snac.8 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794
  1. .Dd $Mdocdate$
  2. .Dt SNAC 8
  3. .Os
  4. .Sh NAME
  5. .Nm snac
  6. .Nd snac administration
  7. .Sh DESCRIPTION
  8. The
  9. .Nm
  10. daemon processes messages from other servers in the Fediverse
  11. using the ActivityPub protocol.
  12. .Pp
  13. This is the admin manual. For user operation, see
  14. .Xr snac 1 .
  15. For file and data formats, see
  16. .Xr snac 5 .
  17. .Ss Special cares about your snac you must know beforehand
  18. .Nm
  19. makes heavy use of hard links and link reference counts for its work, so
  20. don't even think of using it on a filesystem that doesn't support this
  21. feature. Most UNIX-like operating systems (Linux, the BSDs, the old DEC
  22. Ultrix machine in your grandfather basement, probably MacOS) support hard
  23. links on their native filesystems. Don't do fancy things like moving the
  24. subdirectories to different filesystems. Also, if you move your
  25. .Nm
  26. installation to another server, do it with a tool that respect hard
  27. link counts. Remember:
  28. .Nm
  29. is a very UNIXy program that loves hard links.
  30. .Ss Building and Installation
  31. A C compiler must be installed in the system, as well as the development
  32. headers and libraries for OpenSSL (or compatible) and curl. To build
  33. .Nm ,
  34. run
  35. .Bd -literal -offset indent
  36. make
  37. .Ed
  38. .Pp
  39. And, after that, run as root
  40. .Bd -literal -offset indent
  41. make install
  42. .Ed
  43. .Ss Data storage Initialization
  44. Once
  45. .Nm
  46. is properly installed on the system, designate a directory where
  47. the server and user data are to be stored. This directory
  48. must not exist yet.
  49. .Nm
  50. must always be run as a regular user; you can create one for
  51. it or use your own. To initialize the data storage, execute
  52. .Bd -literal -offset indent
  53. snac init $HOME/snac-data
  54. .Ed
  55. .Pp
  56. A small set of questions will be asked regarding the installation,
  57. specially the host name it will run under, the local network address
  58. and port
  59. .Nm
  60. will listen to, the optional path prefix and possibly other things.
  61. .Pp
  62. Since version 2.57, if the 'network address' starts with /, it's
  63. assumed to be a UNIX-like socket (please take note that the http proxy
  64. must have full read and write access to this socket; this is a common
  65. pitfall. Permissions will break your heart).
  66. .Pp
  67. You can launch the
  68. .Nm
  69. process by running
  70. .Bd -literal -offset indent
  71. snac httpd $HOME/snac-data
  72. .Ed
  73. .Pp
  74. Log messages are sent to the standard error stream. By default, only
  75. relevant information is written there. You can increase the debugging
  76. level by editing the 'dbglevel' field in the
  77. .Pa server.json
  78. file or by setting a numeric value between 0 and 3 to the DEBUG
  79. environment variable, see below.
  80. .Pp
  81. If you operate a Linux systemd-enabled system, OpenBSD, FreeBSD or NetBSD, there are
  82. startup scripts and configuration data in the
  83. .Pa examples
  84. directory.
  85. For other operating systems, please read the appropriate documentation
  86. on how to install a daemon as a non-root service.
  87. .Ss Upgrading to a new version
  88. Sometimes, the data storage disk layout changes between versions. If there
  89. is such a change,
  90. .Nm
  91. will refuse to run and require an upgrade. Do this by running
  92. .Bd -literal -offset indent
  93. snac upgrade $HOME/snac-data
  94. .Ed
  95. .Pp
  96. Take special care to execute this upgrade operation without any
  97. .Nm
  98. processes serving on the same folder. You can break everything. I know
  99. this because Tyler knows this.
  100. .Pp
  101. .Ss Server Setup
  102. .Pp
  103. An http server with TLS and proxying support must already be
  104. installed and configured.
