Update README.md

.drone.yml

@@ -6,7 +6,7 @@ steps:
     image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
-      stack: example_com  # UPDATE ME
+      stack: gotosocial
       generate_secrets: true
       purge: true
       deploy_key:
@@ -14,9 +14,13 @@ steps:
       networks:
         - proxy
     environment:
-      DOMAIN: example.swarm-test.autonomic.zone # UPDATE ME
-      STACK_NAME: example_com  # UPDATE ME
+      DOMAIN: social.swarm-test.autonomic.zone
+      STACK_NAME: gotosocial
       LETS_ENCRYPT_ENV: production
+      GTS_ACCOUNTS_OPEN_REGISTRATION: false
+      GTS_ACCOUNTS_APPROVAL_REQUIRED: true
+      GTS_ACCOUNTS_REASON_REQUIRED: true
+      SECRET_OIDC_SECRET_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -9,19 +9,80 @@ LETS_ENCRYPT_ENV=production
 
 TZ=UTC
 
-## Account options
-#ACCOUNTS_REGISTRATION_OPEN=false
-#ACCOUNTS_REASON_REQUIRED=true
-#ACCOUNTS_ALLOW_CUSTOM_CSS=false
-#ACCOUNTS_CUSTOM_CSS_LENGTH=10000
+###########################
+##### ACCOUNTS CONFIG #####
+###########################
 
-## OIDC options, please refer to https://docs.gotosocial.org/en/latest/configuration/oidc/#settings
-#OIDC_ENABLED=true
-#OIDC_IDP_NAME=SSO
-#OIDC_SKIP_VERIFICATION=false
-#OIDC_ISSUER
-#OIDC_CLIENT_ID
+#GTS_ACCOUNTS_REGISTRATION_OPEN=false
+#GTS_ACCOUNTS_REASON_REQUIRED=true
+#GTS_ACCOUNTS_ALLOW_CUSTOM_CSS=false
+#GTS_ACCOUNTS_CUSTOM_CSS_LENGTH=10000
+
+###########################
+##### INSTANCE CONFIG #####
+###########################
+
+#GTS_INSTANCE_LANGUAGES=[]
+GTS_INSTANCE_FEDERATION_MODE=allowlist
+#GTS_INSTANCE_FEDERATION_SPAM_FILTER=false
+#GTS_INSTANCE_EXPOSE_PEERS=false
+#GTS_INSTANCE_EXPOSE_SUSPENDED=false
+#GTS_INSTANCE_EXPOSE_SUSPENDED_WEB=false
+#GTS_INSTANCE_EXPOSE_PUBLIC_TIMELINE=false
+#GTS_INSTANCE_DELIVER_TO_SHARED_INBOXES=true
+#GTS_INSTANCE_INJECT_MASTODON_VERSION=false
+
+########################
+##### MEDIA CONFIG #####
+########################
+
+#GTS_MEDIA_LOCAL_MAX_SIZE=40MiB
+#GTS_MEDIA_IMAGE_SIZE_HINT=5MiB
+#GTS_MEDIA_VIDEO_SIZE_HINT=40MiB
+#GTS_MEDIA_REMOTE_MAX_SIZE=40MiB
+#GTS_MEDIA_DESCRIPTION_MIN_CHARS=0
+#GTS_MEDIA_DESCRIPTION_MAX_CHARS=1500
+#GTS_MEDIA_EMOJI_LOCAL_MAX_SIZE=50KiB
+#GTS_MEDIA_EMOJI_REMOTE_MAX_SIZE=100KiB
+#GTS_MEDIA_FFMPEG_POOL_SIZE=1
+GTS_MEDIA_REMOTE_CACHE_DAYS=2
+GTS_MEDIA_CLEANUP_FROM="00:00"
+GTS_MEDIA_CLEANUP_EVERY="24h"
+
+##########################
+##### STORAGE CONFIG #####
+##########################
+
+#GTS_STORAGE_BACKEND=local
+#GTS_STORAGE_S3_ENDPOINT=""
+#GTS_STORAGE_S3_PROXY=false
+#GTS_STORAGE_S3_REDIRECT_URL=""
+#GTS_STORAGE_S3_USE_SSL=true
+#GTS_STORAGE_S3_ACCESS_KEY=""
+#GTS_STORAGE_S3_SECRET_KEY=""
+#GTS_STORAGE_S3_BUCKET=""
+
+###########################
+##### STATUSES CONFIG #####
+###########################
+
+#GTS_STATUSES_MAX_CHARS=5000
+#GTS_STATUSES_POLL_MAX_OPTIONS=6
+#GTS_STATUSES_POLL_OPTION_MAX_CHARS=50
+#GTS_STATUSES_MEDIA_MAX_FILES=6
+
+#######################
+##### OIDC CONFIG #####
+#######################
+
+#GTS_OIDC_ENABLED=false
+#GTS_OIDC_IDP_NAME=""
+#GTS_OIDC_SKIP_VERIFICATION=false
+#GTS_OIDC_ISSUER=""
+#GTS_OIDC_CLIENT_ID=""
+#GTS_OIDC_CLIENT_SECRET=""
+#GTS_OIDC_SCOPES='"openid","email","profile","groups"'
+#GTS_OIDC_LINK_EXISTING=false
+#GTS_OIDC_ALLOWED_GROUPS=[]
+#GTS_OIDC_ADMIN_GROUPS=[]
 SECRET_OIDC_SECRET_VERSION=v1
-#OIDC_LINK_EXISTING=false
-#OIDC_ALLOWED_GROUPS
-#OIDC_ADMIN_GROUPS

