Howto install Diaspora pod on NethServer

education
v7

(Markus Neuberger) #1

Hi friends,

this is a howto about installing a Diaspora pod on NethServer.

Source:

https://wiki.diasporafoundation.org/Installation/CentOS/7

Preconfig

# Install needed packages
yum -y install tar make automake gcc gcc-c++ git net-tools cmake libcurl-devel libxml2-devel libffi-devel libxslt-devel wget nethserver-redis ImageMagick nodejs nethserver-postgresql postgresql-devel bison bzip2 libtool readline-devel sqlite-devel openssl-devel

Feel free to replace the postgres user password SECRET with a more secure one:

# Create diaspora DB user
sudo -u postgres psql
CREATE USER diaspora WITH CREATEDB PASSWORD 'SECRET';
\q

ImageMagick needs to be configured - see https://github.com/diaspora/diaspora/issues/6828

# ImageMagick policy settings for making captcha work
sed -i 's:  <policy domain="coder" rights="none" pattern="LABEL" />:<!-- <policy domain="coder" rights="none" pattern="LABEL" /> -->:' /etc/ImageMagick/policy.xml

Replace diaspora.example.com and diaspora\.example\.com with your domain (ServerName(s), RedirectMatch, RewriteCond and RewriteRule)

# Create httpd conf with reverse proxy, I used ports, socket didn't work.
# The heredoc delimiter is quoted so the shell writes $1 and the Apache
# variables literally instead of expanding them while the file is written.
cat > /etc/httpd/conf.d/zzz_diaspora.conf << 'EOL'
# Make sure to notice the comments at https://gist.github.com/jhass/719014#gistcomment-19774

<VirtualHost *:80>
  ServerName diaspora.example.com

# To make letsencrypt work
  RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://diaspora.example.com
</VirtualHost>
<VirtualHost *:443>
 ServerName diaspora.example.com
 
 DocumentRoot /home/diaspora/diaspora/public

 RewriteEngine On

 RewriteCond %{HTTP_HOST} !^diaspora\.example\.com [NC]
 # the substitution is a literal URL, so the dots are not escaped here
 RewriteRule ^/(.*)$ https://diaspora.example.com/ [L,R,QSA]

 # For Camo support
 #RewriteRule ^/camo/(.*)$ balancer://camo/$1 [P,QSA,L]
 
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
 RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]

 <Proxy balancer://upstream>
  # Recommended, using a unix socket (Requires Apache >= 2.4)
  # BalancerMember unix:///path/to/diaspora/tmp/diaspora.sock|http://
  # Alternatively let diaspora listen on a local port (Use this for Apache < 2.4)
  BalancerMember http://localhost:3000
 </Proxy>

 # For Camo support
 #<Proxy balancer://camo>
 #  BalancerMember http://localhost:8081
 #</Proxy>

 ProxyRequests Off
 ProxyVia On  
 ProxyPreserveHost On
 RequestHeader set X_FORWARDED_PROTO https

 <Proxy *>
  # Apache < 2.4
  #Order allow,deny
  #Allow from all
  # Apache >= 2.4
  Require all granted
 </Proxy>

 <Directory /home/diaspora/diaspora/public>
  Options -MultiViews
  # Apache < 2.4
  #Allow from all
  #AllowOverride all
  # Apache >= 2.4
  Require all granted
 </Directory>

 SSLEngine On
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 
 # Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration
 # Note: this still permits TLS 1.0 and 1.1; append -TLSv1 -TLSv1.1 once all clients speak TLS 1.2
 SSLProtocol             all -SSLv2 -SSLv3
 SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
 SSLHonorCipherOrder on
 SSLCompression off
</VirtualHost>
EOL

# Restart httpd to apply configs
systemctl restart httpd

Installation

# Add user diaspora
adduser diaspora
chmod 755 /home/diaspora

# Work as user
su - diaspora
cd ~

# Get Ruby Version Manager (RVM)
# Import the RVM signing key, then run the installer (s.diaspora.software/1t is
# diaspora's short link to it). It is piped straight into bash; download it to
# a file and read it first if you would rather not run unreviewed remote code.
command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
curl -L https://s.diaspora.software/1t | bash

# Setup RVM: add the loader line to ~/.bashrc if it is not already there
# (grep -qF: quiet, fixed string; "> nul" would have created a file named nul)
grep -qF '[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm"' ~/.bashrc || echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm"' >> ~/.bashrc
source ~/.bashrc

# Install ruby 2.4
rvm install 2.4

# Get source
git clone -b master https://github.com/diaspora/diaspora.git
cd diaspora

# Edit configuration files
cp config/database.yml.example config/database.yml
cp config/diaspora.yml.example config/diaspora.yml

sed -i '5 s!username: postgres!username: diaspora!' config/database.yml

Replace SECRET with the password you used for the diaspora postgresql user.

sed -i '6 s!password:!password: SECRET!' config/database.yml
sed -i 's!encoding: unicode!encoding: unicode\n  template: template0!' config/database.yml

Replace https://diaspora.example.com/ with the URL you want to use:

sed -i 's!#url: "https://example.org/"!url: "https://diaspora.example.com/"!' config/diaspora.yml
sed -i 's!#certificate_authorities: '\''/etc/pki/tls/certs/ca-bundle.crt'\''!certificate_authorities: '\''/etc/pki/tls/certs/ca-bundle.crt'\''!' config/diaspora.yml
sed -i 's!#rails_environment: '\''development'\''!rails_environment: '\''production'\''!' config/diaspora.yml
sed -i 's!#listen: '\''127.0.0.1:3000'\''!listen: '\''127.0.0.1:3000'\''!' config/diaspora.yml

# Installation - use bundler 1.16.2, newer version has a bug -> https://discourse.diasporafoundation.org/t/pid-file-could-not-be-created/1640/2
gem install bundler -v 1.16.2
script/configure_bundler
bin/bundle install --full-index

# DB creation
RAILS_ENV=production bundle exec rake db:create db:migrate

# Precompile assets
RAILS_ENV=production bin/rake assets:precompile

# exit as diaspora to become root
exit

Configure services

# systemd config for new services

# Diaspora target (delimiter quoted: nothing inside is shell-expanded)
cat > /etc/systemd/system/diaspora.target << 'EOL'
[Unit]
Description=Diaspora social network
Wants=postgresql.service
# the CentOS 7 (EPEL) redis package ships redis.service, not redis-server.service
Wants=redis.service
After=redis.service
After=postgresql.service

[Install]
WantedBy=multi-user.target
EOL

# Web service (delimiter quoted so $MAINPID below reaches the file literally
# instead of being expanded to an empty string while the unit is written)
cat > /etc/systemd/system/diaspora-web.service << 'EOL'
[Unit]
Description=Diaspora social network (unicorn)
PartOf=diaspora.target
StopWhenUnneeded=true

[Service]
User=diaspora
Environment=RAILS_ENV=production
WorkingDirectory=/home/diaspora/diaspora
PIDFile=/home/diaspora/diaspora/tmp/pids/web.pid
ExecStart=/bin/bash -lc "bin/bundle exec unicorn -c config/unicorn.rb -E production"
ExecReload=/bin/kill -USR2 $MAINPID
Restart=always

[Install]
WantedBy=diaspora.target
EOL

# Sidekiq (background job worker) service
cat > /etc/systemd/system/diaspora-sidekiq.service << 'EOL'
[Unit]
Description=Diaspora social network (sidekiq)
PartOf=diaspora.target
StopWhenUnneeded=true

[Service]
User=diaspora
Environment=RAILS_ENV=production
WorkingDirectory=/home/diaspora/diaspora
ExecStart=/bin/bash -lc "bin/bundle exec sidekiq"
Restart=always

[Install]
WantedBy=diaspora.target
EOL

# Enable and start services
systemctl enable diaspora.target diaspora-sidekiq.service diaspora-web.service --now

Use diaspora

Browse to https://yourdomain.com and you should see the diaspora start page.

Create an (admin) user

Create a user by using “Create account” in the web UI (admin is reserved, you’ll need another name)

In the rails console you may set the admin role. Replace “USER” with the user created in the previous step:

# change to diaspora user
su - diaspora
cd diaspora
# start console
RAILS_ENV=production bundle exec rails console
# define admin role for "USER"
Role.add_admin User.where(username: "USER").first.person
exit
exit

You may enter the admin interface via the user menu in the top right:

The Sidekiq monitor:
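
A post-install check for the howto above, added here as an example; it is not part of the original post and not diaspora's own tooling. It reads the files the howto writes (paths default to the howto's, override them with arguments) and fails loudly where the howto's commands fail silently: the sed edits are anchored to line numbers and exit 0 when they match nothing, the SECRET placeholder password can survive untouched, a unit file written through an unquoted heredoc (`<< EOL`) ends up with `$MAINPID` expanded to nothing in ExecReload, and a port-80 redirect that does not exclude `/.well-known/acme-challenge/` sends Let's Encrypt validation into the Rails app. The sample files in the demo at the bottom are constructed, not real install files; the assumption that the first uncommented `url:` key in diaspora.yml is the pod URL is mine.

```shell
#!/usr/bin/env bash
# Post-install checks for the diaspora howto (added example, not part of the
# original post). Reads the files the howto writes and fails loudly where the
# howto's own commands fail silently:
#  - the sed edits are anchored to line numbers and exit 0 when nothing matched
#  - the SECRET placeholder password may survive untouched
#  - an unquoted heredoc (<< EOL) expands $MAINPID to "" while the unit is
#    written, which breaks ExecReload
#  - the port-80 redirect must leave /.well-known/acme-challenge/ alone or
#    Let's Encrypt http-01 validation hits the Rails app (404)
# Paths default to the howto's; the files in the demo at the bottom are
# constructed samples, not real install files.

fail() { echo "FAIL: $*" >&2; return 1; }

# config/database.yml: user switched to diaspora, password set and not the
# placeholder, template0 added under the encoding line.
check_database_yml() {
  f="$1"
  grep -Eq '^[[:space:]]*username:[[:space:]]*"?diaspora"?[[:space:]]*$' "$f" \
    || { fail "$f: username is not diaspora"; return 1; }
  pw=$(sed -nE 's/^[[:space:]]*password:[[:space:]]*"?([^"]*)"?[[:space:]]*$/\1/p' "$f" | head -n 1)
  { [ -n "$pw" ] && [ "$pw" != "SECRET" ]; } \
    || { fail "$f: password empty or still the SECRET placeholder"; return 1; }
  grep -Eq '^[[:space:]]*template:[[:space:]]*template0[[:space:]]*$' "$f" \
    || { fail "$f: template: template0 missing"; return 1; }
}

# config/diaspora.yml: url uncommented, https and not a placeholder domain,
# production environment, unicorn bound to loopback only. Assumption: the
# first uncommented url: key is configuration.environment.url.
check_diaspora_yml() {
  f="$1"
  url=$(sed -nE 's/^[[:space:]]*url:[[:space:]]*"([^"]*)".*$/\1/p' "$f" | head -n 1)
  case "$url" in
    https://*) ;;
    *) fail "$f: url not set or not https"; return 1 ;;
  esac
  case "$url" in
    *example.com*|*example.org*) fail "$f: url still points at a placeholder domain"; return 1 ;;
  esac
  grep -Eq "^[[:space:]]*rails_environment:[[:space:]]*'production'" "$f" \
    || { fail "$f: rails_environment is not production"; return 1; }
  grep -Eq "^[[:space:]]*listen:[[:space:]]*'127\.0\.0\.1:3000'" "$f" \
    || { fail "$f: unicorn is not bound to 127.0.0.1:3000"; return 1; }
}

# diaspora-web.service: ExecReload must still carry a literal $MAINPID.
check_web_unit() {
  grep -Fq 'ExecReload=/bin/kill -USR2 $MAINPID' "$1" \
    || { fail "$1: \$MAINPID was expanded away when the unit was written"; return 1; }
}

# zzz_diaspora.conf: ACME path excluded from the redirect, proxy target present.
check_vhost() {
  f="$1"
  grep -E '^[[:space:]]*RedirectMatch' "$f" | grep -q 'acme-challenge' \
    || { fail "$f: port-80 redirect does not exclude /.well-known/acme-challenge/"; return 1; }
  grep -Eq '^[[:space:]]*BalancerMember[[:space:]]+http://(localhost|127\.0\.0\.1):3000' "$f" \
    || { fail "$f: no BalancerMember for the unicorn port"; return 1; }
}

# All checks against an install; returns 0 only when every check passes.
run_all_checks() {
  app="${1:-/home/diaspora/diaspora}"
  unit="${2:-/etc/systemd/system/diaspora-web.service}"
  vhost="${3:-/etc/httpd/conf.d/zzz_diaspora.conf}"
  rc=0
  check_database_yml "$app/config/database.yml" || rc=1
  check_diaspora_yml "$app/config/diaspora.yml" || rc=1
  check_web_unit "$unit" || rc=1
  check_vhost "$vhost" || rc=1
  return "$rc"
}

# Demo on constructed samples: the same unit text written with an unquoted
# and a quoted heredoc. $MAINPID is unset in this shell, exactly as it is
# when root pastes the howto, so the unquoted copy ends up with a bare kill.
demo=$(mktemp -d)
cat > "$demo/unquoted.service" << EOL
ExecReload=/bin/kill -USR2 $MAINPID
EOL
cat > "$demo/quoted.service" << 'EOL'
ExecReload=/bin/kill -USR2 $MAINPID
EOL
check_web_unit "$demo/unquoted.service" || echo "unquoted heredoc: broken, as expected"
check_web_unit "$demo/quoted.service" && echo "quoted heredoc: OK"
rm -rf "$demo"
```

Against a real pod, source the file and run `run_all_checks` (or pass your own app directory, unit and vhost paths) after the Installation and Configure services steps and before the first `systemctl enable --now`; every FAIL line names the file and the exact setting that did not take.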


(Rob Bosch) #2

I am going to try and follow your howto… thanks for the effort!

If I install diaspora on a local VM, do I need to have a forward from the internet to the VM to make this work or should I be able to get the diaspora start page from my local network if I have set the domain in my local DNS?
Asking this because I get the NS startpage when I enter the configured address in my browser…

In other words: is a connection with the diaspora network mandatory to test this?


(Markus Neuberger) #3

It should work internally but I tested with port forward using a ddns domain.

EDIT:

It works internally with DNS resolvable name. You may use httpd -S to check if the virtualhost config is correct.


(Rob Bosch) #4

httpd -S gives this:

[root@ns7pod ~]# httpd -S
VirtualHost configuration:
*:80 pod.ad.interlin.nl (/etc/httpd/conf.d/zzz_diaspora.conf:3)
*:443 is a NameVirtualHost
default server ns7pod.ad.interlin.nl (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns7pod.ad.interlin.nl (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns7pod.ad.interlin.nl (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost pod.ad.interlin.nl/ (/etc/httpd/conf.d/zzz_diaspora.conf:8)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

What could be the problem? Document root? Shouldn't that be rewritten to /home/diaspora/diaspora/public??
I will try to re-create httpd.conf

/edit BINGO… after restarting httpd service I get the diaspora welcome page…

great work @mrmarkuz

/edit2: hmzz, just checked httpd -S again and it still shows /var/www/html as main document root… there is something I don’t understand here… :-/


(Markus Neuberger) #5

It’s just important that the zzz_diaspora.conf is listed here with correct domain name, don’t worry about the main document root…


(Rob Bosch) #6

Thanks for the comment.
This was a dry run.
Now going to install a pod on my VPS…

@mrmarkuz: Just for the sake of continuity of this howto:
What do you think? Is it worth the effort to have an RPM for this? Or should we stick with creating a howto in our wiki?

/edit: sent out a conversation with a link to this howto: https://pod.interlin.nl/posts/c34cddf0b6050136aa2e62ad60e939da


(Markus Neuberger) #7

Good questions. I’d stick to the howto for now and do some further testing and maybe test some other similar applications and then decide.

Would be a challenge for “community sprint” workshop too…


(Rob Bosch) #8

Maybe we can add some services for integration. When you head over to the pod statistics, you can see 4 services: Twitter, Tumblr, Facebook and Wordpress (so your diaspora messages get posted on those networks too.)
https://wiki.diasporafoundation.org/FAQ_for_developers#How_do_I_add_services_for_a_user.3F


(Markus Neuberger) #9

Good idea. There are some more addons/scripts:

https://wiki.diasporafoundation.org/Tools_to_use_with_Diaspora


(Rob Bosch) #10

Great stuff. My pod is running and available from https://pod.interlin.nl

btw, am I right that since it is using Apache, there automatically is a fail2ban jail for this instance because apache jail is active?


(Markus Neuberger) #11

No but that’s a good point. We need to track /home/diaspora/diaspora/log/production.log in fail2ban for failed logins (they look like Completed 401 Unauthorized in).
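
A way to do the failed-login counting the post above calls for, added here as an example; it is not part of the thread and not diaspora's or fail2ban's own code. Rails logs a sign-in attempt as a `Started POST "/users/sign_in" for <ip> at ...` line and, several lines later, the outcome as `Completed 401 Unauthorized in ...` (or `Completed 302 Found` on success). The client IP is only on the first line, so a single-line regex on `Completed 401` cannot attribute the failure. The awk pass below pairs the two lines per unicorn worker, keyed on the process id in the log prefix (`#1234]` in Rails' default Logger format, `PID-1234` in the Logging gem's); that keeps interleaved workers from pinning one client's failure on another. The sample log is constructed, and the prefix format is an assumption to verify against your own pod's production.log.

```shell
#!/usr/bin/env bash
# Failed-login counting over diaspora's production.log (added example, not
# part of the thread). Rails logs a sign-in attempt as
#   Started POST "/users/sign_in" for <ip> at <time>
# and, several lines later, the outcome as
#   Completed 401 Unauthorized in <ms>      (or Completed 302 Found on success)
# The client IP is only on the first line, so a single-line "Completed 401"
# regex cannot attribute it. This awk pass pairs the two lines per unicorn
# worker, using the process id in the log prefix ("#1234]" in Rails' default
# Logger format, "PID-1234" in the Logging gem's), so interleaved workers do
# not pin one client's failure on another. The sample log below is
# constructed; the prefix format is an assumption to check against your pod.

# Print "ip count" for every IP with >= threshold failed logins, sorted.
failed_logins_by_ip() {
  log="$1"; threshold="${2:-5}"
  awk -v threshold="$threshold" '
    function worker(line) {
      if (match(line, /#[0-9]+]/))   return substr(line, RSTART + 1, RLENGTH - 2)
      if (match(line, /PID-[0-9]+/)) return substr(line, RSTART + 4, RLENGTH - 4)
      return "-"   # no pid in the prefix: fall back to a single stream
    }
    /Started POST "\/users\/sign_in" for / {
      if (match($0, / for [0-9a-fA-F.:]+ at /)) {
        ip = substr($0, RSTART + 5, RLENGTH - 9)   # strip " for " and " at "
        pending[worker($0)] = ip
      }
      next
    }
    /Completed 401 Unauthorized/ {
      w = worker($0)
      if (w in pending) { fails[pending[w]]++; delete pending[w] }
      next
    }
    /Completed [0-9]+ / { delete pending[worker($0)] }   # any other outcome
    END { for (ip in fails) if (fails[ip] >= threshold + 0) printf "%s %d\n", ip, fails[ip] }
  ' "$log" | sort
}

# Constructed sample: two unicorn workers (#2101, #2102) interleaving; the
# first 401 on worker 2101 belongs to 203.0.113.5, not to 198.51.100.7.
write_sample_log() {
  cat > "$1" << 'EOL'
I, [2018-09-12T10:15:01.001 #2101]  INFO -- : Started POST "/users/sign_in" for 203.0.113.5 at 2018-09-12 10:15:01 +0200
I, [2018-09-12T10:15:01.002 #2101]  INFO -- : Processing by SessionsController#create as HTML
I, [2018-09-12T10:15:01.003 #2102]  INFO -- : Started POST "/users/sign_in" for 198.51.100.7 at 2018-09-12 10:15:01 +0200
I, [2018-09-12T10:15:01.090 #2101]  INFO -- : Completed 401 Unauthorized in 88ms
I, [2018-09-12T10:15:01.120 #2102]  INFO -- : Completed 302 Found in 117ms (ActiveRecord: 4.0ms)
I, [2018-09-12T10:15:04.001 #2102]  INFO -- : Started POST "/users/sign_in" for 203.0.113.5 at 2018-09-12 10:15:04 +0200
I, [2018-09-12T10:15:04.070 #2102]  INFO -- : Completed 401 Unauthorized in 69ms
I, [2018-09-12T10:15:07.001 #2101]  INFO -- : Started POST "/users/sign_in" for 198.51.100.7 at 2018-09-12 10:15:07 +0200
I, [2018-09-12T10:15:07.002 #2102]  INFO -- : Started POST "/users/sign_in" for 203.0.113.5 at 2018-09-12 10:15:07 +0200
I, [2018-09-12T10:15:07.060 #2102]  INFO -- : Completed 401 Unauthorized in 58ms
I, [2018-09-12T10:15:07.080 #2101]  INFO -- : Completed 401 Unauthorized in 78ms
I, [2018-09-12T10:15:09.001 #2101]  INFO -- : Started GET "/stream" for 203.0.113.5 at 2018-09-12 10:15:09 +0200
I, [2018-09-12T10:15:09.050 #2101]  INFO -- : Completed 200 OK in 49ms
EOL
}

sample=$(mktemp)
write_sample_log "$sample"
echo "IPs with 3 or more failed logins:"
failed_logins_by_ip "$sample" 3
rm -f "$sample"
```

Against the real pod, `failed_logins_by_ip /home/diaspora/diaspora/log/production.log 5` lists the offenders; the output can feed a cron-driven blocklist for the firewall, and the same two-line pairing is what a fail2ban filter for this log needs (fail2ban can only express it through its multi-line `maxlines` mode, not a plain single-line `failregex`).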


(Rob Bosch) #12

I tried to add letsencrypt to the pod install, but when I do this through the NethServer admin interface (configuration / server certificate) I get this error:

perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "nl.utf8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). Failed authorization procedure. pod.interlin.nl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pod.interlin.nl/.well-known/acme-challenge/TFmv9CS51XssgOkOFEsqE-ahsf4evMWmOMcx1soTHqU: " The page you were looking for doesn't exist (404) <link hre"

I understood having a valid (not self-signed) certificate is essential for diaspora pods to communicate with each other. How should we tackle this?

When searching for the error I get this topic on letsencrypt forums: https://community.letsencrypt.org/t/the-client-lacks-sufficient-authorization-404/5309

For what I have seen there is a .well-known directory in /var/www/html directory


(Markus Neuberger) #13

For a quick solution you may just comment out the virtualhost on port 80 in /etc/httpd/conf.d/zzz_diaspora.conf. I have to recheck…

#<VirtualHost *:80>
#  ServerName your.domain.local
#
#  RedirectPermanent / https://your.domain.local
#</VirtualHost>

systemctl restart httpd httpd-admin


(Rob Bosch) #14

Thanks… worked like a charm. Now I have letsencrypt also active on the diaspora pod…


(Marc) #15

If it helps…


(Markus Neuberger) #16

Thanks Marc, that did the trick :+1:, I updated the howto.


(Rob Bosch) #17

Bumping this topic.
I have my pod running quite stable now. Although I would like to add some functionality. There are several options to connect diaspora* with other networks: https://wiki.diasporafoundation.org/Integrating_other_social_networks
But more interesting would be to integrate chat/xmpp support: https://wiki.diasporafoundation.org/Integration/Chat
I will try these extras, but have to install a test server first because I don't want to "mess" with my production pod.
Anyone else want to give it a go? @mrmarkuz?.. :wink:


(Rob Bosch) #18

I just received a pm on d* forums. I will copy paste the pm here:

In the guide on installing diaspora*, it is suggested to create the database manually. This can be error-prone and is potentially time consuming to repair when supporting podmins. Please suggest to remove this, as the database will be created later on in the process by bin/rake db:create with all the right defaults.

@mrmarkuz, should the howto be adapted with this feature to stay consistent with upstream instructions?


(Markus Neuberger) #19

Yes, I’ll apply the changes and test them asap.

Our howtos are always describing the whole thing, not only the NS part but I’ll add a link to diaspora docs if not already there…


(Rob Bosch) #20

Hi @mrmarkuz
I received another remark on the howto. When creating the db, you specify:

ENCODING 'UTF8'

diaspora uses encoding unicode exclusively. Is there any reason why you set encoding on UTF8 and not unicode? (in both database creation and config/database.yml)