  105. .Nm
  106. runs as a daemon and listens on a TCP/IP socket, preferably
  107. on a local interface. It can serve the full domain or only
  108. a directory. The http server must be configured to route to the
  109. .Nm
  110. socket all related traffic and also the webfinger standard
  111. address. The Host header must be propagated.
  112. See the examples below.
  113. .Ss Adding Users
  114. .Pp
  115. Users must be created from the command line.
  116. You can do it by running
  117. .Bd -literal -offset indent
  118. snac adduser $HOME/snac-data
  119. .Ed
  120. .Pp
  121. All needed data will be prompted for. There is no artificial limit
  122. on the number of users that can be created.
  123. .Ss Customization
  124. The
  125. .Pa server.json
  126. configuration file allows some behaviour tuning:
  127. .Bl -tag -width tenletters
  128. .It Ic host
  129. The host name.
  130. .It Ic prefix
  131. The URL path prefix.
  132. .It Ic address
  133. The listen network address. If it starts with /, it's assumed to be
  134. a UNIX-like socket instead.
  135. .It Ic port
  136. The listen network port (unused if address is a UNIX socket).
  137. .It Ic dbglevel
  138. The debug level. An integer value, being 0 the less verbose (the default).
  139. .It Ic layout
  140. The disk storage layout version. Never touch this.
  141. .It Ic queue_retry_max
  142. Messages sent out are stored in a queue. If the posting of a messages fails,
  143. it's re-enqueued for later. This integer configures the maximum count of
  144. times the sending will be retried.
  145. .It Ic queue_retry_minutes
  146. The number of minutes to wait before the failed posting of a message is
  147. retried. This is not linear, but multiplied by the number of retries
  148. already done.
  149. .It Ic queue_timeout
  150. The maximum number of seconds to wait when sending a message from the queue.
  151. .It Ic queue_timeout_2
  152. The maximum number of seconds to wait when sending a message from the queue
  153. to those servers that went timeout in the previous retry. If you want to
  154. give slow servers a chance to receive your messages, you can increase this
  155. value (but also take into account that processing the queue will take longer
  156. while waiting for these molasses to respond).
  157. .It Ic max_timeline_entries
  158. This is the maximum timeline entries shown in the web interface.
  159. .It Ic timeline_purge_days
  160. Entries in the timeline older that this number of days are purged.
  161. If you don't want any timeline purging and enjoy your data drives
  162. fill up with old crap and finally burst in flames, you can disable
  163. purging by setting this to 0.
  164. .It Ic local_purge_days
  165. Same as before, but for the user-generated entries in the local timeline.
  166. .It Ic cssurls
  167. This is a list of URLs to CSS files that will be inserted, in this order,
  168. in the HTML before the user CSS. Use these files to configure the global
  169. site layout.
  170. .It Ic disable_cache
  171. If set to true, timeline caching is not done. This is only useful for
  172. debugging purposes; don't enable it unless you know what do you want, as
  173. it makes everything slower.
  174. .It Ic disable_openbsd_security
  175. If running under OpenBSD,
  176. .Nm
  177. makes use of the enhanced security functions
  178. .Xr unveil 2
  179. and
  180. .Xr pledge 2 .
  181. Setting this to true disables their usage. These functions limit severely
  182. what an intruder can do in case of a security vulnerability, so only enable
  183. this option if something is very broken.
  184. .It Ic num_threads
  185. By setting this value, you can specify the exact number of threads
  186. .Nm
  187. will use when processing connections. Values lesser than 4 will be ignored.
  188. .It Ic disable_email_notifications
  189. By setting this to true, no email notification will be sent for any user.
  190. .It Ic disable_inbox_collection
  191. By setting this to true, no inbox collection is done. Inbox collection helps
  192. being discovered from remote instances, but also increases network traffic.
  193. .It Ic http_headers
  194. If you need to add more HTTP response headers for whatever reason, you can
  195. fill this object with the required header/value pairs. For example, for enhanced
  196. XSS security, you can set the "Content-Security-Policy" header to "script-src ;"
  197. to be totally sure that no JavaScript is executed.
