Notes I kept while getting my Digital Ocean + Docker + SparkPost Mastodon environment set up

.env.production

# Service dependencies
REDIS_HOST=redis
REDIS_PORT=6379
DB_HOST=db
DB_USER=postgres
DB_NAME=postgres
DB_PASS=
DB_PORT=5432

# Federation
LOCAL_DOMAIN=notrobotic.com
LOCAL_HTTPS=true

# Application secrets
# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
PAPERCLIP_SECRET=<rake generated secret>
SECRET_KEY_BASE=<rake generated secret>
OTP_SECRET=<rake generated secret>

# Registrations
# Single user mode will disable registrations and redirect frontpage to the first profile
# SINGLE_USER_MODE=true
# Prevent registrations with following e-mail domains
# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
# Only allow registrations with the following e-mail domains
# EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc

# E-mail configuration
SMTP_SERVER=smtp.sparkpostmail.com
SMTP_PORT=587
SMTP_LOGIN=SMTP_Injection
SMTP_PASSWORD=<my sparkpost api key>
[email protected]

# Optional asset host for multi-server setups
# CDN_HOST=assets.example.com

# S3 (optional)
# S3_ENABLED=true
# S3_BUCKET=
# AWS_ACCESS_KEY_ID=
# AWS_SECRET_ACCESS_KEY=
# S3_REGION=
# S3_PROTOCOL=http
# S3_HOSTNAME=192.168.1.123:9000

# Optional alias for S3 if you want to use Cloudfront or Cloudflare in front
# S3_CLOUDFRONT_HOST=

# Streaming API integration

edited-ruby-config.rb

# this is the file i had to edit
# /mastodon-root/config/initializers/devise.rb
# had to uncomment that 'config.secret_key =' line and include a secret there


  # The secret key used by Devise. Devise uses this key to generate
  # random tokens. Changing this key will render invalid all existing
  # confirmation, reset password and unlock tokens in the database.
  # Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`
  # by default. You can change it below and use your own secret key.
  config.secret_key = '<rake generated secret>'

mastodon-notes.md

• Used an Ubuntu 16.0.4 Digital Ocean droplet (didn't realize there was a Docker one)
• Installed Docker Compose via https://docs.docker.com/engine/installation/linux/ubuntu/
• Cloned my fork of the tootsuite/mastodon repo into /opt/mastodon
• Set up SparkPost account for sending
  • added a sending domain
  • clicked "settings" to get DKIM subdomain and DNS record value (note, did not click "test" to avoid possible caching issues later)
  • updated my DNS
  • verified propagation happened using whatsmydns.net
  • refreshed sending domains page, had domain approved and ready to send in ~5 min
  • created an API key with SMTP sending permissions
• Added config values (SparkPost and 3 rake-generated secret values) to .env.production (copied from .env.production.sample)
• Followed Docker deployment instructions here: https://github.com/tootsuite/mastodon#running-with-docker-and-docker-compose
• Felt confused about what to do next ??
• Installed nginx https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04
• Added /etc/nginx/conf.d/mastodon.conf (used https://github.com/tootsuite/mastodon/blob/master/docs/Running-Mastodon/Production-guide.md#nginx )
• Followed certbot instructions for let's encrypt, generated certificates
• Got notrobotic.com running with https (it loaded the fail-ephant at that point)
• Debug docker-running services for a while, tailed web/ruby logs to find problem with some missing secret/key
• Added rake-generated secret to rails devise config file lol idk
• Rebuilt, re-upped, restarted services ... it worked!

nginx-mastodon.conf

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  listen [::]:80;
  server_name notrobotic.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name notrobotic.com;

  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+AESGCM:EECDH+AES;
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  ssl_certificate     /etc/letsencrypt/live/notrobotic.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/notrobotic.com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 0;
  gzip off;

  root /opt/mastodon/public;

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  location / {
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    proxy_pass_header Server;

    proxy_pass http://localhost:3000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    proxy_pass http://localhost:4000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 500 501 502 503 504 /500.html;
}