CentOS7でmastodonを構築する

※mastodonインスタンス作成をまとめています。

【使用した物】

さくらVPS 1G　CentOS 7.3

 

【インストール手順】

OSのパッケージインストールして再起動

# yum -y update

# reboot

 

docker、docker-composeのインストール

# yum -y install docker

# curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

 

firewalldの設定

http(80)とhttps(443)ポートを開ける。

# firewall-cmd –add-service=http –zone=public –permanen

# firewall-cmd –add-service=https –zone=public –permanen

# firewall-cmd –reload
success

# firewall-cmd –list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http https ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

 

enginxのインストール

# rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

# yum -y update nginx-release-centos

# yum -y –enablerepo=nginx install nginx

# nginx -v

nginx version: nginx/1.12.0

 

Mastodonをgit cloneからダウンロード

# cd /home

# git clone https://github.com/tootsuite/mastodon.git

remote: Counting objects: 26012, done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 26012 (delta 0), reused 0 (delta 0), pack-reused 26002
Receiving objects: 100% (26012/26012), 34.36 MiB | 9.02 MiB/s, done.
Resolving deltas: 100% (15651/15651), done.

# cd mastodon/

 

データの永続化設定

# vi docker-compose.yml

(コメントの#文字を外す)

# volumes:

# - ./postgres:/var/lib/postgresql/data

# volumes:

# - ./redis:/data

シークレットキーの発行

# docker-compose run –rm web rake secret    ※3回実行

.env.production設定ファイルを編集

# cp .env.production.sample .env.production

# Federation
 LOCAL_DOMAIN=使用サイトのドメイン名を入れる
 LOCAL_HTTPS=true

# Application secrets
 # Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
 PAPERCLIP_SECRET=シークレットキーの発行で作成したキー

SECRET_KEY_BASE=シークレットキーの発行で作成したキー

OTP_SECRET=シークレットキーの発行で作成したキー

# E-mail configuration
 # Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
 # If you want to use an SMTP server without authentication (e.g local Postfix relay)
 # then set SMTP_AUTH_METHOD to 'none' and *comment* SMTP_LOGIN and SMTP_PASSWORD.
 # Leaving them blank is not enough for authentication method 'none'.
 SMTP_SERVER=smtp.sparkpostmail.com　　※SparkPostでの設定例
 SMTP_PORT=587
 SMTP_LOGIN=SMTP_Injection
 SMTP_PASSWORD=XXXXXXXX　　　　　　※SparkPostで取得したパスワードを入力
 SMTP_FROM_ADDRESS=送信するアドレス
 SMTP_AUTH_METHOD=plain
 SMTP_OPENSSL_VERIFY_MODE=none
 SMTP_ENABLE_STARTTLS_AUTO=true

 

nginxプロキシ設定ファイル作成

mastodon.confを作成し「https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Production-guide.md」から内容を持ってくる。

vi /etc/nginx/conf.d/mastodon.conf

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  listen [::]:80;
  server_name example.com;
  # Useful for Let's Encrypt
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name example.com;

  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  #ssl_dhparam         /etc/ssl/certs/dhparam.pem;    使用しないのでコメントアウト

  error_log /var/log/nginx/mastodon/error.log warn;     #ログを出力するため記載
  access_log /var/log/nginx/mastodon/access.log main;    #ログを出力するため記載
  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 0;

  root /home/mastodon/public;    #/home/mastodon/live/public⇒/home/mastodon/publicに修正

　gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    try_files $uri @proxy;
  }

  location ~ ^/(assets|system/media_attachments/files|system/accounts/avatars) {
    add_header Cache-Control "public, max-age=31536000, immutable";
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://127.0.0.1:3000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";

    proxy_pass http://localhost:4000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 500 501 502 503 504 /500.html;
}

certbotインストール

# yum -y install epel-release

# yum -y install certbot python-certbot-apache