Mastodon Docker

.env.mastodon

# Generated with mastodon:setup on 2019-06-09 21:39:02 UTC

LOCAL_DOMAIN=<your domain>
SINGLE_USER_MODE=false

S3_ENABLED=true
S3_BUCKET=<digital ocean bucket name>
AWS_ACCESS_KEY_ID=<digital ocean bucket access key>
AWS_SECRET_ACCESS_KEY=<digital ocean bucket secret key>
S3_PROTOCOL=https
S3_HOSTNAME=<digital ocean bucket name>.<digital ocean region>.digitaloceanspaces.com
S3_ENDPOINT=https://sfo3.digitaloceanspaces.com

S3_ALIAS_HOST=<digital ocean bucket name>.<digital ocean region>.cdn.digitaloceanspaces.com

SECRET_KEY_BASE=
OTP_SECRET=
VAPID_PRIVATE_KEY=
VAPID_PUBLIC_KEY=

DB_HOST=posgres
DB_USER=mastodon_production
DB_NAME=mastodon_production
DB_PASS=<database password>
DB_PORT=5432

REDIS_HOST=redis
REDIS_PORT=6379

ES_ENABLED=false
ES_HOST=es1
ES_PORT=9200

#SMTP_SERVER=
#SMTP_PORT=
#SMTP_LOGIN=
#SMTP_PASSWORD=
#SMTP_AUTH_METHOD=plain
#SMTP_OPENSSL_VERIFY_MODE=none
#SMTP_FROM_ADDRESS=Mastodon <notifications@<your domain>>

STREAMING_API_BASE_URL=wss://pettingzoo.co

#STATSD_ADDR=127.0.0.1
#STATSD_NAMESPACE=mastodon

.env.postgres

POSTGRES_PASSWORD=<pick a password>
POSTGRES_USER=mastodon_production
POSTGRES_DB=mastodon_production

certbot-gen-certs.sh

#!/bin/bash

DOMAIN=<your domain>

certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --rsa-key-size 4096 -d $DOMAIN -d *.$DOMAIN

certbot-post-renew-hook.sh

#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

/usr/sbin/nginx -s reload

crontab

# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
15 1 * * *  certbot renew --post-hook "/root/scripts/certbot-post-renew-hook.sh" >> /var/log/certbot/certbot.log 2>&1

digitalocean.ini

dns_digitalocean_token = superlongdoapikey

docker-compose.yaml

---
version: '3.7'

x-mastodon-common: &mastodon-common
    image: tyrm/mastodon:v3.5.1

services:
  # Persistent Data Stuff
  postgres:
    image: postgres:14-alpine
    volumes:
      - /opt/docker/mastodon/pgdata:/var/lib/postgresql/data:rw
    ports:
      - 55432:5432/tcp
    env_file:
     - /opt/docker/mastodon/.env.postgres
    restart: always
  redis:
    image: redis:6-alpine
    command: redis-server --appendonly yes
    volumes:
      - /opt/docker/mastodon/redisdata:/data:rw
    restart: always

  # Mastodon Services
  web:
    <<: *mastodon-common
    restart: always
    env_file: /opt/docker/mastodon/.env.mastodon
    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000 -b '0.0.0.0'"
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider --header 'x-forwarded-proto: https' --proxy off localhost:3000/api/v1/instance || exit 1"]
    ports:
      - 127.0.0.1:3000:3000
  streaming:
    <<: *mastodon-common
    restart: always
    env_file: /opt/docker/mastodon/.env.mastodon
    command: yarn start
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider --header 'x-forwarded-proto: https' --proxy off localhost:4000/api/v1/streaming/health || exit 1"]
    ports:
      - 127.0.0.1:4000:4000
  sidekiq:
    <<: *mastodon-common
    restart: always
    env_file: /opt/docker/mastodon/.env.mastodon
    command: bundle exec sidekiq

nginx-mastodon

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;

    server_name <your domain>;

    root /var/www/html;

    location /.well-known {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

proxy_cache_path /var/cache/nginx_ptzo levels=1:2 keys_zone=MASTOCACHE:10m inactive=7d max_size=1g;

server {
    listen              443 ssl http2;
    listen              [::]:443 ssl http2;

    server_name         <your domain>;

    ssl_certificate     /etc/letsencrypt/live/<your domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your domain>/privkey.pem;

    ssl_protocols       TLSv1.2 TLSv1.3;
    #ssl_ciphers         HIGH:!aNULL:!MD5;

    #ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    access_log /var/log/nginx/mastodon-access.log main;
    error_log /var/log/nginx/mastodon-error.log;

    keepalive_timeout    70;
    sendfile             on;
    client_max_body_size 80m;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    location / {
      try_files $uri @proxy;
    }
    
    location /api/v1/streaming {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Proxy "";

        proxy_pass http://localhost:4000;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        tcp_nodelay on;
    }
        
    location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
      add_header Cache-Control "public, max-age=31536000, immutable";
      add_header Strict-Transport-Security "max-age=31536000";
      try_files $uri @proxy;
    }

    location /sw.js {
      add_header Cache-Control "public, max-age=0";
      add_header Strict-Transport-Security "max-age=31536000";
      try_files $uri @proxy;
    }

    location @proxy {

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Proxy "";
      proxy_pass_header Server;

      proxy_pass http://127.0.0.1:3000;
      proxy_buffering on;
      proxy_redirect off;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_cache MASTOCACHE;
      proxy_cache_valid 200 7d;
      proxy_cache_valid 410 24h;
      proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
      add_header X-Cached $upstream_cache_status;
      add_header Strict-Transport-Security "max-age=31536000";

      tcp_nodelay on;
    }

    error_page 500 501 502 503 504 /500.html;
}