README.md

@@ -1,30 +1,34 @@
 # gotosocial
 
-> Very light ActivityPub server compatible with Mastodon's client API, designed for cheap deployments whether it's single-user or a small group.
+> Light ActivityPub server compatible with Mastodon's client API, designed for small to medium sized deployments.
 
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**: 1
+* **Status**: 3
 * **Image**: [`gotosocial`](https://hub.docker.com/r/superseriousbusiness/gotosocial), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
-* **Email**: No
+* **Email**: 3
 * **Tests**: No
-* **SSO**: No
+* **SSO**: 3 (OIDC)
 
 <!-- endmetadata -->
 
 ## Quick start
 
 * `abra app new gotosocial`
-* (optional) Set timezone for home server using `abra app config <app-name>`
+* `abra app config <app-name>`
 * `abra app deploy <app-name>`
 
 ## Make your first admin account
 
 * `abra app run <app-name> app ./gotosocial admin account create --username <user-name> --email <user-email> --password '<a-secure-password>'`
 
+## Federation mode
+
+You will want to consider either using an allowlist or a blacklist for federation, this is configurable using `GTS_INSTANCE_FEDERATION_MODE` which is set to allowlist by default meaning you will have to explicitly allow federation with other instances via the settings panel `https://your-domain.com/settings`.
+
 ## OIDC
 
 Add your OIDC secret
@@ -33,8 +37,8 @@ Add your OIDC secret
 
 ## Further reading & commands
 
-Please refer to https://docs.gotosocial.org some of the commands run will require undeploying and redeploying the app.
+Please refer to https://docs.gotosocial.org some of the commands run will require redeploying the app.
 
 If you need to run any particular command make sure to append `./` to the command `gotosocial` as it is not in the contianer's PATH.
 
-ex. If you want to promote a user to admin run `abra app run <app-name> app ./gotosocial admin account promote --username <user-name>` then run `abra app undeploy <app-name> && abra app deploy <app-name>`
+ex. If you want to promote a user to admin run `abra app run <app-name> app ./gotosocial admin account promote --username <user-name>` then run `abra app undeploy <app-name>` & `abra app deploy <app-name>`

compose.yml

@@ -16,25 +16,17 @@ services:
       - GTS_DB_ADDRESS=/gotosocial/storage/sqlite.db
       - GTS_WAZERO_COMPILATION_CACHE=/gotosocial/.cache
       - GTS_TRUSTED_PROXIES=0.0.0.0/0
-      - OIDC_ENABLED
-      - OIDC_IDP_NAME
-      - OIDC_SKIP_VERIFICATION
-      - OIDC_ISSUER
-      - OIDC_CLIENT_ID
-      - OIDC_SCOPES
-      - OIDC_LINK_EXISTING
-      - OIDC_ALLOWED_GROUPS
-      - OIDC_ADMIN_GROUPS
-      - ACCOUNTS_REGISTRATION_OPEN
-      - ACCOUNTS_REASON_REQUIRED
-      - ACCOUNTS_ALLOW_CUSTOM_CSS
-      - ACCOUNTS_CUSTOM_CSS_LENGTH
     volumes:
       - gtsdata:/gotosocial/storage
       - gtscache:/gotosocial/.cache
     networks:
       - proxy
     deploy:
+      resources:
+        limits:
+          memory: 2048M
+        reservations:
+          memory: 500M
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
@@ -43,6 +35,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "coop-cloud.${STACK_NAME}.version=0.17.3"
+    healthcheck:
+      test: wget --no-verbose --tries=1 --spider http://localhost:8080/readyz || exit 1
+      interval: 120s
+      retries: 5
+      start_period: 30s
+      timeout: 10s
 
 networks:
   proxy:

