Howto install Diaspora pod on NethServer


(Markus Neuberger) #1

Hi friends,

this is a howto about installing Diaspora pod on NethServer.



# Install needed packages
yum -y install tar make automake gcc gcc-c++ git net-tools cmake libcurl-devel libxml2-devel libffi-devel libxslt-devel wget nethserver-redis ImageMagick nodejs nethserver-postgresql postgresql-devel bison bzip2 libtool readline-devel sqlite-devel openssl-devel

Feel free to replace the postgres user password SECRET with a more secure one:

# Create diaspora DB user
sudo -u postgres psql

ImageMagick needs to be configured - see

# ImageMagick policy settings for making captcha work
sed -i 's:  <policy domain="coder" rights="none" pattern="LABEL" />:<!-- <policy domain="coder" rights="none" pattern="LABEL" /> -->:' /etc/ImageMagick/policy.xml

Replace and diaspora\.example\.com with your domain (ServerName(s), RedirectMatch, RewriteCond and RewriteRule)

# Create httpd conf with reverse proxy, I used ports, socket didn't work.
cat > /etc/httpd/conf.d/zzz_diaspora.conf << 'EOL'
# ('EOL' is quoted so the shell does not expand $1 in the camo rule below)
# Make sure to notice the comments at

<VirtualHost *:80>

# To make letsencrypt work
  RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).*
</VirtualHost>

<VirtualHost *:443>
 DocumentRoot /home/diaspora/diaspora/public

 RewriteEngine On

 RewriteCond %{HTTP_HOST} !^diaspora\.example\.com [NC]
 RewriteRule ^/(.*)$ https://diaspora\.example\.com/ [L,R,QSA]

 # For Camo support
 #RewriteRule ^/camo/(.*)$ balancer://camo/$1 [P,QSA,L]
 RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]

 <Proxy balancer://upstream>
  # Recommended, using a unix socket (Requires Apache >= 2.4)
  # BalancerMember unix:///path/to/diaspora/tmp/diaspora.sock|http://
  # Alternatively let diaspora listen on a local port (Use this for Apache < 2.4)
  BalancerMember http://localhost:3000
 </Proxy>

 # For Camo support
 #<Proxy balancer://camo>
 #  BalancerMember http://localhost:8081
 #</Proxy>

 ProxyRequests Off
 ProxyVia On
 ProxyPreserveHost On
 RequestHeader set X_FORWARDED_PROTO https

 <Proxy *>
  # Apache < 2.4
  #Order allow,deny
  #Allow from all
  # Apache >= 2.4
  Require all granted
 </Proxy>

 <Directory /home/diaspora/diaspora/public>
  Options -MultiViews
  # Apache < 2.4
  #Allow from all
  #AllowOverride all
  # Apache >= 2.4
  Require all granted
 </Directory>

 SSLEngine On
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 # Based on - consider as global configuration
 SSLProtocol             all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCompression off
</VirtualHost>
EOL

# Restart httpd to apply configs
systemctl restart httpd


# Add user diaspora
adduser diaspora
chmod 755 /home/diaspora

# Work as user
su - diaspora
cd ~

# Get Ruby Version Manager (RVM)
command curl -sSL | gpg2 --import -
curl -L | bash

# Setup RVM
# -F matches the line literally (the [[ ]] would otherwise be read as a regex bracket expression), -q keeps grep silent
grep -qF '[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm"' ~/.bashrc || echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm"' >> ~/.bashrc
source ~/.bashrc

# Install ruby 2.4
rvm install 2.4

# Get source
git clone -b master
cd diaspora

# Edit configuration files
cp config/database.yml.example config/database.yml
cp config/diaspora.yml.example config/diaspora.yml

sed -i '5 s!username: postgres!username: diaspora!' config/database.yml

Replace SECRET with the password you used for the diaspora postgresql user.

sed -i '6 s!password:!password: SECRET!' config/database.yml
sed -i 's!encoding: unicode!encoding: unicode\n  template: template0!' config/database.yml

Replace with the URL you want to use:

sed -i 's!#url: ""!url: ""!' config/diaspora.yml
sed -i 's!#certificate_authorities: '\''/etc/pki/tls/certs/ca-bundle.crt'\''!certificate_authorities: '\''/etc/pki/tls/certs/ca-bundle.crt'\''!' config/diaspora.yml
sed -i 's!#rails_environment: '\''development'\''!rails_environment: '\''production'\''!' config/diaspora.yml
sed -i 's!#listen: '\'''\''!listen: '\'''\''!' config/diaspora.yml

# Installation - use bundler 1.16.2, newer version has a bug ->
gem install bundler -v 1.16.2
bin/bundle install --full-index

# DB creation
RAILS_ENV=production bundle exec rake db:create db:migrate

# Precompile assets
RAILS_ENV=production bin/rake assets:precompile

# exit as diaspora to become root
exit

Configure services

# systemd config for new services

# Diaspora target
cat > /etc/systemd/system/ << 'EOL'
[Unit]
Description=Diaspora social network
EOL


# Web service
# ('EOL' is quoted so the shell does not expand $MAINPID while writing the unit)
cat > /etc/systemd/system/diaspora-web.service << 'EOL'
[Unit]
Description=Diaspora social network (unicorn)

[Service]
# User and working directory taken from the account and checkout used above
User=diaspora
WorkingDirectory=/home/diaspora/diaspora
ExecStart=/bin/bash -lc "bin/bundle exec unicorn -c config/unicorn.rb -E production"
ExecReload=/bin/kill -USR2 $MAINPID
EOL


# Sidekiq (admin interface) service
cat > /etc/systemd/system/diaspora-sidekiq.service << 'EOL'
[Unit]
Description=Diaspora social network (sidekiq)

[Service]
# User and working directory taken from the account and checkout used above
User=diaspora
WorkingDirectory=/home/diaspora/diaspora
ExecStart=/bin/bash -lc "bin/bundle exec sidekiq"
EOL


# Enable and start services
systemctl enable diaspora-sidekiq.service diaspora-web.service --now

Use diaspora

Browse to and you should see the diaspora start page.

Create an (admin) user

Create a user by using “Create account” in the web UI (admin is reserved, you’ll need another name)

In the rails console you may set the admin role. Replace “USER” with the user created in the previous step:

# change to diaspora user
su - diaspora
cd diaspora
# start console
RAILS_ENV=production bundle exec rails console
# define admin role for "USER"
Role.add_admin User.where(username: "USER").first.person

You may enter the admin interface via the user menu in the top right:

The Sidekiq monitor:

(Rob Bosch) #2

I am going to try and follow your howto… thnx for the effort!

If I install diaspora on a local VM, do I need to have a forward from the internet to the VM to make this work or should I be able to get the diaspora start page from my local network if I have set the domain in my local DNS?
Asking this because I get the NS startpage when I enter the configured address in my browser…

In other words: is a connection with the diaspora network mandatory to test this?

(Markus Neuberger) #3

It should work internally but I tested with port forward using a ddns domain.


It works internally with DNS resolvable name. You may use httpd -S to check if the virtualhost config is correct.

(Rob Bosch) #4

httpd -S gives this:

[root@ns7pod ~]# httpd -S
VirtualHost configuration:
*:80 (/etc/httpd/conf.d/zzz_diaspora.conf:3)
*:443 is a NameVirtualHost
default server (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost (/etc/httpd/conf.d/zzz_diaspora.conf:8)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/"
User: name="apache" id=48
Group: name="apache" id=48

What could be the problem? document root? Shouldn’t that be rewritten to /home/diaspora/diaspora/public??
I will try to re-create httpd.conf

/edit BINGO… after restarting httpd service I get the diaspora welcome page…

great work @mrmarkuz

/edit2: hmzz, just checked httpd -S again and it still shows /var/www/html as main document root… there is something I don’t understand here… :-/

(Markus Neuberger) #5

It’s just important that the zzz_diaspora.conf is listed here with correct domain name, don’t worry about the main document root…

(Rob Bosch) #6

Thnx for the comment.
This was a dry run.
Now going to install a pod on my VPS…

@mrmarkuz: Just for the sake of continuity of this howto:
What do you think? Is it worth the effort to have an RPM for this? Or should we stick with creating a howto in our wiki?

/edit: sent out a conversation with a link to this howto:

(Markus Neuberger) #7

Good questions. I’d stick to the howto for now and do some further testing and maybe test some other similar applications and then decide.

Would be a challenge for “community sprint” workshop too…

(Rob Bosch) #8

Maybe we can add some services for integration. When you head over to the pod statistics, you can see 4 services: Twitter, Tumblr, Facebook and Wordpress (so your diaspora messages get posted on those networks too.)

(Markus Neuberger) #9

Good idea. There are some more addons/scripts:

(Rob Bosch) #10

Great stuff. My pod is running and available from

btw, am I right that since it is using Apache, there automatically is a fail2ban jail for this instance because apache jail is active?

(Markus Neuberger) #11

No but that’s a good point. We need to track /home/diaspora/diaspora/log/production.log in fail2ban for failed logins (they look like Completed 401 Unauthorized in).
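The catch with a jail on production.log is that the "Completed 401 Unauthorized" line carries no client address; Rails logs the address only on the preceding "Started ... for <ip>" line of the same request, and with several unicorn workers those lines interleave. As an added example (not from this thread or the diaspora project), here is a small Python script that does the correlation a jail would need: it keys in-flight requests by worker pid, attributes each 401 to the right client, and flags addresses that hit a maxretry/findtime threshold. The log lines are constructed in the Rails default logger layout, and the regexes, threshold names and sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of diaspora's Rails production.log (not a real capture):
# each request logs "Started ... for <client ip>" first and "Completed <status>"
# last, tagged with the unicorn worker pid. The 401 line itself has no address.
SAMPLE_LOG = """\
I, [2018-09-06T10:00:01.000000 #1234]  INFO -- : Started POST "/users/sign_in" for 203.0.113.7 at 2018-09-06 10:00:01 +0200
I, [2018-09-06T10:00:01.050000 #1235]  INFO -- : Started GET "/stream" for 198.51.100.5 at 2018-09-06 10:00:01 +0200
I, [2018-09-06T10:00:01.100000 #1234]  INFO -- : Processing by SessionsController#create as HTML
I, [2018-09-06T10:00:01.200000 #1235]  INFO -- : Completed 200 OK in 150ms (Views: 90.0ms | ActiveRecord: 12.0ms)
I, [2018-09-06T10:00:01.300000 #1234]  INFO -- : Completed 401 Unauthorized in 300ms
I, [2018-09-06T10:00:20.000000 #1234]  INFO -- : Started POST "/users/sign_in" for 203.0.113.7 at 2018-09-06 10:00:20 +0200
I, [2018-09-06T10:00:20.200000 #1234]  INFO -- : Completed 401 Unauthorized in 200ms
I, [2018-09-06T10:00:30.000000 #1235]  INFO -- : Started POST "/users/sign_in" for 198.51.100.5 at 2018-09-06 10:00:30 +0200
I, [2018-09-06T10:00:30.200000 #1235]  INFO -- : Completed 401 Unauthorized in 200ms
I, [2018-09-06T10:00:45.000000 #1234]  INFO -- : Started POST "/users/sign_in" for 203.0.113.7 at 2018-09-06 10:00:45 +0200
I, [2018-09-06T10:00:45.200000 #1234]  INFO -- : Completed 401 Unauthorized in 200ms
I, [2018-09-06T10:01:00.000000 #9999]  INFO -- : Completed 401 Unauthorized in 5ms
"""

# Assumed line layouts: "[<iso timestamp> #<pid>]" prefix, then the Rails message.
STARTED_RE = re.compile(
    r'\[(?P<ts>[^\s\]]+) #(?P<pid>\d+)\].*Started (?P<verb>[A-Z]+) '
    r'"(?P<path>[^"]*)" for (?P<ip>[0-9a-fA-F.:]+) at')
COMPLETED_RE = re.compile(
    r'\[(?P<ts>[^\s\]]+) #(?P<pid>\d+)\].*Completed (?P<status>\d{3})')


def failed_logins(lines):
    """Return [(timestamp, ip, path)] for every request that ended in 401,
    taking the client address from the same worker's preceding Started line."""
    last_started = {}          # pid -> (ip, path) of the request in flight
    hits = []
    for line in lines:
        m = STARTED_RE.search(line)
        if m:
            last_started[m['pid']] = (m['ip'], m['path'])
            continue
        m = COMPLETED_RE.search(line)
        if m and m['status'] == '401':
            started = last_started.pop(m['pid'], None)
            if started is None:
                continue       # no Started line seen for this worker: cannot attribute
            ip, path = started
            hits.append((datetime.fromisoformat(m['ts']), ip, path))
    return hits


def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: peak failures} for clients that reached maxretry 401s
    inside a sliding findtime window, i.e. what a jail would act on."""
    window = defaultdict(deque)
    flagged = {}
    for ts, ip, _path in failed_logins(lines):
        q = window[ip]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins inside the window")
```

The stray 401 from pid 9999 is dropped on purpose: with no Started line for that worker there is no address to act on, and guessing one would ban the wrong client.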

(Rob Bosch) #12

I tried to add letsencrypt to the pod install, but when I do this through the NethServer admin interface (configuration / server certificate) I get this error:

perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = “nl.utf8” are supported and installed on your system. perl: warning: Falling back to the standard locale (“C”). Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from " The page you were looking for doesn’t exist (404) <link hre"

I understood having a valid (not self-signed) certificate is essential for diaspora pods to communicate with each other. How should we tackle this?

When searching for the error I get this topic on letsencrypt forums:

For what I have seen there is a .well-known directory in /var/www/html directory

(Markus Neuberger) #13

For a quick solution you may just comment out the virtualhost on port 80 in /etc/httpd/conf.d/zzz_diaspora.conf. I have to recheck…

#<VirtualHost *:80>
#  ServerName your.domain.local
#  RedirectPermanent / https://your.domain.local

systemctl restart httpd httpd-admin
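The 404 in the previous post comes from the port-80 vhost redirecting the ACME http-01 probe to https, where diaspora answers it; the workaround here drops the redirect entirely, while the howto's vhost keeps it but exempts /.well-known/acme-challenge/ through a negative lookahead. As an added example (not from this thread), here is a Python emulation of both port-80 behaviours so the difference can be checked against sample paths; the redirect target host and the Python `re` stand-in for Apache's PCRE are assumptions of this example.

```python
import re

# Pattern from the howto's port-80 vhost (RedirectMatch with a negative lookahead):
# every path except /.well-known/acme-challenge/... is sent to https.
ACME_SAFE_REDIRECT = re.compile(r'^(?!/\.well-known/acme-challenge/).*')

# Assumed redirect target; stands in for the pod's real hostname.
HTTPS_HOST = "diaspora.example.com"


def howto_port80(path):
    """Emulate the howto's vhost: ('redirect', target) or ('serve', path).
    RedirectMatch tests the regex against the URL path; on a match the client
    gets a 301 to the fixed target, otherwise the request stays on port 80,
    which is where the ACME http-01 validator expects its token."""
    if ACME_SAFE_REDIRECT.match(path):
        return ("redirect", f"https://{HTTPS_HOST}/")
    return ("serve", path)


def blanket_port80(path):
    """Emulate the commented-out 'RedirectPermanent / https://host' variant:
    every path, the challenge included, is redirected, so the validator lands
    on the https vhost and gets diaspora's 404 page."""
    return ("redirect", f"https://{HTTPS_HOST}{path}")


def compare(paths):
    """Return {path: (howto_action, blanket_action)} for a list of paths."""
    return {p: (howto_port80(p)[0], blanket_port80(p)[0]) for p in paths}


if __name__ == "__main__":
    samples = ["/", "/users/sign_in", "/.well-known/acme-challenge/TOKEN",
               "/.well-known/other", "/well-known/acme-challenge/x"]
    for p, (a, b) in compare(samples).items():
        print(f"{p:40} howto={a:8} blanket={b}")
```

Only the exact /.well-known/acme-challenge/ prefix is exempted; a lookalike path without the leading dot, or anything else under /.well-known/, is still redirected, so the exemption does not open port 80 for general plain-http use.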

(Rob Bosch) #14

thnx… worked like a charm. Now I have letsencrypt also active on the diaspora pod…

(Marc) #15

If it helps…

(Markus Neuberger) #16

Thanks Marc, that did the trick :+1:, I updated the howto.

(Rob Bosch) #17

Bumping this topic.
I have my pod running quite stable now. Although I would like to add some functionality. There are several options to connect diaspora* with other networks:
But more interesting would be to integrate chat/xmpp support:
I will try these extras, but have to install a test server first because I don’t want to “mess” with my production pod.
Anyone else want to give it a go? @mrmarkuz?.. :wink:

(Rob Bosch) #18

I just received a pm on d* forums. I will copy paste the pm here:

In the guide on installing diaspora*, it is suggested to create the database manually. This can be error-prone and is potentially time consuming to repair when supporting podmins. Please suggest to remove this, as the database will be created later on in the process by bin/rake db:create with all the right defaults.

@mrmarkuz, should the howto be adapted with this feature to stay consistent with upstream instructions?

(Markus Neuberger) #19

Yes, I’ll apply the changes and test them asap.

Our howtos are always describing the whole thing, not only the NS part but I’ll add a link to diaspora docs if not already there…

(Rob Bosch) #20

Hi @mrmarkuz
I received another remark on the howto. When creating the db, you specify:


diaspora uses encoding unicode exclusively. Is there any reason why you set encoding on UTF8 and not unicode? (in both database creation and config/database.yml)