From 1df3fbaf3e6c8a4f4be1f552b87f4227136de4e6 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Thu, 23 Jan 2020 11:25:08 +0100
Subject: [PATCH] Add Pleroma setup.
---
 buster/apt-mark/pleroma | 13 ++++
 buster/etc_files/pleroma/etc/nftables.conf | 22 +++++++
 buster/setup_scripts/setup_pleroma.sh | 73 ++++++++++++++++++++++
 3 files changed, 108 insertions(+)
 create mode 100644 buster/apt-mark/pleroma
 create mode 100755 buster/etc_files/pleroma/etc/nftables.conf
 create mode 100755 buster/setup_scripts/setup_pleroma.sh
diff --git a/buster/apt-mark/pleroma b/buster/apt-mark/pleroma
new file mode 100644
index 0000000..623ea67
--- /dev/null
+++ b/buster/apt-mark/pleroma
@@ -0,0 +1,13 @@
+# might need nginx-standard instead
+nginx-light
+# for SSL
+certbot
+python3-certbot-nginx
+# Pleroma DB
+postgresql
+postgresql-contrib
+# only needed for setup
+curl
+unzip
+libncurses5
+pleroma
diff --git a/buster/etc_files/pleroma/etc/nftables.conf b/buster/etc_files/pleroma/etc/nftables.conf
new file mode 100755
index 0000000..ec6732a
--- /dev/null
+++ b/buster/etc_files/pleroma/etc/nftables.conf
@@ -0,0 +1,22 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept comment "accept localhost traffic"
+ ct state invalid drop comment "drop invalid connections"
+ ct state established, related accept comment "accept traffic originated from us"
+ tcp dport 22 accept comment "accept SSH on default port"
+ tcp dport 80 accept comment "accept HTTP on default port"
+ tcp dport 443 accept comment "accept HTTPS on default port"
+ ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
diff --git a/buster/setup_scripts/setup_pleroma.sh b/buster/setup_scripts/setup_pleroma.sh
new file mode 100755
index 0000000..ef736e8
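Review bot: `pwgen` is missing from this package list although `setup_pleroma.sh` in the same patch relies on `$(pwgen -s 100 1)` to generate the database password; if `install_for_target.sh` (not visible in this patch) installs only what is listed here, the script runs with an empty password. Add `pwgen` under the `# only needed for setup` comment.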
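Review bot: With `table inet filter` and `policy drop` on the input chain, the rule `ip protocol icmp icmp type echo-request accept` admits only IPv4 echo requests, so every ICMPv6 packet — including the neighbor-discovery and router-advertisement messages IPv6 cannot work without — is dropped; if the host has a public IPv6 address it becomes unreachable over v6 as soon as `flush ruleset` and this chain take effect. Add a companion rule next to the ICMPv4 one, e.g. `meta l4proto ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept comment "accept ICMPv6 needed for IPv6 and pinging"`. The SSH rule also accepts from any source with no rate limiting; whether that is acceptable depends on the sshd configuration, which this patch does not show.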
--- /dev/null
+++ b/buster/setup_scripts/setup_pleroma.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+set -e
+# Heavily inspired by
+
+if [ "$#" -ne 2 ]; then
+ echo 'Need domain name, mail_address as arguments.'
+ false
+fi
+domain="$1"
+mail="$2"
+
+# Install dependencies, set up firewall.
+config_tree_prefix="${HOME}/config/buster"
+./install_for_target.sh pleroma
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" all "$@"
+nft -f /etc/nftables.conf
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+
+# Prepare user and system info.
+adduser --system --shell /bin/false --home /opt/pleroma pleroma
+export FLAVOUR='amd64'
+
+# Download and unzip latest stable release, set up Pleroma dirs.
+su pleroma -s $SHELL -lc "
+curl 'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=$FLAVOUR' -o /tmp/pleroma.zip
+unzip /tmp/pleroma.zip -d /tmp/
+"
+su pleroma -s $SHELL -lc "
+mv /tmp/release/* /opt/pleroma
+rmdir /tmp/release
+rm /tmp/pleroma.zip
+"
+mkdir -p /var/lib/pleroma/uploads
+chown -R pleroma /var/lib/pleroma
+mkdir -p /etc/pleroma
+chown -R pleroma /etc/pleroma
+
+# Configure and set up DB.
+su pleroma -s $SHELL -lc './bin/pleroma_ctl instance gen '\
+ '--output /etc/pleroma/config.exs '\
+ '--output-psql /tmp/setup_db.psql' \
+ "--domain ${domain}" \
+ '--instance-name plom-roma' \
+ "--admin-email ${mail}" \
+ "--notify-email ${mail}" \
+ '--dbhost localhost' \
+ '--dbname pleroma' \
+ '--dbuser pleroma' \
+ "--dbpass $(pwgen -s 100 1)" \
+ '--rum N' \
+ '--indexable N' \
+ '--uploads-dir /var/lib/pleroma/uploads' \
+ '--static-dir /var/lib/pleroma/static' \
+ '--listen-ip 127.0.0.1' \
+ '--listen-port 4000'
+su postgres -s $SHELL -lc "psql -f /tmp/setup_db.psql"
+su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate"
+
+# Prepare NGINX config for Pleroma.
+cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.nginx
+sed -i "s/example\.tld/${domain}/g" /etc/nginx/sites-available/pleroma.nginx
+ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled/pleroma.nginx
+rm /etc/nginx/sites-enabled/default
+
+# Systemd integration.
+cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
+systemctl start pleroma
+systemctl enable pleroma
+
+# Only restart NGINX with Pleroma running.
+service nginx restart
-- 
2.30.2
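Review bot: The options from `"--domain ${domain}"` down to `'--listen-port 4000'` never reach `pleroma_ctl`: only the first three single-quoted pieces are joined into the `-c` string (they are continued with `'\`), while every following line is separated by ` \` and so becomes a separate argument to `su`, which hands those to the login shell as positional parameters rather than appending them to the command. As written `instance gen` receives only `--output`/`--output-psql` and falls back to its own defaults or interactive prompts, the `pwgen` password sitting in `su`'s argv (readable by every local user via `ps`) is discarded, and `/tmp/setup_db.psql`, which carries whatever password was actually used, is never deleted after `psql -f` has read it. I would generate the secret once with `dbpass="$(pwgen -s 100 1)"` (an assignment that does abort under `set -e` when `pwgen` — absent from the accompanying apt-mark list — is missing), fold all options into a single `-c` string, and `rm /tmp/setup_db.psql` after the `su postgres` step; keeping the password out of `su`'s argv entirely would need a file- or stdin-based path that depends on what `pleroma_ctl` supports. Separately, the release is unzipped into the predictable, shared `/tmp/release` instead of a `mktemp -d` directory, and the ruleset loaded with `nft -f /etc/nftables.conf` is not enabled to persist across reboots (on buster that presumably means `systemctl enable nftables`).
```shell
# … unchanged: argument check, package install, certbot, user creation, download, directories …
# Generate the DB password first: if pwgen is missing this assignment fails under set -e
# instead of silently passing an empty password on.
dbpass="$(pwgen -s 100 1)"
su pleroma -s "$SHELL" -lc "./bin/pleroma_ctl instance gen \
  --output /etc/pleroma/config.exs \
  --output-psql /tmp/setup_db.psql \
  --domain '${domain}' \
  --instance-name plom-roma \
  --admin-email '${mail}' \
  --notify-email '${mail}' \
  --dbhost localhost --dbname pleroma --dbuser pleroma \
  --dbpass '${dbpass}' \
  --rum N --indexable N \
  --uploads-dir /var/lib/pleroma/uploads \
  --static-dir /var/lib/pleroma/static \
  --listen-ip 127.0.0.1 --listen-port 4000"
su postgres -s "$SHELL" -lc "psql -f /tmp/setup_db.psql"
# The generated SQL contains the DB password; do not leave it in /tmp.
rm /tmp/setup_db.psql
# … unchanged: migrate, nginx site, systemd unit, nginx restart …
```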