  198. .It Ic show_instance_timeline
  199. If this is set to true, the instance base URL will show a timeline with the latest
  200. user posts instead of the default greeting static page. If other information
  201. fields are set (see below), they are also shown.
  202. .It Ic admin_email
  203. The email address of the instance administrator (optional).
  204. .It Ic admin_account
  205. The user name of the instance administrator (optional).
  206. .It Ic short_description
  207. A textual short description about the instance (optional).
  208. .It Ic fastcgi
  209. If set to true,
  210. .Nm
  211. will use the FastCGI interface to communicate with the upper level
  212. http server, that must be configured accordingly.
  213. .It Ic disable_history
  214. If set to true, history monthly snapshots are not served nor their links shown.
  215. .It Ic shared_inboxes
  216. This boolean value selects if shared inboxes are announced or not. Enabling
  217. shared inboxes helps (somewhat) in optimizing incoming traffic for instances
  218. with a large number of users.
  219. .It Ic min_account_age
  220. If this numeric value (in seconds) is set, any activity coming from an account
  221. that was created more recently than that will be rejected. This may be used
  222. to mitigate spam from automatically created accounts.
  223. .It Ic protocol
  224. This string value contains the protocol (schema) to be used in URLs. If not
  225. set, it defaults to "https". If you run
  226. .Nm
  227. as part of a hidden network like Tor or I2P that doesn't have a TLS /
  228. Certificate infrastructure, you need to set it to "http". Don't change it
  229. unless you know what you are doing.
  230. .It Ic hide_delete_post_button
  231. If set to true, the button to delete a post is not shown. It's not very
  232. useful and somewhat clutters the already crowded button space.
  233. .It Ic disable_block_notifications
  234. If set to true, notifications about 'Block' activities are never sent.
  235. .It Ic strict_public_timelines
  236. If set to true, public timelines only show posts and boosts originating
  237. from an account (no conversation trees).
  238. .It Ic proxy_media
  239. If set to true, links to all image, audio or video media from other accounts'
  240. posts will not be direct ones, but proxied by
  241. .Nm .
  242. This way, remote media servers will not see the user's IP, but the server one,
  243. improving privacy. Please take note that this will increase the server's incoming
  244. and outgoing traffic.
  245. .It Ic badlogin_retries
  246. If incorrect logins from a given IP address reach this count, subsequent attempts
  247. from it are rejected until the lock expires (default: 5 retries).
  248. .It Ic badlogin_expire
  249. The number of seconds a blocked IP address is ignored in login attempts
  250. (default: 300 seconds).
  251. .El
  252. .Pp
  253. You must restart the server to make effective these changes.
  254. .Pp
  255. If a file named
  256. .Pa greeting.html
  257. is present in the server base directory, it will be returned whenever
  258. the base URL of the server is requested. Fill it with whatever
  259. information about the instance you want to supply to people
  260. visiting the server, like sign up requirements, site policies
  261. and such. The special %userlist% mark in the file will cause
  262. the list of users in this instance to be inserted.
  263. .Pp
  264. Users can change a bit of information about themselves from the
  265. web interface. See
  266. .Xr snac 1
  267. for details. Further, every user can have a private CSS file in their
  268. .Pa static/style.css
  269. that will be served instead of the server-wide one.
  270. It's not modifiable from the web interface to avoid users
  271. shooting themselves in the foot by destroying everything.
  272. .Ss Custom Emojis
  273. From version 2.51, support for customized Emojis in posts is available
  274. (previously, they were hardcoded). Emojis are read from the
  275. .Pa emojis.json
  276. file in the instance base directory, as a JSON object of key / value
  277. pairs (if this file does not exist, it will be created with
  278. the predefined set). Each key in the object contains the text to be found (e.g.,
  279. the :-) for a smiling face), and its associated value, the text string that
  280. will replace it (in this example case, the HTML entity for the Unicode codepoint
  281. for the smiley or the Emoji itself as text).
