Compare commits
10 Commits
9148ff4bf8
...
4011ad5036
Author | SHA1 | Date | |
---|---|---|---|
4011ad5036 | |||
fe6ac831d4 | |||
f42817065b | |||
92a346b2c9 | |||
a4348d96bf | |||
60dc18949f | |||
ee38bcc8fc | |||
3004f0497f | |||
d12dc1a47a | |||
6476f7a83b |
10
.drone.yml
10
.drone.yml
@ -6,7 +6,7 @@ steps:
|
||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||
settings:
|
||||
host: swarm-test.autonomic.zone
|
||||
stack: example_com # UPDATE ME
|
||||
stack: gotosocial
|
||||
generate_secrets: true
|
||||
purge: true
|
||||
deploy_key:
|
||||
@ -14,9 +14,13 @@ steps:
|
||||
networks:
|
||||
- proxy
|
||||
environment:
|
||||
DOMAIN: example.swarm-test.autonomic.zone # UPDATE ME
|
||||
STACK_NAME: example_com # UPDATE ME
|
||||
DOMAIN: social.swarm-test.autonomic.zone
|
||||
STACK_NAME: gotosocial
|
||||
LETS_ENCRYPT_ENV: production
|
||||
GTS_ACCOUNTS_OPEN_REGISTRATION: false
|
||||
GTS_ACCOUNTS_APPROVAL_REQUIRED: true
|
||||
GTS_ACCOUNTS_REASON_REQUIRED: true
|
||||
SECRET_OIDC_SECRET_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
|
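Review bot: The variable name `GTS_ACCOUNTS_OPEN_REGISTRATION` in the new `environment:` block does not match `GTS_ACCOUNTS_REGISTRATION_OPEN`, the name this same change introduces in `.env.sample`, and `GTS_ACCOUNTS_APPROVAL_REQUIRED` appears in neither `.env.sample` nor `compose.yml`, so the test deployment presumably leaves registration at its default rather than at the value it looks like it pins. Aligning on `GTS_ACCOUNTS_REGISTRATION_OPEN: "false"` and either adding the approval variable to `.env.sample` or dropping it here would make the CI stack exercise the documented options. Quoting the three boolean values (`"false"`, `"true"`) also keeps a generic YAML loader from turning them into booleans before they are handed to the container as strings.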
89
.env.sample
89
.env.sample
@ -9,19 +9,80 @@ LETS_ENCRYPT_ENV=production
|
||||
|
||||
TZ=UTC
|
||||
|
||||
## Account options
|
||||
#ACCOUNTS_REGISTRATION_OPEN=false
|
||||
#ACCOUNTS_REASON_REQUIRED=true
|
||||
#ACCOUNTS_ALLOW_CUSTOM_CSS=false
|
||||
#ACCOUNTS_CUSTOM_CSS_LENGTH=10000
|
||||
###########################
|
||||
##### ACCOUNTS CONFIG #####
|
||||
###########################
|
||||
|
||||
## OIDC options, please refer to https://docs.gotosocial.org/en/latest/configuration/oidc/#settings
|
||||
#OIDC_ENABLED=true
|
||||
#OIDC_IDP_NAME=SSO
|
||||
#OIDC_SKIP_VERIFICATION=false
|
||||
#OIDC_ISSUER
|
||||
#OIDC_CLIENT_ID
|
||||
#GTS_ACCOUNTS_REGISTRATION_OPEN=false
|
||||
#GTS_ACCOUNTS_REASON_REQUIRED=true
|
||||
#GTS_ACCOUNTS_ALLOW_CUSTOM_CSS=false
|
||||
#GTS_ACCOUNTS_CUSTOM_CSS_LENGTH=10000
|
||||
|
||||
###########################
|
||||
##### INSTANCE CONFIG #####
|
||||
###########################
|
||||
|
||||
#GTS_INSTANCE_LANGUAGES=[]
|
||||
GTS_INSTANCE_FEDERATION_MODE=allowlist
|
||||
#GTS_INSTANCE_FEDERATION_SPAM_FILTER=false
|
||||
#GTS_INSTANCE_EXPOSE_PEERS=false
|
||||
#GTS_INSTANCE_EXPOSE_SUSPENDED=false
|
||||
#GTS_INSTANCE_EXPOSE_SUSPENDED_WEB=false
|
||||
#GTS_INSTANCE_EXPOSE_PUBLIC_TIMELINE=false
|
||||
#GTS_INSTANCE_DELIVER_TO_SHARED_INBOXES=true
|
||||
#GTS_INSTANCE_INJECT_MASTODON_VERSION=false
|
||||
|
||||
########################
|
||||
##### MEDIA CONFIG #####
|
||||
########################
|
||||
|
||||
#GTS_MEDIA_LOCAL_MAX_SIZE=40MiB
|
||||
#GTS_MEDIA_IMAGE_SIZE_HINT=5MiB
|
||||
#GTS_MEDIA_VIDEO_SIZE_HINT=40MiB
|
||||
#GTS_MEDIA_REMOTE_MAX_SIZE=40MiB
|
||||
#GTS_MEDIA_DESCRIPTION_MIN_CHARS=0
|
||||
#GTS_MEDIA_DESCRIPTION_MAX_CHARS=1500
|
||||
#GTS_MEDIA_EMOJI_LOCAL_MAX_SIZE=50KiB
|
||||
#GTS_MEDIA_EMOJI_REMOTE_MAX_SIZE=100KiB
|
||||
#GTS_MEDIA_FFMPEG_POOL_SIZE=1
|
||||
GTS_MEDIA_REMOTE_CACHE_DAYS=2
|
||||
GTS_MEDIA_CLEANUP_FROM="00:00"
|
||||
GTS_MEDIA_CLEANUP_EVERY="24h"
|
||||
|
||||
##########################
|
||||
##### STORAGE CONFIG #####
|
||||
##########################
|
||||
|
||||
#GTS_STORAGE_BACKEND=local
|
||||
#GTS_STORAGE_S3_ENDPOINT=""
|
||||
#GTS_STORAGE_S3_PROXY=false
|
||||
#GTS_STORAGE_S3_REDIRECT_URL=""
|
||||
#GTS_STORAGE_S3_USE_SSL=true
|
||||
#GTS_STORAGE_S3_ACCESS_KEY=""
|
||||
#GTS_STORAGE_S3_SECRET_KEY=""
|
||||
#GTS_STORAGE_S3_BUCKET=""
|
||||
|
||||
###########################
|
||||
##### STATUSES CONFIG #####
|
||||
###########################
|
||||
|
||||
#GTS_STATUSES_MAX_CHARS=5000
|
||||
#GTS_STATUSES_POLL_MAX_OPTIONS=6
|
||||
#GTS_STATUSES_POLL_OPTION_MAX_CHARS=50
|
||||
#GTS_STATUSES_MEDIA_MAX_FILES=6
|
||||
|
||||
#######################
|
||||
##### OIDC CONFIG #####
|
||||
#######################
|
||||
|
||||
#GTS_OIDC_ENABLED=false
|
||||
#GTS_OIDC_IDP_NAME=""
|
||||
#GTS_OIDC_SKIP_VERIFICATION=false
|
||||
#GTS_OIDC_ISSUER=""
|
||||
#GTS_OIDC_CLIENT_ID=""
|
||||
#GTS_OIDC_CLIENT_SECRET=""
|
||||
#GTS_OIDC_SCOPES='"openid","email","profile","groups"'
|
||||
#GTS_OIDC_LINK_EXISTING=false
|
||||
#GTS_OIDC_ALLOWED_GROUPS=[]
|
||||
#GTS_OIDC_ADMIN_GROUPS=[]
|
||||
SECRET_OIDC_SECRET_VERSION=v1
|
||||
#OIDC_LINK_EXISTING=false
|
||||
#OIDC_ALLOWED_GROUPS
|
||||
#OIDC_ADMIN_GROUPS
|
||||
|
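Review bot: `#GTS_OIDC_CLIENT_SECRET=""` and `#GTS_STORAGE_S3_SECRET_KEY=""` are presented like any other option, but a value set there lives in the plain-text env file and in the container environment, while the same hunk keeps `SECRET_OIDC_SECRET_VERSION=v1` for the Docker-secret path that the removed `config.yaml.tmpl` used via `{{ secret "oidc_secret" }}`. A comment above the OIDC block such as `# Prefer the oidc_secret Docker secret (SECRET_OIDC_SECRET_VERSION) over setting GTS_OIDC_CLIENT_SECRET here` would keep operators on the secret-backed route. `#GTS_OIDC_SKIP_VERIFICATION=false` likewise lost the warning the deleted template carried next to it; `# Disables token signature/expiry checks; testing only, never in production` restores it at the point where it is toggled.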
18
README.md
18
README.md
@ -1,30 +1,34 @@
|
||||
# gotosocial
|
||||
|
||||
> Very light ActivityPub server compatible with Mastodon's client API, designed for cheap deployments whether it's single-user or a small group.
|
||||
> Light ActivityPub server compatible with Mastodon's client API, designed for small to medium sized deployments.
|
||||
|
||||
<!-- metadata -->
|
||||
|
||||
* **Category**: Apps
|
||||
* **Status**: 1
|
||||
* **Status**: 3
|
||||
* **Image**: [`gotosocial`](https://hub.docker.com/r/superseriousbusiness/gotosocial), 4, upstream
|
||||
* **Healthcheck**: Yes
|
||||
* **Backups**: No
|
||||
* **Email**: No
|
||||
* **Email**: 3
|
||||
* **Tests**: No
|
||||
* **SSO**: No
|
||||
* **SSO**: 3 (OIDC)
|
||||
|
||||
<!-- endmetadata -->
|
||||
|
||||
## Quick start
|
||||
|
||||
* `abra app new gotosocial`
|
||||
* (optional) Set timezone for home server using `abra app config <app-name>`
|
||||
* `abra app config <app-name>`
|
||||
* `abra app deploy <app-name>`
|
||||
|
||||
## Make your first admin account
|
||||
|
||||
* `abra app run <app-name> app ./gotosocial admin account create --username <user-name> --email <user-email> --password '<a-secure-password>'`
|
||||
|
||||
## Federation mode
|
||||
|
||||
You will want to consider either using an allowlist or a blacklist for federation, this is configurable using `GTS_INSTANCE_FEDERATION_MODE` which is set to allowlist by default meaning you will have to explicitly allow federation with other instances via the settings panel `https://your-domain.com/settings`.
|
||||
|
||||
## OIDC
|
||||
|
||||
Add your OIDC secret
|
||||
@ -33,8 +37,8 @@ Add your OIDC secret
|
||||
|
||||
## Further reading & commands
|
||||
|
||||
Please refer to https://docs.gotosocial.org some of the commands run will require undeploying and redeploying the app.
|
||||
Please refer to https://docs.gotosocial.org some of the commands run will require redeploying the app.
|
||||
|
||||
If you need to run any particular command make sure to append `./` to the command `gotosocial` as it is not in the contianer's PATH.
|
||||
|
||||
ex. If you want to promote a user to admin run `abra app run <app-name> app ./gotosocial admin account promote --username <user-name>` then run `abra app undeploy <app-name> && abra app deploy <app-name>`
|
||||
ex. If you want to promote a user to admin run `abra app run <app-name> app ./gotosocial admin account promote --username <user-name>` then run `abra app undeploy <app-name>` & `abra app deploy <app-name>`
|
||||
|
24
compose.yml
24
compose.yml
@ -16,25 +16,17 @@ services:
|
||||
- GTS_DB_ADDRESS=/gotosocial/storage/sqlite.db
|
||||
- GTS_WAZERO_COMPILATION_CACHE=/gotosocial/.cache
|
||||
- GTS_TRUSTED_PROXIES=0.0.0.0/0
|
||||
- OIDC_ENABLED
|
||||
- OIDC_IDP_NAME
|
||||
- OIDC_SKIP_VERIFICATION
|
||||
- OIDC_ISSUER
|
||||
- OIDC_CLIENT_ID
|
||||
- OIDC_SCOPES
|
||||
- OIDC_LINK_EXISTING
|
||||
- OIDC_ALLOWED_GROUPS
|
||||
- OIDC_ADMIN_GROUPS
|
||||
- ACCOUNTS_REGISTRATION_OPEN
|
||||
- ACCOUNTS_REASON_REQUIRED
|
||||
- ACCOUNTS_ALLOW_CUSTOM_CSS
|
||||
- ACCOUNTS_CUSTOM_CSS_LENGTH
|
||||
volumes:
|
||||
- gtsdata:/gotosocial/storage
|
||||
- gtscache:/gotosocial/.cache
|
||||
networks:
|
||||
- proxy
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
memory: 2048M
|
||||
reservations:
|
||||
memory: 500M
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.docker.network=proxy"
|
||||
@ -43,6 +35,12 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "coop-cloud.${STACK_NAME}.version=0.17.3"
|
||||
healthcheck:
|
||||
test: wget --no-verbose --tries=1 --spider http://localhost:8080/readyz || exit 1
|
||||
interval: 120s
|
||||
retries: 5
|
||||
start_period: 30s
|
||||
timeout: 10s
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
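Review bot: `- GTS_TRUSTED_PROXIES=0.0.0.0/0` in the first hunk trusts forwarded headers from every peer, so the client address GoToSocial derives for per-IP rate limiting and logging can be set by whoever reaches port 8080; whether this line is new or pre-existing is not recoverable from the rendered hunk, but it is the place to narrow the value to the proxy network's subnet. Dropping the `OIDC_*` and `ACCOUNTS_*` pass-through entries also means the `GTS_OIDC_*` and `GTS_ACCOUNTS_*` variables introduced in `.env.sample` reach the container only if they are listed above line 16 of compose.yml, which is outside this hunk — worth confirming. The added `healthcheck.test` is a plain string, which Compose runs as `CMD-SHELL`, and the `|| exit 1` depends on that; a comment such as `# string form => CMD-SHELL, so "|| exit 1" is evaluated by sh` would stop a later reader from "fixing" it into list form and silently breaking the fallback.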
107
config.yaml.tmpl
107
config.yaml.tmpl
@ -1,108 +1 @@
|
||||
###########################
|
||||
##### ACCOUNTS CONFIG #####
|
||||
###########################
|
||||
|
||||
# Config pertaining to creation and maintenance of accounts on the server, as well as defaults for new accounts.
|
||||
|
||||
# Bool. Allow people to submit new sign-up / registration requests via the form at /signup.
|
||||
#
|
||||
# Options: [true, false]
|
||||
# Default: false
|
||||
accounts-registration-open: {{ env "ACCOUNTS_REGISTRATION_OPEN" }}
|
||||
|
||||
# Bool. Are sign up requests required to submit a reason for the request (eg., an explanation of why they want to join the instance)?
|
||||
# Options: [true, false]
|
||||
# Default: true
|
||||
accounts-reason-required: {{ env "ACCOUNTS_REASON_REQUIRED" }}
|
||||
|
||||
# Bool. Allow accounts on this instance to set custom CSS for their profile pages and statuses.
|
||||
# Enabling this setting will allow accounts to upload custom CSS via the /user settings page,
|
||||
# which will then be rendered on the web view of the account's profile and statuses.
|
||||
#
|
||||
# For instances with public sign ups, it is **HIGHLY RECOMMENDED** to leave this setting on 'false',
|
||||
# since setting it to true allows malicious accounts to make their profile pages misleading, unusable
|
||||
# or even dangerous to visitors. In other words, you should only enable this setting if you trust
|
||||
# the users on your instance not to produce harmful CSS.
|
||||
#
|
||||
# Regardless of what this value is set to, any uploaded CSS will not be federated to other instances,
|
||||
# it will only be shown on profiles and statuses on *this* instance.
|
||||
#
|
||||
# Options: [true, false]
|
||||
# Default: false
|
||||
accounts-allow-custom-css: {{ env "ACCOUNTS_ALLOW_CUSTOM_CSS" }}
|
||||
|
||||
# Int. If accounts-allow-custom-css is true, this is the permitted length in characters for
|
||||
# CSS uploaded by accounts on this instance. No effect if accounts-allow-custom-css is false.
|
||||
#
|
||||
# Examples: [500, 5000, 9999]
|
||||
# Default: 10000
|
||||
accounts-custom-css-length: {{ env "ACCOUNTS_CUSTOM_CSS_LENGTH" }}
|
||||
|
||||
|
||||
#######################
|
||||
##### OIDC CONFIG #####
|
||||
#######################
|
||||
# Config for authentication with an external OIDC provider (Dex, Google, Auth0, etc).
|
||||
|
||||
# Bool. Enable authentication with external OIDC provider. If set to true, then
|
||||
# the other OIDC options must be set as well. If this is set to false, then the standard
|
||||
# internal oauth flow will be used, where users sign in to GtS with username/password.
|
||||
# Options: [true, false]
|
||||
# Default: false
|
||||
oidc-enabled: {{ env "OIDC_ENABLED" }}
|
||||
|
||||
# String. Name of the oidc idp (identity provider). This will be shown to users when
|
||||
# they log in.
|
||||
# Examples: ["Google", "Dex", "Auth0"]
|
||||
# Default: ""
|
||||
oidc-idp-name: "{{ env "OIDC_IDP_NAME" }}"
|
||||
|
||||
# Bool. Skip the normal verification flow of tokens returned from the OIDC provider, ie.,
|
||||
# don't check the expiry or signature. This should only be used in debugging or testing,
|
||||
# never ever in a production environment as it's extremely unsafe!
|
||||
# Options: [true, false]
|
||||
# Default: false
|
||||
oidc-skip-verification: {{ env "OIDC_SKIP_VERIFICATION" }}
|
||||
|
||||
# String. The OIDC issuer URI. This is where GtS will redirect users to for login.
|
||||
# Typically this will look like a standard web URL.
|
||||
# Examples: ["https://auth.example.org", "https://example.org/auth"]
|
||||
# Default: ""
|
||||
oidc-issuer: "{{ env "OID_ISSUER" }}"
|
||||
|
||||
# String. The ID for this client as registered with the OIDC provider.
|
||||
# Examples: ["some-client-id", "fda3772a-ad35-41c9-9a59-f1943ad18f54"]
|
||||
# Default: ""
|
||||
oidc-client-id: "{{ env "OIDC_CLIENT_ID" }}"
|
||||
|
||||
# String. The secret for this client as registered with the OIDC provider.
|
||||
# Examples: ["super-secret-business", "79379cf5-8057-426d-bb83-af504d98a7b0"]
|
||||
# Default: ""
|
||||
oidc-client-secret: "{{ secret "oidc_secret" }}"
|
||||
|
||||
# Array of string. Scopes to request from the OIDC provider. The returned values will be used to
|
||||
# populate users created in GtS as a result of the authentication flow. 'openid' and 'email' are required.
|
||||
# 'profile' is used to extract a username for the newly created user.
|
||||
# 'groups' is optional and can be used to determine if a user is an admin based on oidc-admin-groups.
|
||||
# Examples: See eg., https://auth0.com/docs/scopes/openid-connect-scopes
|
||||
# Default: ["openid", "email", "profile", "groups"]
|
||||
oidc-scopes: ["openid", "email", "profile", "groups"]
|
||||
|
||||
|
||||
# Bool. Link OIDC authenticated users to existing ones based on their email address.
|
||||
# This is mostly intended for migration purposes if you were running previous versions of GTS
|
||||
# which only correlated users with their email address. Should be set to false for most usecases.
|
||||
# Options: [true, false]
|
||||
# Default: false
|
||||
oidc-link-existing: {{ env "OIDC_LINK_EXISTING" }}
|
||||
|
||||
# Array of string. If the returned ID token contains a 'groups' claim that matches one of the
|
||||
# groups in oidc-allowed-groups, then this user will be granted access on the GtS instance. If the array is empty,
|
||||
# then all groups will be granted permission.
|
||||
# Default: []
|
||||
oidc-allowed-groups: [{{ env "OIDC_ALLOWED_GROUPS" }}]
|
||||
|
||||
# Array of string. If the returned ID token contains a 'groups' claim that matches one of the
|
||||
# groups in oidc-admin-groups, then this user will be granted admin rights on the GtS instance
|
||||
# Default: []
|
||||
oidc-admin-groups: [{{ env "OIDC_ADMIN_GROUPS" }}]
|
||||
|