Daenney d2f6de0185
[feature] Allow loading TLS certs from disk (#1586)
Currently, GtS only supports using the built-in LE client directly for
TLS. However, admins may still want to use GtS directly (so without a
reverse proxy) but with certificates provided through some other
mechanism. They may have some centralised way of provisioning these
things themselves, or simply prefer to use LE but with a different
challenge like DNS-01 which is not supported by autocert.

This adds support for loading a public/private keypair from disk instead
of using LE and reconfigures the server to use a TLS listener if we
succeed in doing so.

Additionally, being able to load TLS keypair from disk opens up the path
to using a custom CA for testing purposes avoinding the need for a
constellation of containers and something like Pebble or Step CA to
provide LE APIs.
2023-03-04 17:24:02 +00:00

8.2 KiB

Docker

The official GoToSocial Docker images are provided through Docker Hub.

Docker images are currently available for the following OS + architecture combinations:

Linux

  • 386
  • amd64
  • arm6
  • arm7
  • arm64v8

FreeBSD

  • amd64

Before following this guide, you should read the system requirements.

This guide assumes that you're using Linux.

Run with Docker Compose

You can run GoToSocial using any orchestration system that can manage Docker containers (Kubernetes, Nomad, etc).

For simplicity's sake, this guide will lead you through the installation with Docker Compose, using SQLite as your database.

Create a Working Dir

You need a working directory in which your docker-compose file will be located, and a directory for GoToSocial to store data in, so create these directories with the following command:

mkdir -p ~/gotosocial/data

Now change to the working directory you created:

cd ~/gotosocial

Get the latest docker-compose.yaml

Use wget to download the latest docker-compose.yaml example, which we'll customize for our needs:

wget https://raw.githubusercontent.com/superseriousbusiness/gotosocial/main/example/docker-compose/docker-compose.yaml

Edit the docker-compose.yaml

Because GoToSocial can be configured using Environment Variables, we can skip mounting a config.yaml file into the container, to make our configuration simpler. We just need to edit the docker-compose.yaml file to change a few things.

First open the docker-compose.yaml file in your editor of choice. For example:

nano docker-compose.yaml

Version

If desired, update the GoToSocial Docker image tag to the version of GtS you want to use.

latest - the default. This points to the latest stable release of GoToSocial.

snapshot - points to whatever code is currently on the main branch. Not guaranteed to be stable, will often be broken. Use with caution.

You can also replace latest with a specific GoToSocial version number. This is recommended when you want to make sure that you don't update your GoToSocial version by accident, which can cause problems.

The list of releases can be found right here, with the newest release at the top. Replace latest in the docker-compose.yaml with the number of the desired release (without the leading v or trailing version name). So for example if you want to run v0.3.1 Sleepy Sloth for whatever reason, you should replace:

image: superseriousbusiness/gotosocial:latest

with:

image: superseriousbusiness/gotosocial:0.3.1

Host

Change the GTS_HOST environment variable to the domain you are running GoToSocial on.

User (optional / probably not necessary)

By default, Dockerized GoToSocial runs with Linux user/group 1000:1000, which is fine in most cases. If you want to run as a different user/group, you should change the user field in the docker-compose.yaml accordingly.

For example, let's say you created the ~/gotosocial/data directory for a user with id 1001, and group id 1001. If you now try to run GoToSocial without changing the user field, it will get a permissions error trying to open its database file in the directory. In this case, you would have to change the user field of the docker compose file to 1001:1001.

LetsEncrypt (optional)

If you want to use LetsEncrypt for ssl certificates (https), you should also:

  1. Change the value of GTS_LETSENCRYPT_ENABLED to "true".
  2. Remove the # before - "80:80" in the ports section.
  3. (Optional) Set GTS_LETSENCRYPT_EMAIL_ADDRESS to a valid email address to receive certificate expiry warnings etc.

Reverse proxies

The default port bindings are for exposing GoToSocial directly and publicly. Remove the # in front the line that forwards 127.0.0.1:8080:8080 which makes port 8080 available only to the local host. Change that 127.0.0.1 if the reverse proxy is somewhere else.

To ensure rate limiting by IP works, remove the # in front of GTS_TRUSTED_PROXIES and set it to the IP the requests from the reverse proxy are coming from. That's usually the value of the Gateway field of the docker network.

$ docker network inspect gotosocial_gotosocial
[
    {
        "Name": "gotosocial_gotosocial",
        [...]
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        [...]

In the example above, it would be 172.19.0.1.

If unsure, skip the trusted proxies step, continue with the next sections, and once it's running get the clientIP from the docker logs.

Start GoToSocial

With those small changes out of the way, you can now start GoToSocial with the following command:

docker-compose up -d

After running this command, you should get an output like:

Creating network "gotosocial_gotosocial" with the default driver
Creating gotosocial ... done

If you want to follow the logs of GoToSocial, you can use:

docker logs -f gotosocial

If everything is OK, you should see something similar to the following:

time=2022-04-19T09:48:35Z level=info msg=connected to SQLITE database
time=2022-04-19T09:48:35Z level=info msg=MIGRATED DATABASE TO group #1 (20211113114307, 20220214175650, 20220305130328, 20220315160814) func=doMigration
time=2022-04-19T09:48:36Z level=info msg=instance account example.org CREATED with id 01EXX0TJ9PPPXF2C4N2MMMVK50
time=2022-04-19T09:48:36Z level=info msg=created instance instance example.org with id 01PQT31C7BZJ1Q2Z4BMEV90ZCV
time=2022-04-19T09:48:36Z level=info msg=media manager cron logger: start[]
time=2022-04-19T09:48:36Z level=info msg=media manager cron logger: schedule[now 2022-04-19 09:48:36.096127852 +0000 UTC entry 1 next 2022-04-20 00:00:00 +0000 UTC]
time=2022-04-19T09:48:36Z level=info msg=started media manager remote cache cleanup job: will run next at 2022-04-20 00:00:00 +0000 UTC
time=2022-04-19T09:48:36Z level=info msg=listening on 0.0.0.0:8080

Create your first User

Now that GoToSocial is running, you can execute commands inside the running container to create and promote your admin user.

First create a user (replace the username, email, and password with appropriate values):

docker exec -it gotosocial /gotosocial/gotosocial admin account create --username some_username --email someone@example.org --password 'some_very_good_password'

If you are running a version older than 0.6.0, you will need to manually confirm as well:

./gotosocial --config-path ./config.yaml admin account confirm --username some_username

Replace some_username with the username of the account you just created.

Now promote the user you just created to admin privileges:

docker exec -it gotosocial /gotosocial/gotosocial admin account promote --username some_username

When running these commands, you'll get a bit of output like the following:

time=2022-04-19T09:53:29Z level=info msg=connected to SQLITE database
time=2022-04-19T09:53:29Z level=info msg=there are no new migrations to run func=doMigration
time=2022-04-19T09:53:29Z level=info msg=closing db connection

This is normal and indicates that the commands ran as expected.

Done

GoToSocial should now be running on your machine! To verify this, open your browser and go to http://localhost:443. You should see the GoToSocial landing page. Well done!

(Optional) Reverse Proxy

If you want to run other webservers on port 443, or want to add an additional layer of security you might want to add NGINX, Traefik, or Apache httpd into your docker-compose to use as a reverse proxy.