
Prod config files

master
Sean King 4 months ago
parent
commit
037bb98c5e
Signed by: seanking GPG Key ID: 778810DE76B9460F
  1. 1
      config/config.exs
  2. 12
      config/prod.exs
  3. 78
      installation/fuck-gab.nginx
  4. 38
      installation/fuck-gab.service

1
config/config.exs

@ -61,6 +61,7 @@ config :fuck_gab, FuckGab.Captcha, seconds_valid: 300
# Configures the endpoint
config :fuck_gab, FuckGabWeb.Endpoint,
url: [host: "localhost"],
http: [ip: {127, 0, 0, 1}, port: 9002],
render_errors: [view: FuckGabWeb.ErrorView, accepts: ~w(html json), layout: false],
pubsub_server: FuckGab.PubSub
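Review bot: The new `http: [ip: {127, 0, 0, 1}, port: 9002]` line binds the endpoint to loopback in config.exs, so it applies to every Mix environment, not only prod, and nothing in the hunk records why this address and port were chosen. The installation/fuck-gab.nginx file added in the same commit proxies to `http://127.0.0.1:9002`, so the two values must stay in sync; a comment such as `# Loopback only: TLS is terminated by nginx (installation/fuck-gab.nginx), which proxies to this port` would make that coupling visible to whoever changes either file. Which of the printed lines is the added one is inferred from the rendering, which dropped the +/- markers.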

12
config/prod.exs

@ -9,13 +9,19 @@ use Mix.Config
# manifest is generated by the `mix phx.digest` task,
# which you should run after static files are built and
# before starting your production server.
config :fuck_gab, FuckGabWeb.Endpoint,
url: [host: "example.com", port: 80],
cache_static_manifest: "priv/static/cache_manifest.json"
config :fuck_gab, FuckGabWeb.Endpoint, cache_static_manifest: "priv/static/cache_manifest.json"
# Do not print debug messages in production
config :logger, level: :info
# Configure your database
config :fuck_gab, FuckGab.Repo,
username: "postgres",
password: "postgres",
database: "fuck_gab",
hostname: "localhost",
pool_size: 10
# ## SSL Support
#
# To get SSL working, you will need to add the `https` key
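Review bot: `username: "postgres"` and `password: "postgres"` for FuckGab.Repo are committed in plain text in prod.exs, a tracked file that every production build evaluates; production database credentials belong in the environment or an untracked config file, e.g. `password: System.fetch_env!("FUCK_GAB_DB_PASSWORD"),` (with `mix phx.server` as used by the unit file, prod.exs is evaluated at start-up, so the variable is read on the host rather than baked in at build time). The same hunk removes `url: [host: "example.com", port: 80]` from FuckGabWeb.Endpoint without a replacement, so unless another config file not shown here sets `url:`, absolute URLs generated in production will use the `localhost` host from config.exs rather than the public https origin nginx serves; behind a TLS-terminating proxy the endpoint needs something like `url: [host: "example.tld", scheme: "https", port: 443],`. The `# ## SSL Support` comment block continues outside the hunk.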

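--- /dev/null
+++ b/installation/fuck-gab.nginx
@@ -0,0 +1,78 @@
+# Default Nginx configuration for Fuck Gab!
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
+# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
+server {
+server_name example.tld;
+listen 80;
+listen [::]:80;
+# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
+# that the directory exists and that it is accessible by the webserver. If you followed
+# the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
+# You may need to load this file with the ssl server block commented out, run certbot
+# to get the certificate, and then uncomment it.
+#
+# location ~ /\.well-known/acme-challenge {
+# root /var/lib/letsencrypt/;
+# }
+location / {
+return 301 https://$server_name$request_uri;
+}
+}
+# Enable SSL session caching for improved performance
+ssl_session_cache shared:ssl_session_cache:10m;
+server {
+server_name example.tld;
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+ssl_session_timeout 5m;
+ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem;
+ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
+# Add TLSv1.0 to support older devices
+ssl_protocols TLSv1.2;
+# Uncomment line below if you want to support older devices (Before Android 4.4.2, IE 8, etc.)
+# ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ssl_prefer_server_ciphers on;
+# In case of an old server with an OpenSSL version of 1.0.2 or below,
+# leave only prime256v1 or comment out the following line.
+ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ssl_stapling on;
+ssl_stapling_verify on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+# the nginx default is 1m, not enough for large media uploads
+client_max_body_size 16m;
+location / {
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# this is explicitly IPv4 since FuckGabWeb.Endpoint binds on IPv4 only
+# and `localhost.` resolves to [::0] on some systems: see pleroma/pleroma#930
+proxy_pass http://127.0.0.1:9002;
+client_max_body_size 16m;
+}
+}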
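Review bot: The proxied `location /` forwards `Host` and `X-Forwarded-For` but not the request scheme, so the Phoenix endpoint behind this block has no way to tell that the client arrived over HTTPS; add `proxy_set_header X-Forwarded-Proto $scheme;` beside the other proxy_set_header lines. The comment `# Add TLSv1.0 to support older devices` sits above `ssl_protocols TLSv1.2;`, contradicts it, and reads as an invitation to re-enable a deprecated protocol; `# TLS 1.2 only; do not add TLSv1.0/1.1` describes what is actually configured. `ssl_stapling_verify on;` requires a `resolver` directive as well as `ssl_trusted_certificate` for nginx to fetch and verify OCSP responses; the certificate is present but no resolver appears in this file, so stapling will not work unless the main nginx.conf defines one. `client_max_body_size 16m;` is set at both server and location level; one of the two is redundant.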

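--- /dev/null
+++ b/installation/fuck-gab.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Phoenix/Elixir info page about fediverse instances
+After=network.target postgresql.service
+[Service]
+ExecReload=/bin/kill $MAINPID
+KillMode=process
+Restart=on-failure
+; Name of the user that runs the Fuck Gab! service.
+User=fuck-gab
+; Declares that Fuck Gab! runs in production mode.
+Environment="MIX_ENV=prod"
+; Make sure that all paths fit your installation.
+; Path to the home directory of the user running the Fuck Gab! service.
+Environment="HOME=/var/lib/fuck-gab"
+; Path to the folder containing the Fuck Gab! installation.
+WorkingDirectory=/opt/fuck-gab
+; Path to the Mix binary.
+ExecStart=/usr/bin/mix phx.server
+; Some security directives.
+; Use private /tmp and /var/tmp folder inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; The /home, /root, and /run/user folder can not be accessed by this service anymore. If your Fuck Gab! user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
+ProtectHome=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+[Install]
+WantedBy=multi-user.target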
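Review bot: `ExecReload=/bin/kill $MAINPID` sends SIGTERM to the BEAM, so `systemctl reload` stops the service instead of reloading it, and because systemd treats a SIGTERM exit as clean, `Restart=on-failure` will not restart it afterwards; unless the application handles a specific signal for reload, the `ExecReload=` line should be removed, and the three undocumented directives at the top of `[Service]` deserve the same one-line comments the rest of the block has. The hardening could be tightened without affecting this layout: given `WorkingDirectory=/opt/fuck-gab` and `HOME=/var/lib/fuck-gab`, `ProtectSystem=strict` with `ReadWritePaths=/var/lib/fuck-gab` (plus `/opt/fuck-gab` if `mix phx.server` compiles in place, which is not visible here) and `ProtectKernelTunables=true` / `ProtectControlGroups=true` are the usual additions. Running `/usr/bin/mix phx.server` as ExecStart also means the Elixir toolchain and the full source tree must be present on the production host; a compiled release would be the conventional production form, though that is a larger change than this unit file.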