  282. .Pp
  283. Emoji values can also be URLs to image files; in this case, they will not be
  284. substituted in the post content, but added to the 'tag' array as an ActivityPub
  285. standard 'Emoji' object (it's recommendable that the Emoji key be enclosed in
  286. colons for maximum compatilibity with other ActivityPub implementations, like
  287. e.g. :happydoggo:). These images can be served from an external source or from the
  288. .Pa static
  289. directory of the instance admin.
  290. .Pp
  291. If you want to disable any Emoji substitution, change the file to contain
  292. just an empty JSON object ({}).
  293. .Ss SPAM Mitigation
  294. There have been some SPAM attacks on the Fediverse and, as too many
  295. instances and server implementations out there still allow automatic
  296. account creation, it will only get worse.
  297. .Nm
  298. includes some (not very strong) tools for trying to survive the SPAM
  299. flood that will eventually happen.
  300. .Pp
  301. The
  302. .Ic min_account_age
  303. field in the main configuration file allows setting a minimum age (in
  304. seconds) to consider too recently created accounts suspicious of being
  305. a potential source of SPAM. This is a naïve assumption, because spammers
  306. can create accounts, let them dormant for a while and then start to use
  307. them. Also, some ActivityPub implementations don't even bother to return
  308. a creation date for their accounts, so this is not very useful.
  309. .Pp
  310. From version 2.50, post content can be filtered out by regular expressions.
  311. These weapons of mass destruction can be written into the
  312. .Ic filter_reject.txt
  313. file in the server base directory, one per line; if this file exists,
  314. all posts' content will be matched (after being stripped of HTML tags)
  315. against these regexes, one by one, and any match will make the post to
  316. be rejected. If you don't know about regular expressions, don't use this
  317. option (or learn about them in some tutorial, there are gazillions of
  318. them out there), as you and your users may start missing posts. Also,
  319. given that every regular expression implementation supports a different
  320. set of features, consider reading the documentation about the one
  321. implemented in your system.
  322. .Ss ActivityPub Support
  323. These are the following activities and objects that
  324. .Nm
  325. supports:
  326. .Bl -tag -width tenletters
  327. .It Vt Follow
  328. Complete support, on input and output.
  329. .It Vt Undo
  330. For
  331. .Vt Follow ,
  332. .Vt Like
  333. and
  334. .Vt Announce
  335. objects, on input and output.
  336. .It Vt Create
  337. For
  338. .Vt Note ,
  339. .Vt Question ,
  340. .Vt Page ,
  341. .Vt Article ,
  342. .Vt Event
  343. and
  344. .Vt Video
  345. objects on input, and for
  346. .Vt Note
  347. and
  348. .Vt Question
  349. on output.
  350. .It Vt Accept
  351. For
  352. .Vt Follow
  353. objects, on input and output.
  354. .It Vt Like
  355. For
  356. .Vt Note
  357. objects, on input and output.
  358. .It Vt EmojiReact
  359. For
  360. .Vt Note
  361. objects, on input.
  362. .It Vt Announce
  363. For
  364. .Vt Note
  365. objects, on input and output.
  366. .It Vt Update
  367. For
  368. .Vt Note ,
  369. .Vt Question ,
  370. .Vt Page ,
  371. .Vt Article ,
  372. .Vt Event
  373. and
  374. .Vt Video
  375. objects on input, and for
  376. .Vt Note
  377. on output.
  378. .It Vt Delete
  379. Supported for
  380. .Vt Note
  381. and
  382. .Vt Tomsbtone
  383. objects on input, and for
  384. .Vt Note
  385. objects on output.
