exist in the configuration, but here's a sample setup that uses Mailgun that you can replace with your own personal info:

SMTP_SERVER=smtp.mailgun.org
SMTP_PORT=587
SMTP_LOGIN=anAccountThatIsntPostmaster@gabsocial.domain.com
SMTP_PASSWORD=HolySnacksAPassword
SMTP_FROM_ADDRESS=Domain.com Gab Social Admin <notifications@gab.com>

Finally, to test this, spin up a Rails console (see the administration guide) and run the following commands to test this out:

m = UserMailer.new.mail to:'email@address.com', subject: 'test', body: 'awoo'
m.deliver

That is all! If everything was done correctly, a Gab Social instance will appear when you visit https://example.com in a web browser.

Congratulations and welcome to Gab Social!