Howto install Diaspora pod on NethServer

Hi friends,

this is a howto about installing a Diaspora pod on NethServer.

Source:

https://wiki.diasporafoundation.org/Installation/CentOS/7

Preconfig

# Install needed packages
yum -y install tar make automake gcc gcc-c++ git net-tools cmake libcurl-devel libxml2-devel libffi-devel libxslt-devel wget nethserver-redis ImageMagick nodejs nethserver-postgresql postgresql-devel bison bzip2 libtool readline-devel sqlite-devel openssl-devel

Feel free to replace the postgres user password SECRET with a more secure one:

# Create diaspora DB user
sudo -u postgres psql
CREATE USER diaspora WITH CREATEDB PASSWORD 'SECRET';
\q

ImageMagick needs to be configured - see https://github.com/diaspora/diaspora/issues/6828

# ImageMagick policy settings for making captcha work
sed -i 's:  <policy domain="coder" rights="none" pattern="LABEL" />:<!-- <policy domain="coder" rights="none" pattern="LABEL" /> -->:' /etc/ImageMagick/policy.xml

Replace diaspora.example.com and diaspora\.example\.com with your domain (ServerName(s), RedirectMatch, RewriteCond and RewriteRule)

# Create httpd conf with reverse proxy, I used ports, socket didn't work.
cat > /etc/httpd/conf.d/zzz_diaspora.conf << EOL
# Make sure to notice the comments at https://gist.github.com/jhass/719014#gistcomment-19774

<VirtualHost *:80>
  ServerName diaspora.example.com

# To make letsencrypt work
  RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://diaspora.example.com
</VirtualHost>
<VirtualHost *:443>
 ServerName diaspora.example.com
 
 DocumentRoot /home/diaspora/diaspora/public

 RewriteEngine On

 RewriteCond %{HTTP_HOST} !^diaspora\.example\.com [NC]
 RewriteRule ^/(.*)$ https://diaspora\.example\.com/ [L,R,QSA]

 # For Camo support
 #RewriteRule ^/camo/(.*)$ balancer://camo/$1 [P,QSA,L]
 
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
 RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]

 <Proxy balancer://upstream>
  # Recommended, using a unix socket (Requires Apache >= 2.4)
  # BalancerMember unix:///path/to/diaspora/tmp/diaspora.sock|http://
  # Alternatively let diaspora listen on a local port (Use this for Apache < 2.4)
  BalancerMember http://localhost:3000
 </Proxy>

 # For Camo support
 #<Proxy balancer://camo>
 #  BalancerMember http://localhost:8081
 #</Proxy>

 ProxyRequests Off
 ProxyVia On  
 ProxyPreserveHost On
 RequestHeader set X_FORWARDED_PROTO https

 <Proxy *>
  # Apache < 2.4
  #Order allow,deny
  #Allow from all
  # Apache >= 2.4
  Require all granted
 </Proxy>

 <Directory /home/diaspora/diaspora/public>
  Options -MultiViews
  # Apache < 2.4
  #Allow from all
  #AllowOverride all
  # Apache >= 2.4
  Require all granted
 </Directory>

 SSLEngine On
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 
 # Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration
 SSLProtocol             all -SSLv2 -SSLv3
 SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
 SSLHonorCipherOrder on
 SSLCompression off
</VirtualHost>
EOL

# Restart httpd to apply configs
systemctl restart httpd

Installation

# Add user diaspora
adduser diaspora
chmod 755 /home/diaspora

# Work as user
su - diaspora
cd ~

# Get Ruby Version Manager (RVM)
command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
curl -L https://s.diaspora.software/1t | bash

# Setup RVM
grep '[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm"' ~/.bashrc > /dev/null || echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm"' >> ~/.bashrc
source ~/.bashrc

# Install ruby 2.4
rvm install 2.4

# Get source
git clone -b master https://github.com/diaspora/diaspora.git
cd diaspora

# Edit configuration files
cp config/database.yml.example config/database.yml
cp config/diaspora.yml.example config/diaspora.yml

sed -i '5 s!username: postgres!username: diaspora!' config/database.yml

Replace SECRET with the password you used for the diaspora postgresql user.

sed -i '6 s!password:!password: SECRET!' config/database.yml
sed -i 's!encoding: unicode!encoding: unicode\n  template: template0!' config/database.yml

Replace https://diaspora.example.com/ with the URL you want to use:

sed -i 's!#url: "https://example.org/"!url: "https://diaspora.example.com/"!' config/diaspora.yml
sed -i 's!#certificate_authorities: '\''/etc/pki/tls/certs/ca-bundle.crt'\''!certificate_authorities: '\''/etc/pki/tls/certs/ca-bundle.crt'\''!' config/diaspora.yml
sed -i 's!#rails_environment: '\''development'\''!rails_environment: '\''production'\''!' config/diaspora.yml
sed -i 's!#listen: '\''127.0.0.1:3000'\''!listen: '\''127.0.0.1:3000'\''!' config/diaspora.yml

# Installation - use bundler 1.16.2, newer version has a bug -> https://discourse.diasporafoundation.org/t/pid-file-could-not-be-created/1640/2
gem install bundler -v 1.16.2
script/configure_bundler
bin/bundle install --full-index

# DB creation
RAILS_ENV=production bundle exec rake db:create db:migrate

# Precompile assets
RAILS_ENV=production bin/rake assets:precompile

# exit as diaspora to become root
exit

Configure services

# systemd config for new services

# Diaspora target
cat > /etc/systemd/system/diaspora.target << EOL
[Unit]
Description=Diaspora social network
Wants=postgresql.service
Wants=redis-server.service
After=redis-server.service
After=postgresql.service

[Install]
WantedBy=multi-user.target
EOL

# Web service
cat > /etc/systemd/system/diaspora-web.service << EOL
[Unit]
Description=Diaspora social network (unicorn)
PartOf=diaspora.target
StopWhenUnneeded=true

[Service]
User=diaspora
Environment=RAILS_ENV=production
WorkingDirectory=/home/diaspora/diaspora
PIDFile=/home/diaspora/diaspora/tmp/pids/web.pid
ExecStart=/bin/bash -lc "bin/bundle exec unicorn -c config/unicorn.rb -E production"
ExecReload=/bin/kill -USR2 $MAINPID
Restart=always

[Install]
WantedBy=diaspora.target
EOL

# Sidekiq (admin interface) service
cat > /etc/systemd/system/diaspora-sidekiq.service << EOL
[Unit]
Description=Diaspora social network (sidekiq)
PartOf=diaspora.target
StopWhenUnneeded=true

[Service]
User=diaspora
Environment=RAILS_ENV=production
WorkingDirectory=/home/diaspora/diaspora
ExecStart=/bin/bash -lc "bin/bundle exec sidekiq"
Restart=always

[Install]
WantedBy=diaspora.target
EOL

# Enable and start services
systemctl enable diaspora.target diaspora-sidekiq.service diaspora-web.service --now

Use diaspora

Browse to https://yourdomain.com and you should see the diaspora start page.

Create an (admin) user

Create a user by using "Create account" in the web UI (admin is reserved, you'll need another name)

In the rails console you may set the admin role. Replace "USER" with the user created in the previous step:

# change to diaspora user
su - diaspora
cd diaspora
# start console
RAILS_ENV=production bundle exec rails console
# define admin role for "USER"
Role.add_admin User.where(username: "USER").first.person
exit
exit

You may enter the admin interface via the user menu in the top right:

The Sidekiq monitor:

3 Likes

I am going to try and follow your howto... thnx for the effort!

If I install diaspora on a local VM, do I need to have a forward from the internet to the VM to make this work or should I be able to get the diaspora start page from my local network if I have set the domain in my local DNS?
Asking this because I get the NS startpage when I enter the configured address in my browser...

In other words: is a connection with the diaspora network mandatory to test this?

1 Like

It should work internally but I tested with port forward using a ddns domain.

EDIT:

It works internally with DNS resolvable name. You may use httpd -S to check if the virtualhost config is correct.

httpd -S gives this:

[root@ns7pod ~]# httpd -S
VirtualHost configuration:
*:80 pod.ad.interlin.nl (/etc/httpd/conf.d/zzz_diaspora.conf:3)
*:443 is a NameVirtualHost
default server ns7pod.ad.interlin.nl (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns7pod.ad.interlin.nl (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns7pod.ad.interlin.nl (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost pod.ad.interlin.nl/ (/etc/httpd/conf.d/zzz_diaspora.conf:8)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

What could be the problem? document root? Shouldn't that be rewritten to /home/diaspora/diaspora/public?
I will try to re-create httpd.conf

/edit BINGO... after restarting httpd service I get the diaspora welcome page...

great work @mrmarkuz

/edit2: hmzz, just checked httpd -S again and it still shows /var/www/html as main document root... there is something I don't understand here... :-/

1 Like

It's just important that the zzz_diaspora.conf is listed here with correct domain name, don't worry about the main document root...

Thnx for the comment.
This was a dry run.
Now going to install a pod on my VPS...

@mrmarkuz: Just for the sake of continuity of this howto:
What do you think? Is it worth the effort to have an RPM for this? Or should we stick with creating a howto in our wiki?

/edit: sent out a conversation with a link to this howto: https://pod.interlin.nl/posts/c34cddf0b6050136aa2e62ad60e939da

2 Likes

Good questions. I'd stick to the howto for now and do some further testing and maybe test some other similar applications and then decide.

Would be a challenge for "community sprint" workshop too...

1 Like

Maybe we can add some services for integration. When you head over to the pod statistics, you can see 4 services: Twitter, Tumblr, Facebook and Wordpress (so your diaspora messages get posted on those networks too.)
https://wiki.diasporafoundation.org/FAQ_for_developers#How_do_I_add_services_for_a_user.3F

1 Like

Good idea. There are some more addons/scripts:

https://wiki.diasporafoundation.org/Tools_to_use_with_Diaspora

1 Like

Great stuff. My pod is running and available from https://pod.interlin.nl

btw, am I right that since it is using Apache, there automatically is a fail2ban jail for this instance because apache jail is active?

No but that's a good point. We need to track /home/diaspora/diaspora/log/production.log in fail2ban for failed logins (they look like Completed 401 Unauthorized in).
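One way to prototype the detection just described before turning it into a fail2ban filter, as an added example that is not part of this thread or of Diaspora's own tooling: it pairs a Rails-style `Started POST "/users/sign_in" for <ip>` line with the following `Completed 401 Unauthorized` line from the same worker PID and counts failures per IP inside a time window. The log format, the PID-based pairing and the sample lines are assumptions, and `maxretry`/`findtime` stand in for the fail2ban settings of the same name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a Rails-style logger format (assumed, not copied
# from a real pod).  Assumption: a "Started POST ... for <ip>" line and the
# next "Completed ..." line from the same worker PID (after '#') belong to
# the same request, so the 401 can be attributed to that client IP.
SAMPLE_LOG = """\
I, [2018-09-01T12:00:00.100000 #2101]  INFO -- : Started POST "/users/sign_in" for 203.0.113.5 at 2018-09-01 12:00:00 +0000
I, [2018-09-01T12:00:00.180000 #2101]  INFO -- : Completed 401 Unauthorized in 72ms
I, [2018-09-01T12:00:03.100000 #2101]  INFO -- : Started POST "/users/sign_in" for 203.0.113.5 at 2018-09-01 12:00:03 +0000
I, [2018-09-01T12:00:03.150000 #2101]  INFO -- : Completed 401 Unauthorized in 61ms
I, [2018-09-01T12:00:05.000000 #2102]  INFO -- : Started POST "/users/sign_in" for 198.51.100.9 at 2018-09-01 12:00:05 +0000
I, [2018-09-01T12:00:05.400000 #2102]  INFO -- : Completed 302 Found in 120ms
I, [2018-09-01T12:00:07.100000 #2101]  INFO -- : Started POST "/users/sign_in" for 203.0.113.5 at 2018-09-01 12:00:07 +0000
I, [2018-09-01T12:00:07.150000 #2101]  INFO -- : Completed 401 Unauthorized in 58ms
"""

STARTED = re.compile(r'^\w, \[(?P<ts>[^ ]+) #(?P<pid>\d+)\].*Started POST "/users/sign_in" for (?P<ip>[\d.]+) ')
COMPLETED_401 = re.compile(r'^\w, \[(?P<ts>[^ ]+) #(?P<pid>\d+)\].*Completed 401 Unauthorized in')


def failed_logins(log_text):
    """Yield (timestamp, ip) for every sign-in request that ended in 401."""
    pending = {}  # pid -> client IP of the request that worker is handling
    for line in log_text.splitlines():
        m = STARTED.match(line)
        if m:
            pending[m['pid']] = m['ip']
            continue
        m = COMPLETED_401.match(line)
        if m and m['pid'] in pending:
            yield datetime.fromisoformat(m['ts']), pending.pop(m['pid'])


def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the IPs with at least maxretry failed logins inside findtime."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = set()
    for ts, ip in failed_logins(log_text):
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:  # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned
```

Once the regexes match your real production.log, the `STARTED` pattern's `<ip>` group is what a fail2ban `failregex` would need as `<HOST>`, since the 401 line alone carries no client address.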

I tried to add letsencrypt to the pod install, but when I do this through the NethServer admin interface (configuration / server certificate) I get this error:

perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "nl.utf8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). Failed authorization procedure. pod.interlin.nl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pod.interlin.nl/.well-known/acme-challenge/TFmv9CS51XssgOkOFEsqE-ahsf4evMWmOMcx1soTHqU: " The page you were looking for doesn't exist (404) <link hre"

I understood having a valid (not self-signed) certificate is essential for diaspora pods to communicate with each other. How should we tackle this?

When searching for the error I get this topic on letsencrypt forums: The client lacks sufficient authorization - 404 - Help - Let's Encrypt Community Support

For what I have seen there is a .well-known directory in /var/www/html directory

For a quick solution you may just comment out the virtualhost on port 80 in /etc/httpd/conf.d/zzz_diaspora.conf. I have to recheck...

#<VirtualHost *:80>
#  ServerName your.domain.local
#
#  RedirectPermanent / https://your.domain.local
#</VirtualHost>

systemctl restart httpd httpd-admin

thnx... worked like a charm. Now I have letsencrypt also active on the diaspora pod...

If it helps...

3 Likes

Thanks Marc, that did the trick :+1:, I updated the howto.

2 Likes

Bumping this topic.
I have my pod running quite stable now. Although I would like to add some functionality. There are several options to connect diaspora* with other networks: https://wiki.diasporafoundation.org/Integrating_other_social_networks
But more interesting would be to integrate chat/xmpp support: https://wiki.diasporafoundation.org/Integration/Chat
I will try these extras, but have to install a test server first because I don't want to "mess" with my production pod.
Anyone else want to give it a go? @mrmarkuz?.. :wink:

I just received a pm on d* forums. I will copy paste the pm here:

In the guide on installing diaspora*, it is suggested to create the database manually. This can be error-prone and is potentially time consuming to repair when supporting podmins. Please suggest to remove this, as the database will be created later on in the process by bin/rake db:create with all the right defaults.

@mrmarkuz, should the howto be adapted with this feature to stay consistent with upstream instructions?

2 Likes

Yes, I'll apply the changes and test them asap.

Our howtos are always describing the whole thing, not only the NS part but I'll add a link to diaspora docs if not already there...

Hi @mrmarkuz
I received another remark on the howto. When creating the db, you specify:

ENCODING 'UTF8'

diaspora uses encoding unicode exclusively. Is there any reason why you set encoding on UTF8 and not unicode? (in both database creation and config/database.yml)