  386. .It Vt Move
  387. For actor-like objects, for input and output.
  388. .El
  389. .Pp
  390. The rest of activities and objects are dropped on input.
  391. .Pp
  392. There is partial support for
  393. .Vt OrderedCollection
  394. objects in the
  395. .Pa /outbox
  396. (with the last 20 entries of the local timeline shown). No pagination
  397. is supported. Intentionally, the
  398. .Pa /followers
  399. and
  400. .Pa /following
  401. paths return empty lists.
  402. .Ss Migrating from snac to Mastodon
  403. Since version 2.60, you can migrate your
  404. .Nm
  405. account to other ActivityPub instances. What is described here is the process to do it from
  406. .Nm
  407. to Mastodon; on other software implementations, it will surely be somewhat different. All
  408. the steps regarding your
  409. .Nm
  410. account must be done from the command line. For the sake of the example, let's
  411. say that you want to migrate from an account named @origin@snac.example.org to
  412. another one named @destination@mastodon.example.com and that both of them
  413. already exist. I've used this very informative page as a guideline:
  414. .Pp
  415. .Lk https://fedi.tips/transferring-your-mastodon-account-to-another-server/
  416. .Pp
  417. 1. On your
  418. .Nm
  419. server, first export your data to CSV by running:
  420. .Bd -literal -offset indent
  421. snac export_csv $SNAC_BASEDIR origin
  422. .Ed
  423. .Pp
  424. You'll find the following CSV files in the current directory:
  425. .Pa bookmarks.csv ,
  426. .Pa blocked_accounts.csv ,
  427. .Pa lists.csv , and
  428. .Pa following_accounts.csv .
  429. .Pp
  430. 2. In the web interface of your new Mastodon account, click on
  431. .Vt Preferences
  432. >
  433. .Vt Import and Export
  434. >
  435. .Vt Import
  436. and upload the CSV files one at a time. You must specify the type of
  437. file you are uploading.
  438. .Pp
  439. 3. Still in the web interface of your new Mastodon account, click on
  440. .Vt Preferences
  441. >
  442. .Vt Account
  443. >
  444. .Vt Moving From a Different Account ,
  445. then click on
  446. .Vt Create an account alias
  447. and follow the instructions. (When it asks you to
  448. write your old account’s handle, it needs to include the @ at the start
  449. as well as the @ in the middle; as of our example, @origin@snac.example.org).
  450. It seems this step is not performed immediately, you must wait an unspecified
  451. number of minutes for this to be effective.
  452. .Pp
  453. 4. Meanwhile, you must tell
  454. .Nm
  455. about your new account by creating an alias from your current one.
  456. So, on your
  457. .Nm
  458. server, run
  459. .Bd -literal -offset indent
  460. snac alias $SNAC_BASEDIR origin "@destination@mastodon.example.com"
  461. .Ed
  462. .Pp
  463. 5. Finally, you must order
  464. .Nm
  465. to start the migration process, that will consist in iterating all the
  466. people that follows your account and sending them a
  467. .Vt Move
  468. message, that acts as a suggestion to unfollow your old account
  469. and follow the new one. The command is
  470. .Bd -literal -offset indent
  471. snac migrate $SNAC_BASEDIR origin
  472. .Ed
  473. .Pp
  474. This process can be very long and unreliable; any destination server may be down,
  475. too busy, disconnected or gone. I recommend you to read the document I linked
  476. above to know about all the sorrows awaiting.
  477. .Pp
  478. Also, please take note that the
  479. .Nm
  480. account you migrated from is not disabled nor changed in any way, so can still
  481. use it as it no migration was done. This behaviour may or may not match what other
  482. ActivityPub implementations do.
  483. .Pp
  484. NOTE: If you run
  485. .Nm
  486. on OpenBSD, please take note that the pledge()/unveil() security system disallows
  487. opening or creating files in the current directory; to do this operation, please
  488. temporarily set the disable_openbsd_security option to true in the
  489. .Pa server.json
  490. file and restart before migrating. You can restore the option back to the default false
  491. value afterwards.