config.yaml.tmpl

@@ -1,108 +1 @@
-###########################
-##### ACCOUNTS CONFIG #####
-###########################
-
-# Config pertaining to creation and maintenance of accounts on the server, as well as defaults for new accounts.
-
-# Bool. Allow people to submit new sign-up / registration requests via the form at /signup.
-#
-# Options: [true, false]
-# Default: false
-accounts-registration-open: {{ env "ACCOUNTS_REGISTRATION_OPEN" }}
-
-# Bool. Are sign up requests required to submit a reason for the request (eg., an explanation of why they want to join the instance)?
-# Options: [true, false]
-# Default: true
-accounts-reason-required: {{ env "ACCOUNTS_REASON_REQUIRED" }}
-
-# Bool. Allow accounts on this instance to set custom CSS for their profile pages and statuses.
-# Enabling this setting will allow accounts to upload custom CSS via the /user settings page,
-# which will then be rendered on the web view of the account's profile and statuses.
-#
-# For instances with public sign ups, it is **HIGHLY RECOMMENDED** to leave this setting on 'false',
-# since setting it to true allows malicious accounts to make their profile pages misleading, unusable
-# or even dangerous to visitors. In other words, you should only enable this setting if you trust
-# the users on your instance not to produce harmful CSS.
-#
-# Regardless of what this value is set to, any uploaded CSS will not be federated to other instances,
-# it will only be shown on profiles and statuses on *this* instance.
-#
-# Options: [true, false]
-# Default: false
-accounts-allow-custom-css: {{ env "ACCOUNTS_ALLOW_CUSTOM_CSS" }}
-
-# Int. If accounts-allow-custom-css is true, this is the permitted length in characters for
-# CSS uploaded by accounts on this instance. No effect if accounts-allow-custom-css is false.
-#
-# Examples: [500, 5000, 9999]
-# Default: 10000
-accounts-custom-css-length: {{ env "ACCOUNTS_CUSTOM_CSS_LENGTH" }}
-
-
-#######################
-##### OIDC CONFIG #####
-#######################
-# Config for authentication with an external OIDC provider (Dex, Google, Auth0, etc).
-
-# Bool. Enable authentication with external OIDC provider. If set to true, then
-# the other OIDC options must be set as well. If this is set to false, then the standard
-# internal oauth flow will be used, where users sign in to GtS with username/password.
-# Options: [true, false]
-# Default: false
-oidc-enabled: {{ env "OIDC_ENABLED" }}
-
-# String. Name of the oidc idp (identity provider). This will be shown to users when
-# they log in.
-# Examples: ["Google", "Dex", "Auth0"]
-# Default: ""
-oidc-idp-name: "{{ env "OIDC_IDP_NAME" }}"
-
-# Bool. Skip the normal verification flow of tokens returned from the OIDC provider, ie.,
-# don't check the expiry or signature. This should only be used in debugging or testing,
-# never ever in a production environment as it's extremely unsafe!
-# Options: [true, false]
-# Default: false
-oidc-skip-verification: {{ env "OIDC_SKIP_VERIFICATION" }}
-
-# String. The OIDC issuer URI. This is where GtS will redirect users to for login.
-# Typically this will look like a standard web URL.
-# Examples: ["https://auth.example.org", "https://example.org/auth"]
-# Default: ""
-oidc-issuer: "{{ env "OID_ISSUER" }}"
-
-# String. The ID for this client as registered with the OIDC provider.
-# Examples: ["some-client-id", "fda3772a-ad35-41c9-9a59-f1943ad18f54"]
-# Default: ""
-oidc-client-id: "{{ env "OIDC_CLIENT_ID" }}"
-
-# String. The secret for this client as registered with the OIDC provider.
-# Examples: ["super-secret-business", "79379cf5-8057-426d-bb83-af504d98a7b0"]
-# Default: ""
 oidc-client-secret: "{{ secret "oidc_secret" }}"
-
-# Array of string. Scopes to request from the OIDC provider. The returned values will be used to
-# populate users created in GtS as a result of the authentication flow. 'openid' and 'email' are required.
-# 'profile' is used to extract a username for the newly created user.
-# 'groups' is optional and can be used to determine if a user is an admin based on oidc-admin-groups.
-# Examples: See eg., https://auth0.com/docs/scopes/openid-connect-scopes
-# Default: ["openid", "email", "profile", "groups"]
-oidc-scopes: ["openid", "email", "profile", "groups"]
-
-
-# Bool. Link OIDC authenticated users to existing ones based on their email address.
-# This is mostly intended for migration purposes if you were running previous versions of GTS
-# which only correlated users with their email address. Should be set to false for most usecases.
-# Options: [true, false]
-# Default: false
-oidc-link-existing: {{ env "OIDC_LINK_EXISTING" }}
-
-# Array of string. If the returned ID token contains a 'groups' claim that matches one of the
-# groups in oidc-allowed-groups, then this user will be granted access on the GtS instance. If the array is empty,
-# then all groups will be granted permission.
-# Default: []
-oidc-allowed-groups: [{{ env "OIDC_ALLOWED_GROUPS" }}]
-
-# Array of string. If the returned ID token contains a 'groups' claim that matches one of the
-# groups in oidc-admin-groups, then this user will be granted admin rights on the GtS instance
-# Default: []
-oidc-admin-groups: [{{ env "OIDC_ADMIN_GROUPS" }}]