  492. .Ss Migrating from Mastodon to snac
  493. Since version 2.61, you can migrate accounts on other ActivityPub instances to your
  494. .Nm
  495. one. What is described here is the process to do it from
  496. Mastodon; on other software implementations, it will surely be somewhat different. All
  497. the steps regarding your
  498. .Nm
  499. account must be done from the command line. For the sake of the example, let's
  500. say that you want to migrate from an account named @origin@mastodon.example.com to
  501. another one named @destination@snac.example.org and that both of them
  502. already exist. I've used this very informative page as a guideline:
  503. .Pp
  504. .Lk https://fedi.tips/transferring-your-mastodon-account-to-another-server/
  505. .Pp
  506. 1. On the web interface of your origin Mastodon account, click on
  507. .Vt Preferences
  508. >
  509. .Vt Import and Export
  510. >
  511. .Vt Export
  512. and download the CSV files under the "Follows", "Lists", "You Block" and "Bookmarks"
  513. labels. After being downloaded, you should find the following files on your download
  514. directory:
  515. .Pa bookmarks.csv ,
  516. .Pa blocked_accounts.csv ,
  517. .Pa lists.csv , and
  518. .Pa following_accounts.csv .
  519. .Pp
  520. 2. From the directory where those files are stored, run
  521. .Bd -literal -offset indent
  522. snac import_csv $SNAC_BASEDIR destination
  523. .Ed
  524. .Pp
  525. This process may take some time because it depends on the availability / responsiveness
  526. of all the ActivityPub servers involved (webfinger, accounts, posts, etc.). Some errors
  527. may be transient and retried later. Also, if
  528. .Nm
  529. complains that it can't find any of these files, please check that they are really
  530. stored in the current directory and that their names match exactly. Some of them may be
  531. empty (for example, if you didn't create any list) and that's fine.
  532. .Pp
  533. 3. Again on your
  534. .Nm
  535. server, run
  536. .Bd -literal -offset indent
  537. snac alias $SNAC_BASEDIR destination "@origin@mastodon.example.com"
  538. .Ed
  539. .Pp
  540. Check that no errors were shown. If they do, the origin Mastodon server may be
  541. busy or down; try again later.
  542. .Pp
  543. 4. Move back to the web interface of the origin Mastodon account, go to
  544. .Vt Preferences
  545. >
  546. .Vt Account
  547. >
  548. .Vt Move To A Different Account ,
  549. and follow the instructions there. Set the handle of the new account to your
  550. .Nm
  551. one; as of our example, @destination@snac.example.org. This will start the migration
  552. process: it's the duty of your old Mastodon instance to send an automatic
  553. .Vt Move
  554. message to every one of your followers. Eventually, you will start receiving follow notifications to your
  555. .Nm
  556. account from all accounts that followed the Mastodon one. According to the great document
  557. I linked above, this process may or may not start immediately, and its success may depend
  558. heavily on how all the servers involved behave. Just cross your fingers and hope for the best.
  559. .Pp
  560. NOTE: If you run
  561. .Nm
  562. on OpenBSD, please take note that the pledge()/unveil() security system disallows
  563. opening or creating files in the current directory; to do this operation, please
  564. temporarily set the disable_openbsd_security option to true in the
  565. .Pa server.json
  566. file and restart before migrating. You can restore the option back to the default false
  567. value afterwards.
  568. .Ss Instance blocking
  569. Full instances can be blocked. This operation must be done from
  570. the command-line tool. See
  571. .Xr snac 1 .
  572. .Pp
  573. .Ss Bad login throttling
  574. Since version 2.67, a simple logic to avoid brute force attacks against user passwords
  575. has been implemented: if, from a given IP address, the number of failed logins reaches
  576. a given threshold, further tries from that IP address are never successful until a timer
  577. expires. The maximum number of retries can be configured in the
  578. .Pa server.json
  579. file by setting the
  580. .Ic badlogin_retries
  581. variable, and the number of seconds the IP address unlock timer expires, in
  582. .Ic badlogin_expire .
  583. Please take note that, for this system to work, you must setup your web server proxy
  584. to pass the remote connection address in the
  585. .Ic X-Forwarded-For
  586. HTTP header (unless you use the FastCGI interface; if that's the case, you don't have
  587. to do anything).
  588. .Sh ENVIRONMENT
  589. .Bl -tag -width Ds
  590. .It Ev DEBUG
  591. Overrides the debugging level from the server 'dbglevel' configuration
  592. variable. Set it to an integer value. The higher, the deeper in meaningless
  593. verbiage you'll find yourself into.
  594. .El
  595. .Sh EXAMPLES
  596. You want to install the
  597. .Nm
  598. Fediverse daemon in the host example.com, that is correctly configured
  599. with a valid TLS certificate and running the nginx httpd server.
  600. The service will be installed under the
  601. .Pa fedi
  602. location. Two users, walter and jessie, will be hosted in the system.
  603. Their Fediverse presence addresses will be
  604. .Lk https://example.com/fedi/walter
  605. and
  606. .Lk https://example.com/fedi/jesse ,
  607. respectively. They will be known
  608. in the Fediverse as @walter@example.com and @jesse@example.com. The
  609. .Nm
  610. daemon will run as the user snacusr in the system and listen to the
  611. localhost:8001 network socket. All data will be stored in the
  612. .Pa /home/snacusr/fedidata
  613. directory.
  614. .Pp
  615. Log into the system as snacusr and execute:
  616. .Bd -literal -offset indent
  617. snac init /home/snacusr/fedidata
  618. .Ed
  619. .Pp
  620. Answer "example.com" to the host name question, "/fedi" to the path
  621. prefix question, "localhost" to the address and "8001" to the port.
  622. .Pp
  623. Create the users
  624. .Bd -literal -offset indent
  625. snac adduser /home/snacusr/fedidata walter
  626. snac adduser /home/snacusr/fedidata jesse
  627. .Ed
  628. .Pp
  629. Answer the questions with reasonable values.
  630. .Pp
  631. Execute the server:
  632. .Bd -literal -offset indent
  633. snac httpd /home/snacusr/fedidata
  634. .Ed
  635. .Pp
  636. Edit the nginx configuration and add the following snippet to the
  637. example.com server section:
  638. .Bd -literal -offset indent
  639. # nginx configuration example
  640. # main web access point
  641. location /fedi {
  642. proxy_pass http://localhost:8001;
  643. proxy_set_header Host $http_host;
  644. proxy_set_header X-Forwarded-For $remote_addr;
  645. }
  646. # webfinger
  647. location /.well-known/webfinger {
  648. proxy_pass http://localhost:8001;
  649. proxy_set_header Host $http_host;
  650. proxy_set_header X-Forwarded-For $remote_addr;
  651. }
  652. # Mastodon API (entry points)
  653. location /api/v1/ {
  654. proxy_pass http://localhost:8001;
  655. proxy_set_header Host $http_host;
  656. proxy_set_header X-Forwarded-For $remote_addr;
  657. }
  658. location /api/v2/ {
  659. proxy_pass http://localhost:8001;
  660. proxy_set_header Host $http_host;
  661. proxy_set_header X-Forwarded-For $remote_addr;
  662. }
  663. # Mastodon API (OAuth support)
  664. location /oauth {
  665. proxy_pass http://localhost:8001;
  666. proxy_set_header Host $http_host;
  667. proxy_set_header X-Forwarded-For $remote_addr;
  668. }
  669. # optional
  670. location /.well-known/nodeinfo {
  671. proxy_pass http://localhost:8001;
  672. proxy_set_header Host $http_host;
  673. proxy_set_header X-Forwarded-For $remote_addr;
  674. }
  675. # optional (needed by some Mastodon API clients)
  676. location /.well-known/host-meta {
  677. proxy_pass http://localhost:8001;
  678. proxy_set_header Host $http_host;
  679. proxy_set_header X-Forwarded-For $remote_addr;
  680. }
  681. .Ed
  682. .Pp
  683. Restart the nginx daemon and connect to
  684. .Lk https://example.com/fedi/walter .
  685. The empty, default screen will be shown. Enter the admin section with the
  686. credentials defined for this user. Search people, start following
  687. them, engage in arid discussions and generally enjoy the frustrating
  688. experience of Social Media.
  689. .Pp
  690. This is an example of a similar configuration for the Apache2 web server:
  691. .Bd -literal -offset indent
  692. # apache2 configuration example
  693. ProxyPreserveHost On
  694. # Main web access point
  695. <Location /fedi>
  696. ProxyPass http://127.0.0.1:8001/social
  697. </Location>
  698. # WebFinger
  699. <Location /.well-known/webfinger>
  700. ProxyPass http://127.0.0.1:8001/.well-known/webfinger
  701. </Location>
  702. # Mastodon API (entry points)
  703. <Location /api/v1/>
  704. ProxyPass http://127.0.0.1:8001/api/v1/
  705. </Location>
  706. <Location /api/v2/>
  707. ProxyPass http://127.0.0.1:8001/api/v2/
  708. </Location>
  709. # Mastodon API (OAuth support)
  710. <Location /oauth>
  711. ProxyPass http://127.0.0.1:8001/oauth
  712. </Location>
  713. # NodeInfo (optional)
  714. <Location /.well-known/nodeinfo>
  715. ProxyPass http://127.0.0.1:8001/.well-known/nodeinfo
  716. </Location>
  717. # host-meta (optional, needed for some Mastodon API clients)
  718. <Location /.well-known/host-meta>
  719. ProxyPass http://127.0.0.1:8001/.well-known/host-meta
  720. </Location>
  721. .Ed
  722. .Pp
  723. Since version 2.43,
  724. .Nm
  725. supports communicating from / to the front end http server using the FastCGI
  726. protocol. There is no special advantage in using this, only that some servers
  727. allow for simpler configuration. For example, in the case of nginx, you can
  728. replace the two 'proxy_pass' and 'proxy_set_header' lines in the example
  729. above with just
  730. .Bd -literal -offset indent
  731. fastcgi_pass localhost:8001;
  732. .Ed
  733. .Pp
  734. The only thing to change on
  735. .Nm
  736. is to the set 'fastcgi' value to true in
  737. .Pa server.json .
  738. .Pp
  739. Further, using the FastCGI interface allows a much simpler configuration
  740. under OpenBSD's native httpd, given that it's natively implemented there
  741. and you no longer need to configure the complicated relayd server. This is
  742. an example:
  743. .Bd -literal -offset indent
  744. # OpenBSD httpd configuration example
  745. # other server configuration
  746. [...]
  747. location "/fedi/*" {
  748. fastcgi socket tcp "127.0.0.1" 8001
  749. }
  750. location "/.well-known/webfinger" {
  751. fastcgi socket tcp "127.0.0.1" 8001
  752. }
  753. location "/oauth/*" {
  754. fastcgi socket tcp "127.0.0.1" 8001
  755. }
  756. location "/api/v1/*" {
  757. fastcgi socket tcp "127.0.0.1" 8001
  758. }
  759. location "/api/v2/*" {
  760. fastcgi socket tcp "127.0.0.1" 8001
  761. }
  762. location "/.well-known/nodeinfo" {
  763. fastcgi socket tcp "127.0.0.1" 8001
  764. }
  765. location "/.well-known/host-meta" {
  766. fastcgi socket tcp "127.0.0.1" 8001
  767. }
  768. .Ed
  769. .Sh SEE ALSO
  770. .Xr snac 1 ,
  771. .Xr snac 5
  772. .Sh AUTHORS
  773. .An grunfink Lk https://comam.es/snac/grunfink @grunfink@comam.es
  774. .Sh LICENSE
  775. See the LICENSE file for details.
  776. .Sh CAVEATS
  777. JSON files are fragile when modified by hand. Take care.